Add LDAP users to Active Directory Group and Authenticate users to remote LDAP server

Posted on 2013-02-07
Last Modified: 2013-04-26
I'm looking for methods or examples of ways to accomplish two tasks.

First, I need to add users from an LDAP server external to my domain and network to an Active Directory group on a local domain controller running Server 2008 STD.
Second, I need to know the minimum time delay before a change in the user's status on the LDAP server is reflected in the AD group.

I am assuming the users that are added to the AD group will have a SID associated with them, but I am looking for confirmation on this.

Thanks,
Question by:GRT_TEAM

Expert Comment

by:arnold
ID: 38864786
I do not believe the external LDAP to AD is an option as you outline. AD to AD can have a trust relationship. Not sure you can set up a trust relationship between AD and foreign LDAP.
You could have LDAP as a replica of AD.
On a second level, not sure you would want to grant an external source the option to create accounts within your AD. I.e. you would not give someone external to your organization the ability to auto-create access resources, keys.

Author Comment

by:GRT_TEAM
ID: 38865636
Sorry, I might not have been very clear with my first post. So let me try this way; here is the scenario. I have a web page that looks to AD group membership for authentication. I would like to have the option to add external LDAP users or groups to the AD group and have them authenticated.

Author Comment

by:GRT_TEAM
ID: 38865656
Also, another thought: would it be easier to have a "set" name for a group on the LDAP server that is added to the AD group to allow for authentication?

Expert Comment

by:arnold
ID: 38866066
The issue is as follows:
Presumably your web server is a domain member with integrated authentication or uses ADFS to integrate the web server to AD via LDAP queries.
What is the external ldap from?
Your issue seems to be locked in getting the remote group/users somehow integrated into the existing setup.

When a trust between/among AD domains exists, you could achieve what you want.
It is not clear to me what your vision is.
You have AD domain.com
You have ldap somedomain.com

Let's say AD has webaccessgroup while ldap has accessweb

You want users from either location, and so long as they are members of the respective group, to authenticate and be granted access.

Do you rely on IIS for authentication or do you use an ASP.NET mechanism?
It might be that ADFS is what you are looking for.
I.e. you can define each domain and the means by which each can authenticate.
User@domain and user@domain2

Author Comment

by:GRT_TEAM
ID: 38876990
The ideal situation would be to have users from the external LDAP domain added to a group in the local Active Directory. The web server would use a .NET mechanism to look to the group. If the user trying to log in is in the group, AD would query the external LDAP server for user validation. It would also be helpful to just access a SID for the user if additional validations are required. But that only once the first part is working.

Accepted Solution

by: arnold (earned 500 total points)
ID: 38877029
Integrating an external USER into an internal AD is done through the establishment of a trust between the two DOMAINs.
ADFS might be what you are looking for.
LDAP proxy might be another option that will reside on your end and based on the REALM (Domain) of the user, the proxy will direct the query to the appropriate system.

Your approach is going at the issue from the wrong side. You need to reorient your consideration to the point of view of where the data is and how to get it as close as possible to the system on which your application runs, rather than "I have this application; how can I get data from diverse sources to it?"
I.e. when you need to haul some boxes from Points A, B and C to Point D, you will not spend so much time trying to figure out how you would unload the boxes once they are at Point D; you would come up with as efficient an approach as possible to gather all the boxes from Points A, B and C to minimize the number of trips you have to make.
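The realm-based routing that arnold sketches in his two comments (user@domain goes to AD, user@domain2 goes to the external LDAP, with webaccessgroup and accessweb as the respective access groups) can be shown as a small authentication router. The code below is an added example, not code from the thread or from any product it mentions: the two directories are constructed in-memory stand-ins for the AD domain domain.com and the external LDAP server somedomain.com, the user names and passwords are made up, and the group names are the ones arnold used. The router parses the realm from the login, picks the directory registered for that realm, performs the bind there, and then checks membership in that directory's own group. Unknown realms, unqualified logins and logins with more than one "@" are refused rather than guessed at.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


class InMemoryDirectory:
    """Constructed stand-in for one directory (no network). Plaintext passwords
    appear only because this is a test fixture; a real directory never exposes them."""

    def __init__(self, name, users, groups):
        self.name = name      # label used in reason strings
        self.users = users    # username -> password
        self.groups = groups  # group name -> set of member usernames

    def bind(self, username, password):
        # Simple bind: succeed only if the account exists and the password matches.
        # compare_digest avoids an early-exit comparison on the password bytes.
        stored = self.users.get(username)
        if stored is None:
            # Still run a comparison so a missing account is not an obvious fast path.
            hmac.compare_digest(b"placeholder", password.encode())
            return False
        return hmac.compare_digest(stored.encode(), password.encode())

    def is_member(self, username, group):
        return username in self.groups.get(group, set())


@dataclass(frozen=True)
class Route:
    backend: InMemoryDirectory
    access_group: str  # the web-access group as it is named in that directory


class RealmRouter:
    """Maps the realm part of a login (user@realm) to the directory that owns it."""

    def __init__(self):
        self._routes = {}

    def add_realm(self, realm, backend, access_group):
        self._routes[realm.lower()] = Route(backend, access_group)

    @staticmethod
    def split_login(login: str) -> Optional[Tuple[str, str]]:
        # Exactly one '@' with a non-empty user and realm; anything else is rejected
        # so nobody can smuggle in a second realm or an empty principal.
        if login.count("@") != 1:
            return None
        user, realm = login.split("@")
        if not user or not realm:
            return None
        return user, realm.lower()

    def authenticate(self, login, password):
        """Return (granted, reason). Access is granted only when the realm is known,
        the bind succeeds in that directory, and the user is in that realm's group."""
        parts = self.split_login(login)
        if parts is None:
            return False, "login must be of the form user@realm"
        user, realm = parts
        route = self._routes.get(realm)
        if route is None:
            return False, "unknown realm: " + realm  # fail closed
        if not route.backend.bind(user, password):
            return False, "bind failed against " + route.backend.name
        if not route.backend.is_member(user, route.access_group):
            return False, "not a member of " + route.access_group
        # The principal is the realm-qualified name; no AD object (and so no SID)
        # is created for a user who lives in the external directory.
        return True, user + "@" + realm


def build_demo_router():
    """Wire up two constructed directories using the group names from the thread."""
    ad = InMemoryDirectory("AD domain.com",
                           users={"alice": "alice-pw", "bob": "bob-pw"},
                           groups={"webaccessgroup": {"alice"}})
    ext = InMemoryDirectory("LDAP somedomain.com",
                            users={"carol": "carol-pw", "dave": "dave-pw"},
                            groups={"accessweb": {"carol"}})
    router = RealmRouter()
    router.add_realm("domain.com", ad, "webaccessgroup")
    router.add_realm("somedomain.com", ext, "accessweb")
    return router


if __name__ == "__main__":
    r = build_demo_router()
    for login, pw in [("alice@domain.com", "alice-pw"), ("bob@domain.com", "bob-pw"),
                      ("carol@somedomain.com", "carol-pw"), ("carol@domain.com", "carol-pw"),
                      ("alice", "alice-pw"), ("eve@other.example", "x")]:
        print(login, "->", r.authenticate(login, pw))
```

To move this from fixture to deployment, only InMemoryDirectory changes: each backend would perform a simple bind over LDAPS to its real directory and resolve group membership there; the routing and fail-closed checks stay as written. Note what the design does and does not give you relative to the original question: each user is validated by the directory that owns the account, so a disabled account on the external LDAP server is refused on the next login without any synchronisation delay, but the identity the application receives is the realm-qualified name, not an AD SID, because the external user never becomes an AD object.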