Q. How do I enable anonymous LDAP binds to Windows Server 2008 Active Directory (AD)?

John Savill

June 25, 2010


A. I strongly recommend against this. Many applications communicate with directory services through LDAP, but the LDAP RFCs (RFC 4511 for the protocol and RFC 4513 for authentication) define the bind operation as the point at which a client presents credentials; an anonymous bind is simply a bind with an empty name and empty password. Connecting anonymously really shouldn't be needed. You may have Unix-style applications that currently use an anonymous LDAP bind to other directory services, but there's a good chance they also support binding with a credential (typically a dedicated, low-privilege service account), making anonymous binding unnecessary.

If an application genuinely requires anonymous binds, the safer option is a separate AD LDS (Active Directory Lightweight Directory Services) instance that allows anonymous connections and holds only the subset of information the application needs, rather than opening the domain directory itself.

If you still have to enable anonymous binds on AD DS itself, you can do so. The switch is the 7th character (fLDAPBlockAnonOps) of the dSHeuristics attribute, which lives in the Configuration partition, so the change applies to every domain controller in the forest, not to a single DC or domain.

  1. Start Adsiedit.msc (Start, Run, Adsiedit.msc).

  2. Connect to the Configuration naming context and expand the Configuration container. Expand CN=Services, then CN=Windows NT.

  3. Right-click CN=Directory Service and select Properties.

  4. Double-click the dSHeuristics attribute.

  5. If the value is currently blank (the attribute is not set), set it to 0000002. If it isn't blank, change the 7th character of the string to 2, padding with zeros if the existing value is shorter than 7 characters. (For example, if it was 001, the new value is 0010002.) Click OK.

  6. Close the ADSIEdit tool.

Anything that NT AUTHORITY\ANONYMOUS LOGON has rights to can now be read through an anonymous bind. Note that this setting grants no permissions by itself: on Windows Server 2003 and later, ANONYMOUS LOGON is not part of Everyone unless the policy "Network access: Let Everyone permissions apply to anonymous users" is enabled (it is off by default), so you must also grant ANONYMOUS LOGON explicit read access on exactly the objects and attributes the application needs, and nothing more.
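The same change done from PowerShell with the RSAT ActiveDirectory module instead of ADSIEdit, followed by a client-side anonymous bind and search so you can see what a caller actually gets. This is an added example, not code from the original article; it assumes you run it as an Enterprise Admin on a domain-joined host, and the DC name dc01.corp.example.com is a placeholder. The helper also re-asserts the check digit that dSHeuristics requires at every 10th position (1 at position 10, 2 at position 20, and so on), which only matters if your existing value is already that long.

```powershell
# Added example (not from the original article): set the 7th character of
# dSHeuristics (fLDAPBlockAnonOps) to 2, then test an anonymous bind.
# Assumes RSAT ActiveDirectory module, Enterprise Admin rights, and a
# placeholder DC name 'dc01.corp.example.com'.
Import-Module ActiveDirectory

function Set-DsHeuristicsChar {
    # Returns a new dSHeuristics string with character $Position set to $Value.
    # Pads with zeros if the current value is shorter than $Position, and keeps
    # every 10th character equal to position/10 (a check digit the DC enforces).
    param(
        [AllowEmptyString()][string]$Current,
        [int]$Position,
        [char]$Value
    )
    $chars = $Current.ToCharArray()
    if ($chars.Count -lt $Position) {
        $chars += ('0' * ($Position - $chars.Count)).ToCharArray()
    }
    $chars[$Position - 1] = $Value
    for ($i = 10; $i -le $chars.Count; $i += 10) {
        $chars[$i - 1] = [char]([string]($i / 10))
    }
    return -join $chars
}

# Steps 2-5 above: CN=Directory Service under CN=Windows NT,CN=Services in the
# Configuration partition; the attribute is forest-wide.
$dsDN   = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
          (Get-ADRootDSE).configurationNamingContext
$before = [string](Get-ADObject -Identity $dsDN -Properties dSHeuristics).dSHeuristics
$after  = Set-DsHeuristicsChar -Current $before -Position 7 -Value '2'
"dSHeuristics: '$before' -> '$after'"
Set-ADObject -Identity $dsDN -Replace @{ dSHeuristics = $after }

# Client-side check. The anonymous bind itself succeeds even before the change;
# it is the operations after the bind that the DC refuses. Three outcomes:
#   operationsError  -> fLDAPBlockAnonOps still blocking anonymous operations
#   0 entries        -> anonymous ops allowed, but ANONYMOUS LOGON has no read rights
#   1 entry          -> anonymous ops allowed and read rights granted on the object
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection 'dc01.corp.example.com'
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
$ldap.SessionOptions.ProtocolVersion = 3
$ldap.Bind()

$search = New-Object -TypeName System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
    (Get-ADRootDSE).defaultNamingContext,
    '(objectClass=domainDNS)',
    [System.DirectoryServices.Protocols.SearchScope]::Base,
    ([string[]]'name')
try {
    $resp = $ldap.SendRequest($search)
    "Anonymous search returned $($resp.Entries.Count) entry(ies)"
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    "Anonymous search refused: $($_.Exception.Response.ResultCode)"
}
```

Run the search part on its own before and after the change (and again after granting ANONYMOUS LOGON read permissions on the specific objects) to confirm that the application sees only what you intended and nothing else.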
