Forum Discussion

madina1920
Copper Contributor
May 31, 2023

Restrict Active Directory LDAP "bind" to specific accounts

We have On-prem Active Directory, users and applications are authenticated by AD to access network resources.

Please advise if there is a way to secure or delegate AD LDAP "bind" only to admins or specific service accounts. Currently anyone with valid credentials can "bind" to Active Directory, traverse through OUs and see all AD information. Is it possible to limit it to only Administrators and service accounts and have LDAP Kerberos authentication in service? Thank you!

  • Alban1998
    Iron Contributor
    Hello,
    This is by design - Active Directory is a directory, not a secured vault.
    You can always restrict read/browse rights by applying a delegation model (updating OU ACL, updating access rights...), but the more you restrict it, the more technical issues and management complexity you'll get.
    • madina1920
      Copper Contributor

      Alban1998, thank you for the reply. I thought so too, just wanted to double-check with experts. And for LDAP binding, when used by an application to authenticate users, there is no such permission in AD, correct?
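The delegation-model route Alban1998 mentions (updating the OU ACL) looks like the following in PowerShell. This is an added example, not code from either poster: it first audits which broad principals (Authenticated Users, Everyone, Pre-Windows 2000 Compatible Access) hold read or list rights on an OU, and then, as a separate opt-in step, replaces those ACEs on the OU with a read grant for one delegated group so that only that group's members (for example service accounts that bind to look up users) can browse it. It assumes the RSAT ActiveDirectory module, a hypothetical OU `OU=Corp,DC=contoso,DC=com` and a hypothetical group `CONTOSO\App-Directory-Readers`.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module and a
# hypothetical OU / reader group; names below are placeholders for your own values.
Import-Module ActiveDirectory

# Principals whose read access on an OU means "any valid credential can browse it".
$BroadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone',
                     'BUILTIN\Pre-Windows 2000 Compatible Access')

# Any of these rights lets a bound user read attributes or enumerate children.
$ReadMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ListObject

function Test-BroadReadAce {
    # Returns $true when an ACE grants one of the broad principals read/list rights.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $Ace.AccessControlType -eq 'Allow' -and
    $BroadPrincipals -contains $Ace.IdentityReference.Value -and
    ($Ace.ActiveDirectoryRights -band $ReadMask) -ne 0
}

function Get-BroadReadAce {
    # Audit only: list who can browse the OU and whether the ACE is inherited or explicit.
    param([Parameter(Mandatory)][string]$OuDn)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access | Where-Object { Test-BroadReadAce $_ } |
        Select-Object @{n='OU'; e={ $OuDn }}, IdentityReference, ActiveDirectoryRights,
                      IsInherited, InheritanceType, ObjectType
}

function Set-OuReadDelegation {
    # Replace broad read ACEs on the OU with a read grant for one delegated group.
    # Supports -WhatIf / -Confirm; nothing is written unless ShouldProcess passes.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$OuDn,
          [Parameter(Mandatory)][string]$ReaderGroup)

    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path

    # Block inheritance from parent containers but keep copies of the inherited ACEs,
    # so every other permission on the OU stays exactly as it was.
    $acl.SetAccessRuleProtection($true, $true)

    # Remove the broad read ACEs (the former inherited ones are now explicit copies,
    # so they are caught here as well). Iterate over a snapshot while removing.
    foreach ($ace in @($acl.Access)) {
        if (Test-BroadReadAce $ace) { [void]$acl.RemoveAccessRule($ace) }
    }

    # Grant the delegated readers generic read on the OU and everything beneath it.
    $sid  = (Get-ADGroup -Identity $ReaderGroup).SID
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($OuDn, "Replace broad read ACEs with read for $ReaderGroup")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Usage (placeholder DN and group):
$ou = 'OU=Corp,DC=contoso,DC=com'
Get-BroadReadAce -OuDn $ou | Format-Table -AutoSize
Set-OuReadDelegation -OuDn $ou -ReaderGroup 'App-Directory-Readers' -WhatIf
```

Run the audit function first; it only reads the ACL. The apply step is the part Alban1998 warns about: user and group objects beneath the OU carry their own explicit read ACEs from the schema's default security descriptor, other OUs and the global catalog are untouched, and applications that bind with an ordinary user account will stop seeing the OU unless their account is in the reader group, so each such account has to be tracked as part of the delegation model.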
