New Contributor

Bind DN Rights

We are currently using our domain admin rights to authenticate with our AD environment for ClearPass Policy Manager. Because it is authenticating users to AD in cleartext, we want to change the Bind DN user to one that has fewer rights/less authority. What are the minimum rights needed for ClearPass to use AD for authentication purposes?

Guru Elite

Re: Bind DN Rights

You should never use a domain admin account.

You simply need a standard user account (Domain Users). No special privs.


Also, you should be using LDAPS so passwords are not in the clear.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Bind DN Rights

+1 on the do not use Administrator accounts.


I would create a special service account with a very strong password so you can disable password renewal, expiration and password lockout on the account to prevent it from expiring/locking.


Then on the rights, you basically (only) need read access to the fields and records that you use in your authentication. As Tim said, the standard user template is a good start that will work in most cases, unless access has been locked down in your specific Active Directory.


You can easily test what access you have with an LDAP browser, like the browser inside ClearPass.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
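A scripted version of what the two replies above recommend, added here as an example and not taken from the thread or from Aruba: create a plain Domain Users service account with a long password and no expiry, confirm it is in no other groups, then perform a simple bind over LDAPS (port 636) and read only the attributes an authentication lookup needs. The domain, OU, DC name, account name, sample user and attribute list are assumptions.

```powershell
# Added example (assumptions): domain corp.example, DC dc01.corp.example,
# an OU for service accounts, and that ClearPass only needs to read
# sAMAccountName, userPrincipalName and memberOf for the users it authenticates.
Import-Module ActiveDirectory

$svcName = 'svc-clearpass-bind'                        # assumed account name
$ouPath  = 'OU=Service Accounts,DC=corp,DC=example'    # assumed OU
$dc      = 'dc01.corp.example'                         # assumed DC
$baseDn  = 'DC=corp,DC=example'

# 32-character random password; with PasswordNeverExpires the bind will not
# silently break on a rotation deadline. Lockout thresholds come from the domain
# (or a fine-grained) password policy, not from a per-account flag.
$chars = (48..57) + (65..90) + (97..122)
$plain = -join ($chars | Get-Random -Count 32 | ForEach-Object { [char]$_ })
$pw    = ConvertTo-SecureString $plain -AsPlainText -Force

New-ADUser -Name $svcName -SamAccountName $svcName -Path $ouPath `
    -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'ClearPass LDAP bind account (read-only, Domain Users only)'

# Least-privilege check: the account should belong to Domain Users and nothing else.
$groups = @((Get-ADPrincipalGroupMembership -Identity $svcName).Name)
$extra  = $groups | Where-Object { $_ -ne 'Domain Users' }
if ($extra) { Write-Warning "Unexpected group membership: $($extra -join ', ')" }

# Simple bind over LDAPS (not plain 389) using the new account, then a read of
# only the attributes an authentication lookup needs.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, 636)
$conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential("$svcName@corp.example", $pw)
$conn.Bind()   # throws if the DC rejects the credentials or the TLS handshake fails

$attrs = @('sAMAccountName', 'userPrincipalName', 'memberOf')
$req   = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $baseDn, '(sAMAccountName=jdoe)', 'Subtree', $attrs)   # jdoe: assumed test user
$resp  = $conn.SendRequest($req)
if ($resp.Entries.Count -eq 0) { Write-Warning 'Read access to the user object is missing' }
else { $resp.Entries[0].Attributes['memberOf'].GetValues([string]) }
```

Run this from a workstation with RSAT as an account allowed to create users; the final read is what ClearPass itself will perform, so a result here means the standard Domain Users rights are sufficient in your directory.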