Solved

Business objects authentication against active directory/ldap question

Posted on 2011-02-15
5
2,480 Views
Last Modified: 2012-05-11
We have a new process/reporting service in development and the new server will be running Business Objects.  It is Windows Server 2008 running in an Active Directory 2003 domain.  I have a service account that was set up for them to schedule jobs and it has allowed them to work so far.  The new requirement is that they integrate the authentication using the LDAP option.  I just received a notice from the developers that they are receiving an error message stating "The secLdap plugin failed to verify the server administration credentials".  Currently the account is set to only be able to log onto the application server where Business Objects is installed.  Does it also need to be granted logon rights to the domain controllers where the LDAP option is pointed to?

Thanks in advance.
0
Question by:childersj
5 Comments
 
LVL 6

Expert Comment

by:sharjeel ashraf
ID: 34899462
You will need a domain administrator account in use to allow Business Objects the right to query AD.

The best way is to create a new account, make it part of the domain (and maybe Enterprise Admins) and tell the developers to use this account.
0
 

Author Comment

by:childersj
ID: 34899502
That is not correct.
0
 
LVL 100

Expert Comment

by:mlmcc
ID: 34903374
Why do you feel that is not correct?

Did you try the advice?

mlmcc
0
 

Accepted Solution

by:
childersj earned 0 total points
ID: 34962226
I was in a rush when I typed that, not trying to be rude.  Here is my response as to why that is not the approach that should be taken.  I did figure this out as well.

Response:  Running any service account or giving developers domain or enterprise admin rights is a bad idea.  The user account only needs read access to the directory.  I guess technically giving enterprise admin would work.... but it wouldn't be a smart or realistic way to approach the problem.  It would introduce quite a bit of risk that a mistake could be made and accidentally affect AD or the domain or if the server was compromised it could allow for the compromise of an administrative account with rights to everything.

Solution:  As the account had read access to the directory structure from the root of the domain, it was not this type of rights issue.  The problem stemmed from the account attribute 'Log On To' being set to only the app and database servers, not the domain controller where it was trying to connect via LDAP and find directory objects.  I thought that only affected interactive logon; however, evidently it stops LDAP queries as well.
0
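The 'Log On To' restriction described in the accepted solution is stored in the account's userWorkstations attribute. The following PowerShell script is an added example, not code from the thread: it reads that attribute through ADSI (so it needs no ActiveDirectory module and works against a 2003-level domain), compares the list against the domain's domain controllers, and reports any DC the service account would be refused on. The account name 'svc_bobj' is a placeholder; it assumes you run it from a domain-joined machine as a user allowed to read the account.

```powershell
param(
    [string]$ServiceAccount = 'svc_bobj'   # placeholder sAMAccountName of the Business Objects service account
)

# Find the account under the default naming context via ADSI.
$root     = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $root.defaultNamingContext)
$searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$ServiceAccount))"
[void]$searcher.PropertiesToLoad.Add('userWorkstations')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
$result = $searcher.FindOne()
if (-not $result) { throw "Account '$ServiceAccount' not found" }

# ADUC's 'Log On To' list is a comma-separated string of NetBIOS names in
# userWorkstations; no value at all means the account is unrestricted.
$allowed = @()
if ($result.Properties.Contains('userWorkstations')) {
    $allowed = @($result.Properties['userWorkstations'][0] -split ',' | ForEach-Object { $_.Trim() })
}

# Every DC the LDAP plugin may bind to must appear in that list.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = @($domain.DomainControllers | ForEach-Object { ($_.Name -split '\.')[0] })

if ($allowed.Count -eq 0) {
    Write-Output "No 'Log On To' restriction is set on $ServiceAccount."
} else {
    Write-Output "Allowed workstations: $($allowed -join ', ')"
    $missing = @($dcs | Where-Object { $allowed -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "DCs absent from the list (LDAP binds there will fail): $($missing -join ', ')"
        # Fix by appending the DCs to the existing list, keeping the restriction
        # scoped instead of removing it. Uncomment to apply the change:
        # $user = [ADSI]("LDAP://" + $result.Properties['distinguishedName'][0])
        # $user.Put('userWorkstations', (($allowed + $missing) -join ','))
        # $user.SetInfo()
    } else {
        Write-Output 'All domain controllers are present in the allowed list.'
    }
}
```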
 

Author Closing Comment

by:childersj
ID: 34995398
I figured out the solution.  Assigning domain or enterprise admin rights is not an appropriate course of action.  Assigning the correct granular security rights maintains the integrity of the environment while allowing the application to function.
0
