ACS 5.x and Active Directory Integration: Security Concerns

Hi all,

I am trying to integrate ACS 5.x appliance with Active Directory and my client is concerned about AD security. The ACS User Guide states that the ACS AD account needs to have ONE of the following privileges.

Add workstations to domain user right in corresponding domain.

Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is precreated (created before joining ACS to the domain).

Since these are not 'read only' privileges to Active Directory, can I at least ask why ACS 5.x needs more than 'read access' to the Active Directory?

Is there a way to make it work with a 'read only' account?
If not, can I use LDAP instead?

Regards,

Nicos

TIA, Nicos Nicolaides
4 Replies

Jagdeep Gambhir
Level 10

Nicos,

Because it needs to add itself to the domain. Read only can't do this. You can use LDAP in place of AD but you need to check protocol compatibility issues.

Regards,

~JG


Do rate helpful posts

After ACS adds itself to the domain, can we change the Active Directory user to be read-only?


Hi Nicos,

We only require a user to be part of "Create computer object". Once the ACS is connected to the AD using a username and password, you can remove the "Create Computer Object". It is only required for specific tasks on the ACS. In a nutshell, you can change it to read-only privileges. The authentication will work as expected; however, you may face some issues while fetching attributes from AD.


Regds,

Jatin

~Jatin

Nicolas Meessen
Level 1

Note that the ACS will do a join every time it's restarted, so you can't really delete the AD account or restrict it to read-only as it will work at first but then break on the next restart of ACS.

Details on LDAP integration are here.

And details on privileges needed for AD integration are outlined here as you mentioned in your post, no other real way around it.

HTH

Nicolas
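The thread's second option from the ACS User Guide (pre-create the ACS machine account, then grant the ACS account only Create/Delete Computer Objects on that container) is the least-privilege path, and since ACS re-joins on every restart, that delegation has to stay in place rather than being removed afterwards. The following PowerShell is an added example written for this page, not code from the thread or from Cisco: it pre-creates the computer object, delegates the narrow right on the Computers container scoped to the computer object class only, and then audits what the service account actually holds. The domain name `example.local`, service account `svc-acs` and hostname `acs01` are assumptions.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory RSAT module
# and an account permitted to modify the container's ACL.
Import-Module ActiveDirectory

$Domain      = 'example.local'   # assumption: target AD domain
$ServiceAcct = 'svc-acs'         # assumption: the AD account ACS uses to join
$AcsHostname = 'acs01'           # assumption: ACS appliance hostname

# Container where the ACS machine account will live (e.g. CN=Computers,DC=example,DC=local)
$ComputersPath = (Get-ADDomain -Identity $Domain).ComputersContainer

# Step 1: pre-create the ACS machine account so the join only needs to update it,
# not create it with a domain-wide "Add workstations to domain" right.
if (-not (Get-ADComputer -Filter "Name -eq '$AcsHostname'" -SearchBase $ComputersPath)) {
    New-ADComputer -Name $AcsHostname -Path $ComputersPath -Enabled $true
}

# schemaIDGUID of the 'computer' object class: restricts the ACE so the account
# can create/delete computer objects only, not users, groups or OUs.
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$Sid = (Get-ADUser -Identity $ServiceAcct).SID

# Step 2: delegate Create Child / Delete Child for computer objects on the container.
# InheritanceType None keeps the grant on this container only.
$acl  = Get-Acl -Path "AD:\$ComputersPath"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ComputersPath" -AclObject $acl

# Step 3: audit. Lists every ACE on the container that names the service account,
# so a reviewer can confirm nothing broader than the intended grant is present.
function Get-AcsDelegation {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $AccountSid
    )
    (Get-Acl -Path "AD:\$Path").Access |
        Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $AccountSid
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType
}

# Step 4: the service account should not also sit in built-in privileged groups;
# such membership would silently exceed the "create computer object" need stated in the thread.
$PrivilegedGroups = 'Domain Admins', 'Account Operators', 'Administrators'
$Excess = Get-ADPrincipalGroupMembership -Identity $ServiceAcct |
          Where-Object { $PrivilegedGroups -contains $_.Name }

Get-AcsDelegation -Path $ComputersPath -AccountSid $Sid
if ($Excess) {
    Write-Warning "$ServiceAcct is a member of: $($Excess.Name -join ', ')"
}
```

The audit output should show a single Allow entry for `svc-acs` whose ObjectType is the computer class GUID and whose InheritanceType is None; any additional entries, or a non-empty warning from the group check, mean the account holds more than the join requires.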