Logging the source IP of simple LDAP binds

Simple bind events don’t record the calling computer as the source, but record the ADDS-DC or the ADLDS instance name, so you cannot determine where the simple bind request came from. So if you are trying to track down where the calling machine is that is locking out a user, you cannot determine this from…

Avoid changing the MaxPageSize LDAP query policy

I came upon a blog post on Scott Lowe’s blog suggesting a solution to resolve AD integration issues where more than 1,000 results are returned in a query on some UNIX/LINUX systems. I will try to explain why this is a less-than-optimal solution, which could cause performance issues with the directory server. What…

Lotus Domino LDAP SSL certificate issue

While trying to set up a Lotus Domino 6.5.x server to use LDAP over SSL, it appears that it does not support a 4096-bit key length. When you try to import the root certificate into the Domino key ring, you receive the error "Certificate Signature does not match Certificate Content".

Searching Active Directory in Windows Vista

In a discussion on the ActiveDir.org mailing list today, the topic of searching Active Directory in Windows came up. On Windows 2000 or Windows XP, this can be done from the Start menu Find People dialog, but in Windows Vista this feature appears to be completely absent. The new search feature does not have a…

LDAP over SSL/TLS: How secure is your Directory?

One of the issues with using LDAP as an “Authentication” protocol for applications is that this usually means LDAP simple binds. LDAP simple binds by default will pass the userId and userPassword in clear text between the client and the server. This means that anyone or anything with access to that communication path can view…

UPN and cross-forest LDAP simple binds

Recently I was looking to help an application built on ColdFusion’s CFLDAP module, which relied upon LDAP for “authentication”, and could only be used with simple binds as a mechanism for presenting a username/password. I am working in a multi-forest and multi-domain environment, in which I try to minimize the number of user accounts needed by…

ADAM, userProxy, and sidHistory: Not always what you expected

I had an interesting afternoon today, trying to identify an issue that occurred while working on a user migration project. This is a solution I have used for many apps that only support a single Domain/Naming context when in a distributed directory environment. The benefits and issues with this for long term use will be…

Efficiency with LDAP Queries

Today I have to help troubleshoot another application with poor LDAP performance, so I figured I’d tag this here for later reference: Creating More Efficient Active Directory-Enabled Applications. Unfortunately, LDAP has become the lowest common denominator when applications say they integrate into Active Directory for “Authentication”. It seems it’s more of a “Hey we have…

LDAP Queries are spaced out…

I was looking at a metaverse object in MIIS today and noticed some admin had set the mail attribute to a single SPACE ( ) character. The Metaverse is stored in a SQL Server database, so naturally the query structure is different than any constraints of LDAP. I wanted to discover how many other user objects had…
