Re: adam bind-redirect
- From: "Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 18 May 2005 23:54:00 -0600
No, you cannot do this. It is bad from a security standpoint if we allowed
admins to impersonate a user.
But the question is -- why do you need to do bind-redirect? If you are an
admin, you don't need to impersonate the user. You can just read data from
the user object and do whatever you want with it.
What is it you need to do?
--
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"mwr" <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1C8C70BE-5CC9-42FE-81C6-D246BBB8EB35@xxxxxxxxxxxxxxxx
> Question?
> If we don't have the password of the authenticated user,
> can we use an administrative password to do the bind-redirect?
>
> "Dmitri Gavrilov [MSFT]" wrote:
>
>> Lee is correct. You won't be able to do a proxy bind if you don't have
>> the password.
>>
>> In any case, you are better off doing a secure bind as the currently
>> impersonated user. This is the safest approach. This will work only if
>> ADAM runs on the same box where IIS is, or if you enable delegation.
>>
>> Re schema extension -- you can design any class you want. Then, you add
>> msDS-bindProxy (a class in the base ADAM schema) as an aux class, and off
>> you go. The userProxy class supplied in the LDF file is a "sample". You
>> can either modify it as you want, or make another class like that. Up to
>> you. ADAM only cares about msDS-bindProxy being an aux class of your
>> proxy class.
>>
>> --
>> Dmitri Gavrilov
>> SDE, Active Directory Core
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> Use of included script samples is subject to the terms specified at
>> http://www.microsoft.com/info/cpyright.htm
>>
>> "Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
>> news:Pine.GSO.4.55.0504281900480.14446@xxxxxxxxxxxxxxxxxxxxxx
>> >
>> > Hi
>> >
>> > inline below...
>> >
>> > On Thu, 28 Apr 2005, [Utf-8] mwr wrote:
>> >
>> >> So if we don't have the password of the person
>> >> being authenticated (as in Windows authentication or
>> >> a third party doing authentication) then the proxy-redirect isn't an
>> >> option.
>> >> Correct?
>> >
>> > As bind redirect requires the distinguishedName or userPrincipalName
>> > of the bind proxy object in the ADAM naming context and the Windows
>> > password, I do not see how you could impersonate that in a simple LDAP
>> > bind; maybe others with more dev expertise know different...
>> >
>> >> Assuming we can do the bind redirect in another scenario
>> >> and we define a custom class in ADAM, is it possible to add one of
>> >> our custom classes as an auxiliary class to the user proxy object?
>> >> Not sure how to do that.
>> >
>> > Yes you should be able to do that, I think what a number of folks
>> > do in practice is design the bindProxy that they want and then modify
>> > the MS-UserProxy to meet that and import that into ADAM.
>> >
>> > Lee Flight
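The schema advice in the thread (design your own proxy class, attach msDS-BindProxy as an auxiliary class, then create proxy objects whose objectSid points at the Windows account) can be written out as an ldifde import. The LDIF below is an added example, not part of the thread and not Microsoft's MS-UserProxy.LDF; the class name, OID, instance GUID, partition DN and SID are placeholders (assumed), and the attribute set mirrors what the base schema attributes allow rather than any particular product sample.

```ldif
# Added example (not from the thread). Part 1: a custom bind-proxy class.
# The schema NC of an ADAM instance is CN=Schema,CN=Configuration,CN={instance GUID};
# {PLACEHOLDER-INSTANCE-GUID} and the governsID OID are assumed placeholders.
dn: CN=myBindProxy,CN=Schema,CN=Configuration,CN={PLACEHOLDER-INSTANCE-GUID}
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: myBindProxy
adminDisplayName: myBindProxy
adminDescription: Custom bind-redirect class (example)
governsID: 1.3.6.1.4.1.99999.1.1
objectClassCategory: 1
subClassOf: top
rDNAttID: cn
# This is the only thing ADAM cares about for bind redirection:
auxiliaryClass: msDS-BindProxy
possSuperiors: organizationalUnit
possSuperiors: container
mayContain: userPrincipalName
mayContain: description

# Flush the schema cache so the new class is usable in the same import.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# Part 2: one proxy object in the application partition (placeholder DN).
# objectSid must be supplied at creation and must be the SID of the real
# Windows account; the SID below is a constructed placeholder.
dn: CN=jsmith,OU=Proxies,DC=example,DC=com
changetype: add
objectClass: myBindProxy
cn: jsmith
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
userPrincipalName: jsmith@example.com
```

Import it with `ldifde -i -f proxy.ldf -s <server>:<port>` (use the `-c` switch to substitute the real schema DN if you keep the placeholder). The security point the thread makes falls straight out of the objectSid attribute: a bind to `CN=jsmith,...` is forwarded to Windows for the account that owns that SID, so only that account's own password will succeed, and an administrator's password for a different account is simply a failed bind. Two caveats worth keeping: the proxy object carries no password of its own, so nothing to protect is stored in ADAM, and ADAM refuses proxy binds over a cleartext connection unless `RequireSecureProxyBind` in the instance's msDS-Other-Settings is changed from its default; leave it at the default and bind over SSL so the forwarded Windows password never travels in the clear.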