s4 anonymous LDAP binds

Nadezhda Ivanova nivanova at samba.org
Mon Jul 5 16:17:42 MDT 2010

You are correct that the link refers to the same attribute. However, the
behavior of DS and LDS is quite different and we need to check if this
applies for DS as well. I haven't come across something like this for DS,
but maybe I was looking in the wrong place...

On Tue, Jul 6, 2010 at 1:08 AM, Lukasz Zalewski <lukas at dcs.qmul.ac.uk>wrote:

> Hi Nadya
> On 7/5/2010 9:22 PM, Nadezhda Ivanova wrote:
>> Hello,
>> It kind of depends on what you mean :). Do you mean not unauthenticated
>> binds at all, or restrict access of Anonymous to the RootDSE?
> I meant the latter (seems like the former could violate RFC 2251 according
> to http://support.microsoft.com/kb/837964/)
>  The link you have provided is for LDS which I don't think we provide at
>> the
>> moment. in MS-ADTS for DS, this is written:
>> If the fLDAPBlockAnonOps dsHeuristic (section is true,
>> anonymous (unauthenticated) users are limited to performing rootDSE
>> searches
>> and binds. If fLDAPBlockAnonOps is false, anonymous users can perform any
>> LDAP operation, subject to access checks that use the ACL mechanisms
>> described in this section.
> Am I right thinking that the LDS link (that i mentioned previously) and
> MS-ADTS info above refer to the same attribute at the same location (i.e.
> Directory Service container)?
>> I am indeed currently working on the above mentioned ACL mechanisms, which
>> will restrict Anonymous access to some extent. At present, however, Samba
>> 4
>> does not much care for dsHeuristicts, we just don't take it into account
>> in
>> many cases, I suppose it's time to start. As for completely disallowing
>> any
>> kind of anonymous bind  - I really dont know when and how it happens...
> That is great news :)
> Regards
> Luk
>> Regards,
>> Nadya
>> On Mon, Jul 5, 2010 at 10:47 PM, Matthieu Patou<mat at matws.net>  wrote:
>>   On 05/07/2010 20:35, Lukasz Zalewski wrote:
>>>  Hi all,
>>>> I have noticed that s4 (func level 2008) allows anonymous ldap binds by
>>>> default, i.e.
>>>> ldapsearch -x -h my.s4.host -b my.base.dn CN=username
>>>> prints quite a lot of information about username
>>>> I was under the impression that the anonymous binds are not allowed (
>>>> http://technet.microsoft.com/en-us/library/cc816788%28WS.10%29.aspx) -
>>>> The document also includes information on how to enable them -
>>>> dsHeuristics
>>>> attribute mentioned in the above article does not seem to be defined by
>>>> default (which should default to 0's across the board i believe?) so the
>>>> anonymous binds should not be allowed.
>>>>  No for the moment we do not do ACL controls when reading attributes, as
>>> Far I as understand Nadya is on the topic but it's not so easy.
>>> She is the one that can gives you more information about what's going on
>>> ...
>>> Matthieu.

More information about the samba-technical mailing list