LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
3.4.5.2 Step 2: Create a proxy user
The use of a proxy user is mandatory for Active Directory, as an anonymous bind does not grant
enough access rights to retrieve user, group, or any other name service data.
Use the Windows 2003 R2 or 2008 management tool, Active Directory Users and
Computers, to add a proxy user as a member of the "Domain Users" group. The proxy user is
used by the LDAP-UX clients to bind to the ADS for access to the name service data on the ADS.
For example, you might add a user:
CN=Proxy User, CN=Users, DC=cup, DC=hp, DC=com
CAUTION: Make sure the proxy user is a member of the Domain Users group, which allows read
access only, and not the Administrator group to protect Active Directory entries from malicious
modifications.
A proxy user's access rights to objects in an Active Directory depend on the default permissions
Active Directory was configured with during installation.
• Setting the "Windows 2000 Compatible Access" option
This option allows authenticated users read rights to all properties of their own objects, but
limited access to attributes of other objects. Because a proxy user must be able to read all
users' and groups' POSIX attributes, the administrator should specifically extend the access
capabilities for proxy users using one of the following alternatives:
◦ Configure the proxy user to be a member of "Pre-Windows 2000 Compatible Access"
group. By doing this, you allow the proxy user to read all properties of user and group
objects. Here is how to configure it:
1. Start Active Directory Users and Computers.
2. From the domain tree, click Builtin.
3. Double-click Pre-Windows 2000 Compatible Access, and select the Members tab.
4. Click Add, from a list of all users and groups, select the user name which you want
to configure as a proxy user, then click Add.
5. Click OK to save the configuration.
◦ Delegate POSIX attribute read access to the proxy user, allowing the proxy user to read
only POSIX attributes of user and group objects:
1. Start Active Directory Users and Computers.
2. Click the container that contains the proxy user, usually it is Users.
3. Select Delegate Control from the Action menu.
4. The Delegation of Control Wizard starts. Click Next.
5. On the screen that appears, click Add to get a list of users and groups. Select the proxy
user, click Add, and then click OK to return to the screen that selects users and groups.
6. Click Next.
7. If you use Windows 2003 R2, you are given the screen to identify the task to
delegate; select Create a custom task to delegate and click Next.
Otherwise, skip this step.
8. The next screen allows you to identify the scope of the task you want to delegate.
Click Only the following objects in the folder. Then select the Group objects box, and
click Next.
9. You are prompted to select permissions. Click Property-specific and the following
permissions:
– Read gidNumber
– Read memberUid
Click Next.
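The same configuration can be scripted instead of clicked through. The following PowerShell is an added example, not part of the HP guide: it creates the proxy user in the Users container of the guide's cup.hp.com example domain, enforces the CAUTION above by refusing to continue if the account sits in an administrative group, and then offers both alternatives, membership in Pre-Windows 2000 Compatible Access (function Grant-ProxyCompatAccess) or a property-specific read ACE for gidNumber and memberUid on group objects (function Grant-ProxyPosixRead), which is what the Delegation of Control Wizard steps produce. It assumes the ActiveDirectory PowerShell module from RSAT on a domain-joined administration host; the account name proxyuser, the container path and the function names are placeholders of this example.

```powershell
# Added example (not from the HP guide): create the LDAP-UX proxy user and grant it
# read access to the POSIX attributes it needs, following the two alternatives above.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined admin host.
# Domain, container and account names are placeholders for the guide's example domain.
Import-Module ActiveDirectory

$Domain         = 'DC=cup,DC=hp,DC=com'
$ProxyName      = 'Proxy User'
$ProxyContainer = "CN=Users,$Domain"
$ProxyDN        = "CN=$ProxyName,$ProxyContainer"

# 1. Create the proxy user. A new user gets Domain Users as its primary group.
if (-not (Get-ADUser -Filter "Name -eq '$ProxyName'" -SearchBase $ProxyContainer)) {
    New-ADUser -Name $ProxyName -SamAccountName 'proxyuser' -Path $ProxyContainer `
        -AccountPassword (Read-Host -AsSecureString 'Proxy user password') `
        -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
}
$Proxy = Get-ADUser -Identity $ProxyDN

# 2. CAUTION check: the proxy account must hold read-only rights, never administrative ones.
$Privileged  = 'Domain Admins', 'Enterprise Admins', 'Administrators',
               'Account Operators', 'Schema Admins'
$Memberships = (Get-ADPrincipalGroupMembership -Identity $Proxy).Name
$Bad = $Memberships | Where-Object { $Privileged -contains $_ }
if ($Bad) { throw "Proxy user is a member of privileged group(s): $($Bad -join ', ')" }
if ($Memberships -notcontains 'Domain Users') { throw 'Proxy user is not in Domain Users' }

# 3a. Alternative 1: read access to all user and group properties via the
#     Pre-Windows 2000 Compatible Access builtin group.
function Grant-ProxyCompatAccess {
    Add-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' -Members $Proxy
}

# 3b. Alternative 2: least-privilege delegation of read on specific POSIX attributes
#     of group objects, equivalent to the Delegation of Control Wizard steps above.
function Get-SchemaGuid([string]$LdapDisplayName) {
    # Look up the schemaIDGUID of an attribute or class; never hardcode these values.
    $schema = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

function Grant-ProxyPosixRead {
    param(
        [string]$TargetContainer = $ProxyContainer,          # container chosen in wizard step 2
        [string[]]$Attributes    = @('gidNumber', 'memberUid'),
        [string]$ObjectClass     = 'group'                   # "Group objects" in wizard step 8
    )
    $sid       = [System.Security.Principal.SecurityIdentifier]$Proxy.SID
    $classGuid = Get-SchemaGuid $ObjectClass
    $acl       = Get-Acl -Path "AD:\$TargetContainer"
    foreach ($attr in $Attributes) {
        # One ACE per attribute: ReadProperty on this property only, inherited by
        # descendant objects of the selected class only (wizard step 9).
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-SchemaGuid $attr),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $classGuid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$TargetContainer" -AclObject $acl
}

# Pick one alternative; the property-specific delegation is the narrower grant.
Grant-ProxyPosixRead
```

Run it as a domain administrator on a host where the AD: drive is available. Grant-ProxyPosixRead is the least-privilege choice because the proxy user can then read only the listed attributes of group objects under the chosen container; Grant-ProxyCompatAccess is simpler but exposes every property of user and group objects, so prefer it only when the attribute list the clients need cannot be pinned down. Rerunning the script is safe: the user is created only if absent, and the membership check runs before any rights are granted.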
136 Installing and configuring LDAP-UX Client Services for a Windows ADS environment