Solved

Active Directory Sync with LDAP just for client Authentication

Posted on 2014-04-08
Last Modified: 2015-07-03
Dear Experts,

We are using LDAP for user authentication, so all users have 4 to 5 passwords like (Internet, local Intranet and VPN). We want to configure Active Directory, and AD should talk with LDAP, so that users will have only one login and password.

For example: now we are using one admin ID on the user machine with a fixed password. That should get synced from Active Directory, which is synced with the LDAP server, and update the user ID and password from it instead of a fixed user ID and password.
Question by:mshakeb
 
LVL 35

Expert Comment

by:Bembi
ID: 39989896
Not quite sure if I catch your topic. If you have Active Directory, you have a domain. So at least all Windows clients can authenticate against the domain and there is no need for any local synchronisation. Access permissions are "synced" to the client machine by just adding the Windows groups to the local admin group.

Active Directory works LDAP based.

So my guess is that it has something to do with non-Windows systems, as more or less all Windows based systems can be integrated into AD? And even external access can be handled mostly with AD integration, either by pass-through authentication, RADIUS or identity management.

Can you explain a bit the environment you are talking about, or the targets you want to realize?
 
LVL 1

Author Comment

by:mshakeb
ID: 39990768
Hi Bembi,

1. Right now all our clients are on a workgroup and using a local user ID and password to log on to Windows.
2. We are using Internet, Intranet and VPN through LDAP, which is installed on Linux (CentOS). All our users have 3 to 4 passwords, so we want to have only one password for all (Windows, Internet, Intranet and VPN). That's why we want to configure lite AD and sync it with LDAP.

If we configure lite AD sync with LDAP (Linux), all the clients will have only one password.

Hope you understand.

If you have any other idea, you can guide me.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 39990954
AD is an LDAP directory with some bells and whistles attached. Why not just do away with the LDAP directory you've got on Linux and have one directory and therefore one password?

Alternatively, do away with AD and use the LDAP directory you have on Linux? Perhaps consider Samba so you can do away with those local accounts on computers as well.

If you don't want to join clients to a domain and use domain accounts (Kerberos, etc), perhaps look at pGina (http://pgina.org/). Might work since it should let you do LDAP authentication from Windows.

You seem to be trying to engineer a very complex solution to a fairly simple problem (based on what you've said above). Can you help us understand the constraints you're working under?

Chris
 
LVL 1

Author Comment

by:mshakeb
ID: 39995793
1. We have been using Internet, Intranet and VPN authentication through LDAP for a long time.
2. Local Windows login and password to log in to the OS.
So users have to remember all the passwords. We want to have only one user ID and password for the apps, which will be the same for Windows as well as Internet, Intranet and VPN.

That's why we thought to implement AD and sync it with LDAP.

Please, any solution.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 39995885
You could probably just about manage to sync passwords between the various LDAP directories (and I'm including AD in that). However, you won't be able to use AD as a source because it won't let you at a plain text password.

You will have a significant amount of trouble getting the local user account passwords to match that in any meaningful way. It would need a hell of a lot of logging and error checking because machines aren't always available to you for that kind of operation (a password change operation).

Essentially, creating any kind of synchronisation system would add a massive support and administration cost, too many places to go wrong, too complex. This assumes you manage to overcome the problem of building it in the first place, it'll almost certainly be bespoke (built for you and you only).

On the other hand, if you fully explore removing these other authentication sources you have exactly one place to look in the event of failure. Credential caching on your clients is well-known and handled gracefully by the OS without you needing to do anything.

If clients aren't joined to the domain, and only use local accounts, why do you bother having AD at all? What's it used for?

Why can't you make the VPN and intranet systems refer to AD as an LDAP directory?

In short, your goal is clear, but I strongly believe that your goal is not best met by implementing password synchronisation, it's best met by reducing the number of authentication sources.

Chris
 
LVL 1

Author Comment

by:mshakeb
ID: 39995899
Hi Chris,

Can we configure AD for (Intranet, Internet and VPN) and remove the LDAP server, so that there will be only one server?
 
LVL 70

Expert Comment

by:Chris Dent
ID: 39995904
I don't see why not. It will take a bit of work, and you'll have to find a way to test it, but in the long term that's the least painful path in my opinion.

Chris
 
LVL 1

Author Comment

by:mshakeb
ID: 39995963
What will be the way? How shall I make only one user authentication for all apps including Windows?
 
LVL 70

Expert Comment

by:Chris Dent
ID: 39996013
This can be broken down into lots of different components. Each of those can be executed as a mini-project, as you go through and complete them your users will end up with fewer and fewer credentials.

1. Workstations (local user accounts)

Find a system you can test this on.

Before you begin, your AD domain must be correctly set up, and clients must be able to find it. Reviewing event logs and using tools like DCDiag can help verify your AD domain.

DNS settings are a frequently misunderstood aspect of MS AD domains. Clients (end-user devices) must be able to find the AD Domain. They do this using DNS, and for that to work reliably they must use the DNS service used by AD and *only* that service. Therefore a prerequisite step is getting DHCP set up to ensure that happens.

If you only have a single Domain Controller, and wish DNS to be available if that falls down, you need another DNS server which can hold a copy of the DNS zone used by AD. The simplest solution there is a second Domain Controller, but that is not the only option, please say if you wish to explore the other options.

a. Create a user account in the AD Domain for the user
b. Join the system to the domain
c. Log on as the new (domain) user

So far so good, but I'm sure you'll notice that the user profile settings (desktop, wallpaper, etc, etc) have gone. You can get these back and there are a number of choices for doing this. Which is most appropriate depends on the size of your estate.

d. Ensure you have an administrator account available on the computer (which is neither the old nor the new user account).
e. Reboot the computer (this is done to unload all user registry hives)
f. Log on as the administrative account
g. Go to C:\Users, you should see one folder for the old local user, and another for the new user.
h. Copy everything (including hidden and system files) from the old local user folder to the new one.
i. Log off your administrator account
j. Log on as the new user (again). Now you have old user profile under the new user.

There are ways to automate steps d to j; whether or not there's any point in learning that depends on how many you need to do. The threshold is pretty low, 10 or more and you might want to consider automation.

This completes migration of the local user account into the Domain. You will find that the user can log on whether you're connected to the domain or not (cached credentials).

2. Intranet

I imagine this uses relatively simple LDAP authentication. This simply needs updating with new settings.

However, depending on what you use for an Intranet this must be done with care, especially if the Intranet links content to users.

What can you tell us about the Intranet and its LDAP configuration?

In an ideal situation having a test copy of the Intranet would be good, especially if you're a little unsure of the impact we may have by changing things.

3. Internet

Is this another web service (in a similar manner to your Intranet)? Or something else?

Regardless of which, if it's using LDAP authentication we need to find the settings so they can be changed.

As with the Intranet, if this is a fixed system you're not quite sure about, having a copy would be great to test against.

4. VPN

What do you use for this?

For instance, Cisco AnyConnect can be configured to use an LDAP server for authenticating VPN clients. Adding a new LDAP server, then switching over the authentication server for the client would be relatively easy, provided you created all of the users you need in AD first.

Chris
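Chris's note that steps d to j can be automated is where a script pays off once you pass about ten machines. The PowerShell below is an added example, not code from the thread or from any product it mentions: it assumes a hypothetical old local account and new domain account passed as parameters, is run elevated as the third administrator account after the reboot from step e, and relies only on robocopy and icacls, which ship with Windows.

```powershell
# Added example (not from the thread): automates steps d-j of the workstation
# migration above. Assumptions (hypothetical names): old local account 'olduser',
# new domain account 'CORP\jdoe', script run elevated as a third admin account
# after the reboot that unloads both users' registry hives.
param(
    [Parameter(Mandatory)] [string] $OldLocalUser,   # e.g. 'olduser'
    [Parameter(Mandatory)] [string] $NewDomainUser   # e.g. 'CORP\jdoe'
)
$ErrorActionPreference = 'Stop'

# Step c must already have happened: the domain user logged on once, so Windows
# created the profile. Resolve both profile paths from the ProfileList key rather
# than guessing C:\Users\<name>, because the folder can differ (e.g. 'jdoe.CORP').
function Get-ProfilePath([string] $Account) {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    if (-not (Test-Path $key)) { throw "No profile registered for $Account ($sid)" }
    return @{ Sid = $sid; Path = (Get-ItemProperty $key).ProfileImagePath }
}
$old = Get-ProfilePath $OldLocalUser
$new = Get-ProfilePath $NewDomainUser

# The reason for step e: copying is only safe while neither hive is loaded.
# A loaded hive shows up as HKEY_USERS\<SID>, so refuse to continue if either is there.
foreach ($p in @($old, $new)) {
    if (Test-Path "Registry::HKEY_USERS\$($p.Sid)") {
        throw "Hive for $($p.Sid) is still loaded; log that user off or reboot first"
    }
}

# Step h: copy everything, hidden and system files included. /XJ skips the legacy
# junction points inside a profile (e.g. 'Application Data'), which would otherwise
# recurse; /COPY:DAT copies data, attributes and timestamps but not the old user's
# ACLs, so the old local SID does not end up owning the domain user's files.
$log = Join-Path $env:TEMP "profile-migration-$($new.Sid).log"
robocopy $old.Path $new.Path /E /XJ /COPY:DAT /R:1 /W:1 /NP /LOG:$log
# robocopy exit codes below 8 mean the copy succeeded (possibly with extra files)
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures, see $log" }

# Make the domain user the owner with full control of the copied tree, otherwise
# step j (logging on as the new user) lands in a profile it cannot fully read.
icacls $new.Path /setowner $NewDomainUser /T /C /Q | Out-Null
icacls $new.Path /grant "$($NewDomainUser):(OI)(CI)F" /T /C /Q | Out-Null
Write-Host "Copied $($old.Path) into $($new.Path); log on as $NewDomainUser (step j)."
```

Keep the robocopy log for each machine; the per-file entries are what you will want when a user reports a missing setting after the switch.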
 
LVL 1

Author Comment

by:mshakeb
ID: 39998273
Any other ways? Is there any third-party utility which can sync with LDAP?
 
LVL 1

Accepted Solution

by:mshakeb
ID: 40855520
Got the solution, we are using the ADFS 2012 service for passwords.
 
LVL 1

Author Closing Comment

by:mshakeb
ID: 40865054
ADFS service