Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Business objects authentication against active directory/ldap question

Posted on 2011-02-15
5
Medium Priority
?
2,747 Views
Last Modified: 2012-05-11
We have a new process/reporting service in development and the new server will be running business objects.  It is Windows Server 2008 running in an Active Directory 2003 domain.  I have a service account that was setup for them to schedule jobs and it has allowed them to work so far.  The new requirement is that they integrate the authentication using the LDAP option.  I just received a notice from the developers that they are receiving an error message stating "“The secLdap plugin failed to verify the server administration credentials”".  Currently the account is set on to only be able to log onto the application server where business objects is installed.  Does it also need to be granted logon rights to the domain controllers where the LDAP option is pointed to?

Thanks in advance.
0
Comment
Question by:childersj
  • 3
5 Comments
 
LVL 6

Expert Comment

by:sharjeel ashraf
ID: 34899462
you will need a domain administrator account in use to allow business objects the right to query AD.

best way is to create a new account, make it  part of the domain (and maybe enterprise admins) and tell the developers to use this account.
0
 

Author Comment

by:childersj
ID: 34899502
That is not correct.
0
 
LVL 101

Expert Comment

by:mlmcc
ID: 34903374
Why do you feel that is not correct?

Did you try the advice?

mlmcc
0
 

Accepted Solution

by:
childersj earned 0 total points
ID: 34962226
I was in a rush when I typed that, not trying to be rude.  Here is my response as to why that is not the approach that should be taken.  I did figure this out as well.

Response:  Running any service account or giving developers domain or enterprise admin rights is a bad idea.  The user account only needs read access to the directory.  I guess technically giving enterprise admin would work.... but it wouldn't be a smart or realistic way to approach the problem.  It would introduce quite a bit of risk that a mistake could be made and accidentally affect AD or the domain or if the server was compromised it could allow for the compromise of an administrative account with rights to everything.

Solution:  As the account had read access to the directory structure from the root of the domain, it was not this type of rights issue.  The problem stemed from the account attribute 'Logon to' being set to only the app and database servers, not the domain controller where it was trying to connect via LDAP and find directory objects.  I thought that only affected interactive logon; however evidently it stops LDAP queries as well.
0
 

Author Closing Comment

by:childersj
ID: 34995398
I figured out the solution.  Assigning domain or enterprise admin rights is not an appropriate course of action.  Assigning the correct granular security rights maintains the integrity of the environment while allowing the application to function.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question