Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Bind DN Rights

  • 1.  Bind DN Rights

    Posted Dec 14, 2017 12:58 PM

    We are currently using our domain admin rights to authenticate with our AD environment for ClearPass Policy Manager.  Because it is authenticating users to AD in cleartext, we want to change the Bind DN user to one that has fewer rights/less authority.  What are the minimum rights needed for ClearPass to use AD for authentication purposes?



  • 2.  RE: Bind DN Rights

    EMPLOYEE
    Posted Dec 14, 2017 01:01 PM

    You should never use a domain admin account.

    You simply need a standard user account (Domain Users). No special privs.

     

    Also, you should be using LDAPS so passwords are not in the clear.



  • 3.  RE: Bind DN Rights

    EMPLOYEE
    Posted Dec 20, 2017 07:55 AM

    +1 on the do not use Administrator accounts.

     

    I would create a special service account with a very strong password so you can disable password renewal, expiration and password lockout on the account to prevent it from expiring/locking.

     

    Then on the rights, you basically (only) need read access to the fields and records that you use in your authentication. As Tim said, the standard user template is a good start that will work in most cases, unless access has been locked down in your specific Active Directory.

     

    You can easily test what access you have with an LDAP Browser, like the browser inside Clearpass.
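
The following PowerShell is an added example from the editor, not code from the thread or from HPE Aruba. It puts the two answers above into practice: it creates a bind account that is only a member of Domain Users, with a non-expiring password and no lockout, and then performs the same kind of simple bind ClearPass does, but over LDAPS on port 636, to confirm the account can read the attributes a ClearPass authentication source typically needs. All names are assumptions: the domain example.com, the domain controller dc01.example.com, the OU "Service Accounts", the account svc_clearpass, the fine-grained password policy PSO-ClearPass-Bind, and the test user jdoe. It must be run on a domain-joined Windows host with the ActiveDirectory module and Domain Admin rights for the account-creation steps only; the bind test itself runs as the new, unprivileged account.

```powershell
# Added example (editor's code, not from the thread or from HPE Aruba): create a
# least-privilege ClearPass Bind DN account and verify it over LDAPS.
# Assumed (hypothetical) names: domain example.com, DC dc01.example.com,
# OU "Service Accounts", account svc_clearpass, PSO-ClearPass-Bind, test user jdoe.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Domain = 'example.com'
$BaseDn = 'DC=example,DC=com'
$Ou     = "OU=Service Accounts,$BaseDn"
$Sam    = 'svc_clearpass'
$Upn    = "$Sam@$Domain"
$Dc     = "dc01.$Domain"

# 1. A plain user: no group memberships beyond the Domain Users primary group.
#    Long random password that never expires; the account cannot change it.
$Password = Read-Host -Prompt "Password for $Sam" -AsSecureString
New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName $Upn `
    -Path $Ou -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'ClearPass LDAP bind account (read-only, Domain Users only)'

# 2. Lockout is a password-policy setting, not a user-object flag, so exempt
#    the bind account with a fine-grained password policy whose lockout
#    threshold is 0 (no lockout) and whose minimum length is long.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ClearPass-Bind' -Precedence 10 `
    -LockoutThreshold 0 -MinPasswordLength 32 -ComplexityEnabled $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ClearPass-Bind' -Subjects $Sam

# 3. Guard rail: MemberOf excludes the primary group, so it must be empty.
$Extra = (Get-ADUser $Sam -Properties MemberOf).MemberOf
if ($Extra) { Write-Warning "$Sam has extra group memberships: $($Extra -join ', ')" }

# 4. Simple (Bind DN + password) bind, as ClearPass does it, but wrapped in TLS
#    on 636. AuthType Basic is exactly the cleartext bind that LDAPS must protect;
#    certificate chain validation is left at the .NET default (on).
$Ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, 636)
$Conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($Ident)
$Conn.SessionOptions.SecureSocketLayer = $true
$Conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$Conn.Credential = New-Object System.Net.NetworkCredential($Upn, $Password)
$Conn.Bind()   # throws LdapException on bad credentials or TLS failure

# 5. Read the attributes a ClearPass authentication source normally uses.
#    An empty result with a successful bind means read access has been
#    restricted in this AD and the account needs explicit Read permissions.
$Req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $BaseDn,
    '(&(objectClass=user)(sAMAccountName=jdoe))',
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    @('userPrincipalName', 'memberOf', 'userAccountControl', 'mail'))
$Resp = $Conn.SendRequest($Req)
if ($Resp.Entries.Count -eq 0) {
    Write-Warning 'Bind succeeded but no entries were readable: check Read ACLs.'
}
foreach ($Entry in $Resp.Entries) {
    $Entry.DistinguishedName
    foreach ($Name in $Entry.Attributes.AttributeNames) {
        '  {0} = {1}' -f $Name, ($Entry.Attributes[$Name].GetValues([string]) -join '; ')
    }
}
$Conn.Dispose()
```

The bind in step 4 uses the same credential form (UPN plus password, simple bind) you would enter as Bind DN and Bind Password in the ClearPass authentication source, so a success here with the TLS flag set is a good indication the LDAPS configuration in ClearPass will work; if step 5 returns the user's DN and memberOf values, the account has all the rights ClearPass needs for authentication and group-based role mapping, and nothing more.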