
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 83

Active Directory Sync with LDAP just for client Authentication

Dear Experts,

We are using LDAP for user authentication, so all users have 4 to 5 passwords (Internet, local Intranet and VPN). We want to configure Active Directory, and AD should talk with LDAP, so that users will have only one login and password.

For example: right now we are using one admin id on the user machine with a fixed password. That should get synced from Active Directory, which is synced with the LDAP server, and update the user id and password from it instead of a fixed user id and password.
1 Solution
Not quite sure if you can catch your topic. If you have Active Directory, you have a domain. So at least all Windows clients can authenticate against the domain and there is no need for any local synchronisation. Access permissions are "synced" to the client machine by just adding the Windows groups to the local admin group.

Active Directory works LDAP based.

So my imagination is that it has something to do with non-Windows systems, as more or less all Windows-based systems can be integrated into AD? And even external access can be handled mostly with AD integration, either by pass-through authentication, RADIUS or identity management.

Can you explain a bit the environment you are talking about, or the targets you want to realize?
mshakeb (Author) Commented:
Hi Bembi,

1. Right now all our clients are in a workgroup and use a local user id and password to log on to Windows.
2. We are using Internet, Intranet and VPN through LDAP, which is installed on Linux (CentOS). All our users have 3 to 4 passwords, so we want to have only one password for all (Windows, Internet, Intranet and VPN). That's why we want to configure lite AD and sync it with LDAP.

If we configure lite AD synced with LDAP (Linux), all the clients will have only one password.

Hope you understand.

If you have any other idea, you can guide me.
Chris Dent (PowerShell Developer) Commented:
AD is an LDAP directory with some bells and whistles attached. Why not just do away with the LDAP directory you've got on Linux and have one directory and therefore one password?

Alternatively, do away with AD and use the LDAP directory you have on Linux? Perhaps consider Samba so you can do away with those local accounts on computers as well.

If you don't want to join clients to a domain and use domain accounts (Kerberos, etc), perhaps look at pGina ( Might work since it should let you do LDAP authentication from a Windows.

You seem to be trying to engineer a very complex solution to a fairly simple problem (based on what you've said above). Can you help us understand the constraints you're working under?


mshakeb (Author) Commented:
1. We have been using Internet, Intranet and VPN authentication through LDAP for a long time.
2. Local Windows login and password to log in to the OS.
So users have to remember all the passwords. We want to make only one user id and password for the apps, which will be the same for Windows as well as Internet, Intranet and VPN.

That's why we thought to implement AD and sync it with LDAP.

Please, any solution.
Chris Dent (PowerShell Developer) Commented:
You could probably just about manage to sync passwords between the various LDAP directories (and I'm including AD in that). However, you won't be able to use AD as a source because it won't let you at a plain text password.

You will have a significant amount of trouble getting the local user account passwords to match that in any meaningful way. It would need a hell of a lot of logging and error checking because machines aren't always available to you for that kind of operation (a password change operation).

Essentially, creating any kind of synchronisation system would add a massive support and  administration cost, too many places to go wrong, too complex. This assumes you manage to overcome the problem of building it in the first place, it'll almost certainly be bespoke (built for you and you only).

On the other hand, if you fully explore removing these other authentication sources you have exactly one place to look in the event of failure. Credential caching on your clients is well-known and handled gracefully by the OS without you needing to do anything.

If clients aren't joined to the domain, and only use local accounts, why do you bother having AD at all? What's it used for?

Why can't you make the VPN and intranet systems refer to AD as an LDAP directory?

In short, your goal is clear, but I strongly believe that your goal is not best met by implementing password synchronisation, it's best met by reducing the number of authentication sources.

mshakeb (Author) Commented:
Hi Chris,

Can we configure AD for (Intranet, Internet and VPN) and remove the LDAP server, so that there will be only one server?
Chris Dent (PowerShell Developer) Commented:
I don't see why not. It will take a bit of work, and you'll have to find a way to test it, but in the long term that's the least painful path in my opinion.

mshakeb (Author) Commented:
What will be the way? How shall I make only one user authentication for all apps, including Windows?
Chris Dent (PowerShell Developer) Commented:
This can be broken down into lots of different components. Each of those can be executed as a mini-project, as you go through and complete them your users will end up with fewer and fewer credentials.

1. Workstations (local user accounts)

Find a system you can test this on.

Before you begin, your AD domain must be correctly set up, and clients must be able to find it. Reviewing event logs and using tools like DCDiag can help verify your AD domain.

DNS settings are a frequently misunderstood aspect of MS AD domains. Clients (end-user devices) must be able to find the AD domain. They do this using DNS, and for that to work reliably they must use the DNS service used by AD and *only* that service. Therefore a prerequisite step is getting DHCP set up to ensure that happens.

If you only have a single Domain Controller, and wish DNS to be available if that falls down, you need another DNS server which can hold a copy of the DNS zone used by AD. The simplest solution there is a second Domain Controller, but that is not the only option, please say if you wish to explore the other options.

a. Create a user account in the AD Domain for the user
b. Join the system to the domain
c. Log on as the new (domain) user

So far so good, but I'm sure you'll notice that the user profile settings (desktop, wallpaper, etc, etc) have gone. You can get these back and there are a number of choices for doing this. Which is most appropriate depends on the size of your estate.

d. Ensure you have an administrator account available on the computer (which is neither the old nor the new user account).
e. Reboot the computer (this is done to unload all user registry hives)
f. Log on as the administrative account
g. Go to C:\Users, you should see one folder for the old local user, and another for the new user.
h. Copy everything (including hidden and system files) from the old local user folder to the new one.
i. Log off your administrator account
j. Log on as the new user (again). Now you have old user profile under the new user.

There are ways to automate steps d to j; whether or not there's a point in learning that depends on how many you need to do. The threshold is pretty low: 10 or more and you might want to consider automation.

This completes migration of the local user account into the Domain. You will find that the user can log on whether you're connected to the domain or not (cached credentials).

2. Intranet

I imagine this uses relatively simple LDAP authentication. This simply needs updating with new settings.

However, depending on what you use for an Intranet this must be done with care, especially if the Intranet links content to users.

What can you tell us about the Intranet and its LDAP configuration?

In an ideal situation having a test copy of the Intranet would be good, especially if you're a little unsure of the impact we may have by changing things.

3. Internet

Is this another web service (in a similar manner to your Intranet)? Or something else?

Regardless of which, if it's using LDAP authentication we need to find the settings so they can be changed.

As with the Intranet, if this is a fixed system you're not quite sure about, having a copy would be great to test against.

4. VPN

What do you use for this?

For instance, Cisco AnyConnect can be configured to use an LDAP server for authenticating VPN clients. Adding a new LDAP server, then switching over the authentication server for the client would be relatively easy, provided you created all of the users you need in AD first.
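As an added example (not code from this thread, and not any product's own tooling), here is a PowerShell script that automates the workstation part of the procedure above for one machine: it first checks the DNS prerequisite (the client must be able to find a domain controller through the DNS service AD uses), then performs the domain join (step b), and after the first logon of the new user copies the old local profile onto the new one (steps g and h), refusing to run while either user's registry hive is still loaded (which is why step e matters). The domain name `corp.example`, the local account `olduser` and the AD account `newuser` are placeholders to replace with your own values; it assumes it is run elevated from a separate local administrator account with both users logged off.

```powershell
<#
  Added example, not from the original thread. Automates for one workstation:
    - prerequisite: confirm the client can locate a domain controller by DNS
    - step b: join the domain
    - steps g-h: copy the old local profile onto the new domain user's profile
  Placeholders (replace): AD DNS name 'corp.example', local account 'olduser',
  AD account created in step a 'newuser'. Run elevated, from a separate local
  administrator account, after the reboot in step e, with both users logged off.
#>
param(
    [string]$DomainName    = 'corp.example',
    [string]$OldLocalUser  = 'olduser',
    [string]$NewDomainUser = 'newuser'
)
$ErrorActionPreference = 'Stop'

# --- Prerequisite: AD publishes its domain controllers as SRV records in DNS.
# A client whose resolver points at any other DNS server never sees them, which
# is the DHCP / DNS problem described above, so check this before anything else.
$dcRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'SRV'
if (-not $dcRecords) {
    $resolvers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses -join ', '
    throw "No DC SRV records for $DomainName from resolvers [$resolvers]. Point the client at the AD DNS service (DHCP option 006) first."
}
Write-Host "Domain controllers advertised for $DomainName :" ($dcRecords.NameTarget -join ', ')

# --- Step b: join the domain if this machine is still in a workgroup. The
# account supplied must be allowed to join computers; Add-Computer reboots.
if ((Get-CimInstance Win32_ComputerSystem).Domain -ne $DomainName) {
    $joinCred = Get-Credential -Message "Account permitted to join computers to $DomainName"
    Add-Computer -DomainName $DomainName -Credential $joinCred -Restart
    return  # after the reboot, log on once as the new user (step c), then rerun
}

# --- Steps g-h: copy the old profile onto the new one.
$oldProfile = Join-Path $env:SystemDrive "Users\$OldLocalUser"
$newProfile = Join-Path $env:SystemDrive "Users\$NewDomainUser"
foreach ($p in $oldProfile, $newProfile) {
    if (-not (Test-Path -LiteralPath $p)) {
        throw "Profile folder $p does not exist. The new user must log on once (step c) before the copy."
    }
    # A loaded registry hive holds NTUSER.DAT open exclusively; copying it in
    # that state corrupts the profile, so refuse to continue.
    try {
        $fs = [IO.File]::Open((Join-Path $p 'NTUSER.DAT'), 'Open', 'ReadWrite', 'None')
        $fs.Close()
    } catch {
        throw "NTUSER.DAT under $p is in use. Log that user off and reboot (step e), then rerun."
    }
}

# robocopy rather than Copy-Item: /E includes empty directories plus hidden and
# system files; /XJ skips the compatibility junctions inside a profile (for
# example "Application Data") that would otherwise recurse forever; /COPY:DAT
# copies data, attributes and timestamps but NOT the old user's ACLs, so every
# copied file inherits the new profile folder's permissions, which already grant
# the domain user full control.
$log = Join-Path $env:TEMP "migrate-$OldLocalUser-to-$NewDomainUser.log"
& robocopy.exe $oldProfile $newProfile /E /COPY:DAT /XJ /R:1 /W:1 /NP /LOG:$log
# robocopy exit codes 0-7 are informational bit flags; 8 and above mean that
# some files failed to copy.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported copy failures (exit $LASTEXITCODE); review $log before logging on as $NewDomainUser."
}
Write-Host "Profile copied. Log off and on as $DomainName\$NewDomainUser (step j). Log: $log"
```

The script is deliberately split into two runs: the first run only verifies DNS and joins the domain (the machine reboots), and the second run, after the new user has logged on once to create the profile folder, performs the copy. The exclusive-open test on NTUSER.DAT is the check that prevents the most common way this migration goes wrong, copying a profile whose hive is still in use.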

mshakeb (Author) Commented:
Any other ways? Is there any third-party utility which can sync with LDAP?
mshakeb (Author) Commented:
Got the solution: we are using the ADFS 2012 service for passwords.
mshakeb (Author) Commented:
ADFS service
Question has a verified solution.