User permissions to read LDAP

Galvanon · May 9, 2006

Hello all -

We have an application that queries against AD using a specific user
account. However, at a new site we are working in, the user account that
they have created for us won't allow us to connect to AD.

My question is:

What is the minimum permissions that a user account needs to be able to
query AD?

As a test, I installed the Softerra LDAP Browser 2.6, both in my windows
2003 domain, and on the Windows 2003 server in the client's environment.

In my environment, I can use my account and see all of the CN and OUs in my
domain. When I run the program on the server in the client's environment,
and I use the account they gave me, I get an error "Invalid Credentials"

Thanks!

Jorge de Almeida Pinto [MVP] · May 9, 2006

just a simple user as authenticated users have permissions all over the
place to read. (unless that was changed)

you also may wanna have a look at:
http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
http://support.microsoft.com/?id=320528

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx

Galvanon · May 9, 2006

How can we run a test to see if we can read AD?

CAn we do something like this in Internet Explorer?

ldap://gal-dc:3268 (It's a DC and a GC)

We get an "Operations Error" when we do that...

"Jorge de Almeida Pinto [MVP]"

Jorge de Almeida Pinto [MVP] · May 9, 2006

just logon with the user and do the queries while logged on as the user
account..

for querying AD you can use LDP while logged on or use ADFIND from joeware
http://www.joeware.net/win/free/tools/adfind.htm

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx

Joe Richards [MVP] · May 9, 2006

Invalid credentials means you dorked the userid or password. If it was a
security issue you just wouldn't see anything.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Brandon McCombs · May 10, 2006

Galvanon said:
How can we run a test to see if we can read AD?

CAn we do something like this in Internet Explorer?

ldap://gal-dc:3268 (It's a DC and a GC)

you can't connect to ldap on 3268. Use 389 for ldap communication.

Joe Richards [MVP] · May 11, 2006

If it is a GC you certainly can.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Galvanon · May 11, 2006

Does binding to AD (authentication) different between 2000AD and 2003AD?

ohaya · May 14, 2006

Hi,

One of the main differences, from your standpoint, is that anonymous
access is enabled by default in Win2K AD, whereas it is DISABLED by
default in Win2K3 AD. See the links that Jorge provided earlier in this
thread.

Jim

Minimum AD Permissions needed to query LDAP for username password auth	2	May 6, 2004
Ldap binding with variable OU/CN structure	9	Oct 6, 2003
Slow Logons and Can't open files	0	Sep 29, 2009
Disabled account and LDAP	3	Aug 7, 2005
LDAP query result sorting -> Change the order of AD DCs found in the list	2	Jul 12, 2007
SQL and/or AD Security to Query AD Database?	1	May 9, 2008
LDAP	1	Jul 9, 2004
How to sync Sun one Ldap user profile to windows 2003 AD	1	Aug 18, 2006

User permissions to read LDAP

Galvanon

Jorge de Almeida Pinto [MVP]

Galvanon

Jorge de Almeida Pinto [MVP]

Joe Richards [MVP]

Brandon McCombs

Joe Richards [MVP]

Galvanon

ohaya

Ask a Question

Similar Threads