Adding LDAP role to domain controller
-
@Dashrender said in Adding LDAP role to domain controller:
@scottalanmiller said in Adding LDAP role to domain controller:
@Dashrender said in Adding LDAP role to domain controller:
@scottalanmiller said in Adding LDAP role to domain controller:
@Dashrender said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller : >
Now, I do know customers who have Synology and Qnap NAS that rely on AD for file shares and such. I would think these would be affected?
I would agree with you.
Why? They don't use LDAP, if they are affected, every Windows desktop is affected.
I just reread this - what do you mean they don't use LDAP? I mean - OK I'm guessing you're right, but if not LDAP for authentication, and assuming they are using AD for authentication - then what protocol are they using?
Kerberos, like all AD does. AD uses Kerberos unless you enable LDS.
Then I'm confused - where is the issue with LDAP vs LDAP? is LDAP sending sensitive information unencrypted over the network? what things use LDAP?
Things that connect over LDAP instead of using AD fully. Applications like people are mentioning, like NextCloud, that are generic LDAP clients, not AD clients. No normal process uses LDAP, hence why they can make the change somewhat casually. LDAP is not used by an day to day process for AD as intended. It's a fall back for non-AD clients that use generic LDAP.
-
@scottalanmiller said in Adding LDAP role to domain controller:
LDAP is not used by an day to day process for AD as intended. It's a fall back for non-AD clients that use generic LDAP.
Like copiers. Don't forget about those. But they should be using AAD instead by now.
-
@Obsolesce said in Adding LDAP role to domain controller:
@scottalanmiller said in Adding LDAP role to domain controller:
LDAP is not used by an day to day process for AD as intended. It's a fall back for non-AD clients that use generic LDAP.
Like copiers. Don't forget about those. But they should be using AAD instead by now.
Copiers would be a common example, yeah. And a lot of web applications.
-
@scottalanmiller said in Adding LDAP role to domain controller:
@Dashrender said in Adding LDAP role to domain controller:
@scottalanmiller said in Adding LDAP role to domain controller:
@Dashrender said in Adding LDAP role to domain controller:
@scottalanmiller said in Adding LDAP role to domain controller:
@Dashrender said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller : >
Now, I do know customers who have Synology and Qnap NAS that rely on AD for file shares and such. I would think these would be affected?
I would agree with you.
Why? They don't use LDAP, if they are affected, every Windows desktop is affected.
I just reread this - what do you mean they don't use LDAP? I mean - OK I'm guessing you're right, but if not LDAP for authentication, and assuming they are using AD for authentication - then what protocol are they using?
Kerberos, like all AD does. AD uses Kerberos unless you enable LDS.
Then I'm confused - where is the issue with LDAP vs LDAP? is LDAP sending sensitive information unencrypted over the network? what things use LDAP?
Things that connect over LDAP instead of using AD fully. Applications like people are mentioning, like NextCloud, that are generic LDAP clients, not AD clients. No normal process uses LDAP, hence why they can make the change somewhat casually. LDAP is not used by an day to day process for AD as intended. It's a fall back for non-AD clients that use generic LDAP.
And you're saying NASs use AD clients? But copiers don't?
-
@Dashrender said in Adding LDAP role to domain controller:
@scottalanmiller said in Adding LDAP role to domain controller:
@Dashrender said in Adding LDAP role to domain controller:
@scottalanmiller said in Adding LDAP role to domain controller:
@Dashrender said in Adding LDAP role to domain controller:
@scottalanmiller said in Adding LDAP role to domain controller:
@Dashrender said in Adding LDAP role to domain controller:
@Fredtx said in Adding LDAP role to domain controller : >
Now, I do know customers who have Synology and Qnap NAS that rely on AD for file shares and such. I would think these would be affected?
I would agree with you.
Why? They don't use LDAP, if they are affected, every Windows desktop is affected.
I just reread this - what do you mean they don't use LDAP? I mean - OK I'm guessing you're right, but if not LDAP for authentication, and assuming they are using AD for authentication - then what protocol are they using?
Kerberos, like all AD does. AD uses Kerberos unless you enable LDS.
Then I'm confused - where is the issue with LDAP vs LDAP? is LDAP sending sensitive information unencrypted over the network? what things use LDAP?
Things that connect over LDAP instead of using AD fully. Applications like people are mentioning, like NextCloud, that are generic LDAP clients, not AD clients. No normal process uses LDAP, hence why they can make the change somewhat casually. LDAP is not used by an day to day process for AD as intended. It's a fall back for non-AD clients that use generic LDAP.
And you're saying NASs use AD clients? But copiers don't?
Commonly, yes. Since every standard NAS runs a full AD implementation, it would be weird for them not to. Since no copier does, it would be unexpected for them to do so.
-
Remember NAS is just another way of saying "Linux Server" or "Windows Server." Both Linux and Windows servers offer AD services. It would be odd for a Windows Server to not use full AD, right? Why not Linux?
-
@scottalanmiller said in Adding LDAP role to domain controller:
Remember NAS is just another way of saying "Linux Server" or "Windows Server." Both Linux and Windows servers offer AD services. It would be odd for a Windows Server to not use full AD, right? Why not Linux?
huh - OK thanks for the info - though I guess I would kinda think a copier would do that same - why wouldn't it be based on a Linux distro, thereby gaining the access to AD services?
-
@Dashrender said in Adding LDAP role to domain controller:
@scottalanmiller said in Adding LDAP role to domain controller:
Remember NAS is just another way of saying "Linux Server" or "Windows Server." Both Linux and Windows servers offer AD services. It would be odd for a Windows Server to not use full AD, right? Why not Linux?
huh - OK thanks for the info - though I guess I would kinda think a copier would do that same - why wouldn't it be based on a Linux distro, thereby gaining the access to AD services?
IoT devices aren't full servers. Is it possible that printer makes are bundling big services into their tiny IoT SBCs on the printers, and keeping them up to date? Sure. Are they realistically? No.
Is it possible to make printers (and everything else) do Kerberos? Of course. But there's been zero reason to do so until just now. So adding that complication and overhead hasn't made sense.
Remember, one is a server. A full service, full capability server (that even offers AD.) The other is a peripheral.
-
Aww - OK offline conversation brings up - what about small NAS - like 2-4 drive NASes, they don't have near the horsepower of a 20+ drive ReadyNAS, etc.
These small SMB devices are what I'm thinking about - where do you think they fall?
yeah I need to look them up myself - I have a Linkstation I need to check on for this issue.
-
@Dashrender said in Adding LDAP role to domain controller:
what about small NAS - like 2-4 drive NASes, they don't have near the horsepower of a 20+ drive ReadyNAS, etc.
No matter how you try to approach it, reword it, look at it, etc. NAS = Server.
So state it "What about a server with only two drives?"
Is it a server? It would be expected to do AD trivially. End of story. It's not more complex than that.
-
If you think about a small VM... how many NAS devices are "smaller" than a 1 vCPU / 512MB VM? Pretty much, none. That's insanely small. But that's the size of smaller VM servers that would have no issue with AD.
-
@dbeato Thanks for the referral.
-
@magicmarker Thanks for the kind words.
-
@benhooperastrix said in Adding LDAP role to domain controller:
@dbeato Thanks for the referral.
Didn't know I referred you and now I notice you wrote it. It was well done.