Preparing Locked-Down Active Directory for LDAP Authentication

Thanks to http://www.dscentral.in/2011/08/17/locked-down-active-directory-ldap-authentication/


Configuring LDAP authentication in a firewall, UTM, Subversion server, etc. generally only requires a valid Active Directory user. This is because, by default, the “Authenticated Users” special group has Read and List Contents permissions on almost all Active Directory containers.

However, in a locked-down Active Directory the Authenticated Users ACEs are removed from the default Active Directory containers, including the Users and Systems containers and the OUs where User and Computer objects are stored. Permission inheritance is also disabled on containers of User, Contact, InetOrgPerson, or Computer objects.

This post focuses on identifying the security permissions that must be configured in a locked-down Active Directory, by walking through the LDAP authentication protocol flow in detail. To configure an LDAP client such as Subversion Server for LDAP authentication, refer to the post “LDAP Authentication between COLLABNET Subversion Edge and Active Directory”.

LDAP Authentication Protocol Flow

This is generally a three-step process. First, the LDAP client authenticates to Active Directory as a valid user (the bind user). Then it confirms that the username being authenticated exists in Active Directory by sending a SearchRequest. If the user is found in the SearchResponse, the client connects to Active Directory as that user. If that connection succeeds the authentication is successful; otherwise it fails. The actual password of the authenticating user is never retrieved from Active Directory.

  1. BindRequest from Bind User
  2. SearchRequest – Find authenticating user in Base DN
  3. BindRequest from Authenticating User
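The three steps above, written out as an added example of what an LDAP client actually sends, using the .NET System.DirectoryServices.Protocols classes from PowerShell. This is illustrative code, not from the original post or from any particular product; the server name, Base DN and account names are assumptions, and LDAPS on port 636 is assumed because a simple bind carries the password in the request.

```powershell
# Added example (not from the original post): the three-step flow an LDAP client runs
# when authenticating a user against Active Directory. Server, OU and account names
# are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapUserLogon {
    param(
        [Parameter(Mandatory)] [string]       $Server,        # e.g. 'dc01.corp.example:636' (assumed, LDAPS)
        [Parameter(Mandatory)] [string]       $BaseDn,        # e.g. 'OU=SVN Users,DC=corp,DC=example' (assumed)
        [Parameter(Mandatory)] [pscredential] $BindUser,      # bind account, entered as CORP\ldapsvc (assumed)
        [Parameter(Mandatory)] [string]       $UserName,      # sAMAccountName typed at the login prompt
        [Parameter(Mandatory)] [securestring] $UserPassword   # password typed at the login prompt
    )
    $result = [ordered]@{ User = $UserName; Authenticated = $false; Reason = '' }

    # Step 1: BindRequest from the bind user. Any valid AD account can bind;
    # no special rights are needed for this step.
    $bindConn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $bindConn.SessionOptions.ProtocolVersion   = 3
    $bindConn.SessionOptions.SecureSocketLayer = $true   # simple bind sends the password, so use LDAPS
    $bindConn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    try {
        $bindConn.Bind($BindUser.GetNetworkCredential())

        # Step 2: SearchRequest below the Base DN. In a locked-down AD this is the step
        # that needs "List Contents" (plus "Read All Properties" when attributes are
        # requested) on the OU and its children; without it the DC returns zero entries.
        # Escape the RFC 4515 filter metacharacters in the user-supplied name first.
        $escaped = $UserName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $filter  = "(&(objectClass=user)(sAMAccountName=$escaped))"
        $search  = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDn, $filter,
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('distinguishedName', 'memberOf'))
        $response = [System.DirectoryServices.Protocols.SearchResponse] $bindConn.SendRequest($search)
        if ($response.Entries.Count -ne 1) {
            $result.Reason = "search returned $($response.Entries.Count) entries (user missing, or bind user lacks List Contents)"
            return [pscustomobject] $result
        }
        $userDn = $response.Entries[0].DistinguishedName
    } finally {
        $bindConn.Dispose()
    }

    # Step 3: BindRequest from the authenticating user, using the DN found in step 2.
    # The DC verifies the password; the client never reads it from the directory.
    $userConn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $userConn.SessionOptions.ProtocolVersion   = 3
    $userConn.SessionOptions.SecureSocketLayer = $true
    $userConn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    try {
        $userConn.Bind([System.Net.NetworkCredential]::new($userDn, $UserPassword))
        $result.Authenticated = $true
        $result.Reason = "bind as $userDn succeeded"
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # resultCode 49 (invalidCredentials) is the ordinary wrong-password outcome
        $result.Reason = "bind as $userDn failed: $($_.Exception.Message)"
    } finally {
        $userConn.Dispose()
    }
    return [pscustomobject] $result
}

# Example use (values are assumptions):
$svc = Get-Credential -Message 'Bind account, e.g. CORP\ldapsvc'
$pw  = Read-Host -AsSecureString -Prompt 'Password of the user to test'
Test-LdapUserLogon -Server 'dc01.corp.example:636' -BaseDn 'OU=SVN Users,DC=corp,DC=example' `
    -BindUser $svc -UserName 'jdoe' -UserPassword $pw
```

The useful diagnostic is the Reason field from step 2: in a locked-down domain a correct username and password still fail when the bind user cannot list the Base OU, and the symptom is an empty SearchResponse rather than an error, which is why the permission work in the rest of this post matters.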

LDAP Authentication Protocol Flow (diagram by dscentral.in)

Configuring Permissions/Delegating Rights to LDAP Bind User

As you can see in the LDAP Authentication Protocol Flow, there are two BindRequest/BindResponse pairs. A BindRequest only requires a valid user. However, the actual user is searched for in the Base OU before it is authenticated by the second BindRequest/BindResponse. During this step the LDAP client may also ask for more information, such as the user's groups and their memberships, email address or phone number. Accordingly, the LDAP bind user must have permissions configured on the Base OU.

Rights can be assigned on specific OUs or over the complete domain. However, it is better to create a separate OU in Active Directory for SVN users. This reduces the attack surface if the bind user is compromised, since its username and password are entered into the configuration of other systems.

For simple user authentication the LDAP bind user needs at least “List Contents” rights on the Base OU. Grant “Read All Properties” as well if the LDAP search requests more attributes.

For the search to span all OUs under the Base OU, apply the permissions to “This object and all child objects”. You can also use the “Delegate Control” wizard for this.

Turn on the “Advanced Features” view to see the “Security” tab in the OU’s properties.

Active Directory Advanced Features (screenshot by dscentral.in)

Open “Advanced Security Settings” for the “SVN Users” OU: right-click the OU, select “Properties”, then the “Security” tab, then “Advanced”.

Advanced Security Settings (screenshot by dscentral.in)

Add the user “ldapsvc” and assign the “List Contents” permission for “This object and all child objects”, as shown below.
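The same delegation done from PowerShell instead of the GUI, as an added example that is not part of the original post. It uses the ActiveDirectory module's AD: drive; the OU distinguished name, the domain name in the dsacls comment and the account name are assumptions. “List Contents” corresponds to ActiveDirectoryRights.ListChildren, “Read All Properties” to ReadProperty with no property GUID, and “This object and all child objects” to ActiveDirectorySecurityInheritance.All.

```powershell
# Added example (not from the original post): grant the bind user the rights the post
# configures in the GUI, and read them back for verification. OU and account names are
# assumptions.
Import-Module ActiveDirectory

function Grant-LdapBindRights {
    param(
        [Parameter(Mandatory)] [string] $BaseOuDn,   # e.g. 'OU=SVN Users,DC=corp,DC=example' (assumed)
        [Parameter(Mandatory)] [string] $BindUser,   # e.g. 'ldapsvc'
        [switch] $ReadAllProperties                  # add "Read All Properties" if the search returns attributes
    )
    $sid = (Get-ADUser -Identity $BindUser).SID

    # GUI "List Contents" = ListChildren; GUI "Read All Properties" = ReadProperty (no GUID).
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren
    if ($ReadAllProperties) {
        $rights = $rights -bor [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    }

    # Inheritance "All" is the GUI's "This object and all child objects", so a subtree
    # search from the Base OU can descend into every child OU.
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $acl = Get-Acl -Path "AD:\$BaseOuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$BaseOuDn" -AclObject $acl

    # Read the ACL back and return only the bind user's ACEs, so the result is checkable:
    # expect ListChildren (and ReadProperty if requested) with InheritanceType All.
    (Get-Acl -Path "AD:\$BaseOuDn").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$BindUser" } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType
}

# Example use (values are assumptions):
Grant-LdapBindRights -BaseOuDn 'OU=SVN Users,DC=corp,DC=example' -BindUser 'ldapsvc'

# Equivalent one-liner with the built-in dsacls tool (domain CORP assumed):
#   dsacls "OU=SVN Users,DC=corp,DC=example" /I:T /G "CORP\ldapsvc:LC"
# /I:T = this object and all child objects; LC = List Contents; add RP for Read Property.
```

Keeping the grant to ListChildren (and ReadProperty only when the client actually requests attributes) on the dedicated SVN Users OU matches the least-privilege point made earlier: a compromised ldapsvc password, which sits in the Subversion configuration, then yields no more than the ability to enumerate that one OU.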