connecting with LDAP bind?

Harpstein

I have AD set up on a Win2k3 system. It's all working and I can browse the
data from an LDAP client.

However, when I go to authenticate myself to the server, it works if I leave
the password blank.

I can send in the correct password, like "fred" and it works.

I can send in an empty password and it works.

It only fails if I send in a non-empty password that doesn't match the
actual password on the user record in AD.


Is there some sort of setting causing this? I'm new to AD and just really
want to try it out against my LDAP client but I don't see why binding would
work when I give it an empty password. Isn't this a big security hole?


Any help would be much appreciated.

Thanks,

harpstein

Simon Geary

When using ldp to connect, if you use a null username or password it will
automatically use the credentials of the logged-on user. Nothing to worry
about here, I don't think; sounds like expected behaviour.

LDAP also publishes RootDSE information publicly that can be viewed by
anyone without providing any credentials at all.

Stefan Buchman

What LDAP client are you using? It's possible that it's using SSPI to
authenticate you to AD since no password was entered, or you could just
be hitting the rootDSE, which allows anonymous connections.

- Stefan

Harpstein

I have my own client, but I'm using the OpenLDAP (www.openldap.org) C
library for the ldap interface.

I don't believe that I'm hitting the rootDSE, but maybe I need clarification
on what I'm "hitting".

I create a user in my AD of "Fred Moot" with username="fred" and
password="moot".

Then I call ldap_init against my AD server, then call

unsigned long ul = ldap_bind_s( pldap, "fred", "", LDAP_AUTH_SIMPLE );

Shouldn't this fail, since fred's password is not blank? And I am logging in
as Fred Moot with this call, correct, not just connecting to the AD server to
browse it, right?

My real setup is that I'm running a Win2k3 server as a VPC (Microsoft
VirtualPC) on my own WinXP box, and my WinXP box is logged into a company
domain while my VPC Win2k3 box is running a dummy AD on a dummy domain as
its own domain controller. And there is no user on the dummy VPC domain
that matches my login acct to the company domain. So, I'm not clear on how
it could be using my company domain login to log in to my dummy domain on the
VPC.

I think I'm doing something wrong, or misunderstanding what I'm doing.

Thanks,

harpstein
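Added example, not code from this thread or from the OpenLDAP project. The behaviour described above is the standard LDAP "unauthenticated bind" (RFC 4513 section 5.1.2): a simple bind that carries a name but an empty password is accepted by the server, Active Directory included, and results in an anonymous session, with no password ever checked. The code below models that classification in C, adds a guard that a client using bind as a login check needs in front of the call, and, when built with -DUSE_LIBLDAP -lldap, wraps the real libldap bind. The server URI and the bind name form are placeholders; the guard and classification run without libldap.

```c
/* Added example, not code from the thread or from OpenLDAP.  It models the
 * rule in RFC 4513 section 5.1 that makes the bind above succeed: a simple
 * bind with a name but an EMPTY password is an "unauthenticated bind",
 * which the server accepts and turns into an ANONYMOUS session.  No
 * password is checked, so ldap_bind_s(pldap, "fred", "", LDAP_AUTH_SIMPLE)
 * returns success for any name.  A client that uses bind as a login check
 * must refuse to send that request.  Build with -DUSE_LIBLDAP -lldap to
 * include the real libldap call; without it only the guard logic is built. */
#include <stdio.h>

#ifdef USE_LIBLDAP
#define LDAP_DEPRECATED 1        /* ldap_simple_bind_s is in the deprecated API */
#include <ldap.h>
#endif

/* The three simple-bind forms of RFC 4513 section 5.1, plus the one
 * combination the RFC does not define. */
enum bind_kind {
    BIND_ANONYMOUS,         /* empty name, empty password                    */
    BIND_UNAUTHENTICATED,   /* name given, empty password: anonymous result  */
    BIND_AUTHENTICATED,     /* name and password given: password is verified */
    BIND_MALFORMED          /* empty name, non-empty password                */
};

enum bind_kind classify_simple_bind(const char *name, const char *password)
{
    int have_name = (name != NULL && name[0] != '\0');
    int have_pw   = (password != NULL && password[0] != '\0');

    if (!have_name && !have_pw) return BIND_ANONYMOUS;
    if (have_name && !have_pw)  return BIND_UNAUTHENTICATED;
    if (have_name && have_pw)   return BIND_AUTHENTICATED;
    return BIND_MALFORMED;
}

/* Returns 0 when the request would actually verify the password, otherwise
 * a non-zero reason: 1 unauthenticated, 2 anonymous, 3 malformed.  A login
 * path must treat every non-zero result exactly like a wrong password. */
int guard_simple_bind(const char *name, const char *password)
{
    switch (classify_simple_bind(name, password)) {
    case BIND_AUTHENTICATED:   return 0;
    case BIND_UNAUTHENTICATED: return 1;
    case BIND_ANONYMOUS:       return 2;
    default:                   return 3;
    }
}

#ifdef USE_LIBLDAP
/* Login check against a real directory.  uri is a placeholder such as
 * "ldap://dc.example.test"; name is whatever form the server accepts as a
 * bind name (assumption: caller has already resolved that). */
int authenticate_user(const char *uri, const char *name, const char *password)
{
    LDAP *ld = NULL;
    int version = LDAP_VERSION3;
    int rc;

    if (guard_simple_bind(name, password) != 0)
        return LDAP_INVALID_CREDENTIALS;     /* never send an empty password */

    rc = ldap_initialize(&ld, uri);
    if (rc != LDAP_SUCCESS)
        return rc;
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    rc = ldap_simple_bind_s(ld, name, password);
    ldap_unbind_ext_s(ld, NULL, NULL);
    return rc;                               /* LDAP_SUCCESS only if verified */
}
#endif

/* Walks through the three cases reported in the thread. */
int main(void)
{
    static const char *const labels[] = {
        "anonymous", "unauthenticated (becomes anonymous)",
        "authenticated", "malformed"
    };
    printf("fred / \"moot\"  -> %s\n", labels[classify_simple_bind("fred", "moot")]);
    printf("fred / \"\"      -> %s\n", labels[classify_simple_bind("fred", "")]);
    printf("fred / \"wrong\" -> %s (server checks it and fails)\n",
           labels[classify_simple_bind("fred", "wrong")]);
    printf("guard result for fred / \"\": %d\n", guard_simple_bind("fred", ""));
    return 0;
}
```

The guard is the client-side fix: an application that treats "bind returned success" as "password verified" must refuse to issue a simple bind with an empty password at all, otherwise any known user name logs in with a blank password. The "wrong" case is the one the thread already sees failing, because only a name-plus-password bind makes the server compare anything.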