Re: ADAM - SASL Bind for Windows Security Principal
- From: "Chang" <mchang92612@xxxxxxxxx>
- Date: Wed, 20 Apr 2005 16:18:40 -0700
When I login as a good user:
-----------
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='SysAdmin'; Pwd= <unavailable>; domain =
'peregrinedom'.}
Authenticated as dn:'SysAdmin'.
***Searching...
ldap_search_s(ld, "dc=eng,DC=Cheetah,DC=com", 0, "objectclass=*", attrList,
0, &msg)
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: dc=eng,DC=Cheetah,DC=com
1> distinguishedName: DC=eng,DC=Cheetah,DC=com;
-----------
When I login as a bogus user:
-----------
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='xyz'; Pwd= <unavailable>; domain = 'peregrinedom'.}
Authenticated as dn:'xyz'.
***Searching...
ldap_search_s(ld, "dc=eng,DC=Cheetah,DC=com", 0, "objectclass=*", attrList,
0, &msg)
Error: Search: Unavailable. <52>
Server error:
Error<94>: ldap_parse_result failed: No result present in message
Getting 0 entries:
-----------
So maybe I was not logged in as guest in the latter case. I do have a guest
user enabled on my Windows 2003 ADAM server. After I disabled it, the bogus
login returned 0x31 [Invalid Credentials].
These tests lead me to some questions:
(1) I also tried to enable/disable the guest user on my Windows 2000 DC. I
found out it has no effect at all. The one affecting the ldap_bind_s is the
guest user on my ADAM server? Why? In my ldap_bind_s call I explicitly
specified the user, password and my DC domain name; if it cannot find the
bogus user and decides to fall back to the guest user, shouldn't it use the guest
user on my DC?
(2) How come ldap_bind_s didn't just give me an error when the user
name/password didn't pass? I just tried ldap_simple_bind_s with a bogus
user name/password and it returned 0x31.
"Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
news:Pine.LNX.4.44.0504200138001.3262-100000@xxxxxxxxxxxxxxxxxx
> Hi
>
> when the guest bind reports success does it actually allow you any access?
> I suspect not, but if you can try a repro with ldp.exe that should give
> us the detailed error on any search attempt on a naming context after the
> bind (if using your own code examine LDAP_OPT_SERVER_ERROR), I would hope
> it will say that you are not authenticated (000004DC).
>
> From your event log it seems that you do have a guest
> account enabled on the W2003 server or in the domain, is that the case?
>
>
> Thanks
> Lee Flight
>
> On Tue, 19 Apr 2005, Chang wrote:
>
> >
> > Configuration: I have an ADAM instance installed on a Windows 2003 server.
> > This server joins a Windows 2000 DC.
> >
> > I tried to bind to a Windows user using the ldap_bind_s. I followed the
> > documentation to pass in parameters:
> >
> > dn: NULL
> > cred: pointer to a SEC_WINNT_AUTH_IDENTITY_EX structure where I filled user
> > name, domain, password and their length.
> > method: LDAP_AUTH_NTLM.
> >
> > If I enter correct user name, domain, and password the ldap_bind_s returns
> > 0. From the security event log I can verify that I'm logged in as the correct
> > user.
> >
> > However if I just use a junk user (e.g. xyz) or domain name, the ldap_bind_s
> > still returns 0 - I expect an error here. From the security event log I can
> > tell that I'm logged in as the "guest" account.
> >
> > I guess there is something in AD that I could configure to disable this
> > behavior. Can you help? Thanks.
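Added example, not code from the thread or from Microsoft: a C check that refuses to take ldap_bind_s's 0 return as proof of logon until the first search after the bind has succeeded, using the 000004DC (ERROR_NOT_AUTHENTICATED) prefix Lee expects in LDAP_OPT_SERVER_ERROR as the sign of a guest/anonymous fallback. The host name, the bogus password, the search error text and the ANSI build are assumptions; the naming context, domain and user name are the thread's own.

```c
#include <ctype.h>
#include <stdlib.h>
#define WIN32_ERROR_NOT_AUTHENTICATED 0x4DCUL   /* ERROR_NOT_AUTHENTICATED (1244) */
enum bind_verdict { BIND_FAILED, BIND_OK, BIND_GUEST_OR_ANON, BIND_UNDETERMINED };

/* AD/ADAM prefix the LDAP_OPT_SERVER_ERROR text with an 8-hex-digit Win32 code, e.g. "000004DC: LdapErr: ..." */
int parse_server_error_code(const char *s, unsigned long *code)
{
    int i; if (s == NULL) return 0;
    for (i = 0; i < 8; i++) if (!isxdigit((unsigned char)s[i])) return 0;
    if (s[8] != ':') return 0;
    *code = strtoul(s, NULL, 16);   /* stops at the ':' */
    return 1;
}

/* bind rc 0 followed by a first search that fails with 000004DC means the server took the
 * connection as Guest/anonymous, not as the user in SEC_WINNT_AUTH_IDENTITY(_EX): not a logon. */
enum bind_verdict classify_bind(unsigned long bind_rc, unsigned long search_rc,
                                const char *server_error)
{
    unsigned long code;
    if (bind_rc != 0) return BIND_FAILED;      /* honest failure, e.g. 0x31 invalid credentials */
    if (search_rc == 0) return BIND_OK;        /* the bind granted real access */
    if (parse_server_error_code(server_error, &code) && code == WIN32_ERROR_NOT_AUTHENTICATED)
        return BIND_GUEST_OR_ANON;
    return BIND_UNDETERMINED;                  /* search failed for some other reason */
}

#ifdef _WIN32   /* the thread's bind + search via wldap32 (ANSI build, link wldap32.lib) */
#include <stdio.h>
#include <windows.h>
#include <winldap.h>
int main(void)
{
    SEC_WINNT_AUTH_IDENTITY_A id = {0};
    LDAPMessage *msg = NULL; PCHAR err = NULL; ULONG ver = LDAP_VERSION3, brc, src;
    LDAP *ld = ldap_init("adam-host.example.invalid", LDAP_PORT);   /* placeholder host */
    if (ld == NULL) return 1;
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ver);          /* v.3, as ldp.exe used */
    id.User = (unsigned char *)"xyz"; id.UserLength = 3; id.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
    id.Domain = (unsigned char *)"peregrinedom"; id.DomainLength = 12;
    id.Password = (unsigned char *)"bogus"; id.PasswordLength = 5;   /* constructed value */
    brc = ldap_bind_s(ld, NULL, (PCHAR)&id, LDAP_AUTH_NTLM);
    src = ldap_search_s(ld, "dc=eng,DC=Cheetah,DC=com", LDAP_SCOPE_BASE, "(objectClass=*)", NULL, 0, &msg);
    ldap_get_option(ld, LDAP_OPT_SERVER_ERROR, &err);
    printf("verdict=%d server_error=%s\n", classify_bind(brc, src, err), err ? err : "(none)");
    if (err) ldap_memfree(err); ldap_msgfree(msg); ldap_unbind(ld);
    return 0;
}
#endif
```

On a non-Windows build only the two portable functions compile, so the verdict logic can be unit-tested against sample server error strings without an ADAM instance.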