active directory as a powerful ldap server the unknown
play

Active Directory as a powerful LDAP server: the unknown tips Alban - PowerPoint PPT Presentation

Nov 26, 2023 •150 likes •429 views

Active Directory as a powerful LDAP server: the unknown tips Alban Meunier SmartWave SA 45 min Introduction Active Directory context NT inheritance SAM (Security Account Manager, Samba V3) Active Directory (2000 2003)

  1. Active Directory as a powerful LDAP server: the unknown tips Alban Meunier SmartWave SA 45 min

  2. Introduction

  3. Active Directory context ● NT inheritance – SAM (Security Account Manager, Samba → V3) – Active Directory (2000 → 2003) – Active Directory Domain Service (2008 → ) ● Budget under pressure ● Implemented everywhere 3 Nov. 2015 AD as powerful LDAP server

  4. Standard vs proprietary ● Winner and losers https://www.netmarketshare.com/operating-s

  5. 5 Nov. 2015 AD as powerful LDAP server

  6. AD: yes, looks like a LDAP server ● Root DSE ● 15 Supported Controls – Server sort, Pages result – AD related like crossdom_move_target , … – Note: C++ source code available https://msdn.microsoft.com/en-us/library/aa366977(v=vs.85).aspx ● LDAP listener (389/636, 3268/3269) ● CN=Schema,CN=Configuration,DC=example,dc=com ● …. 6 Nov. 2015 AD as powerful LDAP server

  7. Schema https://msdn.microsoft.com/en-us/library/ms675085(v=vs.85).aspx ● Standard schema – OrganizationalUnit, OrganizationalPerson – InetOrgPerson (2003 ->) – NIS: nisMap, nisNetgroup, nisObject ● Microsoft schema – Because AD is a Microsoft product: Ms..., NT… – Because AD is part of Windows server: PKI, RRAS, site, DNS, IPSEC, ... – Because Microsoft is Microsoft ● groupOUniqueNames, Group-of-Names (Ldap-Display-Name = ….), Group ● Top: 118 attributes – When-Created, NT-Security-Descriptor, Object-Guid, USN-Changed, ... – Description, WWW-Home-Page, Is-Member-Of-DL, … 7 Nov. 2015 AD as powerful LDAP server

  8. Schema

  9. Schema ● MS Exchange extension ● Your own extension – ldifde.exe -v -i -f mySuperSchemaExt.ldif – Syntax for attributes and objectClass – Validate each record by dn: changetype: modify add: schemaUpdateNow schemaUpdateNow: 1 - 9 Nov. 2015 AD as powerful LDAP server

  10. Example dn: CN=myUniqueKey,CN=Schema,CN=Configuration,DC=example,DC=com changetype: add adminDescription: myUniqueKey adminDisplayName: myUniqueKey attributeID: 1.3.6.1.4.1.38427.389.200.2 attributeSyntax: 2.5.5.12 dn: CN=myUser,CN=Schema,CN=Configuration,.. cn: myUniqueKey changetype: ntdsschemaadd IsDefunct: FALSE adminDescription: Auxiliary class for USER isMemberOfPartialAttributeSet : TRUE adminDisplayName: myUser isSingleValued: FALSE cn: myUser lDAPDisplayName : myUniqueKey defaultHidingValue: FALSE objectClass: attributeSchema defaultSecurityDescriptor : D:S: objectClass: top governsID: 1.3.6.1.4.1.38427.389.100.1 oMSyntax: 64 IsDefunct: FALSE rangeLower: 1 ldapDisplayName: myUser rangeUpper: 64 mayContain : myUniqueKey searchFlags: 5 objectClass: classSchema showInAdvancedViewOnly : FALSE objectClass: top systemOnly: FALSE objectClassCategory: 3 possSuperiors : user dn: rDNAttID : cn changetype: modify showInAdvancedViewOnly: FALSE add: schemaUpdateNow subClassOf : user schemaUpdateNow: 1 systemOnly: FALSE - 10 Nov. 2015 AD as powerful LDAP server

  11. Common objects ● ● 262688/ 262690 same but Smartcard required – Advanced (!(userAccountControl=2)) vs (!(userAccountControl:1.2.840.113556.1.4.803:=2)) 11 Nov. 2015 AD as powerful LDAP server

  12. Common objects ● Group of users, contacts, computers, groups ● Group type – Security (groupType=2147483648) – Distribution (!(groupType=*)) ● Group scope – Domain local (groupType=4) – Global (groupType=2) – Universal (groupType=8) 12 Nov. 2015 AD as powerful LDAP server

  13. Group membership ● the cross domain challenge (&(objectclass=user) (memberof=CN=grp1,OU=Groups,DC=examp le,DC=com)) ● nested groups (&(objectclass=group) (member:1.2.840.113556.1.4.1941:=CN= user.99,OU=Users,DC=example,DC=com)) 13 Nov. 2015 AD as powerful LDAP server

