Re: LDAP

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 01/21/05


Date: Fri, 21 Jan 2005 14:44:15 -0600

Ok, well in that case, I'm afraid the answer is "it depends". AD has extremely
configurable permissions, so it totally depends on what you actually need to
query and how you have deployed AD in your organization.

I will say that by default, a normal domain user will have rights to read
user and group objects in the domain, so that may be sufficient for your
needs. Also, like I said before, if the AIX system only needs to do a
simple bind to AD with the user's credentials, then you don't need any
special account at all as you don't have to query anything. Once the bind
was successful, you could then use the user's security context to execute
additional queries if need be.

Sorry this answer probably isn't what you wanted.

Another option is for you to use Kerberos on your AIX server and use AD as a
Kerberos TGS. I actually know next to nothing about how to get that to work
other than it can be made to work and people are doing it. :)

Joe K.

"Jobe Gates" <jgates@someisp.com> wrote in message
news:%23ulnmn%23$EHA.3368@TK2MSFTNGP15.phx.gbl...
>I think we both misunderstood. :)
>
> I have a 3rd party app running on AIX that we can set up to allow
> authentication through LDAP. I want to do single sign on. So I need to
> set up the connection between my AIX server and AD. What I was asking is
> how people usually do this when they have an application that needs to
> query AD for authentication. I know I need to set up a user account to
> allow it to access the LDAP database but I'm not sure what rights this
> user account needs.
>
>
>
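The bind-as-user check described in the reply, sketched in Python as an added example that is not part of the original thread or from either poster. The host name, UPN suffix and function names are assumptions, and the ldap3 library is needed only for the real bind.

```python
import re
import ssl

# Constructed placeholder values (assumptions, not taken from the thread).
AD_HOST = "dc01.example.com"
UPN_SUFFIX = "example.com"

# Conservative allow-list for the logon name: keeps '@', '\', ',' and
# LDAP filter metacharacters out of the bind identity.
_LOGON_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def ldaps_simple_bind(upn, password):
    """Simple bind over LDAPS with certificate validation (uses ldap3)."""
    import ldap3  # imported lazily so the checks below work without it
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED)
    server = ldap3.Server(AD_HOST, port=636, use_ssl=True, tls=tls)
    conn = ldap3.Connection(server, user=upn, password=password,
                            authentication=ldap3.SIMPLE)
    try:
        return conn.bind()  # True only if the server accepted the bind
    finally:
        conn.unbind()


def authenticate(logon_name, password, bind=ldaps_simple_bind):
    """Return the bound UPN on success, None on any failure."""
    if not _LOGON_RE.fullmatch(logon_name or ""):
        return None
    # A simple bind with a name and an empty password is an
    # "unauthenticated bind" (RFC 4513, section 5.1.2): the server may
    # answer success without verifying anything, so reject it up front.
    if not password:
        return None
    upn = f"{logon_name}@{UPN_SUFFIX}"
    try:
        return upn if bind(upn, password) else None
    except Exception:
        return None  # fail closed on connection or TLS errors
```

No service account is involved here: the only credentials sent to the directory are the ones the user typed, and they travel inside TLS.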


