12-24-2010 01:22 AM - edited 03-10-2019 05:40 PM
Hi all,
I am trying to integrate ACS 5.x appliance with Active Directory and my client is concerned about AD security. The ACS User Guide states that the ACS AD account needs to have ONE of the following privileges.
•Add workstations to domain user right in corresponding domain.
•Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is precreated (created before joining ACS to the domain).
Since these are not 'read only' privileges to Active Directory, can I at least ask why ACS 5.x needs more than 'read access' to the Active Directory?
Is there a way to make it work with a 'read only' account?
If not, can I use LDAP instead?
Regards,
Nicos
12-24-2010 08:41 AM
Nicos,
Because it needs to add itself to the domain. Read only can't do this. You can use LDAP in place of AD, but you need to check protocol compatibility issues.
Regards,
~JG
Do rate helpful posts
12-24-2010 10:09 AM
After ACS adds itself to the domain, can we change the Active Directory user to be read-only?
12-26-2010 02:22 AM
Hi Nicos,
We only require the user to have the "Create computer object" permission. Once the ACS is connected to the AD using a username and password, you can remove the "Create Computer Object" permission. It is only required for specific tasks on the ACS. In a nutshell, you can change it to read-only privileges. The authentication will work as expected; however, you may face some issues while fetching attributes from AD.
Regds,
Jatin
01-10-2011 07:44 PM
Note that the ACS will do a join every time it's restarted, so you can't really delete the AD account or restrict it to read-only as it will work at first but then break on the next restart of ACS.
Details on LDAP integration are here.
And details on privileges needed for AD integration are outlined here as you mentioned in your post, no other real way around it.
OTH
Nicolas
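Since the join is repeated on every ACS restart, the practical least-privilege answer is to keep the right in place but scope it to one container: grant only Create/Delete Computer Objects on the container where the ACS computer account is pre-created, rather than a broader domain right. The following is an added example, not code from the thread or from Cisco; the OU path, the account name and the use of the AD: PowerShell drive are assumptions.

```powershell
# Added example (not from the thread): delegate only "Create Computer Objects" and
# "Delete Computer Objects" on a single container to the account ACS uses to join.
# Assumptions: the ActiveDirectory module is installed, the ACS computer object is
# pre-created under $ou, and $acsAccount is the account configured on the ACS.
Import-Module ActiveDirectory

$ou         = "OU=ACS Servers,DC=corp,DC=example,DC=com"   # assumed container
$acsAccount = "CORP\svc-acs"                               # assumed join account

# schemaIDGUID of the 'computer' class: restricts the Create/Delete Child right so it
# applies only to computer objects, not to users, groups or other object types.
$computerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"

$sid = (New-Object System.Security.Principal.NTAccount($acsAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

# Inheritance 'None': the right applies to this container only, not to sub-OUs.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            $rights,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $computerClassGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: show exactly what the account was granted on this container.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $acsAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

The verification output should list a single Allow ACE with CreateChild, DeleteChild and the computer-class GUID as ObjectType; any additional rights on the account elsewhere in the domain are what the client's security review should be looking for.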