• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 559
  • Last Modified:

Add LDAP users to Active Directory Group and Authenticate users to remote LDAP server

I'm looking for methods or examples of  ways to accomplish two tasks.

First I need to add users from an LDAP server external to my domain and network to an active directory group on a local domain controller running Server 2008 STD.
Second I  need to know the minimum time delay that a change in the users status on the LDAP server will be reflected on the AD group.

I am assuming the users that are added to the AD group will have a SID associated to them but I am looking for confirmation on this.

Thanks,
0
GRT_TEAM
Asked:
GRT_TEAM
  • 3
  • 3
1 Solution
 
arnoldCommented:
I do not believe the external LDAP to AD is an option as you outline. AD to AD can have a trust relationship. Not sure you can setup a trust relationship between AD and foreign LDAP.
You could have LDAP as a replica of AD.
On a second level, not sure you would want to grant an external source the option to create accounts within your AD. I.e. you would not let someone external to your organization the ability to auto-create access resources, keys.
0
 
GRT_TEAMAuthor Commented:
Sorry I might not have been very clear with my first post.  So let me try this way, here is the scenario.  I have an web page that looks to AD group membership for authentication. I would like to have the option to add external LDAP users or groups to the AD group and have them authenticated.
0
 
GRT_TEAMAuthor Commented:
Also another thought. would it be easier to have a 'set" name for a group on the LDAP server  that is added to the AD group to allow for authentication.
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
arnoldCommented:
The issue is as follows:
Presumably your web server is a domain member with integrated authentication or uses an ADFS to integrate the web server to AD via LDAP queries.
What is the external ldap from?
Your issue seems to be locked in getting the remote group/users somehow integrated into the existing setup.

When a trust between/among AD domains exists, you could achieve what you want.
It is not clear to me what your vision is.
You have AD domain.com
You have ldap somedomain.com

Let's say AD has webaccessgroup while ldap has accessweb

You want users from either location and so long they are members of the respective group authenticate and be granted access.

Do you rely on IIS for authentication or do you use asp,.net mechanism?
It might be that ADFS is what you are looking for.
I.e. you can define each domain and the means by which each can authenticate.
User@domain and user@domain2
0
 
GRT_TEAMAuthor Commented:
The ideal situation would be to have users from the external lDAP domain added to a group in the local Active Directory.  The web server would use a .net mechanism to look to the group. If the user trying to login is in the group AD would query the external LDAP server for user validation.  It would also be helpful to just access a SID for the user if additional  validations are required. But that only once the first part is working.
0
 
arnoldCommented:
In order to integrate an external USER into an internal AD is through the establishment of a trust between the two DOMAINs.
ADFS might be what you are looking for.
LDAP proxy might be another option that will reside on your end and based on the REALM (Domain) of the user, the proxy will direct the query to the appropriate system.

Your approach is going at the issue from the wrong side.  You need to reorient your consideration to the point of view where the data is and how to get it as close as possible to the system on which your application runs rather than I have this application and how I can get data from diverse sources to it.
i.e. When you need to haul some boxes from Points A,B and C to point D, you will not spend so much time on trying to figure out how you would unload the boxes once they are at Point D, you would come up with as efficient approach as possible to gather all the boxes from points A,B and C to minimize the number of trips you have to make.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now