s4 anonymous LDAP binds
Michael Wood
esiotrot at gmail.com
Mon Jul 5 13:42:58 MDT 2010
Hi
On 5 July 2010 18:35, Lukasz Zalewski <lukas at dcs.qmul.ac.uk> wrote:
> Hi all,
> I have noticed that s4 (func level 2008) allows anonymous LDAP binds by
> default, i.e.
> ldapsearch -x -h my.s4.host -b my.base.dn CN=username
> prints quite a lot of information about username
>
> I was under the impression that the anonymous binds are not allowed
> (http://technet.microsoft.com/en-us/library/cc816788%28WS.10%29.aspx) - The
> document also includes information on how to enable them - dsHeuristics
> attribute mentioned in the above article does not seem to be defined by
> default (which should default to 0's across the board I believe?) so the
> anonymous binds should not be allowed.
>
> Am I missing or doing something wrong?
>
> What shall one change in order to disable them?

Yes, I think this is a known issue. I'm sure I've seen it mentioned
somewhere before.

But this entry in
http://wiki.samba.org/index.php/Samba4/Andrew_and_Jelmers_Fantasy_Page
implies that it's been fixed already:

Plans for fortnight ending 26 July 2008

Achieved so far

* Fix LDAP backend to be secure (not anonymous access) (Andrew)

--
Michael Wood <esiotrot at gmail.com>
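
Added example, not part of the original post and not Samba code: a Python check for the mismatch described in this thread, where an anonymous `ldapsearch -x` returns entries although dsHeuristics is unset. The function names and the sample LDIF are constructed for illustration, and the rule applied (anonymous operations allowed only when the seventh character of dsHeuristics is "2") is the Active Directory behaviour, assumed here to be what the server should follow.

```python
# Constructed sample of what `ldapsearch -x -LLL` could return to an anonymous
# query; the names and values are made up for this example.
SAMPLE_LDIF = """\
dn: CN=username,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: username
description: a long value that ldapsearch folds
  onto a continuation line
mail:: dXNlckBleGFtcGxlLmNvbQ==

dn: CN=other,CN=Users,DC=example,DC=com
cn: other
"""

def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: append to previous
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):       # drop LDIF comments
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.lower(), []).append(value.lstrip(": "))
    return entries

def anon_ops_enabled(ds_heuristics):
    # AD rule (assumed to apply): anonymous operations beyond rootDSE searches
    # and binds are allowed only if the 7th character of dsHeuristics is "2";
    # an unset or shorter value means they are blocked.
    return (ds_heuristics or "")[6:7] == "2"

def audit(ldif_text, ds_heuristics):
    # Entries with an empty DN (the rootDSE) or no DN at all are not exposure.
    entries = [e for e in parse_ldif(ldif_text) if e.get("dn", [""])[0]]
    attrs = sorted({a for e in entries for a in e if a != "dn"})
    if entries and not anon_ops_enabled(ds_heuristics):
        verdict = "MISMATCH: entries returned although dsHeuristics blocks anonymous operations"
    elif entries:
        verdict = "EXPOSED: anonymous reads are enabled by dsHeuristics"
    else:
        verdict = "OK: no entries readable anonymously"
    return {"entries": len(entries), "attributes": attrs, "verdict": verdict}
```

Feed `audit()` the saved output of the anonymous search and the dsHeuristics value read with an authenticated query (pass `None` when the attribute is not set).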
More information about the samba-technical
mailing list