LDAP – Restricted account for interrogating Active Directory by LDAP

Tags: active-directory, authentication, ldap

Our phone system has the ability to load its phonebook via LDAP, but it only supports non-SSL.

As a result, I am planning on setting up an account that only has access to read our Active Directory LDAP database, and preferably only the two or three fields that are required by the phonebook (Full Name, Phone #, etc).

These LDAP login details are stored in plain text on the phone (and because it's non-SSL all transmitted in plain text), so I'm very wary of security in this manner, and it goes a bit beyond the kind of permissions I've had to set up in Windows before.

So, how do I assign permission to a windows user account to only permit LDAP access, and to only permit access to specific properties in the LDAP queries?

Best Answer

You're going to run afoul of the fact that the default permissions in Active Directory are fairly permissive with respect to "Authenticated Users", a "group" of which any user you create will be a member. By default an "Authenticated Users / Read" ACE exists at the top of the domain partition of the directory.

Trying to change these default permissions is going to be problematic if you want to stay "supported" with Microsoft (as well as just having everything work as you expect).

If you really want to limit access severely you're going to have better luck replicating data out of AD into another LDAP directory (Active Directory Lightweight Directory Services (AD LDS) or OpenLDAP, for example) with more restrictive permissions than Active Directory has by default.

You might be able to find an LDAP proxy to do the same thing. There are a number of them out there but none that I have direct experience with that I can vouch for.
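The following PowerShell is an added example and is not part of the question or the answer above. It does two things the answer talks about: it lists the ACEs granted to Authenticated Users on the domain naming context (so you can see the default "Read" for yourself before deciding to touch it), and it copies only the phonebook attributes out of AD into a separate AD LDS instance whose permissions you control. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, and an AD LDS instance that already exists (created with adaminstall, with MS-InetOrgPerson.LDF imported) listening on phonebook.example.com port 50389 with an application partition DC=phonebook,DC=local and a container OU=People; the host, port, partition, OU, attribute list and function names are all assumptions for the example.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and an existing AD LDS instance (hypothetical host/port/partition below).
Import-Module ActiveDirectory

# 1. Show the ACEs on the domain NC that are granted to Authenticated Users.
#    This is the default read access the answer refers to; any account you
#    create in AD inherits it, which is why per-attribute lockdown in AD itself
#    is hard to do without fighting the defaults.
function Get-AuthenticatedUsersAces {
    param([string]$DistinguishedName = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' } |
        Select-Object IdentityReference, ActiveDirectoryRights,
                      AccessControlType, InheritanceType, ObjectType
}

# 2. Pull only the phonebook attributes out of AD. The LDAP filter keeps
#    enabled accounts (userAccountControl bit 2 = ACCOUNTDISABLE not set) that
#    actually have a telephoneNumber, so nothing else leaves the directory.
function Export-PhonebookEntries {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string[]]$Attributes = @('displayName', 'telephoneNumber', 'mobile')  # assumed field list
    )

    $filter = '(&(telephoneNumber=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties $Attributes |
        ForEach-Object {
            $entry = [ordered]@{ sAMAccountName = $_.SamAccountName }
            foreach ($a in $Attributes) {
                if ($_.$a) { $entry[$a] = $_.$a }
            }
            [pscustomobject]$entry
        }
}

# 3. Write those entries into the AD LDS instance as inetOrgPerson objects
#    (create or update). The phone then binds to LDS, not to AD, with an LDS
#    user that has nothing but read on this OU; the AD credentials never sit on
#    the handset or cross the wire in clear text.
function Import-PhonebookEntries {
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,
        # Hypothetical LDS instance and partition; adjust to your own.
        [string]$LdsPath = 'LDAP://phonebook.example.com:50389/OU=People,DC=phonebook,DC=local'
    )

    begin { $container = [adsi]$LdsPath }

    process {
        $cn = $Entry.sAMAccountName
        $obj = $null
        try { $obj = $container.Children.Find("CN=$cn", 'inetOrgPerson') } catch { }

        if (-not $obj) {
            $obj = $container.Create('inetOrgPerson', "CN=$cn")
        }

        foreach ($prop in $Entry.PSObject.Properties) {
            if ($prop.Name -ne 'sAMAccountName') {
                $obj.Put($prop.Name, $prop.Value)
            }
        }
        $obj.SetInfo()
    }
}

# Typical run: inspect the defaults first, then push a fresh copy into LDS.
# Get-AuthenticatedUsersAces | Format-Table -AutoSize
# Export-PhonebookEntries | Import-PhonebookEntries
```

Schedule the export/import as a task run by an account that only needs the default read in AD plus write on OU=People in the LDS partition. Grant the phone's bind user read on that OU alone (dsacls against the LDS instance works the same way as against AD), and the attribute set the phone can see is exactly what the export copied, regardless of how permissive AD's own defaults are.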