Re: How to prevent LDAP simple bind?


From: Boris Lokhvitsky (msexpert_at_gmail.com)
Date: 08/24/04


Date: Tue, 24 Aug 2004 16:37:21 -0700

Joe... By the way, this is KB 817583 that refers to what I mentioned. Here's
the quote:

While you are using a program that uses ADSI to communicate to any
Lightweight Directory Access Protocol (LDAP) server that is listening on a
port other than the SSL port 636 ... the program cannot bind to the LDAP
server by using the ADS_USE_SSL/ADS_USE_ENCRYPTION options in the
ADSOpenObject method. ... This problem occurs because ADSI is restricted to
SSL port number 636 when it makes a bind call to the LDAP server.

It doesn't seem to get along with what you said ("ADSI can use 389, as does
normal LDAP and that has nothing to do with the bind type"), or perhaps I am
missing the logic here... Not relevant to my problem, though :)

Regards,
Boris

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:ePQEIpgiEHA.2664@TK2MSFTNGP11.phx.gbl...
> ADSI can use 389, as does normal LDAP and that has nothing to do with the
> bind type. You can do a SASL bind to 389 just fine. Blocking 389 would break
> a ton of stuff.
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net

Boris Lokhvitsky wrote:
> Hello All,
> Simple LDAP bind, as everybody knows, uses plaintext username and password
> transmitted over the network. In case I am not using port 636 (LDAP-SSL),
> and just plain old 389, how can I prevent users from performing simple bind
> to my domain controller and only allow them to use secure SSPI bind?
> The best I could find was KB 823659 which advises to use GPO setting "LDAP
> server signing requirements". I am still not sure if this might help here.
> Some other articles mention that ADSI is restricted to SSL port (636) when
> it makes a bind call to the LDAP server. However, there might be different
> LDAP clients (Linux flavored indeed) that use various methods. I would like
> to prevent any possibility of a simple bind to happen.
> Please advise.
> Thanks,
> Boris
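The two bind types discussed in this thread, as an added example that is not part of the original posts: the code below hand-encodes an LDAPv3 simple BindRequest and a SASL BindRequest (RFC 4511 section 4.2) so you can see that the simple bind carries the password itself on port 389 while the SASL form carries only a mechanism name and an opaque token, and it decodes a BindResponse. A domain controller whose "LDAP server signing requirements" policy is set to "Require signing" answers a simple bind on an unencrypted port 389 connection with resultCode 8 (strongerAuthRequired), which is the reply the decoder is exercised with; the DN, password, SASL token and reply bytes are all constructed for illustration, nothing is sent to a real server.

```python
"""Added example (not from the original posts): LDAP simple bind versus SASL
bind on the wire, plus a BindResponse decoder.  BER/ASN.1 per RFC 4511.
All DNs, passwords, tokens and replies below are constructed."""


def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, content: bytes) -> bytes:
    """One TLV: tag byte, length, content."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER (or ENUMERATED when tag=0x0A), two's complement."""
    return ber(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def bind_request(message_id: int, dn: str, authentication: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, auth } }."""
    op = ber(0x60, ber_int(3) + ber(0x04, dn.encode()) + authentication)
    return ber(0x30, ber_int(message_id) + op)


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """authentication = simple [0] OCTET STRING: the password, unencrypted."""
    return bind_request(message_id, dn, ber(0x80, password.encode()))


def sasl_bind_request(message_id: int, dn: str, mechanism: str, token: bytes) -> bytes:
    """authentication = sasl [3] SaslCredentials { mechanism, credentials }.
    An SSPI bind from Windows uses mechanism GSS-SPNEGO with a Kerberos or NTLM
    token as credentials; the password itself is never placed in the packet."""
    creds = ber(0xA3, ber(0x04, mechanism.encode()) + ber(0x04, token))
    return bind_request(message_id, dn, creds)


def credential_on_the_wire(packet: bytes, password: str) -> bool:
    """True if the cleartext password is present in the packet bytes, i.e.
    what a capture of port 389 traffic would reveal."""
    return password.encode() in packet


RESULT_CODES = {0: "success", 8: "strongerAuthRequired", 49: "invalidCredentials"}


def bind_response(message_id: int, result_code: int, diagnostic: str) -> bytes:
    """BindResponse [APPLICATION 1] { resultCode ENUMERATED, matchedDN, diagnosticMessage }."""
    op = ber(0x61, ber_int(result_code, 0x0A) + ber(0x04, b"") + ber(0x04, diagnostic.encode()))
    return ber(0x30, ber_int(message_id) + op)


def _tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(packet: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindResponse into its fields."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _tlv(msg, 0)
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, rc, pos = _tlv(op, 0)          # resultCode ENUMERATED
    _, _matched, pos = _tlv(op, pos)  # matchedDN, empty on a bind failure
    _, diag, _ = _tlv(op, pos)        # diagnosticMessage
    code = int.from_bytes(rc, "big")
    return {"messageID": int.from_bytes(mid, "big"), "resultCode": code,
            "result": RESULT_CODES.get(code, "other"),
            "diagnostic": diag.decode(errors="replace")}


if __name__ == "__main__":
    # Constructed DN and password; this is what a sniffer on port 389 sees.
    simple = simple_bind_request(1, "CN=jdoe,CN=Users,DC=example,DC=com", "Passw0rd!")
    print(simple.hex())
    print("simple bind, password visible:", credential_on_the_wire(simple, "Passw0rd!"))
    sasl = sasl_bind_request(2, "", "GSS-SPNEGO", b"constructed-spnego-token")
    print("SASL bind, password visible:", credential_on_the_wire(sasl, "Passw0rd!"))
    # Constructed reply of a DC that requires LDAP signing to a simple bind on 389.
    reply = bind_response(1, 8, "constructed: server requires integrity checking on this connection")
    print(parse_bind_response(reply))
```

Run it and compare the hex of the simple bind with the SASL one: the password string sits in the clear after the `80` tag in the first, while the second contains only the mechanism name and the token blob, which is why Joe's point about SASL on 389 and Boris's worry about simple binds are both right.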


