Our company is trying to implement a few single sign-on applications using Active Directory (Windows Server 2003) and LDAP. I would like to lock down the account used to make these LDAP queries as much as possible. What is the best practice for configuring this type of account?
2 Answers
You can restrict/allow what a user can see/query within AD easily by using the Delegation Wizard. You can access the Delegation Wizard easily by right-clicking on an OU, and then selecting Delegation Control. You also may want to take a look at these articles:
Default security concerns in Active Directory delegation
Best practices for delegating Active Directory administration: Case study: a delegation scenario

Please see How to configure Active Directory to allow anonymous queries for minimum security.
By default, the Microsoft LDAP implementation does not support Secure LDAP. To set up secure LDAP using SSL, certificates must be installed on both the LDAP Server and the LDAP Client(s). In many cases, the LDAP Server is the domain controller running Active Directory.
The certificates required to run secure LDAP using SSL can be configured in several ways. The concept is always the same:
- The Active Directory domain controller uses a special certificate that is issued by a trusted certification authority.
- The client computer trusts the certification authority that issues the certificate to the Active Directory domain controller.

Anonymous queries are unnecessary (and less secure) since the OP is clearly setting up a "bind" user. Linking to the whole article may give a reader the impression that they should follow all of the instructions. Better to quote the sections that are relevant to the OP's (and future visitors') specific need. If you want to cite the source, please clearly state that this is not the recommended strategy. – claytond Feb 27 '17 at 20:38
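Putting the two answers together, the script below is an added example (it is not code from either answer or from the question) of what a locked-down bind account looks like in practice: a dedicated account with restrictive flags, read rights delegated on only the OU the application needs (the command-line equivalent of the Delegation of Control wizard from the first answer), and a test bind over LDAPS with server-certificate checking (the second answer), followed by a write attempt that is expected to be refused. It assumes the ActiveDirectory PowerShell module (RSAT, or a 2008 R2 or later DC; the original question's 2003 DC would need the same steps done in ADUC/dsmod instead), a DC that already serves LDAPS on 636, and placeholder names for the account, domain, OUs, host and test user. The bind deliberately uses a simple (Basic) bind so that the LDAPS requirement is visible; Negotiate/Kerberos is preferable where the application supports it.

```powershell
# Added example; not code from either answer. Assumes the ActiveDirectory
# module, a DC already serving LDAPS on 636, and placeholder names below.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$svcName = 'svc-ldap-sso'                          # assumed account name
$domain  = 'example.com'                           # assumed DNS domain
$netbios = 'EXAMPLE'                               # assumed NetBIOS domain
$svcOu   = 'OU=Service Accounts,DC=example,DC=com' # assumed OU for the account
$queryOu = 'OU=People,DC=example,DC=com'           # the only OU the app must read
$dc      = 'dc01.example.com'                      # assumed domain controller

# --- 1. Create the bind account with restrictive flags ----------------------
# Long random password from the CSPRNG; it belongs in the app's secret store.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pw = [Convert]::ToBase64String($bytes)

$params = @{
    Name                   = $svcName
    SamAccountName         = $svcName
    UserPrincipalName      = "$svcName@$domain"
    Path                   = $svcOu
    AccountPassword        = (ConvertTo-SecureString $pw -AsPlainText -Force)
    Enabled                = $true
    CannotChangePassword   = $true                # only admins rotate it
    AccountNotDelegated    = $true                # "sensitive, cannot be delegated"
    KerberosEncryptionType = 'AES128,AES256'      # no RC4/DES tickets for it
    LogonWorkstations      = 'SSOAPP01,SSOAPP02'  # only the SSO hosts (assumed names)
    Description            = 'Read-only LDAP bind account for SSO applications'
}
New-ADUser @params
# Leave it in Domain Users only; never add it to any admin group.
Set-ADObject -Identity (Get-ADUser $svcName).DistinguishedName `
    -ProtectedFromAccidentalDeletion $true

# --- 2. Delegate read on just the one OU ------------------------------------
# GR = generic read, /I:T = this object and all sub-objects. This is what the
# Delegation of Control wizard writes; it matters where default reads for
# Authenticated Users have been removed, and documents the intent either way.
dsacls $queryOu /I:T /G "$netbios\${svcName}:GR"

# --- 3. Bind over LDAPS and verify the account is read-only -----------------
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, 636)
$cred = New-Object System.Net.NetworkCredential("$svcName@$domain", $pw)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, 'Basic')
$conn.SessionOptions.SecureSocketLayer = $true   # TLS before the bind; password never in clear
$conn.SessionOptions.ProtocolVersion   = 3
# Accept the session only if the DC certificate chains to a trusted CA.
# Returning $true unconditionally here is the classic mistake; do not do it.
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.Build([System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate)
}
$conn.Bind()

# The read the SSO application actually needs ('jdoe' is an assumed test user).
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $queryOu, '(&(objectClass=user)(sAMAccountName=jdoe))', 'Subtree', @('mail', 'memberOf'))
$result = $conn.SendRequest($search)
"Found $($result.Entries.Count) entry/entries for jdoe"

# A write must be refused; if it succeeds, the account is not locked down.
$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest(
    "CN=jdoe,$queryOu", 'Replace', 'description', 'should not work')
try {
    $conn.SendRequest($modify) | Out-Null
    Write-Warning 'Bind account can modify objects: tighten its permissions.'
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    "Write refused as expected: $($_.Exception.Response.ResultCode)"
}
$conn.Dispose()
```

Run the first two sections once as a domain admin and keep the third as a recurring check: it fails loudly if the LDAPS certificate stops chaining to a trusted CA, and it warns if someone later widens the account's rights. Rotate the stored password on a schedule rather than setting it to never expire.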