> OK we're going round and round here. What you're describing cannot possibly work because it is not possible for UserA to validate UserB's password. The act of binding to the server is where that password validation happens.
>
> What you more than likely have is a hardcoded account which does a search to find if the authenticating user actually exists in the directory, and then it retrieves the user's DN and does a second bind with that value plus the supplied password. This is a fairly common model and there's not really anything wrong with it.
Right, that's exactly how it works.

> Putting the users in your AD is fine, though any resource on your network secured for Authenticated Users or Everyone will be open for them. You can remove these accounts from Domain Users, though, as a starter.

Yeah, I thought there might be a way to remove every right so I merely have an object to validate to. Really, the only desire to have them in AD is to grant delegation soon and remove the burden from me to maintain them. I may very well leave them in OpenLDAP and give someone sudo access to the ldap account tools, but that's a real stretch in their capability. I might opt for a PHP front end I guess...

Thanks!
jlc
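The search-then-bind model the quoted reply describes (service-account bind, search for the user's DN, second bind as that DN with the supplied password), as an added example that is not part of the thread: a Python sketch with an injected directory client and a constructed in-memory FakeDirectory standing in for the server; the DNs, passwords and the `uid` attribute are assumptions. It also shows the checks a practitioner would want around that model: RFC 4515 escaping of the username before it goes into the filter, rejecting empty passwords (which many servers treat as an anonymous bind), and requiring exactly one search hit.

```python
def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed in a search filter, so a
    username like '*)(uid=*' cannot widen the search to other entries."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

class AuthError(Exception):
    pass

def authenticate(directory, service_dn, service_pw, base_dn, username, password):
    """Search-then-bind: service bind, look up the user's DN, bind as that DN.
    Returns the user's DN or raises AuthError (fails closed)."""
    # RFC 4513 "unauthenticated" bind: a DN with an empty password is treated
    # as anonymous by many servers, so it must never count as a login.
    if not password:
        raise AuthError("empty password")
    if not directory.bind(service_dn, service_pw):
        raise AuthError("service account bind failed")
    matches = directory.search(base_dn, "(uid=%s)" % escape_filter_value(username))
    if len(matches) != 1:          # zero or ambiguous hits both fail
        raise AuthError("user not found or ambiguous")
    if not directory.bind(matches[0], password):
        raise AuthError("invalid credentials")
    return matches[0]

class FakeDirectory:  # constructed in-memory stand-in for an LDAP server (hypothetical)
    def __init__(self, entries):
        self.entries = entries            # dn -> {"uid": ..., "password": ...}
    def bind(self, dn, password):
        e = self.entries.get(dn)
        return e is not None and e["password"] == password
    def search(self, base, flt):
        want = flt[len("(uid="):-1]       # only the filter shape used above
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and escape_filter_value(e["uid"]) == want]

# Constructed sample data; DNs and passwords are placeholders.
SERVICE_DN = "cn=svc-auth,ou=service,dc=example,dc=com"
BASE_DN = "ou=people,dc=example,dc=com"
DIRECTORY = FakeDirectory({
    SERVICE_DN: {"uid": "svc-auth", "password": "svc-secret"},
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "password": "correct horse"},
})

def login(username, password):
    """The user's DN on success, None on any failure."""
    try:
        return authenticate(DIRECTORY, SERVICE_DN, "svc-secret", BASE_DN, username, password)
    except AuthError:
        return None
```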
