Simple bind events don’t record the calling Computer as the source, but record the ADDS-DC or the ADLDS instance name, so you cannot determine where the simple bind request came from. So if you are trying to track down where the calling machine is that is locking out a user, you cannot determine this from [...]
LDAP
I came upon a blog post on Scott Lowe’s blog suggesting a solution to resolve AD integration issues where more than 1,000 results are returned in a query on some UNIX/LINUX systems. I will try to explain why this is a less than optimal solution, which could cause performance issues with the directory server. What [...]
While trying to set up a Lotus Domino 6.5.x server to use LDAP over SSL, it appears that it does not support a 4096-bit key length. When you try to import the root certificate into the Domino key ring, you receive the error "Certificate Signature does not match Certificate Content".
In a discussion on the ActiveDir.org mailing list today, the topic of searching Active Directory from Windows came up. From Windows 2000 or Windows XP, this can be done from the Start menu Find People dialog, but in Windows Vista this feature appears to be completely absent. The new search feature does not have a [...]
One of the issues with using LDAP as an “Authentication” protocol for applications is that this usually means LDAP simple binds. LDAP simple binds by default will pass the userId and userPassword in clear text between the client and the server. This means that anyone or anything with access to that communication path can view [...]
Recently I was looking to help with an application built on ColdFusion’s CFLDAP module, which relied upon LDAP for “authentication”, and could only use simple binds as a mechanism for presenting a username/password. I am working in a multi-forest, multi-domain environment, in which I try to minimize the number of user accounts needed by [...]

I had an interesting afternoon today, trying to identify an issue that occurred while working on a user migration project. This is a solution I have used for many apps that only support a single Domain/Naming context when in a distributed directory environment. The benefits and issues with this for long term use will be [...]
Today I have to help troubleshoot another application with poor LDAP performance, so I figured I’d tag this here for later reference: Creating More Efficient Active Directory-Enabled Applications. Unfortunately, LDAP has become the lowest common denominator when applications say they integrate into Active Directory for “Authentication”. It seems it’s more of a “Hey we have [...]

It was discovered quite a while ago that, due to an RFC for LDAP, using Bind Redirection for simple bind authentication back to Active Directory could be a problem. I will explain the scenario, and then explain the issue, since it was kind of an “Ah Ha” moment when I came across this. ADAM is [...]
