1

Our phone system has the ability to load its phonebook via LDAP, but it only supports non-SSL.

As a result, I am planning on setting up an account that only has access to read our Active Directory LDAP database, and preferably only the two or three fields that are required by the phonebook (Full Name, Phone #, etc).

These LDAP login details are stored in plain text on the phone (and because it's non-SSL all transmitted in plain text), so I'm very wary of security in this manner, and it goes a bit beyond the kind of permissions I've had to set up in Windows before.

So, how do I assign permission to a windows user account to only permit LDAP access, and to only permit access to specific properties in the LDAP queries?

mdpc
  • 11,856
  • 28
  • 53
  • 67
Mark Henderson
  • 68,823
  • 31
  • 180
  • 259

1 Answers1

6

You're going to run afoul the fact that the default permissions in Active Directory are fairly permissive with respect to "Authenticated Users", a "group" which any user you create will be a member of. By default an "Authenticated Users / Read" exists at the top of the domain partition of the directory.

Trying to change these default permissions is going to be problematic if you want to stay "supported" with Microsoft (as well as just having everything work as you expect).

If you really want to limit access severely you're going to have better luck replicating data out of AD into another LDAP directory (Active Directory Lightweight Directory Services (AD LDS) or OpenLDAP, for example) with more restrictive permissions than Active Directory has by default.

You might be able to find an LDAP proxy to do the same thing. There are a number of them out there but none that I have direct experience with that I can vouch for.

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
  • I suspected as much... The phone provider do actually have an "LDAP Aggregator" that they are partnered with, which will do this job. – Mark Henderson Oct 24 '11 at 23:26
  • 2
    P.S. Nice to see you back - although while you were away I actually had the chance to answer some questions and get some rep ;) – Mark Henderson Oct 24 '11 at 23:29
  • If you really wanted to use AD queries directly, I suppose this is one of those rare times that **Deny** is in order. – MDMarra Oct 25 '11 at 00:24
  • @MarkM: Given that Deny overrides Allow you'd need to create a LOT of Deny ACEs to allow reading only a couple of attributes on User objects. – Evan Anderson Oct 25 '11 at 14:19
  • @EvanAnderson Agreed. Definitely not the best solution, but probably the only one feasible if one of your other methods can't be used. – MDMarra Oct 25 '11 at 17:01
  • @MarkHenderson: Don't worry-- I'm not "back" yet. I just had a few minutes y'day and today to play some Server Fault... >smile – Evan Anderson Oct 26 '11 at 20:21