The problem is inherited within the default ACL that AD is set up with. You should be able to bind as the user (userDN, password) and then be able to change whatever you need to so long as you have an ACL that permits the user to do this. I say ACL and not user groups that MS provides (e.g. domain admins, Administrators, etc.) as they behave differently.
From what I remember from working on AD integration with OpenLDAP last year, you need to use the MMC to manage the AD ("Active Directory Users and Computers" MMC snap-in) and right-click on the subtree or entity on which you want to enforce a new ACL. Here is a short blurb of how I was able to do something similar (required to allow users to read/write a new attribute):

(a) I created a new attribute in the AD schema called myAttribute and added this to the user object class.
(b) Using the "Active Directory Users and Computers" MMC snap-in, expand, highlight and right-click the Active Directory node representing: OU=Sad_MS_Users,DC=myCompany,DC=co,DC=uk
(c) Click on menu item "Delegated Control ..." to start the "Delegation of Control Wizard". Click "Next" to acknowledge the welcome message.
(d) Add a user group to associate the permissions with by clicking on "Add". From the displayed window, find the "SELF" user group and click "Add". Then click "OK" to accept this user group.
(e) The required "SELF" group will be selected; then click "Next".
(f) Select the "Create a custom task to delegate" option and then click "Next".
(g) Select "Only the following objects in the folder". From the list, click the "User object" checkbox only and then click "Next".
(h) Select the "Property-specific" checkbox only, then scroll down the "Permissions" window and select "Read myAttribute" & "Write myAttribute". Then click "Next".
(i) Click "Finish" to complete the process.

I hope this helps if I understood you correctly.

Regards,
Abdul

--- "Barrett, John" <[EMAIL PROTECTED]> wrote:
> Most of the time it's that simple but not always. In my environment the
> only way I can use a simple bind to a generic AD account to modify AD
> entries (i.e., not binding as myself to modify my own entry) is to have
> Full Domain privileges on the AD account I'm binding to. I do not want
> Full Domain privileges. So I'm thinking I may need to authenticate via
> Kerberos. Does anyone have a simple example and instructions for
> setting it up?
>
> -----Original Message-----
> From: Christopher A Bongaarts [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 21, 2005 2:36 PM
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: Re: Accessing AD
>
> In the immortal words of [EMAIL PROTECTED]:
>
> > Maybe someone asked this before:
> > I would like to access Active Directory and add groups in the directory
> > tree.
> > This from a platform different from Win32, let's say *UNIX*.
> > Do I need to authenticate via Kerberos ?
>
> No, the standard LDAP bind works just fine; just bind as a user with
> sufficient rights to perform the operations you need.
>
> %% Christopher A. Bongaarts %% [EMAIL PROTECTED] %%
> %% Internet Services %% http://umn.edu/~cab %%
> %% University of Minnesota %% +1 (612) 625-1809 %%
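The wizard steps (a)-(i) above, done as a script instead of by clicking through the MMC. This is an added example and not part of Abdul's post or the thread: it grants the SELF principal Read/Write on one attribute for user objects under the OU, which is the same property-specific, user-object-only ACE the wizard produces. It assumes the RSAT ActiveDirectory module and an account allowed to modify the OU's security descriptor; the OU DN and attribute name are the ones from the post, the SELF SID and the user-class GUID are the well-known values.

```powershell
# Added example (not from the original post): delegate Read/Write of a single
# attribute to SELF for user objects under an OU, equivalent to wizard steps (b)-(i).
Import-Module ActiveDirectory

$ouDN      = 'OU=Sad_MS_Users,DC=myCompany,DC=co,DC=uk'     # OU from the post
$attrName  = 'myAttribute'                                   # custom attribute from the post
$selfSid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'  # well-known SELF
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'    # schemaIDGUID of the 'user' class

# Look up the attribute's schemaIDGUID: the ACE is scoped to this one property (step h),
# not to the whole object, so the delegated account cannot change anything else.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attrName)" -Properties schemaIDGUID
if (-not $attr) { throw "Attribute '$attrName' not found in the schema" }
$attrGuid = [Guid]$attr.schemaIDGUID

$acl = Get-Acl -Path "AD:\$ouDN"

# Property-specific Allow ACE for SELF (step d): ReadProperty + WriteProperty on $attrGuid,
# inherited by descendant objects of class 'user' only (step g).
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $selfSid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the ACEs on the OU that reference this attribute, so the delegation
# can be reviewed later instead of guessing why a bind account can or cannot write it.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritedObjectType
```

Replace `$selfSid` with the SID of a dedicated service account to get what John is after: a generic bind account that can modify exactly these attributes on these objects without holding domain-wide privileges.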
