Search both a domain and child domain with one ldap query
  • Search both a domain and child domain with one ldap query

    I have this scenario:
    1 Active Directory tree, dc=company,dc=com.
    All employees are domain users in there.

    I have web servers (using php, asp, java) that authenticate them ok.
    Now I want to add external users (not employees, but customers, agents etc.).
    Externals would use the same web apps as internals. I can assume that user names are unique across both domains.

    How do I best add these external users (the LDAP question follows)?

    A: add them to the existing domain
    but then they can effectively use internal windows resources, which I don't want.
    or
    B: create a child domain, such as dc=external,dc=company,dc=com

    I like the B approach.
    But my question is, when I authenticate users from the web layer, can I do this from one base tree (company.com) and at the same time see external users?
    That's what I'm looking for, otherwise, I have to do two separate ldap searches, and that will complicate account management.

    Does anyone have any experience in this?

    /Thomas

  • #2
    Re: Search both a domain and child domain with one ldap query

    If you ask me, I would NEVER let external accounts reside in production AD. The security risk is too high - any valid domain account has too many permissions in AD.

    What I would do is:

    1) set up an instance of ADAM (AD Application Mode):
    http://blogs.technet.com/efleis/arch...irst-time.aspx

    2) use adamsync to populate and synchronize the production AD accounts with ADAM while creating accounts of userProxy object class (the authentication requests for those accounts will be proxied to AD):
    http://blogs.technet.com/efleis/arch...oxy-users.aspx

    3) Create the external accounts in ADAM using "user" object class (those will be authenticated by ADAM itself)

    4) Configure the web applications to authenticate against ADAM instance instead of AD directly.

    More on ADAM: http://blogs.technet.com/efleis/arch...c/default.aspx

    This approach will make sure that external users do not have any sort of access to your production environment.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"



    • #3
      Re: Search both a domain and child domain with one ldap query

      Originally posted by guyt
      2) use adamsync to populate and synchronize the production AD accounts with ADAM while creating accounts of userProxy object class (the authentication requests for those accounts will be proxied to AD):
      http://blogs.technet.com/efleis/arch...oxy-users.aspx

      3) Create the external accounts in ADAM using "user" object class (those will be authenticated by ADAM itself)
      This sounds very interesting!
      Is this fairly common practice?

      So basically, I end up with a "DMZ'd" ldap server?
      Do internal accounts (employees etc) keep their passwords in ADAM?

      On previous projects, I've never had to use active directory, because web users were always separate from internal accounts.

      This case is different, and I don't want internal users to have to remember two passwords, and at the same time, I don't want to be forced to do two separate LDAP lookups on the web server layer.

      /Thomas



      • #4
        Re: Search both a domain and child domain with one ldap query

        Originally posted by latompa
        Is this fairly common practice?
        In this specific scenario? Sure. This is the preferred method which balances both security and usability.

        Originally posted by latompa
        So basically, I end up with a "DMZ'd" ldap server?
        Yes.
        Originally posted by latompa
        Do internal accounts (employees etc) keep their passwords in ADAM?
        No. The passwords are in AD and authentication requests for internal accounts are proxied/forwarded to AD. AD/AM is smart enough to know that objects with userProxy object class should be authenticated not by AD/AM itself, but on a remote server (more on this in the urls I pointed to).

        Originally posted by latompa
        On previous projects, I've never had to use active directory, because web users were always separate from internal accounts.

        This case is different, and I don't want internal users to have to remember two passwords, and at the same time, I don't want to be forced to do two separate LDAP lookups on the web server layer.
        You end up with accounts sitting in a single namespace, hence all the objects (both internal and external accounts) can be queried with a single query.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"



        • #5
          Re: Search both a domain and child domain with one ldap query

          OK, got all that set up.
          ADAM has an external ou, for all my external people.

          I AdamSync in users from my internal ActiveDirectory, into an ou=internal.

          Initially, I misunderstood the proxyUser for users in ActiveDirectory, I thought that there was only one proxyUser (with search rights to AD).
          That's not the case, you'd have one ADAM proxyUser __per__ AD user.
          An ADAM proxyUser is connected to an AD user via an objectSid.

          I will describe this on my blog and update this post.

          /Thomas
          Last edited by latompa; 4th November 2006, 00:31. Reason: misunderstanding

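          The single-query lookup that posts #4 and #5 describe, as an added example that is not code from the thread or from ADAM: one subtree filter from one base matches both the userProxy objects synced into ou=internal and the plain user objects in ou=external, and the returned objectClass tells the web layer whether the bind will be proxied to AD or verified by ADAM itself. The partition DN, the `uid` attribute and the sample entries are assumptions; the in-memory directory stands in for a real server so the example runs offline, and the username is escaped before it is put into the filter because it comes from a web form.

```python
# Added example (not from the thread or ADAM). The directory below is a
# constructed stand-in for what a subtree search against ADAM would return;
# the base DN, the uid attribute and every entry value are assumptions.

BASE_DN = "dc=webusers,dc=company,dc=com"  # assumed ADAM application partition

SAMPLE_DIRECTORY = [  # constructed entries
    {"dn": "cn=alice,ou=internal," + BASE_DN,
     "objectClass": ["top", "userProxy"], "uid": "alice",
     "objectSid": "S-1-5-21-<placeholder>-1104"},   # links to the AD account
    {"dn": "cn=bob,ou=external," + BASE_DN,
     "objectClass": ["top", "person", "user"], "uid": "bob"},
]


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515) so a submitted
    username cannot change the structure of the filter it is placed in."""
    specials = "*()\\\x00"
    return "".join("\\%02x" % ord(ch) if ch in specials else ch for ch in value)


def build_user_filter(username: str) -> str:
    """One filter that matches either account type under BASE_DN."""
    return ("(&(uid=%s)(|(objectClass=user)(objectClass=userProxy)))"
            % escape_filter_value(username))


def find_account(username: str, directory=SAMPLE_DIRECTORY):
    """Stand-in for a subtree search from BASE_DN with build_user_filter().
    Returns (how the bind is verified, dn) or None when no entry matches.
    A real server applies the filter itself; here the literal uid is compared."""
    for entry in directory:
        if entry["uid"] != username:
            continue
        if "userProxy" in entry["objectClass"]:
            return ("proxied-to-AD", entry["dn"])    # ADAM forwards the bind to AD
        if "user" in entry["objectClass"]:
            return ("verified-by-ADAM", entry["dn"])  # password stored in ADAM
    return None


if __name__ == "__main__":
    print(build_user_filter("alice"))
    print(find_account("alice"), find_account("bob"), find_account("mallory"))
```

          The web application needs only one search base and one filter; the bind against the returned DN is then verified by AD for userProxy objects and by ADAM for user objects, as Guy explains in #4.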


          • #6
            Re: Search both a domain and child domain with one ldap query

            Sorry for being late to the party, but looks like you already figured how it all should work. Sorry for not being clear enough.

            How about posting the URL of your blog?
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"
