RE: [ActiveDir] ADAM bind Redirection with a NULL password
Hi

This is not just an ADAM problem, it's been a problem with LDAP directories for some time now and was discussed in the LDAPbis WG. As a result, if you look at RFC4513 (RFC2829 is obsolete) you will see this issue is now addressed by making a distinction between an anonymous authentication and an unauthenticated authentication mechanism. This puts the burden of checking sins of omission on the LDAP client (an RFC to beat client vendors with) but *also* allows a server to fail a bind request that populates the name but not the password. Zero length passwords have always been a pain, the RFC has been updated to recognize that and I think you could make a change request for compliance on that basis.

One other thing on the client side that you could do as a check if you can modify the app: if you bind with the dn and password provided by the user you can then read the msDS-PrincipalName attribute from the ADAM rootDSE to see who you are. A more generic approach would be to bind using the dn and password and then use the RFC4532 LDAP WhoAmI (1.3.6.1.4.1.4203.1.11.3) Extended Op to see who the DSA thinks you are (ADAM implements this); it should return null for an anonymous or unauthenticated connection.

Lee Flight

--RFC4515 extract--

5.1.1. Anonymous Authentication Mechanism of Simple Bind

An LDAP client may use the anonymous authentication mechanism of the simple Bind method to explicitly establish an anonymous authorization state by sending a Bind request with a name value of zero length and specifying the simple authentication choice containing a password value of zero length.

5.1.2. Unauthenticated Authentication Mechanism of Simple Bind

An LDAP client may use the unauthenticated authentication mechanism of the simple Bind method to establish an anonymous authorization state by sending a Bind request with a name value (a distinguished name in LDAP string form [RFC4514] of non-zero length) and specifying the simple authentication choice containing a password value of zero length.

The distinguished name value provided by the client is intended to be used for trace (e.g., logging) purposes only. The value is not to be authenticated or otherwise validated (including verification that the DN refers to an existing directory object). The value is not to be used (directly or indirectly) for authorization purposes.

Unauthenticated Bind operations can have significant security issues (see Section 6.3.1). In particular, users intending to perform Name/Password Authentication may inadvertently provide an empty password and thus cause poorly implemented clients to request Unauthenticated access. Clients SHOULD be implemented to require user selection of the Unauthenticated Authentication Mechanism by means other than user input of an empty password. Clients SHOULD disallow an empty password input to a Name/Password Authentication user interface. Additionally, Servers SHOULD by default fail Unauthenticated Bind requests with a resultCode of unwillingToPerform.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: 29 September 2006 01:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM bind Redirection with a NULL password

Since there has been talk of LDAP Authentication as of late, I figured I'd post my issue of poorly developed applications allowing a null password to an ADAM instance using Bind Redirection.

http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry

I'd be curious if a bit flip to shut down this possibility could be put in control of the directory Admin, instead of relying on the developers.

Thanks,
Jef Kazimer

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
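The three simple-bind cases the RFC extract distinguishes (anonymous, unauthenticated, name/password), shown on the wire and checked from both ends, as an added example that is not part of the thread or of ADAM: it builds the BER-encoded simple BindRequest, adds the client-side guard the RFC asks for, and applies the server-side default of answering an unauthenticated bind with unwillingToPerform. The DN, password and the `verify` callback are constructed placeholders; the encoder handles only the simple authentication choice.

```python
ANONYMOUS, UNAUTHENTICATED, NAME_PASSWORD = "anonymous", "unauthenticated", "name/password"
SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53  # LDAP resultCode values

def _ber(tag, payload):
    """Wrap payload in a BER TLV using the definite (short or long) length form."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _tlv(buf, pos):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                  # long form: n & 0x7F length octets follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def encode_bind_request(message_id, dn, password):
    """Wire format of LDAPMessage { messageID, [APPLICATION 0] BindRequest } with no guard,
    i.e. what a poorly written client sends whatever the user typed (message_id < 128)."""
    bind = _ber(0x02, b"\x03") + _ber(0x04, dn.encode()) + _ber(0x80, password.encode())
    return _ber(0x30, _ber(0x02, bytes([message_id])) + _ber(0x60, bind))

def client_bind_request(message_id, dn, password):
    """Client side per RFC 4513 5.1.2: an empty password with a DN must not go out as a bind."""
    if dn and not password:
        raise ValueError("empty password would request an unauthenticated bind")
    return encode_bind_request(message_id, dn, password)

def classify_bind(msg):
    """Decode an LDAPMessage and name the RFC 4513 mechanism the simple bind is using."""
    _, body, _ = _tlv(msg, 0)                     # LDAPMessage SEQUENCE
    _, _, pos = _tlv(body, 0)                     # messageID
    tag, req, _ = _tlv(body, pos)                 # [APPLICATION 0] BindRequest
    _, _, pos = _tlv(req, 0)                      # version
    _, dn, pos = _tlv(req, pos)                   # name (LDAPDN)
    auth_tag, pw, _ = _tlv(req, pos)              # AuthenticationChoice
    if tag != 0x60 or auth_tag != 0x80:
        raise ValueError("not a simple BindRequest")
    if pw:
        return NAME_PASSWORD, dn.decode(), pw.decode()
    return (UNAUTHENTICATED if dn else ANONYMOUS), dn.decode(), ""

def server_result_code(msg, verify):
    """Server side, RFC 4513 default: a DN with a zero-length password is refused, not treated
    as anonymous; verify(dn, pw) is the directory's own credential check (placeholder here)."""
    mechanism, dn, pw = classify_bind(msg)
    if mechanism == UNAUTHENTICATED:
        return UNWILLING_TO_PERFORM
    if mechanism != NAME_PASSWORD:                # explicit anonymous bind is still allowed
        return SUCCESS
    return SUCCESS if verify(dn, pw) else INVALID_CREDENTIALS
```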
Re:[ActiveDir] Creating an OU in ADAM
> cnvals[0] = location;

I think that needs to agree with your ou name i.e.

cnvals[0] = test;

Lee Flight

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Schema changes between 2000 and 2003
For reference there is also a summary of the Windows 2003 schema modifications at:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/windows_server_2003_only_schema.asp

Lee Flight
Network Support, Computer Centre
University of Leicester
RE: [ActiveDir] schema updates (SMS 2003)
In fact there is an LDIF file for SMS2003, it's buried in the SMS2003 Toolkit:

http://www.microsoft.com/smserver/downloads/2003/tools/toolkit.asp

Unfortunately the SMS2003 Active Directory Schema Modification and Publishing for Systems Management Server 2003 documentation at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=d1de764c-8e26-455f-bee5-34fb1ca9f2c4DisplayLang=en

neglects to mention it. :(

Lee
--
Lee Flight
Network Support, Computer Centre
University of Leicester

Date: Fri, 30 Jan 2004 09:46:35 -0500
From: Tony Murray [EMAIL PROTECTED]
Subject: RE: [ActiveDir] schema updates
Reply-To: [EMAIL PROTECTED]

I completely agree with you Joe. I've been hassling vendors left, right and centre to provide LDIF files for schema extensions. Unfortunately, no one appears to listen. The most recent extensions I've tested have been from MS (SMS 2003) and HP (Managed Objects), both of which fail to provide LDIFs. If we can't get the big boys to provide them, what hope do we have with the smaller vendors.
RE: [ActiveDir] Strange intermittent problem with IADsUser::SetPassword
Hi,

When the procedure starts to fail what do you see in the target DC audit trail: Account Logon | Account Management? Have you tried auditing Directory Services Access failures (KB232714)? Does the problem persist if you (are able to) switch to OpenDSObject(WinNT:// as a test? Does the account that triggers the start of the problem have any interesting (userAccountControl) flags set?

It might be worth doing metabase dumps on the virtual server to compare working with broken in case something is changing an IIS attribute during running. From your diagnostics it looks like an inetinfo.exe caching issue, something like IISState from the IIS resource kit might help but it would be hard work :( The only problems I have ever looked at in this area are with password changes in Exchange OWA and these went away with IIS6.0 and Exchange 2003.

cheers,
Lee Flight
Network Support, Computer Centre
University of Leicester

Subject: [ActiveDir] Strange intermittent problem with IADsUser::SetPassword
Date: Wed, 14 Jan 2004 18:05:47 -0600
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Hi all,

We are having some problems that are very difficult to diagnose using the SetPassword method on IADsUser.
RE: [ActiveDir] DSQuery shows wrong DC as holding role
When we were moving roles around recently for the Windows 2003 upgrade we scripted:

netdom query /server:dcname fsmo

to check consistency. As some roles are stored as attributes on the schema and configuration containers, changes (KB 223787) may take longer to replicate than those stored as attributes on the domain container. You might also want to make sure you have the latest version of the ds* command line tools, see KB 824678.

Lee Flight
Network Support, Computer Centre
University of Leicester
RE: [ActiveDir] Microsoft Announces Identity Managment Solution
Maybe there's a little more to it, in light of the SSO scalability paper at:

http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/adscaltest.asp

and the latest info on TrustBridge:

http://www.microsoft.com/usa/presentations/Hur_SecuritySummitWest03.ppt

Further speculation is available at:

http://infoworld.com/article/03/06/30/HNmsid_1.html

Lee Flight
University of Leicester, UK

From: Myrick, Todd (NIH/CIT) [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Microsoft Announces Identity Managment Solution
Date: Tue, 1 Jul 2003 13:07:14 -0400

Yeah, just wanted to stir up some trouble... hehe

I have heard that it is a new Marchitecture shift at Microsoft along with .NET.

Todd
RE: [ActiveDir] Question About Schema Extensions.... Chicken or Egg
The Exchange 2000 schema extensions can lead to mangled attributes when the W2003 schema updates take place wrt. the InetOrgPerson in W2003, see KB 314649 and KB 325379. Those two articles are not entirely consistent but the InetOrgPersonPrevent.ldf in KB 325379 (updated 06/20/2003) is the one to use if you need to unmangle Exchange 2000 prior to the W2003 upgrade.

Lee Flight
University of Leicester

From: [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Friday, June 27, 2003 10:15 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Question About Schema Extensions Chicken or Egg

The reason why I ask is because I thought I remembered Andres Luther at the DEC 2003 saying that there were two bug fixes for Exchange 2000 schema extensions in the Windows 2003 schema extensions.
RE: [ActiveDir] [ActiveDir Digest] Back to Basics - Design Pros and Cons
Hi,

The windows-hied list (there is a link from http://windows.stanford.edu) discusses these issues for hied. There is an archive at:

http://admin.ufl.edu/windows/discussions/windows-hied/

search in the subject for OU design.

Empty root is certainly a design option but I do not believe that it is regarded as a best practice, as is sometimes implied in design reviews, it's just an option. If you are a school within a larger organization you would want to check if that organization has any (possibly un-exercised) active directory planning or guidelines in place.

Lee Flight
Network Support, Computer Centre
University of Leicester

From: Wohlgehagen, Max W [EMAIL PROTECTED]
Subject: [ActiveDir] Back to Basics - Design Pros and Cons
Date: Wed, 11 Dec 2002 12:20:28 +1100
Reply-To: [EMAIL PROTECTED]

There is so much material out there on AD now it is almost scary [in many ways it is not too dissimilar to NDS 'cepting the DNS component]

My problem is design for a new network, being in a school we have the luxury of starting from scratch without business fallout problems. We are multi-campus and have a fairly substantial network with an 11MB Spread Spectrum Microwave link between campuses.
RE: [ActiveDir] Manual Refresh of GPO on local computer
If you are convinced that the policy change is active and replicating, you could try checking to see if the user policy has been tattooed with the (old) redirection settings. KB article 242557 describes the keys. Beyond that, debug the GPO application (KB article 250842).

Lee Flight
Network Support, Computer Centre
University of Leicester

-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 06, 2002 3:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Manual Refresh of GPO on local computer

I've changed the folder redirection on our group policy but I have a local computer that seems like it doesn't want to accept the changes. Is there a way to make it manually refresh the changes?

-Chris
RE: [ActiveDir] MMS
Hi,

If you want to do inter-AD forest testing:

"Microsoft Metadirectory Services 2003, Standard Edition, will ship approximately 90 days after the Windows .NET Server release (1Q03). Standard edition will be made available as a no-charge web download."

From: http://www.microsoft.com/windows2000/technologies/directory/MMS/mms2003_faq.asp

requires Windows .NET Server and SQL2000 (and that 1Q03 has now slipped a little)

Lee Flight
Network Support, Computer Centre
University of Leicester

From: Rick Kingslan [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MMS
Date: Wed, 20 Nov 2002 17:52:03 -0600
Reply-To: [EMAIL PROTECTED]

Jim,

That's about to change. When MMS 3.0 is released, I've been told by our MS folks that it will be a sale item, much like Windows 2000, or Windows XP. But, it will still have a hefty price. This, plus the training that most folks will likely need to install, configure and manage it. Cool software, just not for the average savant.

If you're looking to just play around with it, I'm not sure what to tell you. MS may offer a trial as they do with many other packages. I, for one, wouldn't count on it.