s4 anonymous LDAP binds

Lukasz Zalewski lukas at dcs.qmul.ac.uk
Mon Jul 5 16:08:47 MDT 2010

Hi Nadya
On 7/5/2010 9:22 PM, Nadezhda Ivanova wrote:
> Hello,
> It kind of depends on what you mean :). Do you mean not unauthenticated
> binds at all, or restrict access of Anonymous to the RootDSE?
I meant the latter (seems like the former could violate RFC 2251 
according to http://support.microsoft.com/kb/837964/)
> The link you have provided is for LDS which I don't think we provide at the
> moment. in MS-ADTS for DS, this is written:
> If the fLDAPBlockAnonOps dsHeuristic (section is true,
> anonymous (unauthenticated) users are limited to performing rootDSE searches
> and binds. If fLDAPBlockAnonOps is false, anonymous users can perform any
> LDAP operation, subject to access checks that use the ACL mechanisms
> described in this section.
Am I right thinking that the LDS link (that i mentioned previously) and 
MS-ADTS info above refer to the same attribute at the same location 
(i.e. Directory Service container)?
> I am indeed currently working on the above mentioned ACL mechanisms, which
> will restrict Anonymous access to some extent. At present, however, Samba 4
> does not much care for dsHeuristicts, we just don't take it into account in
> many cases, I suppose it's time to start. As for completely disallowing any
> kind of anonymous bind  - I really dont know when and how it happens...
That is great news :)


> Regards,
> Nadya
> On Mon, Jul 5, 2010 at 10:47 PM, Matthieu Patou<mat at matws.net>  wrote:
>>   On 05/07/2010 20:35, Lukasz Zalewski wrote:
>>> Hi all,
>>> I have noticed that s4 (func level 2008) allows anonymous ldap binds by
>>> default, i.e.
>>> ldapsearch -x -h my.s4.host -b my.base.dn CN=username
>>> prints quite a lot of information about username
>>> I was under the impression that the anonymous binds are not allowed (
>>> http://technet.microsoft.com/en-us/library/cc816788%28WS.10%29.aspx) -
>>> The document also includes information on how to enable them - dsHeuristics
>>> attribute mentioned in the above article does not seem to be defined by
>>> default (which should default to 0's across the board i believe?) so the
>>> anonymous binds should not be allowed.
>>>   No for the moment we do not do ACL controls when reading attributes, as
>> Far I as understand Nadya is on the topic but it's not so easy.
>> She is the one that can gives you more information about what's going on
>> ...
>> Matthieu.

More information about the samba-technical mailing list