Apr 17, 2005

What is a Simple Bind

A user establishes a connection to a directory server by performing a bind operation. Part of the information that is used in performing this operation is the user's identity and password. There are three basic bind mechanisms ? anonymous, simple, or secure.

The simplest bind mechanism is an anonymous bind. Access is granted based on the user having no identity within the directory. While it is normal to provide read access to certain entries and attributes for anonymous users, most application data will be protected against retrieval by unknown users.

A simple bind operation is performed when the user provides a DN for an entry within the directory and a password that goes with that entry. The entry must have a USERPASSWORD attribute, which is checked against the password provided. If the bind is successful, the user's identity will become that DN for the duration of the connection and access to entries will be based on that identity.

While the simple bind is adequate for most environments, it requires that you send the password in clear text over the network. Some directory servers implement secure authentication methods, such as Kerberos or certificate-based authentication like SSL. Any authentication method that is used must resolve to a directory entry in order to permit a comparison with the access control list (ACL). After authentication, the ACL specifies access controls that are based on the DN for the user.


See original document at http://support.sas.com/rnd/itech/doc/ldap/ldapovew.html

Apr 13, 2005

Do we need a GC or do we not when logging in?

Since the authenticating DC queries GC for the universal group membership, so the short answer would be YES. But a complete answer is
1) if it's a single domain environment, because each DC contains all information, a GC is not needed;
2) if there is not native domain, there is not universal group, therefore GC is not needed (for log in)
3) if you log on as local users, you don't even need DC; If you log on as Domain Admins, you don't need a GC to log in domain
4) if there is cached credential, you don't have to talk to a GC

Added 09/03/02
5) When user logs in using UPN, GC will be queried to determine the domain membership
6) if the group membership is cached on a local DC, client may not need to contact a GC

Apr 12, 2005

RestrictAnonymous Values

0: behavior same as before
1: Anonymous is a member of Everyone. Do not allow to enumerate of Sam database, but still has permissions that Everyone has
2: Anonymous is not a member of Everyone. Do not allow to enumerate of SAM database, and loses the permission that everyone used to have