Re: LDAP Authentication from Linux
- From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 04 Apr 2008 10:20:30 +0100
Thanks Dana and everyone,
I've managed to figure out with the help of a colleague that I was using the wrong CN. I had almost everything else right though. I'm experimenting now putting the user into different OUs, to understand the effect. At the moment I have the user in the SBSUsers OU. I think this user becomes a member of Authenticated Users automatically, but I'm just learning what that means. Using an LDAP browsing tool and that account, I can browse the whole AD, but I'm hoping that removing the user from Domain Users stops it from doing anything other than LDAP lookups. Not sure there though.
I'm intrigued by the ldaps idea though. I did some packet capture on the server to see if the ldap password was sent clear-text and it doesn't seem to be, so on our LAN that might be secure enough, though I think I'd still like SSL anyway just to be sure.
Adrian
Dana Epp [Security MVP] wrote:
As of Windows Server 2003 SP1, you must be a member of Authenticated Users to query Active Directory. So a limited account on the domain should have enough privileges to query it via LDAP if it's properly bound. Depending on the security policy set up, you may require the query to be done securely though. Hence my recommendation to use ldaps, which is not a bad best practice anyway.
Regards,
Dana Epp [Microsoft Security MVP]
"Joe" <joe@xxxxxxxxxxxxxx> wrote in message news:uNkyA%23clIHA.980@xxxxxxxxxxxxxxxxxxxxxxx
Adrian Marsh (NNTP) wrote:
Hi All,
I'm trying to implement a secure authentication from an apache2 server across to my SBS2003 server.
I've configured LDAP in apache, and if I bind using a Domain Admin account then all is well and I can login.
However, I don't really want to use a domain admin account for this. So I setup a new user account, and have tried using that but the bind fails. I'm guessing it's a permissions issue, but am not sure where to start to look.
I assume you're asking LDAP for confirmation of user credentials? Should an unprivileged user be allowed to do this for credentials other than his own?
Possibly there are security groups lower than domain admin that will allow it.
Second, am I using the right mechanism here? Isn't LDAP for directory lookups and Kerberos for authentication??
Have you tried making the Linux machine a domain member? I'm not quite sure of the state of the art of Samba at the moment, but I believe it's up to domain membership on 2003. I'm not sure if it can do domain controller yet. Again, I'm not sure if this will help as it seems to me you're asking about domain security information as an unprivileged user.
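The setup the thread is working towards, written out as an added Apache mod_authnz_ldap example (not configuration from any poster): a dedicated low-privilege bind account given as its full AD distinguished name, LDAPS with the server certificate verified, and the user lookup keyed on sAMAccountName. The hostname sbs.example.local, the domain DNs, the svc-apache-ldap account and the CA file path are assumed placeholders.

```apache
# --- Weak variant, shown only for contrast (do not use) ---
# Binds as a Domain Admin over plain ldap://, so the bind password and every
# user's credentials cross the LAN unencrypted, and a compromise of the web
# server yields a domain-admin credential.
#   AuthLDAPURL    "ldap://sbs.example.local/DC=example,DC=local?sAMAccountName?sub"
#   AuthLDAPBindDN "CN=Administrator,CN=Users,DC=example,DC=local"

# --- Hardened variant ---
# Server-wide (outside any <Directory>): trust the CA that issued the DC's
# certificate and refuse to talk to a DC whose certificate does not verify.
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/ssl/ad-root-ca.pem   # assumed path
LDAPVerifyServerCert  On

<Directory "/var/www/intranet">
    AuthType          Basic
    AuthName          "Intranet (domain credentials)"
    AuthBasicProvider ldap

    # ldaps:// on 636. Search base is the OU holding the users; the filter
    # matches the typed username against sAMAccountName, which is what AD
    # users actually log in with (the RDN "CN=" is the display name, which
    # is the "wrong CN" mistake from the thread).
    AuthLDAPURL "ldaps://sbs.example.local:636/OU=SBSUsers,DC=example,DC=local?sAMAccountName?sub?(objectClass=user)"

    # Dedicated, unprivileged service account used only for the lookup bind.
    # It must be the full DN; the CN here is the account's object name in AD,
    # not necessarily its sAMAccountName.
    AuthLDAPBindDN       "CN=svc-apache-ldap,OU=SBSUsers,DC=example,DC=local"   # assumed account
    AuthLDAPBindPassword "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"

    # After the lookup, mod_authnz_ldap re-binds as the found user with the
    # password they typed, so the service account never needs to read
    # password data, only to search the directory.
    Require valid-user
</Directory>
```

With LDAPVerifyServerCert On, a bind that fails because of an untrusted certificate shows up in the Apache error log as an LDAP "Can't contact LDAP server" style failure, so check the log before assuming a permissions problem.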