Thursday, February 26, 2015

LDAP Troubleshoting

Using LDAP with Active Directory

Administrators may decide to use Active Directory via LDAP. This may be done by connecting to Active Directory via an anonymous bind or by using a privileged user. The following topic explains how to set up an anonymous connection or a privileged connection, and some accompanying security risks.

Connecting via an Anonymous Bind

Active Directory does not allow anonymous access by default, but Administrators may enable anonymous searches if they choose.
Note:  There are security risks with allowing anonymous LDAP binds with Active Directory; in this case, any users who have network access to the Active Directory server can search Active Directory.

How to Enable Anonymous Searches on the Active Directory Server

  1. On the Windows 2000 Active Directory server, run the Active Directory Users and Groups administration tool.
  2. Select the top level of the directory from the tree view in the left hand panel, and right click. Select the first item on the menu, which begins with Delegate Control. Click Next.
  3. In the next window, titled Users or Groups, click Add.
  4. On the next list, select ANONYMOUS LOGON and click Add. Administrators may also need to select Everyone and the Guests group, depending on how Active Directory is configured. Click OK when this is done. Click Next.
  5. Select Create a custom task to delegate and click Next.
  6. In the next list, select ReadRead All Properties will be selected at the same time. Click Next.
  7. Click Finish.

Connecting via a Privileged Bind

By default, Active Directory can only be searched via LDAP if a privileged user is used to connect to the LDAP server. A privileged bind requires the distinguished name (DN) and password for the user. There are two options for connecting via a privileged bind:
  • Create a new Windows user within Active Directory. Assign this user only the right to read access to the directory. Use this user as the privileged user.
  • Use an existing Windows user as the privileged user.
Note:  There are security risks with connecting via a privileged bind to Active Directory. Any user who can navigate to the file system and locate the file may find the user ID and password of the privileged user.

Troubleshooting LDAP with Active Directory

For Administrators using a Windows workstation, the LDP executable may be used to troubleshoot LDAP authentication properties. The LDP executable, found on the Windows 2003 Server CD in the \SUPPORT\TOOLSfolder, allows LDAP operations to be performed against Active Directory and includes a graphical user interface. To learn more, see Troubleshooting LDAP.
The only change for this procedure is in Steps 2, 10 and 12. Follow the steps below when using the LDP executable against Active Directory:
  1. Login as the Windows user (username, password, domain) whose username and password are being used for the privileged bind.
  2. Add sAMAccountName to the Attributes field and click OK.
  3. Enter (sAMAccountName=WindowsUserName) in the Filter field, where WindowsUserName is the Windows username that will be used as the privileged user for binding to LDAP.
For Administrators using a UNIX workstation, the LDAP Browser may be used to troubleshoot LDAP authentication properties. To learn more, see Troubleshooting LDAP.