Bug 30987 - Document the minimal privileges of the synchronization user on the Windows AD server
Status: CLOSED FIXED
Product: UCS manual
Classification: Unclassified
Component: Services for Windows
Version: unspecified
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 3.2
Assigned To: Moritz Muehlenhoff
QA Contact: Stefan Gohmann
http://docs.univention.de/handbuch-3....
Blocks: 34325
Reported: 2013-04-05 11:18 CEST by Nico Gulden
Modified: 2015-04-01 13:48 CEST (History)
CC: 3 users


Attachments
AD Connector user priviledges - german (7.11 KB, application/x-tex)
2013-04-16 09:02 CEST, Ingo Steuwer

Description Nico Gulden univentionstaff 2013-04-05 11:18:18 CEST
Feedback in Ticket#: 2013040421000931

The documentation for the UCS AD Connector should include a note about the privileges the UCS AD Connector synchronization user on the Windows AD server must have at minimum. In some organizations it is not allowed to use the default Administrator user account with its full privileges. Those minimal privileges should be added to the documentation.
Comment 1 Nico Gulden univentionstaff 2013-04-05 11:26:07 CEST
(In reply to comment #0)
> [...] 
> The documentation for UCS AD Connector should include a note about the
> privileges the UCS AD Connector synchronization user on the Windows AD server
> must have at minimum. 
> [...]

My bad, sorry. It's the synchronization user on the UCS side. What privileges are necessary for that user? It's the one to be defined in the AD connector setup wizard with its LDAP DN and password.
Comment 2 Mathieu Simon 2013-04-06 13:43:19 CEST
(I was the original reporter)

Without looking into your code, I don't think the UCS AD connector is related to FreeIPA, but I think in some ways they use similar mechanisms when it comes to AD on the one side and the open source solution on the other side.

I've not yet checked if this is valid for UCS too, but if the UCS and FreeIPA connectors behave in similar manners for password synchronization with AD, the UCS connector would only require the privileges listed in the Fedora 17 guide on FreeIPA, as denoted here: https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Setting_up_Active_Directory.html
Comment 3 Ingo Steuwer univentionstaff 2013-04-16 09:02:35 CEST
Created attachment 5172 [details]
AD Connector user priviledges - german
Comment 4 Mathieu Simon 2013-04-16 11:04:20 CEST
> AD Connector user priviledges - german

Thank you Ingo, I've given a quick look at your TeX attachment.

Therefore it's definitely required to have a user with admin permissions for password replication, I guess?
Comment 5 Moritz Muehlenhoff univentionstaff 2013-09-27 09:48:59 CEST
The requirements are now documented in chapter 8.5.2.1 (Basic configuration of the connector)
Comment 6 Stefan Gohmann univentionstaff 2013-10-25 21:00:47 CEST
(In reply to Moritz Muehlenhoff from comment #5)
> The requirements are now documented in chapter 8.5.2.1 (Basic configuration
> of the connector)

I didn't find the changes.
Comment 7 Moritz Muehlenhoff univentionstaff 2013-11-07 12:34:11 CET
(In reply to Stefan Gohmann from comment #6)
> (In reply to Moritz Muehlenhoff from comment #5)
> > The requirements are now documented in chapter 8.5.2.1 (Basic configuration
> > of the connector)
> 
> I didn't find the changes.

The section has changed due to other changes in the manual. This is now in 9.5.2.1

German version (translated):
The replication user must be a member of the <emphasis>Domain Admins</emphasis> group in Active Directory. If the connector only synchronizes read-only from Active Directory to UCS, a standard user account can also be specified.
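The requirement stated in the manual text above (Domain Admins membership when the connector writes to AD, a standard account when it only reads) can be checked against the account actually configured for the connector. The following is an added example, not code from the UCS project or from this bug's participants. It assumes an LDIF-style dump of the replication account and the groups it belongs to, with SIDs rendered as strings (as Samba's ldbsearch prints them, not as base64 binary); the dump below is constructed. Membership is decided by SID (domain part plus the well-known RID 512) rather than by group name, so the German group name "Domänen-Admins" from the quoted text is recognised exactly like "Domain Admins", and a RID-512 group of a different domain is not. The syncmode values "sync", "write" and "read" are those of the UCR variable connector/ad/mapping/syncmode.

```python
"""Least-privilege check for the UCS AD Connector replication account.

Added example, not UCS project code. Encodes the manual's requirement: in
"sync" and "write" mode the account must be a member of Domain Admins; in
"read" mode a standard account suffices. Input is a constructed LDIF dump
with string-valued SIDs (assumption: produced e.g. by ldbsearch).
"""
import re

DOMAIN_ADMINS_RID = 512  # well-known RID; independent of the localized group name
SYNC_MODES_WRITING_TO_AD = ("sync", "write")  # values of connector/ad/mapping/syncmode

# Constructed sample dump: the sync account, its primary group and the
# (German-named) Domain Admins group. Not real directory data.
SAMPLE_LDIF = """\
dn: CN=ucs-sync,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
primaryGroupID: 513
memberOf: CN=Domänen-Admins,CN=Users,DC=example,DC=com

dn: CN=Domänen-Admins,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512

dn: CN=Domänen-Benutzer,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
"""


def parse_ldif(text):
    """Parse a minimal, string-valued LDIF dump into a list of {attr: [values]}."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def split_sid(sid):
    """Return (domain part, RID) of an SDDL SID string such as S-1-5-21-...-512."""
    if not re.fullmatch(r"S-1-\d+(?:-\d+)+", sid):
        raise ValueError(f"not a SID: {sid!r}")
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def domain_admin_membership(user, groups_by_dn):
    """True if the user is a direct member of *this* domain's Domain Admins.

    The primary group is included because AD does not list it in memberOf.
    Only direct memberships are visible here: nested membership would need
    the constructed tokenGroups attribute, which this dump does not contain.
    """
    user_domain, _ = split_sid(user["objectSid"][0])
    rids = {int(pgid) for pgid in user.get("primaryGroupID", [])}
    for dn in user.get("memberOf", []):
        group = groups_by_dn.get(dn.lower())
        if group is None:
            continue  # group not part of the dump: cannot judge it
        group_domain, rid = split_sid(group["objectSid"][0])
        if group_domain == user_domain:  # a foreign domain's RID 512 does not count
            rids.add(rid)
    return DOMAIN_ADMINS_RID in rids


def check_account(syncmode, user, groups_by_dn):
    """Compare the account's privilege with what the configured sync mode needs.

    'ok' is False only when the connector would fail (writing without Domain
    Admins); 'least_privilege' is False when the account holds more than the
    mode requires (Domain Admins member in read-only mode).
    """
    is_admin = domain_admin_membership(user, groups_by_dn)
    if syncmode in SYNC_MODES_WRITING_TO_AD:
        return {"ok": is_admin, "least_privilege": True,
                "note": "mode %r writes to AD and requires Domain Admins" % syncmode}
    if syncmode == "read":
        return {"ok": True, "least_privilege": not is_admin,
                "note": "read-only mode: a standard account is sufficient"}
    raise ValueError(f"unknown syncmode {syncmode!r}")


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    by_dn = {e["dn"][0].lower(): e for e in entries}
    sync_user = by_dn["cn=ucs-sync,cn=users,dc=example,dc=com"]
    for mode in ("sync", "read"):
        print(mode, check_account(mode, sync_user, by_dn))
```

With the sample dump the account passes for "sync" mode and is reported as over-privileged for "read" mode, which is the case the original reporter cared about: organizations that forbid using a Domain Admins account can do so only when the connector does not write back to AD.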
Comment 8 Stefan Gohmann univentionstaff 2013-11-15 22:50:02 CET
OK