LDAP Users

jadams, 2[H]4U. Joined: Mar 14, 2010. Messages: 4,086
I have a couple of web apps out there that use LDAP to authenticate. They all require a user for access to Active Directory. I'm just wondering what the best practices are for that user? What's the bare minimum as far as rights that I can give to this user?
 
Just make a standard user. All they need is to be in the "domain users" which everyone is by default when you create a user. They don't need to be put into any special groups.
What we do internally is just create a user in an OU that doesn't have any GPOs applied to it and we call it "readonly".
We give the user a strong password and poof. Now any applications that we have internally that need read access to AD to authenticate we use that account.
 
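// Load the adLDAP library. $options (domain controllers, base DN, bind account)
// must be defined before the constructor is called.
include (dirname(__FILE__) . "/../src/adLDAP.php");
try {
    $adldap = new adLDAP($options);
}
catch (adLDAPException $e) {
    echo $e;
    exit();
}
//var_dump($adldap);

echo ("<pre>\n");

// authenticate a username/password
// (this block is disabled by if (0); change it to if (1) to run the check)
if (0) {
    $result = $adldap->authenticate("username", "password");
    var_dump($result);
}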

just authen...
 
Just make a standard user. All they need is to be in the "domain users" which everyone is by default when you create a user. They don't need to be put into any special groups.
What we do internally is just create a user in an OU that doesn't have any GPOs applied to it and we call it "readonly".
We give the user a strong password and poof. Now any applications that we have internally that need read access to AD to authenticate we use that account.

I locked the account down to SCL only... this place did not use smart cards :)
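
Added example, not code from any poster in this thread: a Python audit that checks whether an LDAP bind account still matches the advice above (dedicated OU, Domain Users only, no special groups). It goes beyond the thread by also flagging risky userAccountControl bits, adminCount and SPNs. The OU name, account names and sample entries are constructed, and the entry is assumed to be a dict of attributes already read from AD with multi-valued attributes as lists.

```python
import re

DOMAIN_USERS_RID = 513  # primaryGroupID of "Domain Users"

# userAccountControl bits a read-only bind account should never carry.
RISKY_UAC = {
    0x0020: "PASSWD_NOTREQD (blank password allowed)",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED (reversible encryption)",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH (AS-REP roastable)",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

def audit_bind_account(entry, expected_ou):
    """Return a list of findings; an empty list means the account matches."""
    findings = []
    dn = entry.get("distinguishedName", "")
    # Parent container = everything after the first unescaped comma.
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    parent = parts[1] if len(parts) == 2 else ""
    if parent.lower() != expected_ou.lower():
        findings.append(f"outside dedicated OU: {parent}")
    if int(entry.get("primaryGroupID", 0)) != DOMAIN_USERS_RID:
        findings.append("primary group is not Domain Users")
    # memberOf omits the primary group, so every value is an extra group.
    for group in entry.get("memberOf", []):
        findings.append(f"extra group: {group}")
    if int(entry.get("adminCount", 0)) == 1:
        findings.append("adminCount=1 (is or was in a protected group)")
    if entry.get("servicePrincipalName"):
        findings.append("SPN set (account is exposed to Kerberoasting)")
    uac = int(entry.get("userAccountControl", 0))
    for bit, name in RISKY_UAC.items():
        if uac & bit:
            findings.append(f"userAccountControl: {name}")
    return findings

# Constructed sample data (hypothetical domain and OU).
OU = "OU=ServiceAccounts,DC=example,DC=com"
GOOD = {"distinguishedName": "CN=readonly," + OU, "primaryGroupID": "513",
        "userAccountControl": "66048", "memberOf": []}  # normal account, password never expires
BAD = {"distinguishedName": "CN=ldapbind,CN=Users,DC=example,DC=com",
       "primaryGroupID": "513", "adminCount": "1",
       "userAccountControl": str(0x200 | 0x20 | 0x400000),
       "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=com"]}

if __name__ == "__main__":
    for account in (GOOD, BAD):
        print(account["distinguishedName"], audit_bind_account(account, OU))
```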
 