  14. Common objects ● Contacts (no SSID = no authN) ● Computers (objectclass=computer) ● Others – Managed Service Account (2008R2 ->, Win7 ->) ● New-ADServiceAccount [accountname] ● Install-ADServiceAccount [accountname] 14 Nov. 2015 AD as powerful LDAP server

  15. Windows domain ● GUID – Global Unique Identifier = 128 bits uniqueKey = objectGUID – Unique across the world for each object ● SSID – Security Identifier from NT users and groups, stored in objectSID – For ACL and access rights – Can change when moving the hosting domain (Merge, split, migrate) – S-1-5-32-544 : ● A revision level, 1 ● An identifier authority value, 5 (NT Authority) ● A domain identifier, 32 (Builtin) ● A relative identifier, 544 (Administrators) ● A relative identifier, 513 (domain users) 15 Nov. 2015 AD as powerful LDAP server

  16. Windows domain ● Replication – One or more sites – Update Sequence Number (USN) – Stamps - Each object has a stamp with the version number, timestamp, and the GUID of the domain controller where the change was made – Knowledge Consistency Checker (KCC) – REPADMIN /SHOWREPL * /CSV (now ADREPLSTATUS) – LDAP (389,636,3268) and Kerberos, DNS, SMB, FRS ● Global catalog – Domain wise and not server specific (=> ldap://example.com/ is OK) – Subset of entries and data – Find servers hosting GC ● BaseDN: cn=sites,CN=Configuration,DC=example,DC=com ● Scope: subtree ● Filter: (&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1)) 16 Nov. 2015 AD as powerful LDAP server

  17. Authentication ● user identification ● id/password – DN, GUID (LDAP://servername/<GUID=XXXXX>), SID ● Kerberos ● Strong authentication (Certificate) ● FIDO in future AD release ● Machine authentication 17 Nov. 2015 AD as powerful LDAP server

  18. Access rights ● default behavior ● Security descriptor vs Access Control List – NTSecurityDescriptor – msExchMailboxSecurityDescriptor ● Manage access rights – Group Policy Management Console (GPMC) – dsacls.exe dsacls “cn=mickey mouse,ou=people,dc=example,dc=com” – Powershell (Get-Acl 'cn=mickey mouse,ou=people,dc=example,dc=com').access | ft identityreference, accesscontroltype -AutoSize 18 Nov. 2015 AD as powerful LDAP server

  20. Access rights

  21. Logs ● Event viewer ● GPO – Directory Service Access – Directory Service Changes – Directory Service Replication – Detailed Directory Service Replication ● auditpol /set /subcategory:"directory service changes" /success:enable ● In SASLs ● LDAP logging – → 2012 – 2012 → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\"16 LDAP Interface Events"=dword:0000000 5 21 Nov. 2015 AD as powerful LDAP server

  22. Tools ● Microsoft Management Console (MMC) ● ADUC vs ADAC ● adsiedit.msc ● ldp.exe ● ldifde.exe ldifde -i -u -f myData.ldif -s server:port -b username domain password -j . -c "cn=Configuration,DC=xxxx" ● DS tools (dsquery, dsadd, dsmod, dsacls) ● Powershell Import-Module ActiveDirectory -PSSession $s – 22 Nov. 2015 AD as powerful LDAP server

  23. Password policy Reset password: the challenge ● Prepare access rights – Create a basic domain account with no additional privileges – Use Delegate control wizard from within ADUC ● User objects ● Reset password ● Write lockoutTime (if unlock is enabled) ● Write shadowlastchange ● Prepare Password MySecretPassword → double quote → “MySecretPassword” → base64 UTF-16 → IAAcIE0AeQBTAGUAYwByAGUAdABQAGEAcwBzAHcAbwByAGQAHSA= ● Apply to user LDAPS → ldapmodify UnicodePwd :: IAAcIE0AeQBTAGUAYwByAGUAdABQAGEAcwBzAHcAbwByAGQAHSA= 23 Nov. 2015 AD as powerful LDAP server

  24. Password policy ● Default domain password policy (gpmc.msc) – Password Policy (history, strength) – Account Lockout Policy ()

  25. Looking around ● AD LDS ● ADFS (Identity federation) ● Microsoft Azure Active Directory 25 Nov. 2015 AD as powerful LDAP server

  26. Conclusion ● Active Directory is a true LDAP server ● Multiple MS tools set ● Standard and MS oriented approach coexist ● Take time to discover and test capabilities 26 Nov. 2015 AD as powerful LDAP server

