David Boreham wrote:
> Joerg Schoppet wrote:
>> I'm in an account of a bigger company, which uses Microsoft Active
>> Directory for User Management and Authentication.
>> Now we need to save some additional information for a subset of all
>> employees, but the AD administrators do not want to include the
>> required attributes in the company AD. Our plan is now to install
>> "Fedora Directory Server" to hold this additional information. The
>> users, who use a special application, should now connect to this
>> server to retrieve the necessary information, but the authentication
>> should stay in the AD.
>> Is it possible, and if yes how, to configure "Fedora Directory
>> Server" to pass the authentication information to the AD and only let
>> the specific user bind to the directory server if the
>> AD authentication is OK?
> Hmm...I think what you are trying to implement is a form of Directory
> Federation.
> You might be able to achieve what you want with FDS and its AD sync
> feature. In that case, passwords are synchronized from AD to FDS (and
> vice versa), so your requirement for authentication 'against AD' would
> be met, except that authentication would be done by FDS, using the AD
> password. If you want to proxy authentication directly to AD, that
> might be possible without code changes in FDS, but I'm not sure.
> Another option you might look at is to deploy Microsoft's ADAM, which
> is a Federation add-on for AD. It was designed to meet your exact needs
> (application wants to use AD for directory services, but AD admins refuse
> to allow the schema to be extended).
The Pass Through Authentication plugin should also work with ADS because
it doesn't rely on proxied authentication, unlike the Chaining Backend
plugin or the loop detection control. PTA is the magic that allows the
uid=admin,..,o=Netscaperoot user to log in and configure all FDS servers
in an instance group even though o=Netscaperoot only exists in the
configuration instance. I've seen it work with ADS too though. Details:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/pasthru.html#1095869
You may need an FDS build from the tip; the PTA doesn't correctly handle
bind responses with server controls. I'm not sure about ADS' use of
controls in bind responses.
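An added example, not code from this thread or from FDS: a minimal BER decoder for an LDAPv3 BindResponse that also handles the optional trailing controls element, which is the case the caveat above is about. The sample messages are constructed here; the password-policy response control OID (1.3.6.1.4.1.42.2.27.8.5.1) is used only as a realistic trailing control.

```python
def ber(tag, payload):
    """Encode one short-form BER TLV (payload under 128 bytes)."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def tlv(buf, pos):
    """Decode the TLV at pos (short or long definite length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def seq_items(value):
    """Split a constructed value into its child (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        items.append((tag, val))
    return items

def decode_bind_response(msg):
    """Decode a BindResponse LDAPMessage, including the optional trailing [0] Controls."""
    tag, body, _ = tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    items = seq_items(body)  # messageID, protocolOp, [controls]
    op_tag, op_val = items[1]
    if op_tag != 0x61:  # [APPLICATION 1], constructed = BindResponse
        raise ValueError("protocolOp is not a BindResponse")
    fields = seq_items(op_val)  # resultCode, matchedDN, diagnosticMessage, ...
    controls = []
    if len(items) > 2 and items[2][0] == 0xA0:  # a naive decoder stops before this
        for _, ctl in seq_items(items[2][1]):
            controls.append(seq_items(ctl)[0][1].decode("ascii"))  # controlType OID
    return {
        "messageID": int.from_bytes(items[0][1], "big"),
        "resultCode": int.from_bytes(fields[0][1], "big"),
        "diagnosticMessage": fields[2][1].decode("utf-8"),
        "controls": controls,
    }

def ldap_result(code):
    # LDAPResult fields: resultCode ENUMERATED, empty matchedDN and diagnosticMessage
    return ber(0x0A, bytes([code])) + ber(0x04, b"") + ber(0x04, b"")

# Constructed samples: a plain success, and an invalidCredentials (49) response
# trailed by the password-policy response control.
PLAIN = ber(0x30, ber(0x02, b"\x01") + ber(0x61, ldap_result(0)))
PWPOLICY = ber(0x30, ber(0x04, b"1.3.6.1.4.1.42.2.27.8.5.1"))
CONTROLLED = ber(0x30, ber(0x02, b"\x02") + ber(0x61, ldap_result(49)) + ber(0xA0, PWPOLICY))
```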
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users