LDAPS: how to control who can bind to the LDAPS
I have multiple questions:
I set up LDAPS using Azure domain services. All seems to work fine, but...
A/ Can I limit who can bind to the LDAP and run queries? I do want to restrict the number of users that have that right. Out of the box, it seems any user can run queries.
B/ On the other hand, I have one application that is not able to configure a bind user at all. And that application cannot run queries. Is it possible to allow anonymous access to the LDAP - how is that configured?
C/ Of course, these 2 requirements are completely opposite and seemingly cannot both be satisfied... unless I could set up a second LDAPS on the same domain that allows anonymous queries. I could limit the access to that LDAP to the unique IP of the app server that cannot specify a bind user and then connect without bind? Or should I set up an LDAP relay?
Thanks