Hi Andrew:
The security level in the AD you are connecting to has been locked down to not allow users other than Domain Admins to read certain LDAP attributes.
One way around this (not sure if there are others) is to have a Domain Admin use the ‘Delegate Control’ feature on the parent OU (or at the domain root) and grant the user connecting to AD read access to the LDAP attributes.
In the ‘Delegation of Control’ wizard, at a high-level the common task option: ‘Read all user information’ should allow the read permissions you need. If the client is more security conscious then the Admin can narrow the scope to just the attributes you require, which I’m guessing is probably ‘memberOf’.
Link: http://technet.microsoft.com/en-us/library/cc775585(WS.10).aspx
Hope this helps, I’ve run into this in the past and it had me scratching my head until I found someone who was well-versed in AD security.
Thanks,
-Matt-
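As an added example (not from Matt's or Andrew's messages), the narrower delegation Matt describes can be scripted instead of clicked through the wizard: it grants one non-admin sync account ReadProperty on the memberOf attribute of user objects under a parent OU, then lists the resulting ACE so the grant can be checked. It assumes the RSAT ActiveDirectory module and a Domain Admin session; the OU and account names are placeholders.

```powershell
# Added example, not the thread's own script. Placeholders: adjust to the real OU
# and the account the LDAP sync binds with.
Import-Module ActiveDirectory

$ouDN        = 'OU=Staff,DC=example,DC=com'   # placeholder parent OU
$syncDomain  = 'EXAMPLE'                      # placeholder NetBIOS domain
$syncSam     = 'svc-ldapsync'                 # placeholder sync account

# Look the schemaIDGUIDs up in the schema rather than hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$obj.schemaIDGUID)
}
$memberOfGuid  = Get-SchemaGuid 'memberOf'   # the one attribute being granted
$userClassGuid = Get-SchemaGuid 'user'       # ACE inherits only onto user objects

$sid = (Get-ADUser -Identity $syncSam).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# Allow / ReadProperty / memberOf / on descendant user objects only.
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberOfGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show exactly what the sync account now holds on this OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -eq "$syncDomain\$syncSam" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

ObjectType in the verification output should equal the memberOf schemaIDGUID and InheritedObjectType the user class GUID; an empty ObjectType would mean the grant covers all properties, which is wider than intended.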
From: eLink Discussion: Content Server Directory Services Discussion [mailto:directoryservices@elinkkc.opentext.com]
Sent: Sunday, January 16, 2011 7:20 PM
To: eLink Recipient
Subject: LDAP Username and Password
LDAP Username and Password
Posted by andrew.ormesher@fastman.net.au (Ormesher, Andrew) on 2011/01/16 22:19
Hi all,

Have set up an LDAP RO sync, having a slight issue with the account to run it though. When I give it a domain account that has query access to AD granted, the sync fails with an invalid credentials error. When I give it a domain account that has admin rights to AD, it works no problem.

Can someone explain exactly what permissions are required to be given to the account, so the sync works without having to provide Admin access?

Cheers!
Andrew Ormesher
Fastman Consulting Aus.
Discussion: Content Server Directory Services Discussion
Livelink Server: knowledge-wlweb01