So I need to modify the ACL. If this for one or another reason is not possible (enterprise standards), would the alternate way be Kerberos? Or must the ACL be set up anyway?
Do domain admins not have this problem?

thx a bunch
reinhard

"abdul mulla" <[EMAIL PROTECTED]>
25-Jan-2005 13:30
To: "Barrett, John" <[EMAIL PROTECTED]>, "Christopher A Bongaarts" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc: [email protected]
Subject: RE: Accessing AD

The problem is inherited within the default ACL that AD is set up with. You should be able to bind as the user (userDN, password) and then be able to change whatever you need to, so long as you have an ACL that permits the user to do this. I say ACL and not the user groups that MS provides (e.g. Domain Admins, Administrators, etc.) as they behave differently.

From what I remember from working on AD integration with OpenLDAP last year, you need the MMC to manage the AD ("Active Directory Users and Computers" MMC snap-in) and right-click on the subtree or entity on which you want to enforce a new ACL.

Here is a short blurb of how I was able to do something similar (required to allow users to read/write a new attribute):

(a) I created a new attribute in the AD schema called myAttribute and added this to the user object class.
(b) Using the "Active Directory Users and Computers" MMC snap-in, expand, highlight and right-click the Active Directory node representing: OU=Sad_MS_Users,DC=myCompany,DC=co,DC=uk
(c) Click on the menu item "Delegated Control..." to start the "Delegation of Control Wizard". Click "Next" to acknowledge the welcome message.
(d) Add a user group to associate the permissions with by clicking on "Add". From the displayed window, find the "SELF" user group and click "Add". Then click "OK" to accept this user group.
(e) The required "SELF" group will be selected; then click "Next".
(f) Select the "Create a custom task to delegate" option and then click "Next".
(g) Select "Only the following objects in the folder". From the list, click the "User object" checkbox only and then click "Next".
(h) Select the "Property-specific" checkbox only, then scroll down the "Permissions" window and select "Read myAttribute" & "Write myAttribute". Then click "Next".
(i) Click "Finish" to complete the process.

I hope this helps if I understood you correctly.

Regards,
Abdul

--- "Barrett, John" <[EMAIL PROTECTED]> wrote:

> Most of the time it's that simple but not always. In my environment the
> only way I can use a simple bind to a generic AD account to modify AD
> entries (i.e., not binding as myself to modify my own entry) is to have
> Full Domain privileges on the AD account I'm binding to. I do not want
> Full Domain privileges. So I'm thinking I may need to authenticate via
> Kerberos. Does anyone have a simple example and instructions for
> setting it up?
>
> -----Original Message-----
> From: Christopher A Bongaarts [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 21, 2005 2:36 PM
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: Re: Accessing AD
>
> In the immortal words of [EMAIL PROTECTED]:
>
> > Maybe someone asked this before:
> > I would like to access Active Directory and add groups in the directory tree.
> > This from a platform different from Win32, let's say *UNIX*.
> > Do I need to authenticate via Kerberos?
>
> No, the standard LDAP bind works just fine; just bind as a user with
> sufficient rights to perform the operations you need.
>
> %% Christopher A. Bongaarts   %% [EMAIL PROTECTED]      %%
> %% Internet Services          %% http://umn.edu/~cab   %%
> %% University of Minnesota    %% +1 (612) 625-1809     %%
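The operation the original question asks about (adding a group to AD from a UNIX box with a plain LDAP bind), as an added shell example that is not from any of the posters above. The host name, DNs and the service account are placeholders, and the bind account is assumed to have already been granted "Create group objects" on the target OU through the ACL, as Abdul describes; swapping `-x -D ... -W` for `-Y GSSAPI` would authenticate with Kerberos instead, but the ACL still decides whether the add is allowed.

```shell
#!/bin/sh
# Added example (not from the thread): build an LDIF add record for a new AD
# security group and push it with OpenLDAP's ldapmodify over LDAPS.
# Placeholders: AD_HOST, the OU DN and the bind DN are made up for illustration.
# Without the right on the OU, AD answers insufficientAccessRights (result 50)
# no matter whether the bind was simple or Kerberos/GSSAPI.

# groupType 0x80000002 = global scope + security-enabled; AD stores it signed.
GROUP_TYPE_GLOBAL_SECURITY=-2147483646

# make_group_ldif NAME OU_DN  -> LDIF add record on stdout
make_group_ldif() {
    name=$1
    ou=$2
    printf 'dn: CN=%s,%s\nchangetype: add\nobjectClass: top\nobjectClass: group\ncn: %s\nsAMAccountName: %s\ngroupType: %s\n' \
        "$name" "$ou" "$name" "$name" "$GROUP_TYPE_GLOBAL_SECURITY"
}

# add_group NAME OU_DN BIND_DN
# Simple bind (-x) as BIND_DN, prompting for its password (-W), over ldaps://.
# Set LDAP_DRY_RUN=1 to print the LDIF instead of contacting a domain controller.
# For Kerberos, replace "-x -D "$3" -W" with "-Y GSSAPI" after a kinit.
add_group() {
    ldif=$(make_group_ldif "$1" "$2")
    if [ -n "$LDAP_DRY_RUN" ]; then
        printf '%s\n' "$ldif"
        return 0
    fi
    printf '%s\n' "$ldif" | ldapmodify -x -H "ldaps://${AD_HOST:-dc1.example.invalid}" -D "$3" -W
}
```

Usage: `add_group Unix-Admins 'OU=Groups,DC=example,DC=invalid' 'CN=svc-ldap,OU=Service,DC=example,DC=invalid'`.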