  27. Questions are welcome now or later

Recommend

Integrating OpenStack with Active Directory (Because AD != LDAP) Craig Jellick

Integrating OpenStack with Active Directory (Because AD != LDAP) Craig Jellick

Integrating OpenStack with Active Directory (Because AD != LDAP) Craig Jellick Mike Dorman cjellick@godaddy.com mdorman@godaddy.com Go Daddy OpenStack Cloud Platform Group Agenda OpenStack at Go Daddy Keystone

875 views • 28 slides
Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP LDAP Servers Information Structure Protocol Overview LDAP operations UNDERSTANDING LDAP LDAP stands for Lightweight Directory Access

268 views • 12 slides
Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory Unlike the earlier Microsoft Windows NT 4.x Domain directory service which used proprietary DCE/RPC calls, Active Directory is based on standard

557 views • 27 slides
How we implemented an LDAP directory Multiple Simultaneous Requests . . . . . . . . . . . . . . .

How we implemented an LDAP directory Multiple Simultaneous Requests . . . . . . . . . . . . . . .

Getting Started What do you already know about ldap ? . . . . . . . . . . . . . . slide #3 What Do You Want? . . . . . . . . . . . . . . . . . . . . . . . . . . . . slide #4 Argument for LDAP Account Information . . . . . . . . . . . . . . . . .

442 views • 26 slides
LDAP (Lightweight Directory Access Protocol) wangth Computer Center, CS, NCTU What is Directory

LDAP (Lightweight Directory Access Protocol) wangth Computer Center, CS, NCTU What is Directory

LDAP (Lightweight Directory Access Protocol) wangth Computer Center, CS, NCTU What is Directory Service? What is Directory Service ( ) Highly optimized for reads Implements a distributed model for storing information

554 views • 39 slides
LDAP (Lightweight Directory Access Protocol) tzute Computer Center, CS, NCTU What is Directory

LDAP (Lightweight Directory Access Protocol) tzute Computer Center, CS, NCTU What is Directory

LDAP (Lightweight Directory Access Protocol) tzute Computer Center, CS, NCTU What is Directory Service? What is Directory Service ( ) Highly optimized for reads. Implements a distributed model for storing

854 views • 39 slides
UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity System UCSBnetID authentication UCSB-wide student and employee info http://www.identity.ucsb.edu/ LDAP Overview Lightweight Directory Access Protocol

604 views • 24 slides
Apache Directory Studio A new Open Source LDAP &amp; Directory Tooling Platform Stefan Seelmann

Apache Directory Studio A new Open Source LDAP &amp; Directory Tooling Platform Stefan Seelmann

Apache Directory Studio A new Open Source LDAP &amp; Directory Tooling Platform Stefan Seelmann &amp; Pierre-Arnaud Marcelot seelmann@apache.org pamarcelot@apache.org Apache Directory Studio, a new Open Source LDAP &amp; Directory Tooling

291 views • 18 slides
Towards a Common Java LDAP API Emmanuel Lecharny Apache Directory elecharny@apache.org Ludovic

Towards a Common Java LDAP API Emmanuel Lecharny Apache Directory elecharny@apache.org Ludovic

Towards a Common Java LDAP API Emmanuel Lecharny Apache Directory elecharny@apache.org Ludovic Poitou OpenDS ludovic.poitou@sun.com A poor man's choice: JNDI or JLDAP/Netscape LDAP SDK Good News: Apache Directory Client API OpenDS

678 views • 20 slides
Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory

Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory

Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory Collection of related objects Files, Printers, Fax servers etc. Directory Service Information needed to use and manage the objects. Source

438 views • 27 slides
Directory Services A service that stores collections of bindings between names and attributes, and

Directory Services A service that stores collections of bindings between names and attributes, and

Directory Services A service that stores collections of bindings between names and attributes, and looks up entries that match attribute-based specifications (e.g., Microsoft's Active Directory Service, X.500 and LDAP) Case Study - X.500

515 views • 12 slides
How we implemented an LDAP directory for Laboratories A Case Study at Hong Kong Institute of

How we implemented an LDAP directory for Laboratories A Case Study at Hong Kong Institute of

How we implemented an LDAP directory for Laboratories Nick Urbanik How we implemented an LDAP directory for Laboratories A Case Study at Hong Kong Institute of Vocational Education (Tsing Yi), Department of ICT Nick Urbanik

1.17k views • 106 slides
LDB and the LDAP server in Samba4 Simo Sorce Samba Team idra@samba.org simo.sorce@quest.com

LDB and the LDAP server in Samba4 Simo Sorce Samba Team idra@samba.org simo.sorce@quest.com

LDB and the LDAP server in Samba4 Simo Sorce Samba Team idra@samba.org simo.sorce@quest.com http://www.samba.org/~idra What is LDB ? LDB is an LDAP-like database interface LDAP-like data model support LDAP like search expressions but it

