These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

LDAP01/Setting Up Windows


So how do we solve this? Well, there are a few ways around this problem.
  • We specify values for binddn and bindpw (the bind DN and the bind password for that DN) in /etc/ldap.conf. The problem is that /etc/ldap.conf must be world readable, so any local UNIX user could read it and obtain the administrator's password.
  • We implement a posixAccount-like system in Windows (which we will do in a second).
  • We allow anonymous searches of specific attributes in Active Directory.

While the third option is not the most desirable, it is certainly more desirable than the first (the searches still require a tool for searching, and with a firewall you can easily block anonymous searches from any client other than the OpenLDAP server(s)). So, what we need to do is relax the ACLs on users and groups in Active Directory.

To do this, launch the Active Directory Users and Computers administration tool (Figure 9-1 on page 196). Right click on the Users icon and select "Properties".

Next, you move to the security tab of the resulting dialog box and select the "Advanced" button. You need to add the following three entries to the access control list (bottom of page 196 and also in Figure 9-1 on page 197):

  • The Everyone group requires the List Contents permission on the User container itself.
  • The Everyone group requires the ability to read certain properties of User objects. This permission should apply to the User container and all its children.
  • The Everyone group requires the ability to read certain properties of Group objects. This permission should apply to the User container and all its children.

Note that "Read All Properties" does not include the permission to read a user's password anonymously.

Windows 2000 does not support StartTLS, but does support the LDAPS protocol on port 636. There are two preconditions for this to work:

  • The Windows Active Directory server must support 128-bit encryption.
  • The Active Directory server must have been issued a digital certificate.

After the directory server has been configured to support LDAPS, we should add the following lines to /etc/ldap.conf:

 ssl  on
 port 636

If you are having trouble with the server's certificate not being verified, then you may wish to add the line "TLS_REQCERT never" to /etc/slapd/ldap.conf, the OpenLDAP client library configuration file. Be aware that this turns off verification of the server certificate altogether rather than fixing it; the clean fix is to install the certificate of the CA that issued the Active Directory server's certificate on the OpenLDAP client so that the default setting can be kept.
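The three configuration concerns above (a bind password in a world-readable /etc/ldap.conf, LDAPS needing both "ssl on" and port 636, and TLS_REQCERT never disabling certificate checks) can be checked mechanically. The following is an added example, not code from the original notes; the sample configuration is constructed, and since both the nss_ldap file and the OpenLDAP client file use the same "key value" format the checker reads either one.

```python
import stat
from typing import Dict, List

# Constructed sample of an ldap.conf, combining the directives discussed in
# the notes (not a file from the original page).
SAMPLE_LDAP_CONF = """\
host ad.example.internal
base dc=example,dc=internal
binddn cn=Administrator,cn=Users,dc=example,dc=internal
bindpw Sup3rSecret
ssl  on
port 636
TLS_REQCERT never
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse the 'key value' format of ldap.conf; keys are case-insensitive."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # key, then the rest of the line
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text: str, mode: int) -> List[str]:
    """Return findings for an ldap.conf body and the file's permission bits."""
    conf = parse_ldap_conf(text)
    findings: List[str] = []
    # Option 1 from the notes: a stored bind password in a world-readable file
    # hands the administrator's password to every local UNIX user.
    if "bindpw" in conf and mode & stat.S_IROTH:
        findings.append("bindpw is set but the file is world-readable")
    # LDAPS requires both settings; one without the other is a misconfiguration.
    if conf.get("ssl") == "on" and conf.get("port") != "636":
        findings.append("ssl on without port 636: LDAPS expected on 636")
    if conf.get("port") == "636" and conf.get("ssl") != "on":
        findings.append("port 636 without ssl on: connection will not use LDAPS")
    # 'never' silences certificate errors by skipping verification entirely.
    if conf.get("tls_reqcert", "").lower() == "never":
        findings.append("TLS_REQCERT never disables server certificate checking")
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_conf(SAMPLE_LDAP_CONF, 0o644):
        print("WARN:", finding)
```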


Last edited October 2, 2003 3:07 am
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.