Univention Bugzilla – Bug 30987
Document the minimal privileges of the synchronization user on the Windows AD server
Last modified: 2015-04-01 13:48:15 CEST
Feedback in Ticket#: 2013040421000931 The documentation for the UCS AD Connector should include a note about the privileges the UCS AD Connector synchronization user on the Windows AD server must have at minimum. In some organizations it is not allowed to use the default Administrator user account with its full privileges. Those minimal privileges should be added to the documentation.
(In reply to comment #0) > [...] > The documentation for UCS AD Connector should include a note about the > privileges the UCS AD Connector synchronization user on the Windows AD server > must have at minimum. > [...] My bad, sorry. It's the synchronization user on the UCS side. What privileges are necessary for that user? It's the one to be defined in the AD connector setup wizard with his LDAP dn and the password.
(I was the original reporter) Without looking into your code, I don't think the UCS AD connector is related to FreeIPA, but in some ways they use similar mechanisms when it comes to AD on the one side and the open source solution on the other side. I've not yet checked if this is valid for UCS too, but if the UCS and FreeIPA connectors behave in similar manners for password synchronization with AD, the UCS connector would only require the privileges listed in the Fedora 17 guide on FreeIPA as denoted here: https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Setting_up_Active_Directory.html
Created attachment 5172: AD Connector user privileges - German
> AD Connector user privileges - german Thank you Ingo, I've given a quick look at your TeX attachment. Therefore it's definitely required to have a user with Admin permissions for password replication - I guess?
The requirements are now documented in chapter 8.5.2.1 (Basic configuration of the connector)
(In reply to Moritz Muehlenhoff from comment #5) > The requirements are now documented in chapter 8.5.2.1 (Basic configuration > of the connector) I didn't find the changes.
(In reply to Stefan Gohmann from comment #6) > (In reply to Moritz Muehlenhoff from comment #5) > > The requirements are now documented in chapter 8.5.2.1 (Basic configuration > > of the connector) > > I didn't find the changes. The section has changed due to other changes in the manual. This is now in 9.5.2.1. German version (translated): The replication user must be a member of the group <emphasis>Domänen-Admins</emphasis> (Domain Admins) in Active Directory. If the connector only synchronizes read-only from Active Directory to UCS, a standard user account can also be specified.
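As an added example (not from this bug thread, the UCS manual or the Univention project), here is a PowerShell check a Windows administrator can run on a domain controller to confirm that the account entered in the AD Connector setup wizard matches the documented requirement: Domain Admins membership for a bidirectional connector, a standard account when the connector only reads from Active Directory. It assumes the RSAT ActiveDirectory module is installed; the account name 'ucs-sync' is a placeholder.

```powershell
# Added example; not part of the bug report or the UCS documentation.
# Assumes the RSAT ActiveDirectory module; 'ucs-sync' is a placeholder account.
Import-Module ActiveDirectory

function Test-AdConnectorReplicationUser {
    param(
        # sAMAccountName of the account configured in the AD Connector wizard
        [Parameter(Mandatory)][string]$SamAccountName,
        # Set when the connector synchronizes only AD -> UCS (read-only)
        [switch]$ReadOnlyFromAD
    )

    $domain = Get-ADDomain
    # Domain Admins always has RID 512; resolving it by SID instead of by name
    # also works on localized domains (e.g. "Domänen-Admins" on German DCs).
    $domainAdmins = Get-ADGroup -Identity "$($domain.DomainSID.Value)-512"

    $user = Get-ADUser -Identity $SamAccountName

    # Recursive expansion catches membership through nested groups, which a
    # plain look at the user's memberOf attribute would miss.
    $members = @(Get-ADGroupMember -Identity $domainAdmins -Recursive)
    $isDomainAdmin = @($members | Where-Object { $_.SID -eq $user.SID }).Count -gt 0

    if ($ReadOnlyFromAD) {
        # Read-only AD -> UCS: a standard account is sufficient; flag a
        # Domain Admin here as over-privileged for the task.
        $meets = $true
        $note  = if ($isDomainAdmin) {
            'Account is a Domain Admin but only read access is needed; use a standard account.'
        } else {
            'Standard account is sufficient for read-only synchronization.'
        }
    } else {
        # Bidirectional sync (including writing passwords back to AD):
        # the manual requires Domain Admins membership.
        $meets = $isDomainAdmin
        $note  = if ($isDomainAdmin) {
            'Domain Admins membership present, as required for write access.'
        } else {
            'Not a Domain Admin; writes from UCS to AD will fail per the documented requirement.'
        }
    }

    [pscustomobject]@{
        User             = $user.SamAccountName
        IsDomainAdmin    = $isDomainAdmin
        ReadOnlyFromAD   = $ReadOnlyFromAD.IsPresent
        MeetsRequirement = $meets
        Note             = $note
    }
}

# Usage (placeholder account name):
Test-AdConnectorReplicationUser -SamAccountName 'ucs-sync'
Test-AdConnectorReplicationUser -SamAccountName 'ucs-sync' -ReadOnlyFromAD
```

The check resolves Domain Admins by its well-known RID rather than its display name so that it gives the same answer on a German DC, where the group is called Domänen-Admins as in the quoted manual text, and it expands nested groups because Domain Admins membership is frequently inherited rather than direct.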
OK