Re: Less Information Available in LDAP on SBS than Server 2003
- From: cleopold73 <cleopold73@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 31 Oct 2007 14:22:01 -0700
Just tried and apparently if a user account is a member of "Domain Power
Users" then I can query these LDAP attributes.
I'm not sure what is the right solution though; my understanding is that
using LDAP this way causes the password to go across in the clear, which is why
we wanted to use a very limited account, like you can use under 2003 R2.
What additional permissions do "Domain Power Users" have that could be
problematic?
Thanks
Corey
"Claus" wrote:
Have you tried running the LDAP query under a power user account?
--
Claus
"cleopold73" <cleopold73@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:48DE47A6-5652-4356-962B-01006830BC33@xxxxxxxxxxxxxxxx
I am querying the attributes with this tool, which is just a generic LDAP
browser tool...
http://www-unix.mcs.anl.gov/~gawor/ldap/
I get the same results using ldapsearch from a UNIX command line when
querying through LDAP.
What makes this problem worse is that we have joined a regular 2003 R2 Domain
Controller to the SBS domain, and the LDAP permissions problems replicate
over to it, causing us not to be able to query the UNIX attributes from the
2003 R2 DC either...
Thanks,
Corey
"kj [SBS MVP]" wrote:
It would have to be R2 to get schema 31, Cris.
OP, while you might upgrade the schema on SBS to v31, note that an SBS R2
server does not have all the same interoperability components and services
installed that Server 2003 R2 has (unfortunately).
OP, what method & manner were you using to query the SBS R2 (with adprep
v31 schema) for those attributes?
--
/kj
"Cris Hanna [SBS-MVP]"
<crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eq3Hbb$GIHA.5328@xxxxxxxxxxxxxxxxxxxxxxx
When you referred to W2k3 in your Original Post for the comparison, was
the standard server "R2"?
--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues
"cleopold73" <cleopold73@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:40C4829D-B447-4DEA-B94C-12D48C77E7C2@xxxxxxxxxxxxxxxx
The real problematic attributes for us are the UNIX related ones like
uidNumber, loginShell, unixHomeDirectory, which are there after upgrading to
Schema 31 on SBS, but can not be seen by a proxy LDAP user created as
referenced in the "Windows Security and Directory Services for UNIX Guide".
These UNIX attributes are available to a non-administrator account under a
plain 2003 R2 instance, but not available to a non-administrator account on
SBS R2 with Schema 31.
The reason I stayed away from the UNIX reference in the first post is I was
hoping to appeal to a broader audience to understand why LDAP under SBS hides
some attributes when queried by non-administrative accounts.
Thanks
Corey
"Cris Hanna [SBS-MVP]" wrote:
> Maybe if you give us a better idea of what you want to accomplish,
> we can provide "Plan B".
>
> I don't have an explanation of why it's different.
>
> --
> Cris Hanna [SBS-MVP]
> -------------------------------------------------
> Microsoft MVPs
> Independent Experts (MVPs do not work for MS)
> Real World Answers
> ---------------------------------------------------------
> Please do not contact me directly regarding issues
>
> "cleopold73" <cleopold73@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> message news:C0E28A74-7115-4499-BF53-F4E417BF7199@xxxxxxxxxxxxxxxx
> Using an LDAP browser authenticated with a non-Administrative account,
> user attributes like accountExpires, whenChanged, lastLogoff, cannot be
> seen on an SBS. On a default install of Server 2003 R2 we can see these
> attributes as a non-privileged user via LDAP. What is the difference in
> SBS that causes this?
>
> We do see all the attributes if using an Administrative account to bind
> to LDAP.
>
> We would like to not have to use an administrative account to query these
> attributes.
>
> Thanks
>
> Corey
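As an added illustration, not part of this thread and not the LDAP browser or ldapsearch output the posters describe: a small Python script that parses two ldapsearch LDIF captures of the same search, one taken with an administrative bind and one with the restricted proxy account, and reports which attributes only the privileged bind returned. That is the comparison the thread does by eye (admin sees uidNumber, loginShell, unixHomeDirectory, accountExpires and friends; the proxy user does not). The LDIF below is constructed, and the DN `CN=proxytest,CN=Users,DC=example,DC=local` and the account name are placeholders.

```python
"""Compare which LDAP attributes two bind identities can read.

Parses LDIF, the format ldapsearch prints, from two captures of the same
search: one bound as an administrator and one bound as the restricted proxy
account. Reports, per entry, the attributes only the privileged bind returned.
All sample data below is constructed; the DN and account name are placeholders.
"""
import base64
from typing import Dict, List, Optional

LdifEntries = Dict[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> LdifEntries:
    """Parse LDIF text into {dn: {attribute: [values]}}.

    Handles folded lines (a continuation line starts with one space),
    base64 values ("attr:: <base64>"), comment lines and the version header.
    ldapsearch's trailing "search:"/"result:" summary has no dn, so it is dropped.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # join continuation onto previous line
        else:
            unfolded.append(raw)

    entries: LdifEntries = {}
    current: Dict[str, List[str]] = {}
    dn: Optional[str] = None
    for line in unfolded + [""]:         # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries[dn] = current
            dn, current = None, {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):        # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        name = name.strip()
        if name.lower() == "dn":
            dn = value
        else:
            current.setdefault(name, []).append(value)
    return entries


def attributes_hidden_from(privileged: LdifEntries,
                           restricted: LdifEntries) -> Dict[str, List[str]]:
    """For each entry in the privileged capture, list the attributes the
    restricted bind did not get back. An entry the restricted bind could not
    see at all reports every attribute. Names compare case-insensitively, as
    LDAP attribute types do."""
    hidden: Dict[str, List[str]] = {}
    for dn, attrs in privileged.items():
        seen = {a.lower() for a in restricted.get(dn, {})}
        missing = sorted((a for a in attrs if a.lower() not in seen), key=str.lower)
        if missing:
            hidden[dn] = missing
    return hidden


# Constructed capture taken with an administrative bind.
ADMIN_CAPTURE = """\
# extended LDIF
#
# LDAPv3
# base <CN=Users,DC=example,DC=local> with scope subtree
# filter: (sAMAccountName=proxytest)
#
dn: CN=proxytest,CN=Users,DC=example,DC=local
objectClass: user
cn: proxytest
sAMAccountName: proxytest
description:: VGVzdCBhY2NvdW50IChjb25z
 dHJ1Y3RlZCk=
accountExpires: 9223372036854775807
whenChanged: 20071031200000.0Z
lastLogoff: 0
uidNumber: 10001
loginShell: /bin/bash
unixHomeDirectory: /home/proxytest

# search result
search: 2
result: 0 Success
"""

# Constructed capture of the same search bound as the restricted proxy account.
PROXY_CAPTURE = """\
dn: CN=proxytest,CN=Users,DC=example,DC=local
objectClass: user
cn: proxytest
sAMAccountName: proxytest
description:: VGVzdCBhY2NvdW50IChjb25z
 dHJ1Y3RlZCk=

# search result
search: 2
result: 0 Success
"""


def main() -> None:
    report = attributes_hidden_from(parse_ldif(ADMIN_CAPTURE), parse_ldif(PROXY_CAPTURE))
    for dn, attrs in report.items():
        print(f"{dn}: not readable by the proxy bind -> {', '.join(attrs)}")


if __name__ == "__main__":
    main()
```

To use it on a real directory, save each ldapsearch run to a file and pass the contents to `parse_ldif()`. When taking the restricted-account capture, ldapsearch's `-ZZ` switch makes the client require a successful StartTLS before the simple bind, and `-H ldaps://...` does the same over the dedicated TLS port, so the proxy account's password does not cross the wire in the clear.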