02-10-2011, 09:59 AM   #1
corndog (Newbie, joined Feb 2011, 1 post)
Why Administrative?

The Help screen for the Directory Connector specifies that it needs an Administrative account from the Active Directory to connect and get names. This can be done with a regular account. Is there any real reason that the connector needs administrative rights to the AD? Or is this just a gratuitous admin grab, and a possible future security breach if vulnerabilities are found in Untangle?
02-10-2011, 10:14 AM   #2
mrunkel (Untangle Ninja, joined Jul 2008, 2,766 posts)

<joke>Yes, we are collecting all your admin passwords and selling them to Eastern European hackers so that they may take over the world.</joke>

In all seriousness, while you may connect with a non-admin account, an LDAP query does not return the full address list unless the account has admin rights.

Note: However, you cannot use the Administrator account itself; it needs to be another account with administrator rights.
__________________
m.


Big Frickin Disclaimer:
While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.

It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.
Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
02-10-2011, 10:27 AM   #3
Big D (Master Untangler, joined Nov 2008, 691 posts)

Indeed, the account needs to have enough access to query AD. It only performs queries and no alter commands, so the account just needs to be able to view everything, primarily for group membership and AD users.

So you could make an admin user that can only read, and that should be sufficient in theory. I have never tried it, so I can't say for sure.
__________________
The beatings shall continue until morale improves!
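To settle the "in theory" part, here is an added check (not from the thread or from Untangle) that binds to AD as the proposed read-only connector account and reports whether it can enumerate users and their group membership; run it once with that account and once with a known full-access account and compare the counts. The LDAP path, domain and account name are placeholders.

```powershell
# Added example: verify that a non-admin, read-only service account can
# enumerate AD users and group membership over LDAP. The DC host, domain
# and account used below are placeholders, not values from the thread.
function Test-DirectoryReadAccess {
    param(
        [Parameter(Mandatory)] [string] $LdapPath,           # e.g. "LDAP://dc01.example.local/DC=example,DC=local"
        [Parameter(Mandatory)] [pscredential] $Credential    # the proposed connector account
    )
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password

    # Bind with Secure (Kerberos/NTLM) authentication rather than a simple cleartext bind.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $LdapPath, $user, $pass,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

    # Page the results: without paging AD returns at most 1000 entries by default,
    # which can make a read-only account look as if it returns an incomplete list.
    $searcher.PageSize = 1000
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user))"
    foreach ($attr in "sAMAccountName", "mail", "memberOf") {
        [void] $searcher.PropertiesToLoad.Add($attr)
    }

    $results    = $searcher.FindAll()
    $withGroups = 0
    foreach ($r in $results) {
        # Property names in SearchResult.Properties are lower-cased.
        if ($r.Properties["memberof"].Count -gt 0) { $withGroups++ }
    }

    # Group membership is what the connector relies on, so report whether
    # this account could read it at all, alongside the total user count.
    [pscustomobject]@{
        Account           = $user
        UsersReturned     = $results.Count
        UsersWithMemberOf = $withGroups
        MemberOfReadable  = ($withGroups -gt 0)
    }
}

# Usage with placeholder values:
# $cred = Get-Credential "EXAMPLE\svc-directory-ro"
# Test-DirectoryReadAccess -LdapPath "LDAP://dc01.example.local/DC=example,DC=local" -Credential $cred
```

If the read-only account returns the same UsersReturned and UsersWithMemberOf figures as a privileged account, the connector can be configured with the least-privileged account instead of one holding administrator rights.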