Solved

Add LDAP users to Active Directory Group and Authenticate users to remote LDAP server

Posted on 2013-02-07
Last Modified: 2013-04-26
I'm looking for methods or examples of ways to accomplish two tasks.

First, I need to add users from an LDAP server external to my domain and network to an Active Directory group on a local domain controller running Server 2008 STD.
Second, I need to know the minimum time delay before a change in the user's status on the LDAP server is reflected in the AD group.

I am assuming the users that are added to the AD group will have a SID associated with them, but I am looking for confirmation on this.

Thanks,
Question by:GRT_TEAM
6 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 38864786
I do not believe the external LDAP to AD is an option as you outline it. AD to AD can have a trust relationship. Not sure you can set up a trust relationship between AD and a foreign LDAP.
You could have LDAP as a replica of AD.
On a second level, not sure you would want to grant an external source the option to create accounts within your AD. I.e. you would not give someone external to your organization the ability to auto-create access resources, keys.
 

Author Comment

by:GRT_TEAM
ID: 38865636
Sorry, I might not have been very clear with my first post. So let me try this way; here is the scenario. I have a web page that looks to AD group membership for authentication. I would like to have the option to add external LDAP users or groups to the AD group and have them authenticated.
 

Author Comment

by:GRT_TEAM
ID: 38865656
Also another thought: would it be easier to have a 'set' name for a group on the LDAP server that is added to the AD group to allow for authentication?
 
LVL 79

Expert Comment

by:arnold
ID: 38866066
The issue is as follows:
Presumably your web server is a domain member with integrated authentication or uses an ADFS to integrate the web server to AD via LDAP queries.
What is the external LDAP from?
Your issue seems to be locked in getting the remote group/users somehow integrated into the existing setup.

When a trust between/among AD domains exists, you could achieve what you want.
It is not clear to me what your vision is.
You have AD domain.com
You have ldap somedomain.com

Let's say AD has webaccessgroup while ldap has accessweb

You want users from either location, so long as they are members of the respective group, to authenticate and be granted access.

Do you rely on IIS for authentication or do you use an ASP.NET mechanism?
It might be that ADFS is what you are looking for.
I.e. you can define each domain and the means by which each can authenticate.
user@domain and user@domain2
 

Author Comment

by:GRT_TEAM
ID: 38876990
The ideal situation would be to have users from the external LDAP domain added to a group in the local Active Directory. The web server would use a .NET mechanism to look to the group. If the user trying to log in is in the group, AD would query the external LDAP server for user validation. It would also be helpful to just access a SID for the user if additional validations are required, but only once the first part is working.
 
LVL 79

Accepted Solution

by:arnold (earned 1000 total points)
ID: 38877029
The way to integrate an external USER into an internal AD is through the establishment of a trust between the two DOMAINs.
ADFS might be what you are looking for.
An LDAP proxy might be another option: it would reside on your end and, based on the REALM (domain) of the user, the proxy would direct the query to the appropriate system.

Your approach is going at the issue from the wrong side. You need to reorient your consideration to the point of view of where the data is and how to get it as close as possible to the system on which your application runs, rather than "I have this application; how can I get data from diverse sources to it?"
I.e. when you need to haul some boxes from points A, B and C to point D, you will not spend so much time trying to figure out how you would unload the boxes once they are at point D; you would come up with as efficient an approach as possible to gather all the boxes from points A, B and C to minimize the number of trips you have to make.
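As an added illustration of the realm-based LDAP proxy arnold describes (example code, not from the thread or from any product), a minimal in-memory model: each realm maps to the directory that owns it, and that directory alone validates the credential and the access group, so nothing is copied into the local AD group. The directories, users and passwords are constructed stand-ins; `domain.com`, `somedomain.com`, `webaccessgroup` and `accessweb` are the names used earlier in the thread.

```python
from dataclasses import dataclass, field
from hashlib import sha256


def _h(password: str) -> str:
    # Stand-in for the directory's own credential check; a real AD/LDAP bind
    # validates the password itself and never hands a hash to the proxy.
    return sha256(password.encode()).hexdigest()


@dataclass
class Directory:
    """One directory service: either the local AD domain or the foreign LDAP."""
    realm: str
    access_group: str                           # group that grants web access here
    users: dict = field(default_factory=dict)   # user -> password hash (constructed)
    groups: dict = field(default_factory=dict)  # group -> set of member users

    def bind(self, user: str, password: str) -> bool:
        return self.users.get(user) == _h(password)

    def is_member(self, user: str, group: str) -> bool:
        return user in self.groups.get(group, set())


class RealmRouter:
    """Directs each login to the directory that owns the realm in user@realm."""

    def __init__(self, directories):
        self.directories = {d.realm.lower(): d for d in directories}

    def authenticate(self, upn: str, password: str) -> bool:
        if "@" not in upn:
            return False                        # no realm: nothing to route on
        user, realm = upn.rsplit("@", 1)
        directory = self.directories.get(realm.lower())
        if directory is None:
            return False                        # unknown realm is rejected outright
        # The owning directory both validates the credential and decides group
        # membership; a user of one realm can never be authorized by the other's group.
        return directory.bind(user, password) and directory.is_member(user, directory.access_group)


# Constructed sample data using the domain and group names from the thread.
AD = Directory("domain.com", "webaccessgroup",
               users={"alice": _h("Alice-pw-1")},
               groups={"webaccessgroup": {"alice"}})
EXT = Directory("somedomain.com", "accessweb",
                users={"bob": _h("Bob-pw-2"), "carol": _h("Carol-pw-3")},
                groups={"accessweb": {"bob"}})
ROUTER = RealmRouter([AD, EXT])
```

The trust-based alternative from the accepted answer differs only in who answers the group question: with a forest trust, AD itself resolves the foreign principal, while here the proxy asks the foreign directory directly.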