s4 anonymous LDAP binds

[Nadezhda Ivanova]

Hello,
It kind of depends on what you mean :). Do you mean not unauthenticated
binds at all, or restrict access of Anonymous to the RootDSE?
The link you have provided is for LDS which I don't think we provide at the
moment. in MS-ADTS for DS, this is written:
If the fLDAPBlockAnonOps dsHeuristic (section 7.1.1.2.4.1.2) is true,
anonymous (unauthenticated) users are limited to performing rootDSE searches
and binds. If fLDAPBlockAnonOps is false, anonymous users can perform any
LDAP operation, subject to access checks that use the ACL mechanisms
described in this section.

I am indeed currently working on the above mentioned ACL mechanisms, which
will restrict Anonymous access to some extent. At present, however, Samba 4
does not much care for dsHeuristicts, we just don't take it into account in
many cases, I suppose it's time to start. As for completely disallowing any
kind of anonymous bind  - I really dont know when and how it happens...

Regards,
Nadya

On Mon, Jul 5, 2010 at 10:47 PM, Matthieu Patou <mat at matws.net> wrote:

>  On 05/07/2010 20:35, Lukasz Zalewski wrote:
>
>> Hi all,
>> I have noticed that s4 (func level 2008) allows anonymous ldap binds by
>> default, i.e.
>> ldapsearch -x -h my.s4.host -b my.base.dn CN=username
>> prints quite a lot of information about username
>>
>> I was under the impression that the anonymous binds are not allowed (
>> http://technet.microsoft.com/en-us/library/cc816788%28WS.10%29.aspx) -
>> The document also includes information on how to enable them - dsHeuristics
>> attribute mentioned in the above article does not seem to be defined by
>> default (which should default to 0's across the board i believe?) so the
>> anonymous binds should not be allowed.
>>
>>  No for the moment we do not do ACL controls when reading attributes, as
> Far I as understand Nadya is on the topic but it's not so easy.
>
> She is the one that can gives you more information about what's going on
> ...
>
> Matthieu.
>