Solved

Add LDAP users to Active Directory Group and Authenticate users to remote LDAP server

Posted on 2013-02-07
535 Views
Last Modified: 2013-04-26
I'm looking for methods or examples of  ways to accomplish two tasks.

First I need to add users from an LDAP server external to my domain and network to an active directory group on a local domain controller running Server 2008 STD.
Second I need to know the minimum time delay before a change in the user's status on the LDAP server will be reflected in the AD group.

I am assuming the users that are added to the AD group will have a SID associated to them but I am looking for confirmation on this.

Thanks,
Question by:GRT_TEAM

Expert Comment

by:arnold
ID: 38864786
I do not believe the external LDAP to AD is an option as you outline. AD to AD can have a trust relationship. Not sure you can set up a trust relationship between AD and a foreign LDAP.
You could have LDAP as a replica of AD.
On a second level, not sure you would want to grant an external source the option to create accounts within your AD. I.e. you would not give someone external to your organization the ability to auto-create access resources, keys.
Author Comment

by:GRT_TEAM
ID: 38865636
Sorry, I might not have been very clear in my first post. So let me try this way; here is the scenario. I have a web page that looks to AD group membership for authentication. I would like to have the option to add external LDAP users or groups to the AD group and have them authenticated.
Author Comment

by:GRT_TEAM
ID: 38865656
Also another thought: would it be easier to have a 'set' name for a group on the LDAP server that is added to the AD group to allow for authentication?

Expert Comment

by:arnold
ID: 38866066
The issue is as follows:
Presumably your web server is a domain member with integrated authentication, or uses ADFS to integrate the web server with AD via LDAP queries.
What is the external ldap from?
Your issue seems to be locked in getting the remote group/users somehow integrated into the existing setup.

When a trust between/among AD domains exists, you could achieve what you want.
It is not clear to me what your vision is.
You have AD domain.com
You have ldap somedomain.com

Let's say AD has webaccessgroup while ldap has accessweb

You want users from either location, so long as they are members of the respective group, to authenticate and be granted access.

Do you rely on IIS for authentication or do you use an ASP.NET mechanism?
It might be that ADFS is what you are looking for.
I.e. you can define each domain and the means by which each can authenticate.
User@domain and user@domain2
Author Comment

by:GRT_TEAM
ID: 38876990
The ideal situation would be to have users from the external LDAP domain added to a group in the local Active Directory. The web server would use a .NET mechanism to look to the group. If the user trying to log in is in the group, AD would query the external LDAP server for user validation. It would also be helpful to just access a SID for the user if additional validations are required. But that only once the first part is working.
Accepted Solution

by: arnold (earned 500 total points)
ID: 38877029
The way to integrate an external USER into an internal AD is through the establishment of a trust between the two DOMAINs.
ADFS might be what you are looking for.
LDAP proxy might be another option that will reside on your end and based on the REALM (Domain) of the user, the proxy will direct the query to the appropriate system.

Your approach is going at the issue from the wrong side. You need to reorient your consideration to the point of view of where the data is and how to get it as close as possible to the system on which your application runs, rather than "I have this application, how can I get data from diverse sources to it".
I.e. when you need to haul some boxes from points A, B and C to point D, you would not spend so much time trying to figure out how you would unload the boxes once they are at point D; you would come up with as efficient an approach as possible to gather all the boxes from points A, B and C to minimize the number of trips you have to make.
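The routing that the two expert comments describe (one access group per directory, the user's realm in user@domain deciding which directory answers, an LDAP proxy in front of the application) can be sketched in a few dozen lines. The Python below is an added illustration written for this page; it is not code from the poster, the expert, or any product named in the thread. The two directories are constructed in-memory stand-ins so it runs offline; a real proxy would replace the bind() and is_member() bodies with an LDAP simple bind and a search over TLS against each backend. Every realm, user, password, group name and DN is hypothetical. One caveat the thread leaves open: an account that exists only in a non-AD LDAP directory has no SID in your forest and cannot be made a member of an AD group; group members must be security principals of that forest, or foreign security principals that a trust creates for them, which is why the answer points to a trust, ADFS, or a proxy rather than to editing the group.

```python
"""Realm-based routing of web logins to two directories (added illustration).

Models the "LDAP proxy" option from the accepted answer: the web tier hands the
proxy a principal such as alice@domain.com, the proxy picks the directory for
that realm, binds as the user there, then checks membership of that directory's
own access group (webaccessgroup in AD, accessweb in the external LDAP, the
names used earlier in the thread).  All directory data below is constructed.
"""
from dataclasses import dataclass, field
import hmac


def escape_filter_value(value: str) -> str:
    """Escape a value for splicing into an LDAP search filter (RFC 4515).

    Without this, a login name such as "x)(uid=*" rewrites the filter the proxy
    sends to the directory (LDAP injection).  Metacharacters, control bytes and
    non-ASCII bytes become a backslash plus two hex digits.
    """
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()" or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def build_membership_filter(uid: str, group: str) -> str:
    """The filter a real backend would search with; both values are escaped."""
    return "(&(uid=%s)(memberOf=%s))" % (
        escape_filter_value(uid), escape_filter_value(group))


@dataclass
class Backend:
    """One directory the proxy can route to (stand-in for AD or the external LDAP)."""
    realm: str
    access_group: str
    # uid -> (password, set of group names).  Constructed test data only; a
    # real backend keeps the secrets and merely answers the bind request.
    users: dict = field(default_factory=dict)

    def bind(self, uid: str, password: str) -> bool:
        rec = self.users.get(uid)
        if rec is None:
            return False
        return hmac.compare_digest(rec[0].encode(), password.encode())

    def is_member(self, uid: str, group: str) -> bool:
        # A real backend would run build_membership_filter(uid, group) and
        # report whether exactly one entry came back.
        rec = self.users.get(uid)
        return rec is not None and group in rec[1]


class RealmRouter:
    """Chooses the backend from the realm part of user@realm, with no fallback."""

    def __init__(self, backends):
        self.backends = {b.realm.lower(): b for b in backends}

    def authenticate(self, principal: str, password: str):
        """Return (granted, reason).  The reason is for the proxy's own log;
        the login page should only ever say that the login failed."""
        if principal.count("@") != 1:
            return False, "malformed principal"
        uid, realm = principal.rsplit("@", 1)
        backend = self.backends.get(realm.lower())
        if backend is None:
            # Never try another directory: a fallback would let the caller
            # choose which backend answers for a given name.
            return False, "unknown realm"
        if not backend.bind(uid, password):
            return False, "bind failed"
        if not backend.is_member(uid, backend.access_group):
            return False, "not in access group"
        return True, "ok:" + backend.realm


# Constructed directories standing in for AD (domain.com) and the external
# LDAP (somedomain.com); the names follow the thread's example.
AD = Backend("domain.com", "webaccessgroup", {
    "alice": ("S3cret!", {"webaccessgroup", "Domain Users"}),
    "bob": ("hunter2", {"Domain Users"}),
})
EXTERNAL = Backend("somedomain.com", "accessweb", {
    "carol": ("pa55word", {"accessweb"}),
})
ROUTER = RealmRouter([AD, EXTERNAL])

if __name__ == "__main__":
    for upn, pw in [("alice@domain.com", "S3cret!"),
                    ("bob@domain.com", "hunter2"),
                    ("carol@somedomain.com", "pa55word"),
                    ("carol@domain.com", "pa55word"),
                    ("alice@other.example", "S3cret!")]:
        print(upn, ROUTER.authenticate(upn, pw))
```

Two design points carry over to a real deployment: the realm is the only thing that selects a backend, so a name that exists in both directories can never be verified against the wrong one, and every user-supplied value reaches the directory through escape_filter_value, so the filter cannot be altered by the login name.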