Configuring Active Directory to Allow Anonymous Browsing of the LDAP Directory
With Windows Server 2003 Active Directory, only authenticated users can initiate an LDAP request against Windows Server 2003-based domain controllers; an anonymous (unauthenticated) client is limited to reading the rootDSE and performing a bind. You can override this default behavior by changing the seventh character of the dSHeuristics attribute on the object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<root domain of the forest> (for example, CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com). The structure of the dSHeuristics attribute is shown in Figure 8.4.
Figure 8.4 The structure of the dSHeuristics
attribute
The dSHeuristics setting applies to all Windows Server 2003 domain controllers in the forest. It lives in the configuration naming context, so every domain controller picks it up through Active Directory replication without restarting Windows. Because the setting is forest-wide, and because the Read permissions granted in the steps below apply to unauthenticated clients, anyone who can reach TCP port 389 on any domain controller can enumerate whatever those permissions expose. Grant Read to Everyone and ANONYMOUS LOGON only on the containers that genuinely need anonymous browsing.
Warning Windows 2000 domain controllers do not support this setting and do not restrict anonymous operations if they are present in a Windows Server 2003-based forest.
Valid values for the seventh character of the dSHeuristics attribute are 0 and 2. By default, the dSHeuristics attribute does not exist (ADSI Edit shows it as <Not Set>), and an absent character is treated as 0. If you set the seventh character to 2, anonymous clients can perform any operation that is permitted by the access control list (ACL) on the objects they touch. If dSHeuristics already contains a value, change only the seventh character and leave every other character exactly as it is: treat the seventh character as a binary number and set the bit whose value is 2 (the second-lowest bit). For example, if the current seventh character is 5, that is 101 in binary; setting the bit with value 2 gives 111, which is 7 in decimal notation. If the existing value is shorter than seven characters, pad it with zeros to seven characters before changing the seventh.
To configure Active Directory to allow anonymous
browsing of the LDAP directory, follow these steps:
1. Create an MMC console that contains the ADSI Edit snap-in. Click Start, click Run..., in the Open box type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in..., and then click Add.... In the Available Standalone Snap-ins box, click ADSI Edit, click Add, click Close, and then click OK.
3. Connect to the configuration naming context. Right-click ADSI Edit, and then click Connect to....
4. In the Select a well known Naming Context box, select Configuration, and then click OK.
5. Double-click ADSI Edit, double-click Configuration, open CN=Configuration,DC=example,DC=com, open CN=Services, open CN=Windows NT, right-click CN=Directory Service, and then click Properties. Note You will see your own forest root domain name here instead of the example DC=example,DC=com.
6. Ensure that Show optional attributes is selected, as shown in Figure 8.5.
7. Scroll down the list of Attributes and click dSHeuristics. Important If the value shown is anything other than <Not Set> or all zeros, do not overwrite it: keep the existing characters and change only the seventh, as described above (treat it as a binary number and set the bit whose value is 2).
8. Click Edit. In the Value box, type 0000002 (or, if step 7 found an existing value, that value with only its seventh character changed), and then click OK.
9. Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
10. In Active Directory Users and Computers, click View, and then click Advanced Features. This enables a number of advanced features, including the Security tab used to change access permissions on Active Directory objects.
11. Expand the container for your domain. Right-click the Users container and click Properties.
12. In the Users Properties dialog box, click the Security tab.
13. Click Add. In the Enter the object names to select (examples): box, type Everyone, and then click OK.
14. In the Permissions for Everyone box, ensure that the Read permission is set to Allow, and then click OK.
15. Click Add. In the Enter the object names to select (examples): box, type Anonymous, and then click OK. The name resolves to ANONYMOUS LOGON. Both entries are needed: on Windows Server 2003 an anonymous connection is not a member of Everyone unless the security option Network access: Let Everyone permissions apply to anonymous users has been enabled.
16. In the Permissions for ANONYMOUS LOGON box, ensure that the Read permission is set to Allow, and then click OK.
17. Test that anonymous browsing is now enabled by using the ldp tool. Click Start, click Run.... In the Open box, type ldp, and then click OK.
18. On the Connection menu, click Connect. Do not bind; an unbound ldp session is exactly the anonymous client you are testing.
19. In the Server: box, type the name of the domain controller to connect to; for example, win2003ent.example.com, as shown in Figure 8.6.
Figure 8.6 Entering the domain controller to connect to in the Server dialog box
20. In the Port: box, enter 389 as the port number, and then click OK.
21. On the Browse menu, click Search.
22. In the Base Dn: box, enter the LDAP search base; for example, cn=Users,dc=example,dc=com, as shown in Figure 8.7.
Figure 8.7 Entering the Base Dn parameter
23. In the Filter: box, enter the filter (objectclass=*), click Run, and then click Close. Using the scroll bar, examine the contents of the right-hand pane. It should show a list of all Active Directory user accounts in the container, with the attributes the ACL lets an anonymous client read. If instead ldp reports that a successful bind must be completed (LDAP result 1, operations error), the dSHeuristics change has not replicated to this domain controller or was entered incorrectly; if the search succeeds but returns only the container itself, the Read permissions from steps 13 through 16 did not take effect. Check your configuration and try again.
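The same procedure, scripted. This is an added example written for this page, not code from the original text or from Microsoft. It uses the .NET classes that PowerShell 2.0 or later exposes on any domain-joined Windows machine (System.DirectoryServices for the ADSI and ACL work, System.DirectoryServices.Protocols for the anonymous test), so it does not need the Active Directory module. The names dc01.example.com (standing in for win2003ent.example.com), DC=example,DC=com and all function names are assumptions. Get-AnonOpsHeuristics implements the seventh-character rule from the text (0 becomes 2, 5 becomes 7, every other character untouched) and also covers values shorter than seven characters; Set-AnonOpsHeuristics does steps 1 to 8, Grant-AnonymousRead does steps 9 to 16, and Test-AnonymousSearch does steps 17 to 23. Run it as a member of Enterprise Admins.

```powershell
# Added example, not from the original text. Names marked "assumption" are
# placeholders for your own forest.

# Seventh-character rule from the text: treat the seventh character as a
# binary number and set the bit whose value is 2, leaving every other
# character alone. '' (<Not Set>) -> '0000002', '0000005' -> '0000007'.
# Values shorter than seven characters are padded with zeros first. The
# function never pads past seven characters, so it cannot disturb the
# rule that a tenth character, if present, must be 1 (twentieth 2, ...).
function Get-AnonOpsHeuristics {
    param([string]$Current)
    if ($Current.Length -lt 7) { $Current = $Current.PadRight(7, '0') }
    $digit = [int][string]$Current[6]
    $new = $digit -bor 2
    if ($new -gt 9) { throw "Seventh character $digit cannot take the 2 bit and stay a single digit" }
    return $Current.Substring(0, 6) + [string]$new + $Current.Substring(7)
}

# Steps 1-8: write dSHeuristics on CN=Directory Service in the configuration
# naming context. A serverless [ADSI] bind picks a DC in the current domain;
# the configuration partition is identical on every DC in the forest.
function Set-AnonOpsHeuristics {
    param([string]$ConfigNC = 'CN=Configuration,DC=example,DC=com')     # assumption
    $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNC"
    $current = [string]$ds.psbase.Properties['dSHeuristics'].Value      # '' when <Not Set>
    $new = Get-AnonOpsHeuristics $current
    $ds.psbase.Properties['dSHeuristics'].Value = $new
    $ds.psbase.CommitChanges()
    return $new
}

# Steps 9-16: grant Read (GenericRead, the basic "Read" checkbox) to Everyone
# and ANONYMOUS LOGON on CN=Users. Well-known SIDs are used instead of names
# so the script does not depend on the display language. Inheritance 'All'
# is an assumption: the user objects below the container must be readable
# too, otherwise a subtree search returns only the container itself.
function Grant-AnonymousRead {
    param([string]$UsersDN = 'CN=Users,DC=example,DC=com')              # assumption
    $users = [ADSI]"LDAP://$UsersDN"
    $sidTypes = [System.Security.Principal.WellKnownSidType]::WorldSid,
                [System.Security.Principal.WellKnownSidType]::AnonymousSid
    foreach ($type in $sidTypes) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($type, $null)
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
        $users.psbase.ObjectSecurity.AddAccessRule($rule)
    }
    $users.psbase.CommitChanges()
}

# Steps 17-23: an unauthenticated subtree search, the same thing an unbound
# ldp session does. Until the dSHeuristics change has replicated, a DC
# answers with LDAP result 1 (operationsError, "a successful bind must be
# completed"); that case is reported instead of being thrown.
function Test-AnonymousSearch {
    param([string]$Server = 'dc01.example.com',                           # assumption
          [string]$BaseDN = 'CN=Users,DC=example,DC=com')                 # assumption
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${Server}:389")
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDN, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Subtree, $null)
    [void]$req.Attributes.Add('sAMAccountName')
    try {
        $resp = $conn.SendRequest($req)
        return @($resp.Entries | ForEach-Object { $_.DistinguishedName })
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        Write-Warning ("Anonymous search refused: " + $_.Exception.Message)
        return @()
    }
}

"dSHeuristics is now " + (Set-AnonOpsHeuristics)
Grant-AnonymousRead
$found = Test-AnonymousSearch
"Anonymous subtree search of CN=Users returned $($found.Count) entries"
```

Run Test-AnonymousSearch before the other two functions as well: on a correctly configured Windows Server 2003 domain controller it should return an empty list with the "successful bind must be completed" warning, which confirms that the default restriction was in force before you lifted it. If the count after the change is 1, only the container is readable and the ACL change (or its inheritance scope) is what needs attention.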