The setup:

There is a central AD domain (CENTRAL) and multiple separate forests, each of which has its own domain (BRANCH1, BRANCH2, BRANCH3).

There are 2-way domain trusts between CENTRAL and all other domains.

An application I'm working on runs on the CENTRAL domain and performs LDAP searches on all domains, using the credentials CENTRAL\ldapreader.

This works perfectly for CENTRAL and BRANCH1, but BRANCH2 and BRANCH3 refuse the connection with an invalid credentials error. If the search instead uses an account in those domains (BRANCH2\ldapreader, etc) then the search works fine.

What level of permissions are needed to read AD as an LDAP server? Everything I've found indicates that this is allowed for AUTHENTICATED USERS, which should work fine with CENTRAL\ldapreader due to the two-way trust, but that isn't the behavior we're getting.

+2  A: 

I think the permission you're looking for is "List Contents". You should ensure "CENTRAL\ldapreader" has this permission for BRANCH2 and BRANCH3.

I'm wondering if you set up the trusts with selective authentication or forest-wide authentication, and whether you can manually browse BRANCH2 and BRANCH3.

Onots
If by "manually browse" you mean connect with an LDAP browsing client, then that shows the same behavior as the application. I'll check out the List Contents permission and see how they are configured.
DrStalker
Yes, I meant connecting with an LDAP client. My best guess for now is that the trusts with BRANCH2 and BRANCH3 have either 1) not set proper DNS records or 2) selective authentication instead of forest-wide authentication.
Onots
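The two guesses above (missing DNS records, selective authentication on the trust) and the "List Contents" suggestion can all be checked from the CENTRAL side before touching any ACLs. The script below is an added example, not code from either poster; it assumes it is run on a CENTRAL domain member with the RSAT ActiveDirectory module installed, and the domain DNS names `branch1.example`, `branch2.example` and `branch3.example` are constructed stand-ins for the real forests. With selective authentication, a user from the trusting forest can only authenticate to a computer whose object grants that user the "Allowed to Authenticate" right, so a trust that shows `SelectiveAuthentication = True` would produce exactly the "works with a local account, fails with CENTRAL\ldapreader" symptom.

```powershell
# Added example (not from the original post). Assumes: running on a CENTRAL member
# with RSAT's ActiveDirectory module; branchN.example are constructed sample names.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$branchDomains = 'branch1.example', 'branch2.example', 'branch3.example'

# 1. Trust configuration. SelectiveAuthentication = True means CENTRAL users need
#    "Allowed to Authenticate" on the branch DCs; forest-wide grants it implicitly.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication |
    Format-Table -AutoSize

# 2. DNS: can CENTRAL locate a DC in each branch? The trust cannot work without
#    the _ldap._tcp.dc._msdcs SRV records of the other forest being resolvable.
foreach ($d in $branchDomains) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$d" -Type SRV -ErrorAction Stop
        "{0,-20} DCs via SRV: {1}" -f $d, (($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ')
    } catch {
        "{0,-20} SRV lookup FAILED: {1}" -f $d, $_.Exception.Message
    }
}

# 3. Reproduce the bind outside the application, with the same account, and then
#    exercise List Contents / Read by enumerating one level under the domain head.
function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $Port = 389
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos/NTLM across the trust
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()                                                              # authentication only
        $rootReq = [System.DirectoryServices.Protocols.SearchRequest]::new(
            '', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, 'defaultNamingContext')
        $nc = $conn.SendRequest($rootReq).Entries[0].Attributes['defaultNamingContext'][0]
        $listReq = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $nc, '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::OneLevel, 'name')
        $entries = $conn.SendRequest($listReq).Entries.Count                      # authorization (List Contents)
        [pscustomobject]@{ Server = $Server; Bind = 'OK'; Entries = $entries; Error = $null }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 49 = invalidCredentials. ServerErrorMessage carries AD's "data" code:
        # 52e = wrong password, 525 = account not found in that directory.
        [pscustomobject]@{ Server = $Server; Bind = 'FAIL'; Entries = 0
                           Error = "$($_.Exception.ErrorCode): $($_.Exception.ServerErrorMessage)" }
    } catch {
        # DirectoryOperationException here means the bind succeeded but the search was refused.
        [pscustomobject]@{ Server = $Server; Bind = 'OK'; Entries = 0; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

$cred = Get-Credential -UserName 'CENTRAL\ldapreader' -Message 'Password for CENTRAL\ldapreader'
$branchDomains | ForEach-Object { Test-LdapBind -Server $_ -Credential $cred } | Format-Table -AutoSize
```

Reading the three outputs together separates the cases: a failed SRV lookup points at DNS (conditional forwarders or stub zones for the branch forest), `Bind = FAIL` with a 49/52e or 525 data code against a trust that shows `SelectiveAuthentication = True` points at the trust mode rather than at any directory ACL, and `Bind = OK` with zero entries or an insufficient-access error is the only outcome where "List Contents" on the branch naming context is actually the thing to fix.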