Recipe 14.3 Enabling Anonymous LDAP Access

14.3.1 Problem

You want to enable anonymous LDAP access for clients. In Windows 2000 Active Directory, anonymous queries were enabled by default, although restricted. With Windows Server 2003 Active Directory, anonymous queries are disabled except for querying the RootDSE.

14.3.2 Solution

14.3.2.1 Using a graphical user interface
  1. Open ADSI Edit.

  2. In the Configuration partition, browse to cn=Services → cn=Windows NT → cn=Directory Service.

  3. In the left pane, right-click on the Directory Service object and select Properties.

  4. Double-click on the dSHeuristics attribute.

  5. If the attribute is empty, set it with the value: 0000002.

  6. If the attribute has an existing value, make sure the seventh digit is set to 2.

  7. Click OK twice.

14.3.2.2 Using VBScript
' This code enables or disables anonymous query mode for a forest.
' ------ SCRIPT CONFIGURATION ------
boolEnableAnonQuery = 2  ' e.g. 2 to enable, 0 to disable
' ------ END CONFIGURATION ---------
set objRootDSE = GetObject("LDAP://RootDSE")
set objDS = GetObject( _
             "LDAP://cn=Directory Service,cn=Windows NT,cn=Services," _
              & objRootDSE.Get("configurationNamingContext") )

' dSHeuristics has no value by default, and Get raises an error on an
' unset attribute, so treat that case as an empty string.
On Error Resume Next
strDSH = objDS.Get("dSHeuristics")
if Err.Number <> 0 then
   strDSH = ""
   Err.Clear
end if
On Error Goto 0

' Pad with zeros so that the string is at least seven characters long.
for i = len(strDSH) to 6
   strDSH = strDSH & "0"
next

' Replace the seventh character, preserving everything before and after it.
strNewDSH = Left(strDSH,6) & boolEnableAnonQuery
strNewDSH = strNewDSH & Right(strDSH, len(strDSH) - 7 )
WScript.Echo "Old value: " & strDSH
WScript.Echo "New value: " & strNewDSH
if strDSH <> strNewDSH then
   objDS.Put "dSHeuristics", strNewDSH
   objDS.SetInfo
   WScript.Echo "Successfully set anon query mode to " & boolEnableAnonQuery
else
   WScript.Echo "Anon query mode already set to " & boolEnableAnonQuery
end if

14.3.3 Discussion

To enable anonymous access, you have to modify the dSHeuristics attribute of the cn=Directory Service,cn=Windows NT,cn=Services,ConfigurationDN object. The dSHeuristics attribute is an interesting attribute used to control certain behavior in Active Directory. For example, you can enable "List Object Mode" (see Recipe 14.15) by setting the dSHeuristics flag.

The dSHeuristics attribute consists of a string of digits, each position of which enables a particular behavior when set. To enable anonymous access, the seventh character must be set to 2. By default, dSHeuristics has no value. If you set it only to enable anonymous access, the value would be the following: 0000002.

After enabling anonymous access, the assumption is you'll want to grant access for anonymous users to retrieve some data from Active Directory. To do that, grant the ANONYMOUS LOGON user access to the parts of the directory you want anonymous users to search. You must grant the access from the root of the directory down to the object of interest. See MS KB 320528 for an example of how to enable the anonymous user to query email addresses of user objects.
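The same check and change in PowerShell, as an added example that is not part of the cookbook: it reads dSHeuristics over ADSI (no ActiveDirectory module needed), reports whether the seventh character is 2, and only writes a new value when explicitly asked. The function names Set-DsHeuristicsPosition and Get-AnonymousLdapState are assumed names for this example.

```powershell
# Added example, not from the Active Directory Cookbook.
function Set-DsHeuristicsPosition {
    # Returns a dSHeuristics string with character $Position set to $Value,
    # padding an empty or short value with '0' and keeping every other character.
    # Positions are limited to 1-9 because position 10 is a reserved marker digit.
    param(
        [AllowEmptyString()][string]$Current,
        [ValidateRange(1, 9)][int]$Position,
        [ValidatePattern('^[0-9]$')][string]$Value
    )
    $chars = $Current.PadRight($Position, '0').ToCharArray()
    $chars[$Position - 1] = [char]$Value
    return -join $chars
}

function Get-AnonymousLdapState {
    # Reads dSHeuristics from the Directory Service object in the Configuration
    # partition and reports whether anonymous LDAP operations are enabled.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfgNc   = $rootDse.Properties['configurationNamingContext'].Value
    $dsObj   = [ADSI]"LDAP://cn=Directory Service,cn=Windows NT,cn=Services,$cfgNc"
    # An unset attribute yields $null, which becomes an empty string here.
    $current = [string]$dsObj.Properties['dSHeuristics'].Value
    [pscustomobject]@{
        dSHeuristics     = $current
        AnonymousEnabled = ($current.Length -ge 7 -and $current[6] -eq '2')
        Object           = $dsObj
    }
}

# Audit first: this part changes nothing.
$state = Get-AnonymousLdapState
$state | Select-Object dSHeuristics, AnonymousEnabled | Format-List

# Write-back only when the change is intended. Use '2' to enable anonymous
# operations as in the recipe, or '0' to return to the Windows Server 2003 default.
$wanted = '2'
$new = Set-DsHeuristicsPosition -Current $state.dSHeuristics -Position 7 -Value $wanted
if ($new -ne $state.dSHeuristics) {
    $state.Object.Put('dSHeuristics', $new)
    $state.Object.SetInfo()
    "dSHeuristics changed from '$($state.dSHeuristics)' to '$new'"
} else {
    "dSHeuristics already '$new'; nothing written"
}
```

Running only the audit half against each forest is a cheap way to detect a domain controller on which anonymous LDAP operations have been re-enabled.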

14.3.4 See Also

MS KB 320528 (How to Configure Active Directory to Allow Anonymous Queries), and MS KB 326690 (Anonymous LDAP Operations to Active Directory Are Disabled on Windows Server 2003 Domain Controllers)

Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
Year: 2006
Pages: 456