LDAP Service Account Permissions

jhuhmann
Contributor

I'm setting up an Active Directory connection and it is asking for a service account. What are the minimum permissions the account needs in AD for LDAP functionality?

1 ACCEPTED SOLUTION

jarednichols
Honored Contributor

The simple existence of the account being there should be sufficient. You shouldn't need any privs. I use the same account as my casper install account as it's an AD-based service account.


4 REPLIES

jhuhmann
Contributor

Excellent. Thanks.

justinrummel
Contributor III

Would that service account need JOIN privileges if you were trying to do authenticated binds to AD? It depends on your AD security settings.

- Justin

jarednichols
Honored Contributor

In most environments, AD accounts need specific permission to create the computer object when joining. Most environments will require a pre-created computer object before binding. Best practice is to allow a particular service account to create the object when joining, but to limit it to particular OUs and not the entire directory.

I believe OP was simply asking about the ability to do the user info lookups required so that AD users can log into the JSS.
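As an added illustration of both points in this thread (not code from the original posts or from Jamf): part 1 confirms that an ordinary, unprivileged domain account is enough for the LDAP bind and user lookups the JSS performs, and part 2 shows the "limit it to particular OUs" delegation for the join case. Assumed names: domain controller dc01.corp.example, service account CORP\svc-jamf, OU "OU=Macs,DC=corp,DC=example", test user jdoe; requires PowerShell 5+ on a domain-joined Windows host with the RSAT ActiveDirectory module.

```powershell
# --- 1. Lookup-only case: a plain domain user, no extra privileges. ---
# Simple bind over LDAPS with the service account, then a user lookup of the
# kind the JSS does when an AD user logs in. If Bind() succeeds and the
# search returns the user's groups, the account has everything it needs.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -UserName 'svc-jamf@corp.example' -Message 'Service account password'

$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new('dc01.corp.example', 636)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
$conn.SessionOptions.SecureSocketLayer = $true   # simple bind sends the password, so only over TLS
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $cred.GetNetworkCredential()
$conn.Bind()                                     # throws if the account cannot authenticate

$req = [System.DirectoryServices.Protocols.SearchRequest]::new(
    'DC=corp,DC=example',                        # search base (assumed)
    '(sAMAccountName=jdoe)',                     # test user (assumed)
    'Subtree',
    [string[]]@('distinguishedName', 'memberOf'))
$resp = $conn.SendRequest($req)
foreach ($entry in $resp.Entries) {
    $entry.DistinguishedName
    if ($entry.Attributes.Contains('memberOf')) {
        $entry.Attributes['memberOf'].GetValues([string])   # group DNs used for JSS access
    }
}

# --- 2. Join case: scope computer-object creation to one OU. ---
# CC = create child, DC = delete child, restricted to the computer class;
# /I:T applies the grant to the OU and its sub-containers only, not the
# whole directory.
dsacls 'OU=Macs,DC=corp,DC=example' /I:T /G 'CORP\svc-jamf:CCDC;computer'

# Verify what the account actually holds on that OU.
Import-Module ActiveDirectory
(Get-Acl -Path 'AD:\OU=Macs,DC=corp,DC=example').Access |
    Where-Object { $_.IdentityReference -like '*svc-jamf' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType
```

The dsacls line covers only creating the object, which is what the thread discusses; a full join delegation additionally needs rights on the created computer objects (for example resetting the password), which should likewise be granted only on that OU.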