s4 anonymous LDAP binds

Matthieu Patou mat at matws.net
Mon Jul 5 13:47:51 MDT 2010

  On 05/07/2010 20:35, Lukasz Zalewski wrote:
> Hi all,
> I have noticed that s4 (func level 2008) allows anonymous ldap binds 
> by default, i.e.
> ldapsearch -x -h my.s4.host -b my.base.dn CN=username
> prints quite a lot of information about username
> I was under the impression that the anonymous binds are not allowed 
> (http://technet.microsoft.com/en-us/library/cc816788%28WS.10%29.aspx) 
> - The document also includes information on how to enable them - 
> dsHeuristics attribute mentioned in the above article does not seem to 
> be defined by default (which should default to 0's across the board i 
> believe?) so the anonymous binds should not be allowed.
No for the moment we do not do ACL controls when reading attributes, as 
Far I as understand Nadya is on the topic but it's not so easy.

She is the one that can gives you more information about what's going on ...


More information about the samba-technical mailing list