Surely if the service account used by the app has [only] the rights to read the data in the attributes and objects that it needs to access, then you should be fine.
Whether an app or an admin, the "least privilege" rule still applies :) neil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: 19 December 2006 13:41 To: [email protected] Subject: [ActiveDir] Schema Extension Question Guys (and Gals) I am far from an LDAP expert and we have not modified our Windows 2003 FFL Schema at all. I don't even have SP1 running as I am just still a little gunshy about it. But now me and my network engineer are under heavy pressure to move our POP 3 email clients to a Server Centric Web based model that will allow internet access to email. So my network engineer and *nix expert is testing a *nix based program to do that. We are having trouble with it connecting to AD to authenticate Users because it is popping errors that state "I can't find the Schema extensions." He is chasing that and I'm not really happy about modifying the shema, if indeed we end up having to do that, but here is my question. Will this app need an elevated credential (Domain or Enterprise Admin) to simply LDAP query the AD from this *nix box to get usernames or passwords or can it be done without that power? I know you don't know the app, but the question is a generic one relative to *nix boxes querying an AD. Thanks in advance. RH _____________________________ Rocky Habeeb Microsoft Systems Administrator James W. Sewall Company Old Town, Maine Voice: 207.827.4456 Ext. 387 Email: [EMAIL PROTECTED] www.jws.com _____________________________ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/[email protected]/ PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/[email protected]/
