notes on AD allowing "bind as user" without passwords
authorAlan T. DeKok <aland@freeradius.org>
Mon, 13 May 2024 14:58:18 +0000 (10:58 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Tue, 14 May 2024 00:34:53 +0000 (20:34 -0400)
raddb/mods-available/ldap

index 44c0e1f541cf3b90a52a3799d5ee32a9df2b58ed..8d074c3b178425ec197bddb5afd17240c6b0826b 100644 (file)
@@ -302,6 +302,13 @@ ldap {
                #  password_attribute:: Which attribute in the request should be used as
                #  the password when performing user binds.
                #
+               #  Note that Active Directory will allow unauthenticated user binds by default!
+               #
+               #  You can fix this by choosing the "ADSI Edit" command from the Server Manager's Tools menu.
+               #  Then, open the Configuration subtree, and then open the properties of the `CN=Directory
+               #  Service, CN=Windows NT, CN=Services, CN=Configuration` object.  Modify the
+               #  `msDS-Other-Settings` attribute, and add a new entry for `DenyUnauthenticatedBind=1`.
+               #
 #              password_attribute = &User-Password
 
                #
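Review bot: The new note at the top of the hunk warns that Active Directory accepts unauthenticated binds by default but never says what that means for this module: an LDAP "unauthenticated bind" (RFC 4513 §5.1.2) is a bind that supplies a DN together with an empty password, which AD treats as a successful anonymous bind, so a user bind with an empty `password_attribute` value can look like a successful authentication. I would spell that out directly after the warning, e.g. `#  An "unauthenticated bind" is a bind with a DN and an EMPTY password.  AD accepts it as an` / `#  anonymous bind, so an empty password can appear to authenticate the user.` The ADSI Edit procedure only helps administrators who control the directory; the comment should also say that when AD cannot be changed, the password attribute must be checked to be non-empty before the bind is attempted, unless rlm_ldap already rejects zero-length passwords in its authenticate path (worth confirming and stating here either way). The enclosing `ldap { ... }` section starts and ends outside the hunk.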