[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap-client connection to AD - LdapErr: DSID-0C090627,

To: Sankhadip Sengupta <sdsgupta@cs.utah.edu>
Subject: Re: ldap-client connection to AD - LdapErr: DSID-0C090627,
From: Michael Ströder <michael@stroeder.com>
Date: Wed, 11 Mar 2009 00:26:26 +0100
Cc: openldap-technical@openldap.org
In-reply-to: <20090310153032.emwqdzfvkg8ckggc@webmail.cs.utah.edu>
References: <20090310060906.38712.qmail@f4mail214.rediffmail.com> <62B2A2B8933A874DAD275E602138169B1A0308B5@gsmbcdp07es.firmwide.corp.gs.com> <20090310115936.kclva03gv4004o0w@webmail.cs.utah.edu> <49B6AD1E.3070900@stroeder.com> <20090310153032.emwqdzfvkg8ckggc@webmail.cs.utah.edu>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.21) Gecko/20090303 SeaMonkey/1.1.15

Sankhadip Sengupta wrote:
> Quoting Michael Ströder <michael@stroeder.com>:
> 
>> Sankhadip Sengupta wrote:
>>>           If you want to anonymous queries you can easily do that in
>>> Microsoft ADS.The link below is an excellent resource for doing that.I
>>> have myself achieved success with this knowhow.
>>>
>>> http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
>>
>> As said: This is a massive change in the operational security of MS AD
>> not appreciated by any AD admins I know. It's far more appropriate to
>> get the LDAP bind right in your LDAP client.
>
> This only allows "read" rights to  some or all of a particular user not
> all.
> 
> For certain queries with LDAP protocol this is required specially if the
> client is not aware of the bind dn,password etc.

I don't want to be unpolite. But I don't understand why you keep
pointing the original poster in the wrong direction.

The OP seems to be rather a beginner trying to get familiar with
connecting to AD via LDAP just for binding and searching. It seems he
was successful with the connect in the mean-time but not with the bind.
And now you're still telling him to muck around with the domain
configuration without you having further knowledge about his
environment, administrative responsibilities and security requirements.
To make it really clear: That's simply bad advice for a beginner. Period.

> It totally depends on the usage of the LDAP client and its requirements.
> 
> Also, just a note even if LDAP bind is successful in any ADS,if you do
> not have permissions to read in other hiererchies other than the bind dn
> you will face the same issue.

There might be some situation where a LDAP client app cannot properly
bind to a LDAP service (e.g. AD). But then I'd rather deploy a LDAP
proxy (OpenLDAP with back-ldap) and let the proxy bind to AD and provide
anon access to this particular broken client app (e.g. restricted by ACL
based on IP address). For this to work one has to first fully understand
how binding works on the command-line with ldapsearch. So back to basics...

Ciao, Michael.

Follow-Ups:
- Re: ldap-client connection to AD - LdapErr: DSID-0C090627,
  - From: "Sankhadip Sengupta" <sdsgupta@cs.utah.edu>

References:
- ldap-client connection to AD - LdapErr: DSID-0C090627,
  - From: "Santosh Kumar" <santosh.kb@rediffmail.com>
- RE: ldap-client connection to AD - LdapErr: DSID-0C090627,
  - From: "Kantrapati, Bharath" <bharath.kantrapati@gs.com>
- RE: ldap-client connection to AD - LdapErr: DSID-0C090627,
  - From: Sankhadip Sengupta <sdsgupta@cs.utah.edu>
- Re: ldap-client connection to AD - LdapErr: DSID-0C090627,
  - From: Michael Ströder <michael@stroeder.com>
- Re: ldap-client connection to AD - LdapErr: DSID-0C090627,
  - From: Sankhadip Sengupta <sdsgupta@cs.utah.edu>

Prev by Date: Mirrormode problem
Next by Date: Re: ldap-client connection to AD - LdapErr: DSID-0C090627,
Index(es):
- Chronological
- Thread