Re: LDAP Authentication from Linux



As of Windows Server 2003 SP1, you must be a member of Authenticated Users to query Active Directory. So a limited account on the domain should have enough privileges to query it via LDAP if it's properly bound. Depending on the security policy set up, you may require the query to be done securely though. Hence my recommendation to use ldaps, which is not a bad best practice anyways.

Regards,
Dana Epp [Microsoft Security MVP]
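An Apache mod_authnz_ldap configuration that follows the recommendation above (a limited bind account rather than a Domain Admin, and ldaps instead of plain ldap), added here as an example and not taken from the thread. The domain controller hostname, base DN, service account name and CA certificate path are placeholders to be replaced with your own values:

```apache
# Added example (not from the thread): Apache mod_authnz_ldap bound to a
# Windows 2003 domain controller over LDAPS with a limited service account.
# Hostname, base DN, account name and certificate path are placeholders.

# Global scope (not inside a vhost or Location): trust the CA that issued the
# domain controller's certificate and refuse the session if it does not verify.
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/ssl/domain-ca.pem
LDAPVerifyServerCert On

<Location /secure>
    AuthType Basic
    AuthName "Domain login"
    AuthBasicProvider ldap

    # ldaps:// on 636; search the whole domain for a user object whose
    # sAMAccountName matches the name typed into the browser.
    AuthLDAPURL "ldaps://dc1.example.local:636/DC=example,DC=local?sAMAccountName?sub?(objectClass=user)"

    # An ordinary domain user created only for this purpose. Being a member of
    # Authenticated Users is all the search bind needs on 2003 SP1; it is not
    # in Domain Admins. The password is stored in clear text here, so keep this
    # file readable by root only.
    AuthLDAPBindDN "CN=svc-apache-ldap,OU=Service Accounts,DC=example,DC=local"
    AuthLDAPBindPassword "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"

    # The browser user's own password is checked by a second bind as that user,
    # so the service account never needs rights to read anyone's credentials.
    Require valid-user
</Location>
```

Before restarting Apache it is worth checking the service account on its own with `ldapsearch -H ldaps://dc1.example.local -D "CN=svc-apache-ldap,OU=Service Accounts,DC=example,DC=local" -W -b "DC=example,DC=local" "(sAMAccountName=someuser)"`. If that search succeeds as the limited account, a bind failure in Apache points at the module configuration or the certificate trust (LDAPTrustedGlobalCert) rather than at directory permissions; if it fails while the same search works as a Domain Admin, the account really does lack read rights on the part of the tree being searched.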


"Joe" <joe@xxxxxxxxxxxxxx> wrote in message news:uNkyA%23clIHA.980@xxxxxxxxxxxxxxxxxxxxxxx
Adrian Marsh (NNTP) wrote:
> Hi All,
>
> I'm trying to implement a secure authentication from an apache2 server across to my SBS2003 server.
>
> I've configured LDAP in apache, and if I bind using a Domain Admin account then all is well and I can login.
>
> However, I don't really want to use a domain admin account for this. So I set up a new user account, and have tried using that but the bind fails. I'm guessing it's a permissions issue, but am not sure where to start to look.

I assume you're asking LDAP for confirmation of user credentials? Should an unprivileged user be allowed to do this for credentials other than his own? Possibly there are security groups lower than domain admin that will allow it.

> Second, am I using the right mechanism here? Isn't LDAP for directory lookups and Kerberos for authentication??

Have you tried making the Linux machine a domain member? I'm not quite sure of the state of the art of Samba at the moment, but I believe it's up to domain membership on 2003. I'm not sure if it can do domain controller yet. Again, I'm not sure if this will help as it seems to me you're asking about domain security information as an unprivileged user.
