Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Business objects authentication against active directory/ldap question

Posted on 2011-02-15
5
Medium Priority
?
2,701 Views
Last Modified: 2012-05-11
We have a new process/reporting service in development and the new server will be running business objects.  It is Windows Server 2008 running in an Active Directory 2003 domain.  I have a service account that was setup for them to schedule jobs and it has allowed them to work so far.  The new requirement is that they integrate the authentication using the LDAP option.  I just received a notice from the developers that they are receiving an error message stating "“The secLdap plugin failed to verify the server administration credentials”".  Currently the account is set on to only be able to log onto the application server where business objects is installed.  Does it also need to be granted logon rights to the domain controllers where the LDAP option is pointed to?

Thanks in advance.
0
Comment
Question by:childersj
  • 3
5 Comments
 
LVL 6

Expert Comment

by:sharjeel ashraf
ID: 34899462
you will need a domain administrator account in use to allow business objects the right to query AD.

best way is to create a new account, make it  part of the domain (and maybe enterprise admins) and tell the developers to use this account.
0
 

Author Comment

by:childersj
ID: 34899502
That is not correct.
0
 
LVL 101

Expert Comment

by:mlmcc
ID: 34903374
Why do you feel that is not correct?

Did you try the advice?

mlmcc
0
 

Accepted Solution

by:
childersj earned 0 total points
ID: 34962226
I was in a rush when I typed that, not trying to be rude.  Here is my response as to why that is not the approach that should be taken.  I did figure this out as well.

Response:  Running any service account or giving developers domain or enterprise admin rights is a bad idea.  The user account only needs read access to the directory.  I guess technically giving enterprise admin would work.... but it wouldn't be a smart or realistic way to approach the problem.  It would introduce quite a bit of risk that a mistake could be made and accidentally affect AD or the domain or if the server was compromised it could allow for the compromise of an administrative account with rights to everything.

Solution:  As the account had read access to the directory structure from the root of the domain, it was not this type of rights issue.  The problem stemed from the account attribute 'Logon to' being set to only the app and database servers, not the domain controller where it was trying to connect via LDAP and find directory objects.  I thought that only affected interactive logon; however evidently it stops LDAP queries as well.
0
 

Author Closing Comment

by:childersj
ID: 34995398
I figured out the solution.  Assigning domain or enterprise admin rights is not an appropriate course of action.  Assigning the correct granular security rights maintains the integrity of the environment while allowing the application to function.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question