Saturday, June 23, 2007

Securing Active Directory for Drupal LDAP access

I don't yet have the LDAP authentication working over SSL or TLS, as I need to learn how to install the root certificate and the server certificate on the Drupal server, but that will be a different post.

First, I need to tighten down security on AD. I want the bind DN reader and updater accounts to have no rights beyond their specific purpose. You would think that would be a very easy thing to specify... ahem.

Looking here (don't you love Microsoft's refusal to adopt clean URLs?):
Assign user rights to new security groups so you can specifically define a user's administrative role in the domain.
http://technet2.microsoft.com/WindowsServer/en/library/95107162-47eb-4891-832f-0c0b15b7c8581033.mspx

Enforce account lockouts on user accounts and decrease the possibility of an attacker compromising your domain through repeated logon attempts.
http://technet2.microsoft.com/WindowsServer/en/library/91a98c38-38c5-49dc-83bf-e69d8e1dbbfa1033.mspx

Promote a secure operating environment by running your computer without administrative credentials except when required.
http://technet2.microsoft.com/WindowsServer/en/library/8782f8ab-9538-4111-8a68-7bfd130c21c01033.mspx

This is crap: user rights assignment on AD is useless for my purpose. There are far too few rights defined, and they seem way too blunt.

Found a new way:

By default, any authenticated account can search the directory. Attempting to use a plain user account as the reader account with no additional rights... it seems to work.

Updater account settings:
Create a new security group and put the updater account in it.
Right-click the domain in Active Directory Users and Computers.
Choose Delegate Control.
Add the group that contains the updater account.
Create a custom task to delegate.
Scope: only the following objects in the folder: User objects.
Permissions: Read All Properties, Write E-Mail Address (Others), Change Password, Reset Password.
How do you edit or update those delegated rights? I've just been rerunning the wizard, hoping it's smart enough to delete the prior policy.
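The Delegate Control wizard only ever adds access control entries to the domain object's security descriptor; it never removes earlier ones, so rerunning it stacks ACEs. What follows is an added example (mine, not code from the post or from the Drupal module) that creates the same four grants as explicit ACEs with the ActiveDirectory PowerShell module, scoped to descendant user objects only, and then lists what the group holds so stale entries can be found and removed. The domain example.local and the group name Drupal-Updaters are assumptions. The attribute and extended-right GUIDs are looked up from the schema and the Extended-Rights container rather than hard-coded. Note that the wizard label "E-Mail Address (Others)" maps to the otherMailbox attribute and plain "E-Mail Address" to mail; the example grants write on mail, since that is the attribute a web application normally updates, so change the lookup if otherMailbox was really intended.

```powershell
# Added example: grant the Drupal updater group the same rights the wizard delegates,
# as explicit ACEs on the domain object, inheritable by user objects only.
# Assumes Windows PowerShell with the ActiveDirectory module (RSAT) and an existing
# group "Drupal-Updaters" in the domain example.local (both names are hypothetical).
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$rootDSE    = Get-ADRootDSE
$groupSid   = (Get-ADGroup 'Drupal-Updaters').SID
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
# Descendents = apply to child objects only, not to the domain object itself.
$inherit    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Resolve GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass      = Get-SchemaGuid 'user'           # limits every ACE to user objects
$mailAttr       = Get-SchemaGuid 'mail'           # "E-Mail Address" in the wizard
$changePassword = Get-ExtendedRightGuid 'Change Password'
$resetPassword  = Get-ExtendedRightGuid 'Reset Password'

$acl = Get-Acl -Path "AD:\$domainDN"

# Read All Properties on user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    $allow, $inherit, $userClass)))

# Write the mail attribute on user objects (one attribute, not "write all").
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $allow, $mailAttr, $inherit, $userClass)))

# Change Password and Reset Password are control-access (extended) rights.
foreach ($right in @($changePassword, $resetPassword)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $right, $inherit, $userClass)))
}

Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Check: show exactly which ACEs the group now holds on the domain object.
# Stale wizard entries can be removed with $acl.RemoveAccessRule($ace) followed by Set-Acl.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like '*\Drupal-Updaters' } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The listing at the end is the answer to the "how do you edit those rights" question: the wizard's output is just ACEs on the domain object, visible in the Advanced Security tab of the domain's properties (or with dsacls on older servers), and they can be deleted there one by one. The ObjectType column shows the attribute or extended-right GUID an entry is limited to; an entry with an empty ObjectType and ReadProperty/WriteProperty is a "read all"/"write all" grant, which is the blunt kind worth hunting down.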

Testing...

Unfortunately, the following error is generated when an attempt is made to modify the password. I'm assuming this is because we're not yet running TLS:
warning: ldap_modify() [function.ldap-modify]: Modify: No such attribute in /home/.martin/icsadmin/events.icstars.org/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 226.
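Two facts about AD password writes over LDAP are worth having beside that error. First, a password is set by modifying the unicodePwd attribute with the new password wrapped in double quotes and encoded as UTF-16LE; AD accepts that write only on an SSL/TLS-protected connection and answers "Unwilling to perform" on a plain one. Second, "No such attribute" is the server's response to a modify that names an attribute the target object does not have. The following is an added example (mine, not the post's code and not the Drupal ldap_integration module) that tests the delegated updater account by resetting a test user's password over LDAPS from PowerShell with System.DirectoryServices.Protocols. The DC name dc1.example.local, the bind account updater@example.local and the target DN are assumptions; the DC's certificate must chain to a root the client trusts, which is the same certificate prerequisite mentioned at the top of the post.

```powershell
# Added example: reset a user's password through LDAPS as the delegated updater account.
# Assumes a DC dc1.example.local on port 636 with a trusted certificate, a bind account
# updater@example.local holding the Reset Password right, and a target test user
# (all names hypothetical).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-UnicodePwd([string]$plain) {
    # AD requires the new password in double quotes, encoded as UTF-16LE.
    [System.Text.Encoding]::Unicode.GetBytes('"' + $plain + '"')
}

function Reset-LdapPassword {
    param(
        [string]$Server,
        [pscredential]$Bind,
        [string]$TargetDn,
        [string]$NewPassword
    )

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    # Simple (Basic) bind sends the updater's password in clear, so it too must ride on SSL.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
        $id, $Bind.GetNetworkCredential(),
        [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    # Bind() fails here if the DC certificate is not trusted by this client.
    $conn.Bind()

    # A reset is a single Replace of unicodePwd; it needs the Reset Password right
    # and not the old password (a user-initiated change would be Delete old + Add new).
    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name      = 'unicodePwd'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$mod.Add((ConvertTo-UnicodePwd $NewPassword))

    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest($TargetDn, $mod)
    try {
        $resp = $conn.SendRequest($req)
        $resp.ResultCode      # Success when the delegation and the TLS session are right
    }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # UnwillingToPerform: not an encrypted session, or policy rejected the password.
        # InsufficientAccessRights: the updater lacks Reset Password on this object.
        $_.Exception.Response.ResultCode
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (prompts for the updater account's password):
# Reset-LdapPassword -Server 'dc1.example.local' `
#     -Bind (Get-Credential 'updater@example.local') `
#     -TargetDn 'CN=Test User,OU=Staff,DC=example,DC=local' `
#     -NewPassword 'Example-Pass-2007!'
```

The same encoding applies on the PHP side: the value passed to ldap_mod_replace() for unicodePwd has to be the quoted password converted with mb_convert_encoding(..., 'UTF-16LE'), and the connection has to be ldaps:// or have ldap_start_tls() succeed first. Running the reset from PowerShell first separates the AD delegation and TLS problems from whatever the Drupal module is doing.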

Need to define some policies for locking out accounts after a number of failed password attempts.
