Anonymous LDAP requests

I strongly recommend against this. Many applications talk to directory services over LDAP, but the LDAP RFCs define a bind operation that carries a credential, so connecting anonymously should rarely be necessary. You may have Unix-style applications that currently use an anonymous LDAP bind against other directory services, but there is a good chance they also support binding with a credential, which makes the anonymous bind unnecessary.

If an application genuinely requires anonymous binds, create a separate AD LDS instance that allows the anonymous connection and holds only the subset of information the application needs, rather than opening up the domain directory itself.

If you must enable anonymous binds on AD DS itself, you can do so:

  1. Start Adsiedit.msc (Start, Run, Adsiedit.msc).
  2. Connect to the Configuration container and expand it. Expand Services, then Windows NT.
  3. Right-click CN=Directory Service and select Properties.
  4. Double-click the dSHeuristics attribute.
  5. If the value is currently <Not Set>, set it to 0000002. If it already has a value, change only the 7th character of the string to 2, padding with zeros if the string is shorter than that. (For example, if it was 001, the new value is 0010002.) Click OK.
  6. Close the ADSIEdit tool.

Anything that NT AUTHORITY\ANONYMOUS LOGON or Everyone has rights to can now be read through an anonymous bind. Two caveats before you flip it: dSHeuristics lives in the Configuration partition, so the change replicates to every domain controller in the forest, not just the one you edited; and on Windows Server 2003 and later ANONYMOUS LOGON is not a member of Everyone by default (the "Network access: Let Everyone permissions apply to anonymous users" policy controls that), so audit what ANONYMOUS LOGON has been granted explicitly, and what more would be exposed if that policy is ever enabled.
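The same change scripted, plus a check of what it actually exposes. This is an added example and not part of the original post or the linked article; it assumes the RSAT ActiveDirectory module, a user with rights to edit the Configuration partition, and a domain controller name (dc01.example.test is a placeholder) reachable on port 389. It flips the 7th character of dSHeuristics (fLDAPBlockAnonOps) rather than the whole string, and then performs a genuine anonymous bind and search so you can see the before-and-after behaviour instead of assuming it.

```powershell
# Added example (not from the original post): set or clear the 7th character of
# dSHeuristics (fLDAPBlockAnonOps) with PowerShell instead of ADSI Edit, then
# verify the effect with a real anonymous bind and search.
# Assumes: RSAT ActiveDirectory module, rights to edit the Configuration
# partition, and that -DomainController is reachable over LDAP (389).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Set-AnonymousLdapOps {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [switch]$Disable      # omit to enable (7th char = '2'); pass to restore '0'
    )
    $rootDse = Get-ADRootDSE -Server $DomainController
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

    $current = (Get-ADObject -Identity $dsPath -Server $DomainController -Properties dSHeuristics).dSHeuristics
    if ([string]::IsNullOrEmpty($current)) { $current = '' }

    # Pad with '0' up to position 7 and overwrite only that character.
    # Characters after position 7 are preserved. (dSHeuristics also requires the
    # 10th character to be '1', the 20th '2', and so on; padding only to 7 never
    # violates that, and an existing longer string already satisfies it.)
    $chars = $current.PadRight(7, '0').ToCharArray()
    $chars[6] = if ($Disable) { '0' } else { '2' }
    $new = -join $chars

    Set-ADObject -Identity $dsPath -Server $DomainController -Replace @{ dSHeuristics = $new }
    return "dSHeuristics: '$current' -> '$new'"
}

function Test-AnonymousLdapRead {
    param([Parameter(Mandatory)][string]$DomainController)
    $rootDse = Get-ADRootDSE -Server $DomainController
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($DomainController)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # the anonymous bind itself is accepted either way; rootDSE is always readable

    # Base-scope read of the domain head: one object, so no size-limit handling needed.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $rootDse.defaultNamingContext, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, 'name')
    try {
        $resp = $conn.SendRequest($req)
        # With the flag set, the count is 0 or 1 depending on what ANONYMOUS LOGON
        # (or Everyone, if the policy lets it apply to anonymous) can read.
        return "Anonymous read of $($rootDse.defaultNamingContext) returned $($resp.Entries.Count) entry(ies)"
    } catch {
        # With the 7th character at '0' (the default) the search is refused
        # with an operations error, which is the outcome you want to see.
        return "Anonymous read refused: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

# Usage: run the test before and after flipping the flag, then restore it.
Test-AnonymousLdapRead -DomainController dc01.example.test
Set-AnonymousLdapOps   -DomainController dc01.example.test
Test-AnonymousLdapRead -DomainController dc01.example.test
Set-AnonymousLdapOps   -DomainController dc01.example.test -Disable
```

Because the setting replicates forest-wide, run the test against more than one domain controller after the change; a DC that still refuses the search has simply not received the replicated attribute yet.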


Source: http://www.windowsitpro.com/article/active-directory/q-how-do-i-enable-anonymous-ldap-binds-to-windows-server-2008-active-directory-ad-