1.03k views • 24 slides
Restore von Active Directory mit einer von HP entwickelten Lsung (Recovering from Active

Restore von Active Directory mit einer von HP entwickelten Lsung (Recovering from Active

Restore von Active Directory mit einer von HP entwickelten Lsung (Recovering from Active Directory Disasters) Guido Grillenmeier Senior Consultant Technology Solutions Group Hewlett-Packard Agenda What is a Disaster? Authoritative

363 views • 19 slides
Sun Identity Management &amp; Open Directory Jennifer Walbank/Pascal

Sun Identity Management &amp; Open Directory Jennifer Walbank/Pascal

Sun Identity Management &amp; Open Directory Jennifer Walbank/Pascal Grosvenor, LDAP Guru from the server group :) &amp; Berry Mak University of Technology,

555 views • 31 slides
The LDAP Directory Schema AGENDA Why do we need a good schema? From the White Pages to

The LDAP Directory Schema AGENDA Why do we need a good schema? From the White Pages to

The LDAP Directory Schema AGENDA Why do we need a good schema? From the White Pages to Access Control The Design Process The available Standards Best Practices The User object The plumbing Implementing the Schema

494 views • 47 slides
Netscape Directory and Calendar Server More information on :

Netscape Directory and Calendar Server More information on :

Netscape Directory and Calendar Server More information on : http://www.cs.kuleuven.ac.be/faq/Calendar (also via home page DeptCW &gt; Interne Informatie &gt; FAQ &gt; Directory &amp; Calendar Servers) Date: 18/02/2000 Slide 1

664 views • 31 slides
LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 others for extensions Many

LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 others for extensions Many

What is LDAP Lightweight Directory Access Protocol Phonebook Based on X.500 DAP on OSI stack Developed in '93 @ UMich LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 others for extensions Many implementations OpenLDAP

544 views • 6 slides
Azure Active Directory Provider The Azure Provider can be used to congure infrastructure in

Azure Active Directory Provider The Azure Provider can be used to congure infrastructure in

Azure Active Directory Provider The Azure Provider can be used to congure infrastructure in Azure Active Directory (https://azure.microsoft.com/en- us/services/active-directory/) using the Azure Resource Manager API's. Documentation regarding

925 views • 46 slides
The LDAP Directory Life After Sun A story of migration Alban MEUNIER IdM Senior consultant

The LDAP Directory Life After Sun A story of migration Alban MEUNIER IdM Senior consultant

The LDAP Directory Life After Sun A story of migration Alban MEUNIER IdM Senior consultant ameunier@smartwavesa.com www.smartwavesa.com Agenda Introduction Common layer Migrate a standalone instance Migrate a replicated infra

876 views • 32 slides
DESIRE II LDAP Indexing System 45 IETF, Oslo LDAP Service Deployment - Take 2 BoF 15. July 1999

DESIRE II LDAP Indexing System 45 IETF, Oslo LDAP Service Deployment - Take 2 BoF 15. July 1999

DESIRE DESIRE II LDAP Indexing System 45 IETF, Oslo LDAP Service Deployment - Take 2 BoF 15. July 1999 Peter Gietz, University of Tbingen Peter.Gietz@directory.dfn.de DESIRE LDAP Index system

855 views • 12 slides
Infrastructure Systems Fred Seaton, Sr. UNIX Administrator SERVICES PROVIDED

Infrastructure Systems Fred Seaton, Sr. UNIX Administrator SERVICES PROVIDED

Infrastructure Systems Fred Seaton, Sr. UNIX Administrator SERVICES PROVIDED Infrastructure: VMWare, UNIX, Windows, and Mac servers Authentication Services: CAS , LDAP, Active Directory, Open Directory Email Services:

128 views • 8 slides
Windows.NET Windows.NET Beta 3 Beta 3 Active Directory New Features Directory New Features

Windows.NET Windows.NET Beta 3 Beta 3 Active Directory New Features Directory New Features

25. DECUS Symposium 16.04.2002 Windows.NET Beta 3 Windows.NET Windows.NET Beta 3 Beta 3 Active Directory New Features Directory New Features Active Active Directory New Features Wolfgang Werner Wolfgang Werner Compaq Compaq Decus Bonn

588 views • 31 slides
Active Directory Security: The Journey Sean Metcalf (@Pyrotek3) s e a n [@] TrimarcSecurity.com

Active Directory Security: The Journey Sean Metcalf (@Pyrotek3) s e a n [@] TrimarcSecurity.com

Active Directory Security: The Journey Sean Metcalf (@Pyrotek3) s e a n [@] TrimarcSecurity.com www.ADSecurity.org TrimarcSecurity.com ABOUT Founder Trimarc, a security company. Microsoft Certified Master (MCM) Directory Services

1.35k views • 100 slides

More recommend