Re: How to prevent LDAP simple bind?


From: Boris Lokhvitsky (msexpert_at_gmail.com)
Date: 08/25/04


Date: Tue, 24 Aug 2004 17:16:28 -0700

Cool! I have tested it with the home-grown Java client performing the simple
bind - and this policy is working fine.

Thanks Joe, thanks Jason, for your help.

Best regards,
Boris

"Boris Lokhvitsky" <msexpert@gmail.com> wrote in message
news:ey7sP1iiEHA.1040@TK2MSFTNGP09.phx.gbl...
> Thanks Joe,
>
> Yeah I understand that. What I meant was - actually there are two
> alternatives, you can either allow simple bind but require to use SSL for
> it, or you can require secure bind over plain 389. Both ways are secure, I
> am just wondering how to prevent the NON secure way which is simple bind
> over port 389.
>
> Thanks,
> Boris
>
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:ePQEIpgiEHA.2664@TK2MSFTNGP11.phx.gbl...
> > Yes I believe this will accomplish your goal as it has a requirement,
> > strong authentication and a simple bind isn't.
> >
> > ADSI can use 389, as does normal LDAP and that has nothing to do with
> > the bind type. You can do a sasl bind to 389 just fine. Blocking 389
> > would break a ton of stuff.
> >
> > --
> > Joe Richards Microsoft MVP Windows Server Directory Services
> > www.joeware.net
> >
> >
> >
> > Boris Lokhvitsky wrote:
> > > Hello All,
> > > Simple LDAP bind, as everybody knows, uses plaintext username and
> > > password transmitted over the network. In case I am not using port 636
> > > (LDAP-SSL), and just plain old 389, how can I prevent users from
> > > performing simple bind to my domain controller and only allow them to
> > > use secure SSPI bind?
> > > The best I could find was KB 823659 which advises to use GPO setting
> > > "LDAP server signing requirements". I am still not sure if this might
> > > help here.
> > > Some other articles mention that ADSI is restricted to SSL port (636)
> > > when it makes a bind call to the LDAP server. However, there might be
> > > different LDAP clients (Linux flavored indeed) that use various methods.
> > > I would like to prevent any possibility of a simple bind to happen.
> > > Please advise.
> > > Thanks,
> > > Boris
> > >
> > >
>
>
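The thread turns on the difference between a simple bind (password sent as a plaintext OCTET STRING) and a SASL bind, and on the fact that "LDAP server signing requirements = Require signing" refuses the former on an unprotected port 389 connection while leaving SASL binds and simple binds over SSL/TLS alone. The following is an added example, not code from the thread or from any of the posters: it encodes and decodes LDAP BindRequest messages at the BER level so the two bind types can be told apart, flags any simple bind that would cross the wire without TLS (the case Boris wants to stop), and simulates the policy decision. The bind messages, peer addresses, DN and credential are constructed placeholders; the `evaluate_bind` policy is an assumption that mirrors the setting's effect as described in the thread, simplified in that it does not model a SASL bind that fails to negotiate integrity.

```python
"""Classify LDAP BindRequests on the wire (simple vs. SASL) and simulate what
"LDAP server signing requirements = Require signing" does to each of them.
Added example: the bind messages below are constructed, not captured traffic."""

# BER tags for the LDAPMessage/BindRequest structure (RFC 4511)
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60         # BindRequest: [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80          # authentication CHOICE [0]: simple OCTET STRING
AUTH_SASL = 0xA3            # authentication CHOICE [3]: SaslCredentials SEQUENCE
STRONGER_AUTH_REQUIRED = 8  # LDAP resultCode a server uses to refuse a too-weak bind


def ber_length(n):
    """Encode a BER length in short form (< 128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def ber_int(value):
    """Single-byte INTEGER; enough for messageID and version here."""
    return tlv(INTEGER, bytes([value]))


def build_bind_request(message_id, dn, password=None, sasl_mechanism=None, sasl_token=b""):
    """Encode an LDAPMessage carrying a BindRequest with simple or SASL auth."""
    if password is not None:
        auth = tlv(AUTH_SIMPLE, password.encode())
    else:
        auth = tlv(AUTH_SASL, tlv(OCTET_STRING, sasl_mechanism.encode()) + tlv(OCTET_STRING, sasl_token))
    bind = tlv(BIND_REQUEST, ber_int(3) + tlv(OCTET_STRING, dn.encode()) + auth)
    return tlv(SEQUENCE, ber_int(message_id) + bind)


def read_tlv(buf, pos):
    """Decode one tag/length/value at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(msg):
    """Bind type and name of a BindRequest, or None if msg is another operation.
    The password itself is never returned, only its length."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != SEQUENCE:
        return None
    _, mid, pos = read_tlv(body, 0)
    tag, op, _ = read_tlv(body, pos)
    if tag != BIND_REQUEST:
        return None
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    info = {"message_id": int.from_bytes(mid, "big"), "version": version[0], "name": name.decode()}
    if tag == AUTH_SIMPLE:
        info.update(auth="simple", mechanism=None, credential_len=len(auth))
    elif tag == AUTH_SASL:
        _, mech, _ = read_tlv(auth, 0)
        info.update(auth="sasl", mechanism=mech.decode(), credential_len=None)
    else:
        info.update(auth="unknown", mechanism=None, credential_len=None)
    return info


def evaluate_bind(info, tls_active, require_signing=True):
    """Policy decision: 0 = bind may proceed, 8 = strongerAuthRequired.
    Assumption: mirrors the GPO setting from the thread; a real DC also requires
    a SASL bind to negotiate integrity, which is not modelled here."""
    if info["auth"] == "sasl":
        return 0
    if info["auth"] == "simple" and (tls_active or not require_signing):
        return 0
    return STRONGER_AUTH_REQUIRED


# Constructed sample binds (placeholder DN, credential and SASL token)
SIMPLE_BIND = build_bind_request(1, "CN=svc,DC=example,DC=test", password="Passw0rd!")
SASL_BIND = build_bind_request(2, "", sasl_mechanism="GSSAPI", sasl_token=b"\x60\x00")

# Constructed connection records, shaped like a capture-analysis tool's output
CAPTURED = [
    {"peer": "10.0.0.5", "port": 389, "tls": False, "msg": SIMPLE_BIND},
    {"peer": "10.0.0.6", "port": 636, "tls": True, "msg": SIMPLE_BIND},
    {"peer": "10.0.0.7", "port": 389, "tls": False, "msg": SASL_BIND},
]


def plaintext_simple_binds(records):
    """Peers whose bind sends the password in the clear: the case the policy must stop."""
    return [r["peer"] for r in records
            if (i := parse_bind_request(r["msg"])) and i["auth"] == "simple" and not r["tls"]]


if __name__ == "__main__":
    for rec in CAPTURED:
        info = parse_bind_request(rec["msg"])
        print(rec["peer"], rec["port"], info["auth"], info["mechanism"], "->", evaluate_bind(info, rec["tls"]))
    print("plaintext simple binds:", plaintext_simple_binds(CAPTURED))
```

The useful observation for the original question is in `evaluate_bind`: the policy is keyed on the authentication CHOICE tag and on whether TLS is already active, not on the TCP port, which is why the setting can refuse a simple bind on 389 without breaking the SASL binds that ADSI and Windows clients send to the same port. The `plaintext_simple_binds` pass is the check to run over a capture before and after enabling the setting: every peer it lists is a client that still needs to be moved to LDAPS or to a SASL bind.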
