Re: LDAP Authentication for Single Sign On



I'll answer your questions below inline.

I hope this helps some more. No worries about being a newbie. :)

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Jeremy Revitch" <JeremyRevitch@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B5C51A35-F9B9-4670-ADF0-25B00244DD0C@xxxxxxxxxxxxxxxx
Joe - Thanks for the rapid and comprehensive response. Of course it spurs a
couple more questions...

Please keep in mind that I am an AD/LDAP novice (read: clueless)

1.) So no authentication is required when performing bind operations only
against AD?


Just to be clear, the bind operation IS the authentication. It is the
operation in LDAP when the client provides credentials to the server and
asks the server to authenticate them. The type of credentials may vary
based on the type of bind being performed, but the basic idea is the same.
If the bind is successful, the connection state changes to "authenticated"
and any operations performed on that connection after the bind will use the
security context of the authenticated user. If the bind fails, an error is
returned.

However, some applications and services that do programmatic authentication
against LDAP directories do more than a bind operation as part of the
authentication. Some will also perform LDAP searches to do things like
verifying that the user exists or reading some attributes on the user. I
was trying to suggest that this is not really necessary and isn't really
part of the authentication itself, as the bind operation is the actual
authentication.

2.) My users are distributed in a number of OU's that all live under a
self-created Users & User Groups OU. (Again excuse my ignorance here) Can the
bind operation work in this configuration?


The bind operation just specifies the user's credentials and the connection
to the directory itself, so the users can be in any container in the
directory at all. With AD, they can be in other domains in the forest if
you have a multiple domain forest and the bind will still work.

3.) If I do find that I have to create a service account can you steer me
towards somewhere I might look for details on limiting said service account
so that it only has access to read from the OU in question?


That isn't my specialty at all, so I'd suggest starting another thread.

4.) If the (non-Windows) client doesn't support anything other than a simple
bind and I use a self-assigned certificate isn't it just a case of
configuring the client performing the bind to trust it?


You can. However, I don't like this idea for the reasons I mentioned. You
may wish to allow other clients to use SSL LDAP as well and then the
self-signed cert becomes a big deployment hassle. A real SSL cert from a
vendor isn't very expensive and setting up an internal CA isn't that big of
a deal either.

In my opinion, self-signed certs are only suitable for test labs. If you
want to use one, go right ahead. You can also start with one and get a real
cert later if you find it to be painful for whatever reason.

5.) You mention not needing transport security if IPSEC is in place in the
VPN. But isn't the password still sent in plaintext and therefore subject to
exposure?

IPSEC is another type of transport layer security like SSL, so it can
potentially be used in place of SSL. In the case of a VPN tunnel, if the
VPN uses some sort of transport layer security (which they usually do) like
SSL or IPSEC, then that may be sufficient for what you need. However, if
the data travels over any unencrypted network segments, the simple bind data
will be available to a sniffer on the unencrypted segment. As to whether
that's a real threat or not depends on your data center architecture and
your own internal security policies.


Thanks in advance for your help,

Jeremy



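An added worked example (not part of Joe's reply or the book he co-authored) showing what answers 1, 4 and 5 above mean at the wire level: the bind request is literally the message that carries the credentials, and in a simple bind the password is an unencrypted OCTET STRING inside that message, which is why it needs LDAPS or IPsec around it. The BER encoding is hand-rolled from RFC 4511 so it runs with no LDAP library or server; the DN, password, host name and the AD-style diagnostic string are constructed samples, not captured traffic.

```python
"""Added example: what an LDAP v3 simple bind (RFC 4511) puts on the wire.

Hand-rolled BER, no LDAP library, so it runs offline. The DN, password and the
server diagnostic string used with it are constructed samples, not captured traffic.
"""
import socket
import ssl

# ASN.1/BER tags used by BindRequest and BindResponse (RFC 4511 section 4.2).
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
APP_BIND_REQUEST, APP_BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1], constructed
CTX_SIMPLE = 0x80                                  # AuthenticationChoice.simple [0] OCTET STRING
LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49


def _ber_len(n):
    """Definite-form length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(tag, value):
    """Two's-complement integer body; tag is INTEGER or ENUMERATED."""
    return _tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def _read_tlv(buf, off):
    """Return (tag, value_bytes, offset_after) for the TLV at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def build_simple_bind(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_request = _tlv(APP_BIND_REQUEST,
                        _int(INTEGER, 3)
                        + _tlv(OCTET_STRING, bind_dn.encode())
                        + _tlv(CTX_SIMPLE, password.encode()))
    return _tlv(SEQUENCE, _int(INTEGER, message_id) + bind_request)


def sniff_simple_bind(pdu):
    """What a passive observer of an unencrypted simple bind recovers: DN and password in the clear.
    Returns None for anything that is not a simple BindRequest (e.g. a SASL/GSS-SPNEGO bind)."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != SEQUENCE:
        return None
    _, msg_id, off = _read_tlv(body, 0)
    tag, req, _ = _read_tlv(body, off)
    if tag != APP_BIND_REQUEST:
        return None
    _, version, off = _read_tlv(req, 0)
    _, name, off = _read_tlv(req, off)
    auth_tag, cred, _ = _read_tlv(req, off)
    if auth_tag != CTX_SIMPLE:
        return None
    return {"message_id": int.from_bytes(msg_id, "big", signed=True),
            "version": int.from_bytes(version, "big", signed=True),
            "dn": name.decode(), "password": cred.decode()}


def build_bind_response(message_id, result_code, matched_dn="", diagnostic=""):
    """Constructed server reply (used as sample input here; not captured from a real DC)."""
    result = (_int(ENUMERATED, result_code)
              + _tlv(OCTET_STRING, matched_dn.encode())
              + _tlv(OCTET_STRING, diagnostic.encode()))
    return _tlv(SEQUENCE, _int(INTEGER, message_id) + _tlv(APP_BIND_RESPONSE, result))


def parse_bind_response(pdu):
    """Decode BindResponse; the connection is authenticated only on resultCode 0."""
    _, body, _ = _read_tlv(pdu, 0)
    _, msg_id, off = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, off)
    if tag != APP_BIND_RESPONSE:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, off = _read_tlv(resp, 0)
    _, matched, off = _read_tlv(resp, off)
    _, diag, _ = _read_tlv(resp, off)
    result_code = int.from_bytes(code, "big", signed=True)
    return {"message_id": int.from_bytes(msg_id, "big", signed=True),
            "result_code": result_code,
            "authenticated": result_code == LDAP_SUCCESS,
            "matched_dn": matched.decode(),
            "diagnostic": diag.decode(errors="replace")}


def simple_bind_over_ldaps(host, bind_dn, password, port=636, cafile=None):
    """Perform the bind for real over LDAPS (needs a reachable DC; not exercised offline).
    cafile is the self-signed or internal-CA certificate the client must trust;
    with None the system trust store is used, so a vendor-issued cert works unchanged."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_simple_bind(1, bind_dn, password))
            return parse_bind_response(tls.recv(4096))  # a BindResponse normally fits one read
```

Two things worth noticing when you run it. `sniff_simple_bind` is exactly what a sniffer on an unencrypted segment does: the password comes back verbatim, with no cracking step, which is the point behind answer 5. And the bind name is just a string the DC resolves, so a user in any OU under "Users & User Groups" (or another domain in the forest) binds the same way; with AD the name field can also be a userPrincipalName or DOMAIN\user rather than a full DN. The `cafile` argument is where a self-signed or internal-CA certificate from answer 4 goes; leave it as `None` for a cert from a public vendor.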


