s4 anonymous LDAP binds

Lukasz Zalewski lukas at dcs.qmul.ac.uk
Mon Jul 5 10:35:28 MDT 2010

Hi all,
I have noticed that s4 (func level 2008) allows anonymous ldap binds by 
default, i.e.
ldapsearch -x -h my.s4.host -b my.base.dn CN=username
prints quite a lot of information about username

I was under the impression that the anonymous binds are not allowed 
(http://technet.microsoft.com/en-us/library/cc816788%28WS.10%29.aspx) - 
The document also includes information on how to enable them - 
dsHeuristics attribute mentioned in the above article does not seem to 
be defined by default (which should default to 0's across the board i 
believe?) so the anonymous binds should not be allowed.

Am I missing or doing something wrong?

What shall one change in order to disable them?

Many Thanks


More information about the samba-technical mailing list