Re: LDAP Permissions
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 19 Mar 2008 13:08:24 -0500
In general, a normal AD account that you might use as a service account for
performing LDAP queries won't have permissions to modify anything in AD
except to change its own password and possibly modify a few other settings
on itself that are primarily cosmetic. It would not have rights to modify
anything else of consequence, so you probably don't need to do anything to
support this beyond just creating a normal user account.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"PaulD" <PaulD@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C28ADD3D-607A-4E9C-A036-9BD3E6520965@xxxxxxxxxxxxxxxx
Thanks Tomasz for taking the time to reply.
The apps in question are mostly web apps that would be querying user permissions with an LDAP call, to authenticate the user. In essence the user would log in using a single-sign-on (SSO) authentication request. We have a number of requests to allow certain web apps to authenticate based on their user credentials on AD.
Obviously when you set up a web app to use SSO to authenticate, you have to provide the web app with a username & password in order for the LDAP query to run against AD.
I would like to be able to create a user that is restricted only to perform a query on group membership, but not able to modify settings on the AD database (i.e. that a user could not use the authenticating userid to run an LDAP script that would change permissions).
I don't have any programming experience; to me it would appear that if I could get the permissions correct on an authenticating user account, this would suffice to provide to our internal developers to allow them to use this in their web apps.
Thanks again in advance.
"Tomasz Onyszko" wrote:
PaulD wrote:
Hi,
I wonder if anyone could assist with a permissions question in relation to LDAP searches of an AD2003 database.
I've been asked to investigate a method for getting a number of applications used in-house to authenticate the user via a single-sign-on authentication method.
I think the most secure method to do this would be to create a new account, which will be used to verify user permissions, based on an LDAP query of an AD2003 database. I would like to be able to restrict this user to be only able to perform an LDAP query against AD to see if a domain user is a member of particular security groups. (I don't want the 'lookup' user to have any other permission.)
Can anyone advise on what would be the best method to do this?
If you want just to check if a user is a member of a group, maybe your applications should utilize the tokenGroups attribute, which is available when the user is logged on to AD:
http://msdn2.microsoft.com/en-us/library/ms680275(VS.85).aspx
http://dunnry.com/blog/EnumeratingTokenGroupsTokenGroupsInNET.aspx
http://support.microsoft.com/kb/301916
From my perspective it would be best to access, from the application level, each user object with its credentials (leveraging integrated authentication) and enumerate the user's token groups. But it depends on how your application is working.
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
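Tomasz's tokenGroups suggestion, as an added example that is not part of this thread: tokenGroups is returned by a base-scope search of the user's own object as a multi-valued binary attribute (one raw SID per value), so an application has to decode each value into the familiar S-1-5-21-... form before comparing it with the SIDs of the groups it cares about. The LDAP search itself is only described in a comment; the domain SID, group SIDs and tokenGroups values below are constructed sample data.

```python
import struct

def sid_to_string(sid: bytes) -> str:
    """Decode a binary SID (tokenGroups / objectSid value) into S-R-A-... form."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, sub_count = sid[0], sid[1]
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match SubAuthorityCount")
    authority = int.from_bytes(sid[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % sub_count, sid[8:])     # DWORDs, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def sid_from_string(text: str) -> bytes:
    """Inverse of sid_to_string; used here to build the constructed sample data."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def is_member_of_any(token_groups, allowed_sids):
    """True if any of the user's effective groups is in allowed_sids (string SIDs)."""
    effective = {sid_to_string(value) for value in token_groups}
    return not effective.isdisjoint(allowed_sids)

# Constructed sample data (hypothetical domain SID; not from the thread).
# In a real deployment these bytes come from a base-scope LDAP search of the
# user's own DN requesting the constructed attribute "tokenGroups"; it lists
# the user's effective security-group membership (nested groups and the
# primary group included), which a plain memberOf lookup would miss.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS = DOMAIN + "-513"
DOMAIN_ADMINS = DOMAIN + "-512"
WEBAPP_USERS = DOMAIN + "-1105"          # hypothetical application group
AUTHENTICATED_USERS = "S-1-5-11"
SAMPLE_TOKEN_GROUPS = [sid_from_string(s) for s in
                       (DOMAIN_USERS, AUTHENTICATED_USERS, WEBAPP_USERS)]

if __name__ == "__main__":
    for value in SAMPLE_TOKEN_GROUPS:
        print(sid_to_string(value))
    print("allowed:", is_member_of_any(SAMPLE_TOKEN_GROUPS, {WEBAPP_USERS}))
```

Comparing SIDs rather than group names keeps the check stable across group renames and avoids a second lookup per group.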