Re: Turning off secured LDAP on Win2K domain controllers?

From: Thomas Foster [MS] (a-thomf@online.microsoft.com)
Date: 06/20/02


From: "Thomas Foster [MS]" <a-thomf@online.microsoft.com>
Date: Thu, 20 Jun 2002 14:17:46 -0700


Hi Robert,

You are trying to perform LDAP queries anonymously, without being
authenticated by the Domain Controller? Although this is possible, I highly
recommend against it, for you can potentially expose your database.

There are two things that need to take place before Active Directory will
support anonymous queries. First, permissions on the directory must be set
properly to allow for anonymous queries. Second is client configuration. This
article will give you the necessary information needed to configure an LDAP
client to search the Active Directory.

Setting Directory Permissions

The following permissions need to be applied to the root of the Domain Naming
Context for the domain that you want queries to be searched against. Follow
the steps below to grant the required permissions for anonymous access.
Repeat for each item in the table. The table shows the required permissions
needed to perform queries to look up e-mail names. Substitute the table
heading listed in the steps with the value listed in the table.

User             Object Permissions           Inheritance                  Permission Type
ANONYMOUS LOGON  List Contents                Container Objects            Object
ANONYMOUS LOGON  List Contents                Organizational Unit Objects  Object
ANONYMOUS LOGON  Read Public Information      User Objects                 Property
ANONYMOUS LOGON  Read Phone and Mail Options  User Object                  Property

1. Open ADSIEdit from the Windows 2000 Support Tools. Navigate to the Domain
Naming Context Folder. This folder should have the LDAP path of your domain.
Select the folder.

2. Right click on the Domain Naming Context and select properties.

3. Select the Security Tab from the Properties of the Domain Naming Context.

4. Click the Advance button on the Security Editor.

5. Click the Add button. Select the user User Object from the dialog box and
click Ok.

6. Select the Permission Type tab.

7. Select Inheritance from the Apply onto pull down list.

8. Click on the Allow checkbox for the Permission permission.

The configuration outlined above will allow anonymous queries to the Active
Directory. This is just an example of how to configure Active Directory to
allow anonymous queries to retrieve e-mail information of a particular user.
You may need to experiment with different permission settings if you need to
search for a different object or attribute.

Here is an example query that can be used to test this configuration.

(&(objectclass=user)(cn=*[insert a valid username here]))

Hope this helps

--
Thomas Foster
Microsoft Support
Get Secure! :  http://www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties,
and confers no rights.
"Robert Gordon" <Robert_Gordon@nospam.perlegen.com> wrote in message
news:ekV3$PHGCHA.2012@tkmsftngp08...
> Currently, in order to pull data from my DCs via LDAP, I have to specify a
> user name and "use secure password authentication" in order to pull LDAP
> queries.
>
> This only works under Outlook Express' directory searches. It doesn't work
> under Netscape or any other LDAP compliant app. How can I turn off the "use
> secure password authentication" requirement, so that anyone can pull
> information from my AD, via LDAP?
>
>
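The ADSIEdit steps in the reply above grant ANONYMOUS LOGON rights on the domain naming context, and the same ACEs are what an administrator later needs to find again when deciding whether that exposure is still wanted. The script below is an added example, not code from the original post or from Microsoft: it lists every ACE on the domain naming context that names ANONYMOUS LOGON and translates the ACE's object GUIDs back into the property-set and class names used in the table (Public Information, Phone and Mail Options, user, container, organizationalUnit). It assumes the ActiveDirectory PowerShell module and the AD: drive it provides (Windows Server 2008 R2 RSAT or later); on the Windows 2000 controllers the post is about, the same ACL is only reachable through ADSIEdit.

```powershell
# Added example (not from the original post): audit the ACEs on the domain naming
# context that are granted to ANONYMOUS LOGON. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext
$schemaDn = $rootDse.schemaNamingContext

# Map GUID -> readable name. Property sets and extended rights live under
# CN=Extended-Rights in the configuration partition (rightsGuid is a string);
# object classes live in the schema partition (schemaIDGUID is a byte array).
$names = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties rightsGuid, displayName |
    ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }
Get-ADObject -SearchBase $schemaDn `
             -LDAPFilter '(objectClass=classSchema)' `
             -Properties schemaIDGUID, lDAPDisplayName |
    ForEach-Object { $names[(New-Object Guid (,$_.schemaIDGUID))] = $_.lDAPDisplayName }

function Resolve-AceGuid([guid]$Guid) {
    # An empty GUID in an ACE means "all properties" or "all object classes".
    if ($Guid -eq [guid]::Empty) { return '(all)' }
    if ($names.ContainsKey($Guid)) { return $names[$Guid] }
    return $Guid.ToString()
}

# Read the security descriptor of the domain root, exactly the object whose
# Security tab the ADSIEdit steps edit.
$acl = Get-Acl -Path "AD:\$domainDn"
$anonymousAces = $acl.Access | Where-Object { $_.IdentityReference -like '*ANONYMOUS LOGON' }

if (-not $anonymousAces) {
    Write-Output "No ACEs for ANONYMOUS LOGON on $domainDn."
}

$anonymousAces | ForEach-Object {
    [pscustomobject]@{
        Type        = $_.AccessControlType                      # Allow / Deny
        Rights      = $_.ActiveDirectoryRights                  # e.g. ListChildren, ReadProperty
        ObjectType  = Resolve-AceGuid $_.ObjectType             # property set, e.g. Public Information
        AppliesTo   = Resolve-AceGuid $_.InheritedObjectType    # class from the "Apply onto" list
        Inheritance = $_.InheritanceType                        # None, All, Descendents, ...
    }
} | Format-Table -AutoSize
```

Run it as a user who can read the domain root's security descriptor. A row such as `Allow ReadProperty Public Information user Descendents` corresponds to the third line of the table above; "List Contents" appears as `ListChildren` with ObjectType `(all)` and AppliesTo `container` or `organizationalUnit`. One caveat beyond the Windows 2000 behaviour the post describes: on Windows Server 2003 and later, anonymous LDAP operations other than a rootDSE read are refused regardless of these ACEs unless the seventh character of the forest's dsHeuristics attribute is set to 2, so the ACEs alone do not tell you whether a newer controller actually answers anonymous queries.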

