000022669 - Use sdaceldap with Active Directory without Binding as a user (Anonymous access)

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017. Version 2.

Article Content

Article Number: 000022669
Applies To: sdaceldap; Microsoft Active Directory
Issue: Use sdaceldap with Active Directory without binding as a user (anonymous access). Cannot view objects in the directory.
Cause: Anonymous permissions in Active Directory are controlled by the group Everyone.
Resolution: Change the permissions on the parent container of the users to allow Read permission by Everyone.
You will need ADSI Edit to change the permissions on the container; install the Windows 2000 Support Tools from the /Support/Tools directory on the Windows 2000 CD.

1. Go to Start -> Run and enter mmc.
2. Go to Console -> "Add/Remove Snap-in".
3. On the Standalone tab, select Add.
4. Select "ADSI Edit" and click OK.
5. Right-click "ADSI Edit" and select "Connect to".
6. Accept the default "Domain NC".
7. Browse to the container you would like to change.
8. Right-click the container and select Properties.
9. Select the Security tab.
10. Select Add, enter the group "Everyone", select Add, then OK.
    By default, Read access is allowed to the container object only.
11. Select "Advanced".
12. Highlight the entry "Allow Everyone Read This Object Only".
13. Select View/Edit.
14. Next to "Apply Onto", select "This object and all child objects".
15. Check the option "Apply these permissions to objects and/or containers within this container only".
16. Select Apply, then OK.
Sdaceldap will now be able to find and import users without binding as a specific user.

Warning: The changes above will make it possible for anyone to read all objects in the container that has been modified. Do not implement these changes if the container holds information, such as user attributes, that needs to be kept secure.
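As an added defender's check that is not part of the original article: a PowerShell script that lists which ACEs on a container grant Everyone or ANONYMOUS LOGON read rights and how far they inherit, so the exposure the warning above describes can be audited before and after the change. It assumes the ActiveDirectory module and its AD: drive on a domain-joined host, and uses a placeholder container DN; the dSHeuristics check applies to Windows Server 2003 and later, where anonymous LDAP reads beyond rootDSE stay disabled unless that attribute's seventh character is 2.

```powershell
# Added example, not part of the RSA article: audit a container for ACEs that let
# Everyone (S-1-1-0) or ANONYMOUS LOGON (S-1-5-7) read it, and report how far each
# ACE inherits. Assumes the ActiveDirectory module (its AD: drive) on a domain-joined host.
Import-Module ActiveDirectory

function Get-AnonymousReadAces {
    param([Parameter(Mandatory)][string]$ContainerDN)

    $readRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ReadProperty, ListChildren, ListObject'
    $watched = @('S-1-1-0', 'S-1-5-7')   # Everyone, ANONYMOUS LOGON

    $acl = Get-Acl -Path "AD:\$ContainerDN"
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($watched -notcontains $sid) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $readRights) -eq 0) { continue }
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            # None = this object only; SelfAndChildren = this object and its immediate
            # children (what steps 14-15 above produce); All = the whole subtree
            Inheritance = $ace.InheritanceType
            # An empty ObjectType GUID means the ACE covers every attribute of the object
            ObjectType  = $(if ($ace.ObjectType -eq [guid]::Empty) { 'all attributes' } else { $ace.ObjectType })
            Inherited   = $ace.IsInherited
        }
    }
}

function Test-AnonymousLdapEnabled {
    # Windows Server 2003 and later refuse anonymous LDAP operations beyond rootDSE
    # unless the seventh character of dSHeuristics is '2', so a permissive ACL alone
    # does not expose the container on those forests.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties dSHeuristics
    $h   = [string]$ds.dSHeuristics
    return ($h.Length -ge 7 -and $h[6] -eq '2')
}

$container = 'OU=Users,DC=example,DC=com'   # placeholder DN, replace with your container
"Anonymous LDAP operations enabled on this forest: $(Test-AnonymousLdapEnabled)"
Get-AnonymousReadAces -ContainerDN $container | Format-Table -AutoSize
```

Run it before the change to confirm the container is not already readable by Everyone, and after it to verify the ACE inherits only as far as the procedure intends.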

Security considerations for why you would implement the above and allow anonymous access rather than binding as a user:
- If you are not using SSL to connect to Active Directory, binding as a user would send a username and password across the network unprotected.
- If you are scripting sdaceldap to run at off-peak hours, you will not want to store the password on the system in a file.
Legacy Article ID: a3462