Solved

Add LDAP users to Active Directory Group and Authenticate users to remote LDAP server

Posted on 2013-02-07
Last Modified: 2013-04-26
I'm looking for methods or examples of ways to accomplish two tasks.

First, I need to add users from an LDAP server external to my domain and network to an Active Directory group on a local domain controller running Server 2008 STD.
Second, I need to know the minimum time delay before a change in the user's status on the LDAP server will be reflected in the AD group.

I am assuming the users that are added to the AD group will have a SID associated with them, but I am looking for confirmation on this.

Thanks,
Question by:GRT_TEAM
6 Comments
 
LVL 80

Expert Comment

by:arnold
ID: 38864786
I do not believe the external LDAP to AD is an option as you outline. AD to AD can have a trust relationship. Not sure you can set up a trust relationship between AD and a foreign LDAP.
You could have LDAP as a replica of AD.
On a second level, not sure you would want to grant an external source the option to create accounts within your AD. I.e. you would not give someone external to your organization the ability to auto-create access resources or keys.
Author Comment

by:GRT_TEAM
ID: 38865636
Sorry, I might not have been very clear with my first post. So let me try this way; here is the scenario. I have a web page that looks to AD group membership for authentication. I would like to have the option to add external LDAP users or groups to the AD group and have them authenticated.
Author Comment

by:GRT_TEAM
ID: 38865656
Also, another thought: would it be easier to have a 'set' name for a group on the LDAP server that is added to the AD group to allow for authentication?
LVL 80

Expert Comment

by:arnold
ID: 38866066
The issue is as follows:
Presumably your web server is a domain member with integrated authentication, or uses ADFS to integrate the web server to AD via LDAP queries.
What is the external LDAP from?
Your issue seems to be locked in getting the remote group/users somehow integrated into the existing setup.

When a trust between/among AD domains exists, you could achieve what you want.
It is not clear to me what your vision is.
You have AD domain.com
You have ldap somedomain.com

Let's say AD has webaccessgroup while ldap has accessweb

You want users from either location, so long as they are members of the respective group, to authenticate and be granted access.

Do you rely on IIS for authentication, or do you use an ASP.NET mechanism?
It might be that ADFS is what you are looking for.
I.e. you can define each domain and the means by which each can authenticate.
User@domain and user@domain2
Author Comment

by:GRT_TEAM
ID: 38876990
The ideal situation would be to have users from the external LDAP domain added to a group in the local Active Directory. The web server would use a .NET mechanism to look to the group. If the user trying to log in is in the group, AD would query the external LDAP server for user validation. It would also be helpful to just access a SID for the user if additional validations are required, but that only once the first part is working.
LVL 80

Accepted Solution

by: arnold (earned 1000 total points)
ID: 38877029
The way to integrate an external USER into an internal AD is through the establishment of a trust between the two DOMAINs.
ADFS might be what you are looking for.
An LDAP proxy might be another option that will reside on your end and, based on the REALM (Domain) of the user, the proxy will direct the query to the appropriate system.

Your approach is going at the issue from the wrong side. You need to reorient your consideration to the point of view of where the data is and how to get it as close as possible to the system on which your application runs, rather than "I have this application, and how can I get data from diverse sources to it."
I.e. when you need to haul some boxes from Points A, B and C to Point D, you will not spend so much time trying to figure out how you would unload the boxes once they are at Point D; you would come up with as efficient an approach as possible to gather all the boxes from Points A, B and C to minimize the number of trips you have to make.
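One way to implement the realm-based routing arnold describes, as an added example that is not code from the thread: two constructed in-memory directories (a local AD realm domain.com with the group webaccessgroup and an external LDAP realm somedomain.com with the group accessweb, the names used earlier in the thread) and a router that sends each user@realm login only to the directory owning that realm, then requires membership in that realm's access group. The Directory and RealmRouter classes and the sample users and passwords are assumptions; in a deployment the two Directory methods would be backed by an LDAP bind and a group lookup against the real server.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for one directory (local AD or external LDAP).
# A real backend would implement authenticate() as an LDAP bind and
# member_of() as a group-membership query against that server.
@dataclass
class Directory:
    realm: str
    required_group: str                      # group that grants web access here
    users: Dict[str, str]                    # user -> password (sample data only)
    groups: Dict[str, Set[str]] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> bool:
        return self.users.get(user) == password

    def member_of(self, user: str, group: str) -> bool:
        return user in self.groups.get(group, set())


class RealmRouter:
    """Directs a user@realm login to the directory that owns that realm."""

    def __init__(self, directories):
        self.by_realm = {d.realm.lower(): d for d in directories}

    def split(self, login: str) -> Tuple[Optional[str], Optional[str]]:
        # Require an explicit realm; never guess which directory to try.
        user, sep, realm = login.rpartition("@")
        if not sep or not user or not realm:
            return None, None
        return user, realm.lower()

    def authorize(self, login: str, password: str) -> Tuple[bool, str]:
        user, realm = self.split(login)
        if realm is None:
            return False, "no realm in login"
        directory = self.by_realm.get(realm)
        if directory is None:
            return False, "unknown realm"      # no fallback to another directory
        if not directory.authenticate(user, password):
            return False, "bad credentials"
        if not directory.member_of(user, directory.required_group):
            return False, "not in access group"
        return True, "ok"


# Constructed sample directories: local AD and the external LDAP server.
AD = Directory("domain.com", "webaccessgroup",
               {"alice": "pw-a", "bob": "pw-b"}, {"webaccessgroup": {"alice"}})
EXT = Directory("somedomain.com", "accessweb",
                {"carol": "pw-c"}, {"accessweb": {"carol"}})
ROUTER = RealmRouter([AD, EXT])
```

Note that a valid password in one realm is never tried against the other, so a compromised external account cannot be used to reach the local AD group.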