s4 anonymous LDAP binds

Michael Wood esiotrot at gmail.com
Mon Jul 5 13:42:58 MDT 2010


On 5 July 2010 18:35, Lukasz Zalewski <lukas at dcs.qmul.ac.uk> wrote:
> Hi all,
> I have noticed that s4 (func level 2008) allows anonymous ldap binds by
> default, i.e.
> ldapsearch -x -h my.s4.host -b my.base.dn CN=username
> prints quite a lot of information about username
> I was under the impression that the anonymous binds are not allowed
> (http://technet.microsoft.com/en-us/library/cc816788%28WS.10%29.aspx) - The
> document also includes information on how to enable them - dsHeuristics
> attribute mentioned in the above article does not seem to be defined by
> default (which should default to 0's across the board I believe?) so the
> anonymous binds should not be allowed.
> Am I missing or doing something wrong?
> What shall one change in order to disable them?

Yes, I think this is a known issue.  I'm sure I've seen it mentioned
somewhere before.

But this entry in
implies that it's been fixed already:

Plans for fortnight ending 26 July 2008
Achieved so far

    * Fix LDAP backend to be secure (not anonymous access) (Andrew)

Michael Wood <esiotrot at gmail.com>
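A defender-side check for the behaviour discussed in this thread, added here as an example and not code from the thread or from Samba: it interprets the dsHeuristics value (assuming the MS-ADTS semantics, where character 7, fLDAPBlockAnonOps, must be '2' for anonymous LDAP operations beyond rootDSE to be permitted) and compares that policy with what an unauthenticated `ldapsearch -x` actually returned, using constructed sample output.

```python
import re

# Added example, not from the thread. Character 7 of dsHeuristics
# (fLDAPBlockAnonOps, MS-ADTS 6.1.1.2.4.1.2) is '2' when anonymous LDAP
# operations beyond rootDSE are permitted; an absent attribute or '0' blocks them.
ANON_OPS_POSITION = 7

def anonymous_ops_allowed(ds_heuristics):
    """True if the dsHeuristics value enables anonymous LDAP operations."""
    if ds_heuristics is None or len(ds_heuristics) < ANON_OPS_POSITION:
        return False  # missing or short: AD treats the position as '0'
    return ds_heuristics[ANON_OPS_POSITION - 1] == "2"

def entries_returned(ldif):
    """Count entries in ldapsearch LDIF output (each entry starts with 'dn:')."""
    return len(re.findall(r"^dn:", ldif, flags=re.MULTILINE))

def audit_anonymous_access(ds_heuristics, anonymous_search_ldif):
    """Compare configured policy with what an unauthenticated search returned.
    Returns (verdict, entry_count): 'FINDING' = data readable anonymously
    although dsHeuristics does not enable it (the thread's symptom),
    'EXPECTED' = the policy deliberately allows it, 'OK' = nothing returned."""
    leaked = entries_returned(anonymous_search_ldif)
    if leaked == 0:
        return ("OK", 0)
    verdict = "EXPECTED" if anonymous_ops_allowed(ds_heuristics) else "FINDING"
    return (verdict, leaked)

# Constructed sample of `ldapsearch -x -b <base> CN=username` output from a
# server that answers anonymous searches (DN and attributes are placeholders).
LEAKY_OUTPUT = """\
# username, Users, example.com
dn: CN=username,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: username

# search result
search: 2
result: 0 Success
# numEntries: 1
"""

# Constructed sample from a server that rejects the unauthenticated search.
BLOCKED_OUTPUT = """\
# search result
search: 2
result: 1 Operations error
"""
```

Run `audit_anonymous_access(None, LEAKY_OUTPUT)` to reproduce the poster's situation (dsHeuristics undefined, yet entries returned), which yields `('FINDING', 1)`.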
