Allowing anonymous BIND on Microsoft AD LDS (LDAP server)

See also: Deleting an LDS instance (below)

Create an LDS instance

1) If not done already, install the Active Directory Lightweight Directory Services role

2) Create a unique LDS instance. We'll call it "TestingXYZ" (which gives a "service name" of "ADAM_TestingXYZ")

3) Assign useful port numbers (because the standard port numbers of 389 and 686 are already in use by AD). E.g., 50389 and 50686

4) Create an application directory partition suitable for what you want to do, e.g., cn=MyStuff,dc=cse,dc=unsw,dc=edu,dc=au

5) Optional: For security when updating via the LDAP interface, assign administrator permissions to a separate, specified account. You'll later need to be using this account when you use ADSI Edit (below).

6) Import the required LDIF files, e.g., MS-InetOrgPerson.LDF

The instance should start.

Configure the LDS instance for anonymous bind

1) Use regedit and get the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ADAM_TestingXYZ (service name from above) → Parameters → "Configuration NC"

2) Run ADSI Edit from Server Manager. Select Action → Connect to.... Name it: "Configure TestingXYZ" (match name to above). Specify host and port (can be 127.0.0.1:<port>). Set "Distinguished Name or Naming Context" to the value from regedit above.

3) Expand the new connection: Configure TestingXYZ (from above) → CN=Configuration,... → CN=Services → CN=Windows NT. Right click on CN=Directory Service and set dsHeuristics to "0000002001001".

4) Done

For additional information, search for "dsHeuristics".
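Since dsHeuristics is a positional string of single-character flags (the 7th character is the one that permits anonymous LDAP operations, and every 10th character is a check digit equal to its position divided by 10), a short audit helper is useful for confirming what an instance actually has set, and for changing only the anonymous-bind flag when the attribute already carries other settings. This is an added example, not code from the page; the flag positions follow the MS-ADTS description of dsHeuristics, and the sample values are constructed.

```python
"""Audit and build AD LDS dsHeuristics values (added example, not from the page).

dsHeuristics is a string of single-character flags indexed from 1.
Character 7 == '2' permits anonymous LDAP operations (the setting the page
enables); every tenth character is a check digit equal to its position / 10
(the 10th must be '1', the 20th '2'). Other characters are left untouched,
and their meanings are not interpreted here.
"""

ANON_LDAP_POS = 7       # 1-based index of the anonymous-operations flag
ANON_ALLOWED = "2"      # value at that position that permits anonymous LDAP ops


def validate(ds_heuristics: str) -> list[str]:
    """Return the problems found in a dsHeuristics string (empty list if OK)."""
    problems = []
    for pos in range(10, len(ds_heuristics) + 1, 10):
        expected = str(pos // 10)
        found = ds_heuristics[pos - 1]
        if found != expected:
            problems.append(f"character {pos} must be '{expected}', found '{found}'")
    return problems


def anonymous_ops_enabled(ds_heuristics: str) -> bool:
    """True if the 7th character permits anonymous LDAP operations."""
    return (len(ds_heuristics) >= ANON_LDAP_POS
            and ds_heuristics[ANON_LDAP_POS - 1] == ANON_ALLOWED)


def set_flag(ds_heuristics: str, pos: int, value: str) -> str:
    """Set one flag character, padding with '0' and fixing check digits as needed.

    Only the requested character changes, so existing flags survive; writing the
    page's literal value over an attribute that already has other flags would not.
    """
    chars = list(ds_heuristics)
    while len(chars) < pos:
        chars.append("0")
    chars[pos - 1] = value
    for p in range(10, len(chars) + 1, 10):
        chars[p - 1] = str(p // 10)   # keep every check digit consistent
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample: an instance whose attribute is currently empty.
    new_value = set_flag("", ANON_LDAP_POS, ANON_ALLOWED)
    print(new_value, anonymous_ops_enabled(new_value), validate(new_value))
```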

Trying it out

From MacOS or Linux you can then do something like:

ldapsearch -H ldap://win2k8r2ent.my.desk:50389 -b cn=MyStuff,dc=cse,dc=unsw,dc=edu,dc=au -x

and get:

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# MyStuff, cse.unsw.edu.au
dn: CN=MyStuff,DC=cse,DC=unsw,DC=edu,DC=au

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Deleting an LDS instance

Note: Use Start → Control Panel → Programs and Features to find and delete an LDS instance.