Changes

591 bytes added, 00:54, 20 July 2014
Line 54: Line 54:  
| (userAccountControl:1.2.840.113556.1.4.803:=2)
 
| (userAccountControl:1.2.840.113556.1.4.803:=2)
 
| Filters on not disabled account.  Sometimes this needs to be preceded with a <code>!</code> to negate the filter.
 
| Filters on not disabled account.  Sometimes this needs to be preceded with a <code>!</code> to negate the filter.
 +
|-
 +
| Account Suffix
 +
| @PS1
 +
| When attempting to check password, the sAMAccountName needs the suffix appeneded to it.
 
|-
 
|-
 
| mail
 
| mail
 
| mail
 
| mail
 
| ldap field that stores the user's email address
 
| ldap field that stores the user's email address
 +
| Minimum password length
 +
| 1
 +
| AD lets users bind to ldap with 0 length passwords.  It's fscked up, but accepted.
 
|}
 
|}
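Review bot: The added "Minimum password length" row has no `|-` row separator in front of it, so its three cells will be appended to the preceding mail row instead of forming a row of their own; add a `|-` line before `| Minimum password length`, as was done for the Account Suffix row. In the Account Suffix description, "appeneded" should be "appended". The Minimum password length description says only that AD accepts 0 length passwords; it should also say what the value 1 protects against, so the row stands alone for someone reading only the table.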
   Line 64: Line 71:  
*  You almost always want to get debug info for ldap when setting up.  There are a lot of things that can go wrong.
 
*  You almost always want to get debug info for ldap when setting up.  There are a lot of things that can go wrong.
 
*  Start without the filter field, add it later.
 
*  Start without the filter field, add it later.
 +
*  When a service checks a password, it usually attempts to bind to samba as that user.  To bind successfully, it needs to bind as user@PS1
 +
*  If you try and bind to ldap with a 0 length password, it "works", sort of.  There is no error, but you can't access anything substantial.  This is enough to fool services into thinking that the password was correct.
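Review bot: The first added bullet says services bind "to samba", while the rest of the section and the table refer to ldap and AD; name the same server throughout so it is clear which bind needs the user@PS1 form. The 0 length password bullet describes the failure (a bind that returns no error and fools the service) but not the fix; reference the Minimum password length setting of 1 from the table so the mitigation sits next to the warning. "try and bind" reads better as "try to bind".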