s4 anonymous LDAP binds

Michael Wood esiotrot at gmail.com
Mon Jul 5 13:42:58 MDT 2010


Hi

On 5 July 2010 18:35, Lukasz Zalewski <lukas at dcs.qmul.ac.uk> wrote:
> Hi all,
> I have noticed that s4 (func level 2008) allows anonymous LDAP binds by
> default, i.e.
> ldapsearch -x -h my.s4.host -b my.base.dn CN=username
> prints quite a lot of information about username
>
> I was under the impression that the anonymous binds are not allowed
> (http://technet.microsoft.com/en-us/library/cc816788%28WS.10%29.aspx) - The
> document also includes information on how to enable them - dsHeuristics
> attribute mentioned in the above article does not seem to be defined by
> default (which should default to 0's across the board I believe?) so the
> anonymous binds should not be allowed.
>
> Am I missing or doing something wrong?
>
> What shall one change in order to disable them?

Yes, I think this is a known issue.  I'm sure I've seen it mentioned
somewhere before.

But this entry in
http://wiki.samba.org/index.php/Samba4/Andrew_and_Jelmers_Fantasy_Page
implies that it's been fixed already:

Plans for fortnight ending 26 July 2008
Achieved so far

    * Fix LDAP backend to be secure (not anonymous access) (Andrew)

-- 
Michael Wood <esiotrot at gmail.com>
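
Added example (not part of the original message and not Samba code): a small Python audit that compares what dsHeuristics implies with what an anonymous search actually returned, which is the mismatch reported in this thread. It assumes the Windows rule that anonymous operations are enabled only when the seventh character of dsHeuristics is "2"; the function names and the sample ldapsearch output are constructed for illustration.

```python
import base64

# Constructed sample: trimmed `ldapsearch -x` output where an anonymous search returned an entry.
SAMPLE_LDIF = """\
# base <DC=example,DC=test> with scope subtree
dn: CN=username,CN=Users,
 DC=example,DC=test
cn: username

result: 0 Success
"""

def anon_ops_blocked(ds_heuristics):
    """Assumed Windows AD rule: blocked unless the 7th character of dsHeuristics is '2'."""
    value = ds_heuristics or ""          # attribute not set behaves like all zeros
    return not (len(value) >= 7 and value[6] == "2")

def exposed_dns(ldif_text):
    """Return the DNs of entries in LDIF output, skipping the rootDSE (empty DN)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]         # LDIF folds long lines with one leading space
        else:
            lines.append(raw)
    dns = []
    for line in lines:
        if line.startswith("dn::"):      # base64-encoded DN
            dn = base64.b64decode(line[4:].strip()).decode("utf-8", "replace")
        elif line.startswith("dn:"):
            dn = line[3:].strip()
        else:
            continue
        if dn:                           # rootDSE is anonymously readable by design
            dns.append(dn)
    return dns

def audit(ds_heuristics, anon_ldif):
    """Compare what dsHeuristics promises with what an anonymous search returned."""
    blocked, dns = anon_ops_blocked(ds_heuristics), exposed_dns(anon_ldif)
    if dns and blocked:
        verdict = "mismatch"             # entries returned although config says blocked
    elif dns:
        verdict = "exposed-by-config"    # anonymous operations explicitly enabled
    else:
        verdict = "no-entries-returned"
    return {"verdict": verdict, "entries": dns}

print(audit(None, SAMPLE_LDIF)["verdict"])
```

Pass the dsHeuristics value read with an authenticated bind (or None when the attribute is not set) together with the saved output of the anonymous search.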


More information about the samba-technical mailing list