Solved

Business objects authentication against active directory/ldap question

Posted on 2011-02-15
5
2,509 Views
Last Modified: 2012-05-11
We have a new process/reporting service in development and the new server will be running business objects.  It is Windows Server 2008 running in an Active Directory 2003 domain.  I have a service account that was setup for them to schedule jobs and it has allowed them to work so far.  The new requirement is that they integrate the authentication using the LDAP option.  I just received a notice from the developers that they are receiving an error message stating "“The secLdap plugin failed to verify the server administration credentials”".  Currently the account is set on to only be able to log onto the application server where business objects is installed.  Does it also need to be granted logon rights to the domain controllers where the LDAP option is pointed to?

Thanks in advance.
0
Comment
Question by:childersj
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 6

Expert Comment

by:sharjeel ashraf
ID: 34899462
you will need a domain administrator account in use to allow business objects the right to query AD.

best way is to create a new account, make it  part of the domain (and maybe enterprise admins) and tell the developers to use this account.
0
 

Author Comment

by:childersj
ID: 34899502
That is not correct.
0
 
LVL 100

Expert Comment

by:mlmcc
ID: 34903374
Why do you feel that is not correct?

Did you try the advice?

mlmcc
0
 

Accepted Solution

by:
childersj earned 0 total points
ID: 34962226
I was in a rush when I typed that, not trying to be rude.  Here is my response as to why that is not the approach that should be taken.  I did figure this out as well.

Response:  Running any service account or giving developers domain or enterprise admin rights is a bad idea.  The user account only needs read access to the directory.  I guess technically giving enterprise admin would work.... but it wouldn't be a smart or realistic way to approach the problem.  It would introduce quite a bit of risk that a mistake could be made and accidentally affect AD or the domain or if the server was compromised it could allow for the compromise of an administrative account with rights to everything.

Solution:  As the account had read access to the directory structure from the root of the domain, it was not this type of rights issue.  The problem stemed from the account attribute 'Logon to' being set to only the app and database servers, not the domain controller where it was trying to connect via LDAP and find directory objects.  I thought that only affected interactive logon; however evidently it stops LDAP queries as well.
0
 

Author Closing Comment

by:childersj
ID: 34995398
I figured out the solution.  Assigning domain or enterprise admin rights is not an appropriate course of action.  Assigning the correct granular security rights maintains the integrity of the environment while allowing the application to function.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question