What permissions are required to read Active Directory as LDAP?

Setup:

There is a central AD domain (CENTRAL) and several separate forests, each of which has its own domain (BRANCH1, BRANCH2, BRANCH3).

There are two-way trusts between CENTRAL and all of the other domains.

The application I'm working on runs in the CENTRAL domain and performs LDAP searches in all domains using the CENTRAL\ldapreader credentials.

This works fine for CENTRAL and BRANCH1, but BRANCH2 and BRANCH3 fail to connect with an invalid credentials error. If instead the search uses an account from those domains (BRANCH2\ldapreader, etc.), the search works fine.

What permission level is required to read AD as an LDAP server? Everything I have found indicates that it is allowed for Authenticated Users, which should work fine for CENTRAL\ldapreader because of the two-way trust, but this is not the behavior we get.

+6
active-directory ldap
1 answer

I think the permission you are looking for is "List Contents". You must ensure that CENTRAL\ldapreader has this permission in BRANCH2 and BRANCH3.

I am also wondering whether you set up the trusts with selective or forest-wide authentication, and whether you can manually browse BRANCH2 and BRANCH3.

+5
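An added diagnostic script (not from the question or the answer) that checks the two things the answer raises: whether each trust uses selective authentication, and whether CENTRAL\ldapreader can bind to each branch domain and list the top level of the directory, which needs List Contents. The domain and account names are the poster's; the ports, the Negotiate bind and the one-level search are assumptions for illustration.

```powershell
# Added example, not code from the original post. Requires the ActiveDirectory
# module (RSAT) on a CENTRAL-domain host and PowerShell 5 or later.
Import-Module ActiveDirectory

$branches = 'BRANCH1', 'BRANCH2', 'BRANCH3'
$cred     = Get-Credential -Message 'Enter CENTRAL\ldapreader'

# 1. Trust type. With selective authentication enabled, the reader account must
#    also be granted "Allowed to Authenticate" on the branch DCs, otherwise the
#    bind fails before any directory permission (List Contents etc.) is evaluated.
foreach ($t in Get-ADTrust -Filter * -Properties SelectiveAuthentication) {
    '{0,-12} direction={1,-14} selectiveAuth={2}' -f $t.Name, $t.Direction, $t.SelectiveAuthentication
}

# 2. Bind to each branch as the central account and read one level below the
#    domain head. Distinguish a failed bind (trust / authentication path) from a
#    successful bind that returns nothing (missing List Contents).
Add-Type -AssemblyName System.DirectoryServices.Protocols
foreach ($b in $branches) {
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($b, 389)
    $ldap = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $cred.GetNetworkCredential(), 'Negotiate')
    try {
        $ldap.Bind()
        # RootDSE is readable anonymously, so this only confirms the bind worked.
        $root = $ldap.SendRequest([System.DirectoryServices.Protocols.SearchRequest]::new('', '(objectClass=*)', 'Base', 'defaultNamingContext'))
        $ctx  = $root.Entries[0].Attributes['defaultNamingContext'][0]
        # Listing children of the domain head requires List Contents for the caller.
        $req  = [System.DirectoryServices.Protocols.SearchRequest]::new($ctx, '(objectClass=*)', 'OneLevel', 'name')
        $res  = $ldap.SendRequest($req)
        '{0}: bind OK, {1} top-level objects visible under {2}' -f $b, $res.Entries.Count, $ctx
    } catch {
        '{0}: FAILED - {1}' -f $b, $_.Exception.Message
    } finally {
        $ldap.Dispose()
    }
}
```

A bind failure on BRANCH2 and BRANCH3 only, combined with selectiveAuth=True for those trusts, points at the trust configuration rather than at directory ACLs.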
