Charlie
We have separate Windows 2000 AD environments for dev, qa,
uat, staging, prod.
In our dev. environment we are able to bind to AD via LDAP
port 389 using ldp.exe. We bind (simple bind) using a
normal, unprivileged account (account is only a member of
Domain Users). When doing a search for the memberof
attribute (shows the groups of which the account is a
member), it is able to retrieve the "memberof" attributes
for user accounts.
However, in the other environments using an identically
named account with the same privilege level, the search
cannot retrieve the "memberof" attribute. But when I bind
using an account of higher privilege (Domain Admin), I can
retrieve the "memberof" attribute.
The environments were "allegedly" vanilla installs of AD.
I am not an LDAP guru by any means, but here are the areas
I checked:
I used LDIFDE and received the same result.
Using ADSI I checked the Configuration
Container/services/windowsnt/directory service/Query-
Policies. Both looked identical to me.
I started to check the schema container but quickly
realized I might get better results here.
The one thing I did not do was bind using the SSPI method (-b
flag in LDIFDE).
It looks like a permission issue, but where do I configure
it and what's the setting?
Any LDAP gurus available to help?
Thanks very much.