Re: LDAP Permissions




Thanks Tomasz for taking the time to reply.

The apps in question are mostly web apps that would be querying user
permissions with an LDAP call to authenticate the user. In essence the user
would log in using a single-sign-on (SSO) authentication request. We have a
number of requests to allow certain web apps to authenticate based on their
user credentials on AD.

Obviously when you set up a web app to use SSO to authenticate, you have to
provide the web app with a username & password in order for the LDAP query to
run against AD.
I would like to be able to create a user that is restricted to only performing
a query on group membership, but not able to modify settings on the AD
database (i.e. a user could not use the authenticating userid to run an
LDAP script that would change permissions).

I don't have any programming experience; to me it would appear that if I
could get the permissions correct on an authenticating user account, this
would suffice to provide to our internal developers to allow them to use this in
their web apps.

Thanks again in advance.



"Tomasz Onyszko" wrote:

PaulD wrote:
Hi,
I wonder if anyone could assist with a permissions question in relation to
LDAP searches of an AD2003 database.

I've been asked to investigate a method for getting a number of applications
used in-house to authenticate the user via a single-sign-on authentication
method.

I think the most secure method to do this would be to create a new account,
which will be used to verify user permissions, based on an LDAP query of an
AD2003 database. I would like to be able to restrict this user to only being
able to perform an LDAP query against AD to see if a domain user is a member
of particular security groups. (I don't want the 'lookup' user to have any
other permissions.)

Can anyone advise on what would be the best method to do this?

If you just want to check whether a user is a member of a group, maybe your
applications should utilize the tokenGroups attribute, which is available
when the user is logged on to AD:

http://msdn2.microsoft.com/en-us/library/ms680275(VS.85).aspx
http://dunnry.com/blog/EnumeratingTokenGroupsTokenGroupsInNET.aspx
http://support.microsoft.com/kb/301916

From my perspective it would be best, at the application level, to access
each user object with the user's own credentials (leveraging integrated
authentication) and enumerate the user's token groups. But it depends on how
your application works.

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
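The tokenGroups attribute suggested above is returned as a list of binary SIDs (the same encoding as objectSid), so an application still has to decode them before it can compare them with a known group or resolve them back to group objects. The following is an added example, not code from this thread or from the linked articles: it decodes the binary SID format and builds an RFC 4515 filter that resolves the SIDs to group objects. The LDAP bind and search themselves are left out so that it runs offline; the two sample values are constructed.

```python
import struct


def sid_bytes_to_string(blob):
    """Decode a binary SID (objectSid / tokenGroups value) into S-1-... form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x 4-byte
    little-endian sub-authorities.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def ldap_escape_bytes(blob):
    """Escape raw bytes for use inside an LDAP search filter (\\xx form)."""
    return "".join("\\%02x" % b for b in blob)


def group_resolution_filter(token_groups):
    """Filter that maps tokenGroups SIDs back to the group objects they name.

    Intended for a read-only search of the domain with the lookup account;
    it only reads objectSid and never modifies anything.
    """
    clauses = "".join("(objectSid=%s)" % ldap_escape_bytes(s) for s in token_groups)
    return "(&(objectClass=group)(|%s))" % clauses


def is_member_of(token_groups, wanted_sid):
    """True if the decoded tokenGroups list contains the group SID we care about."""
    return wanted_sid in {sid_bytes_to_string(b) for b in token_groups}


# Constructed sample values, encoded as a domain controller would return them.
SAMPLE_TOKEN_GROUPS = [
    bytes.fromhex("0105000000000005150000000100000002000000030000000102000"
                  "0"),                       # S-1-5-21-1-2-3-513 (Domain Users)
    bytes.fromhex("010100000000000100000000"),  # S-1-1-0 (Everyone)
]
```

Because tokenGroups is a constructed attribute, it is only returned by a base-scope search of the user object that names it explicitly in the attribute list.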



