What is the least user privilege/role to use in order to synchronize Active Directory users with an external server via LDAP?

Anonymous
2023-08-24T09:11:53+00:00

Hello everyone,

We have an integration between a Windows server where Active Directory (AD) is running and Cisco Unified Communications Manager (CUCM).

The integration is done using LDAP, and the account used on CUCM for this purpose is the domain controller account. The synchronization is working fine and AD users can be seen in the CUCM GUI after carrying out the sync.

Recently, for security purposes, the customer has a requirement to implement the AD-CUCM integration using a different user account with the least privilege instead of using the domain controller account.

In this case, what is the least user privilege/role for the user account that we are supposed to use on CUCM in order to synchronize the CUCM server with Active Directory and pull the AD users?


Locked question, migrated from the Microsoft Support Community; user profiles for migrated questions are anonymized.

Accepted answer
  1. Anonymous
    2023-08-28T08:33:30+00:00

    Hello Daisy. A domain user with default group membership works for the integration.

    Thanks a lot for your assistance.


3 additional answers

  1. Anonymous
    2023-08-25T01:42:39+00:00

    Hello Mohammad Ahmad Al Kronz -X (malkronz),

    Thank you for posting in the Microsoft Community forum.

    Based on the description "the integration is done using LDAP and the account used on CUCM for this purpose is the domain controller account.", what account do you mean by domain controller account? Is it a domain user account, a domain administrator account, or the machine account of the domain controller?

    Based on "using different user account with the least privilege instead of using the domain controller account.", do you want to use one normal domain user account?

    Does the account you are using to sync data between AD and CUCM have to be in the AD server? If so, I am afraid there may be no such document or official link from Microsoft to describe or explain it.

    You can try one normal domain user to see if it helps.

    Hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

  2. Anonymous
    2023-08-25T10:20:08+00:00

    Thanks for your input, Daisy. Let me explain what is going on in the working scenario to make it easier:

    1. On the CUCM web interface we navigate to the LDAP integration page and enter the following:
    2. The user ID that has access rights to the LDAP directory
    3. The password of that user
    4. The user search base (O, OU, DC, etc.)
    5. Then we save this and click the synchronization button
    6. Behind the scenes, CUCM uses the user ID we entered in step 1 to send a simple bind request to the LDAP server (AD on the domain controller)
    7. The LDAP server returns success, then CUCM uses the user search base (O, OU, DC, etc.) to fetch all the matching AD users
    8. We then go to the End Users page on CUCM and find all the AD users listed there

    Typically we just use the domain account, which is the account created when installing the domain controller role on the Windows server, but this account has more privileges than needed. In this case we just need to create a user and assign it a role/privilege ONLY for accessing Active Directory and fetching AD users, so we can use it in step 1 instead of a user account with full privileges.
    Is this possible? If yes, what is the role/privilege to achieve this?

    Thanks

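The procedure described in the post above (create a bind account, then let CUCM do a simple bind followed by a subtree search under the user search base), carried out end to end as an added example. This is not code from the original thread, from Cisco or from Microsoft. The domain corp.example, the OU "Service Accounts", the account svc-cucm-ldap, the DC dc01.corp.example and the search base OU=Users are all hypothetical names; the script needs the RSAT ActiveDirectory module and an operator allowed to create users in that OU. The second half uses .NET's System.DirectoryServices.Protocols to repeat exactly what CUCM will do with the account, so you can confirm that a plain member of Domain Users can bind and read the users before changing anything on CUCM. It binds over LDAPS because a simple bind otherwise sends the password in the clear.

```powershell
# Added example, not from the original thread. Creates the least-privilege
# bind account for the CUCM sync and then reproduces, from the client side,
# what CUCM does with it: simple bind, then a paged subtree search for users.
# Hypothetical names: domain corp.example, OU "Service Accounts", account
# svc-cucm-ldap, DC dc01.corp.example, user search base OU=Users. Needs the
# RSAT ActiveDirectory module; run as an admin who may create users in that OU.

Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Domain         = 'corp.example'
$BaseDN         = 'DC=corp,DC=example'
$SvcOU          = "OU=Service Accounts,$BaseDN"
$SvcSam         = 'svc-cucm-ldap'
$SvcUpn         = "$SvcSam@$Domain"
$Dc             = 'dc01.corp.example'
$UserSearchBase = "OU=Users,$BaseDN"     # the "user search base" field in CUCM

# 1. Create the account with no group beyond the default Domain Users. The
#    sync needs only the read access Authenticated Users already have on user
#    objects, so no delegation or extra group membership is required.
$Password = Read-Host -AsSecureString -Prompt "Password for $SvcSam"
New-ADUser -Name $SvcSam -SamAccountName $SvcSam -UserPrincipalName $SvcUpn `
    -Path $SvcOU -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'CUCM LDAP directory sync - read-only bind account'

# 2. Verify the account really is a plain domain user. Anything besides
#    "Domain Users" here is privilege the sync does not need.
$Extra = Get-ADPrincipalGroupMembership -Identity $SvcSam |
         Where-Object { $_.Name -ne 'Domain Users' } |
         Select-Object -ExpandProperty Name
if ($Extra) { Write-Warning "Unexpected group membership: $($Extra -join ', ')" }

# 3. What CUCM does with the account: a simple bind. A simple bind sends the
#    password in the clear, so connect over LDAPS (636); in CUCM the matching
#    setting is "Use TLS" on the LDAP Directory page.
$Id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, 636)
$Conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Id)
$Conn.SessionOptions.SecureSocketLayer = $true
$Conn.SessionOptions.ProtocolVersion   = 3
$Conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind
$Conn.Credential = New-Object System.Net.NetworkCredential($SvcUpn, $Password)
$Conn.Bind()   # throws LdapException if the DC rejects the credentials

# 4. Then the search: enabled, non-computer user objects under the search base.
#    (Illustrative filter; CUCM's own default filter is not reproduced here.)
#    AD returns at most MaxPageSize (default 1000) entries per request, so a
#    real sync must use the paged-results control, as below.
$Filter  = '(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$Attrs   = [string[]]@('sAMAccountName', 'userPrincipalName', 'mail', 'telephoneNumber')
$Request = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $UserSearchBase, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $Attrs)
$Page    = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
[void]$Request.Controls.Add($Page)

$Count = 0
do {
    $Response = $Conn.SendRequest($Request)
    foreach ($Entry in $Response.Entries) {
        $Count++
        # sAMAccountName is what CUCM imports as the End User ID by default.
        '{0,-20} {1}' -f $Entry.Attributes['sAMAccountName'][0], $Entry.DistinguishedName
    }
    $PageResp = $Response.Controls |
        Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    $Page.Cookie = $PageResp.Cookie
} while ($Page.Cookie.Length -gt 0)

"$Count user objects readable by $SvcSam under $UserSearchBase"
$Conn.Dispose()
```

If the bind succeeds and the count matches what you expect under the search base, the account has everything the sync needs; nothing beyond Domain Users is required because the default AD security descriptor already grants Authenticated Users read access to user objects and their common attributes. The step that is easy to skip is the membership check in part 2: the risk with a sync account is not what it needs but what it accumulates, so it is worth repeating that check periodically. Since the account only ever binds over LDAP, a "Deny log on locally" and "Deny log on through Remote Desktop Services" policy applied to it costs nothing and limits what the credential is worth if CUCM is compromised.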
  3. Anonymous
    2023-08-29T02:01:32+00:00

    Hello Mohammad Ahmad Al Kronz -X (malkronz),

    Thank you for your update and sharing.

    I am so glad that the normal domain user works for the integration.

    If my reply is helpful, please click "accept answer" so we can close this thread. Meanwhile, it will help people who have a similar issue find the helpful answer quickly.

    Thanks again. Have a nice day!

    Best Regards,
    Daisy Zhou
