Our company is trying to implement a few single sign-on applications using Active Directory (Windows Server 2003) and LDAP. I would like to lock down the account used to make these LDAP queries as much as possible. What is the best practice for configuring this type of account?
Please see How to configure Active Directory to allow anonymous queries for minimum security.
By default, the Microsoft LDAP implementation does not support Secure LDAP. To set up secure LDAP using SSL, certificates must be installed on both the LDAP Server and the LDAP Client(s). In many cases, the LDAP Server is the domain controller running Active Directory.
The certificates required to run secure LDAP using SSL can be configured in several ways. The concept is always the same:
- The Active Directory domain controller uses a special certificate that is issued by a trusted certification authority.
- The client computer trusts the certification authority that issues the certificate to the Active Directory domain controller.
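A quick way to confirm both points from the client side (the domain controller answers on the LDAPS port and its certificate chains to a CA the client trusts), as an added example that is not part of the answer above. It assumes the DC's FQDN is passed in as `$DomainController` (the value shown is a placeholder) and uses an anonymous bind, so no query account or password is involved in the check.

```powershell
# Added example, not from the original answer. Verifies that a domain controller
# offers LDAP over SSL and that its certificate validates against this client's
# trust store. $DomainController is an assumed placeholder for the DC's FQDN.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$Port = 636
    )

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    # Anonymous bind: enough to force the TLS handshake, no credentials needed
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous

    # Hashtable so the callback below can fill it in by reference
    $result = [ordered]@{ Server = $DomainController; Trusted = $false; Subject = $null; Issuer = $null; Error = $null }

    # Called with the DC's certificate during the handshake; build its chain against
    # the local machine/user trust store and reject the session if that fails.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $cert)
        $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
        $result.Subject = $cert2.Subject
        $result.Issuer  = $cert2.Issuer
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $result.Trusted = $chain.Build($cert2)
        return $result.Trusted
    }.GetNewClosure()

    try {
        $conn.Bind()   # performs the TLS handshake, then the anonymous bind
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

# Placeholder host name; replace with the FQDN of the domain controller
Test-LdapsCertificate -DomainController 'dc01.example.internal'
```

A result with `Trusted` set to `$false` (or a handshake error) means one of the two conditions above is not met on this client, before any account is involved.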
You can restrict/allow what a user can see or query within AD easily by using the Delegation Wizard. You can access the Delegation Wizard easily by right-clicking on an OU, and then selecting Delegation Control. You also may want to take a look at these articles:
Default security concerns in Active Directory delegation
Best practices for delegating Active Directory administration: Case study: a delegation scenario