AppNote: Configuring Active Directory to Allow Anonymous Queries for NSL LDAP Client
Novell Cool Solutions: AppNote
By Prasanna GH, Talekar Nagareshwar
Posted: 10 Jun 2005
Novell Nsure SecureLogin 220.127.116.11 allows you to use SecureLogin's LDAP client with Active Directory. To make this new feature functional, you must grant certain permissions for anonymous users to perform anonymous searches on user objects. This AppNote explains how to configure Active Directory to allow anonymous queries. The permissions you need to give for anonymous users and how to set these permissions are explained in detail here.
By default, anonymous LDAP operations are not permitted on Active Directory. This means that an anonymous search against Active Directory results in the server requesting an authenticated LDAP connection and refusing the query. Therefore, some additional configuration is required before Active Directory will allow anonymous queries. The procedures detailed in this AppNote solve this problem when you use SecureLogin's LDAP client with Active Directory.
The configuration explained here is required for the SecureLogin LDAP client. When SecureLogin is installed in non-eDirectory mode and uses the LDAP client to connect to Active Directory, it requires anonymous permissions to be enabled on user objects. The following steps apply to Windows 2000 and Windows 2003 servers running Active Directory. The same steps should apply to other Windows servers with few or no changes.
Enabling Anonymous Queries
Enabling anonymous queries involves granting Anonymous Logon access to user objects that need to be located by anonymous search. The following rights must be given to all user objects to enable anonymous search.
| User Object | Permissions | Inheritance | Permission Type |
| --- | --- | --- | --- |
| ANONYMOUS LOGON | List Contents | This object and all child objects | Object |
| ANONYMOUS LOGON | Read name | This object and all child objects | Property |
| ANONYMOUS LOGON | Read Name | This object and all child objects | Property |
| ANONYMOUS LOGON | Read objectClass | This object and all child objects | Property |
Table: Anonymous Permissions
Note: The strings and images are specific to Windows 2000 server. There might be minor GUI changes for other Windows servers.
To assign permissions:
1. Launch ADSIEDIT (Start > Run > Type ADSIEDIT.msc).
Note: If ADSIEDIT is not installed on your server, manually install it from the Windows server CD.
2. In the left panel, navigate to the user container, right-click and view properties.
The CN=Users Properties dialog box is displayed.
Normally, the user container will be CN=Users, DC=domain name, DC=com. If the user objects are present in different containers, repeat the following steps on each of the containers.
Figure 1: User Properties in ADSIEdit
3. Click the Security tab, then click Advanced.
The Access Control Settings for Users dialog box is displayed.
Figure 2: Access Control settings for users
4. Click Add.
5. If this is Windows 2000 server, a User List dialog box is displayed. Select Anonymous Logon and click OK.
If this is a Windows 2003 server, a Select User dialog box appears, prompting you to enter the object name. Type "Anonymous Logon" and click OK.
The Permission Entry for Users dialog box appears for Anonymous Logon.
Figure 3: Adding Anonymous Logon user on Windows 2000 Server
Figure 4: Adding Anonymous Logon user on Windows 2003 Server
6. In the Object tab, set the following values:
- Apply onto: Select This object and all child objects.
- Permissions: Check List Contents.
7. In the Properties tab, set the following values:
- Apply onto: Select This object and all child objects.
- Clear All: Click to clear permissions (if any are already set).
- Permissions: Check the Read Name and Read objectClass permissions.
- Check the "Apply these permissions within this container only" box.
8. Click OK to close the dialog.
Figure 5: Setting List Contents permission for users under the Object tab
Figure 6: Setting permission for various user properties
Figure 7: Enabling checkbox to apply permission to objects within the container
The Access Control Settings for Users dialog box will have four Anonymous Logon permissions as shown in the screenshot below. (Note that these permissions need not be in the order shown here).
Figure 8: Final permissions for Anonymous Logon after applying the changes
9. Click Apply, then OK twice to close the Properties dialog.
The permissions applied for the user container affect all the user objects within that container. But in exceptional cases some users, especially admin users, might not inherit these permissions. In that case, explicitly make those users inherit permissions from the parent object.
Inheriting Permissions From Parent Object
To make a user inherit permissions from the parent object:
- Launch the ADSIEDIT and navigate to the user container.
- Select the user, right-click and view properties. The Properties dialog box is displayed.
- Click the Security tab, then click Advanced. Access control settings for <User name> are displayed.
- Check Allow inheritable permissions from parent to propagate to this object.
- Click Apply, then OK to close the dialog boxes.
Figure 9: Making the Administrator user inherit permissions from the parent
Additional Configuration for Windows 2003 server
Windows 2003 servers require certain additional configuration procedures to enable anonymous queries. Follow the steps given below.
1. Launch ADSIEdit and navigate to CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<domain name>,DC=com.
2. Right-click the "CN=Directory Service" container, choose Properties from the context menu, and scroll down to the dsHeuristics attribute.
Note: The Properties dialog varies for various Windows 2003 servers. On certain servers, you might see a list box for properties instead of a selection box.
Figure 10: dsHeuristics Property for Directory Service
3. In the Edit Attribute field, enter "0000002" if the dsHeuristics attribute is not already set.
The seventh character ("2") controls how clients may bind to the LDAP service. If that character is "0" or absent, anonymous LDAP operations are disabled. Setting the seventh character to "2" permits anonymous operations.
Figure 11: Setting the Value to dsHeuristics Property
Caution: If the attribute already contains a value, make sure you are changing only the seventh character from the left. This is the only character that needs to be changed in order to enable anonymous binds.
For example, if the current value is "0010000", change it to "0010002". If the current value is less than 7 characters, add zeros followed by "2". For example, "001" becomes "0010002".
4. Click Apply, then OK to close the dialog.
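The two rules in step 3 and its Caution (pad a short value with zeros before appending "2"; in a value of seven or more characters change only the seventh character) are easy to get wrong by hand. The following Python helpers are an added example, not part of the original AppNote or of any Novell tool: they compute the new dsHeuristics value from the current one and report whether a given value already permits anonymous operations, which is also the check an auditor would run on a domain. The sample values in the `__main__` block are constructed for illustration.

```python
"""Helpers for editing and auditing the dsHeuristics value described above.

Added example (not from the AppNote). Only the seventh character of
dsHeuristics is ever changed; every other position is preserved, as the
Caution in step 3 requires.
"""
from typing import Optional

ANON_OPS_INDEX = 6        # seventh character, zero-based index 6
ANON_OPS_ALLOWED = "2"    # value that permits anonymous LDAP operations


def anonymous_ops_enabled(ds_heuristics: Optional[str]) -> bool:
    """Return True if the seventh character of dsHeuristics is "2".

    A missing attribute (None), an empty string, a value shorter than seven
    characters, or a seventh character other than "2" all mean that
    anonymous LDAP operations are disabled.
    """
    value = ds_heuristics or ""
    return len(value) > ANON_OPS_INDEX and value[ANON_OPS_INDEX] == ANON_OPS_ALLOWED


def enable_anonymous_ops(ds_heuristics: Optional[str]) -> str:
    """Return the dsHeuristics value with anonymous LDAP operations enabled.

    - Not set or empty          -> "0000002"
    - Shorter than 7 characters -> padded with zeros to 6 characters, then "2"
    - 7 characters or longer    -> only the seventh character is replaced
    """
    value = ds_heuristics or ""
    if len(value) < 7:
        # e.g. "001" -> "001000" + "2" -> "0010002"
        return value.ljust(ANON_OPS_INDEX, "0") + ANON_OPS_ALLOWED
    # Replace the seventh character only; keep everything before and after it.
    return value[:ANON_OPS_INDEX] + ANON_OPS_ALLOWED + value[ANON_OPS_INDEX + 1:]


if __name__ == "__main__":
    # Constructed sample values, not read from any real directory.
    for current in (None, "001", "0010000", "0000002", "0000000001"):
        new = enable_anonymous_ops(current)
        print(f"{current!r:14} enabled={anonymous_ops_enabled(current)!s:5} -> {new!r}")
```

Read the current attribute value out of ADSIEdit first and feed it to `enable_anonymous_ops`; the function never shortens or reorders the string, so any other heuristics already configured on the forest survive the edit. `anonymous_ops_enabled` is the same test in reverse and is the quick way to confirm, on any domain, whether anonymous binds are permitted at all.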
After granting anonymous permissions on the user objects, use an LDAP search tool to make sure that you can retrieve a user's distinguished name with an anonymous search against the directory.
The anonymous permissions explained in this AppNote are specific to the Novell SecureLogin LDAP client. Nevertheless, you may be able to follow these procedures for general anonymous configuration as well; in that case, the permissions you grant to the anonymous user might differ.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com