Mark Minasi's Tech Forum
#1 cspanburgh (Senior Member, 202 posts)

A former forum member is in a bit of trouble.

On the west coast there were quite a few companies who tried the mixed route of Windows and Linux servers and I myself have dealt with this.   It was always frustrating because I just did not know enough even though I was the only guy in the room at the time with some Unix knowledge.

In the kingdom of the blind the one eyed man is king but in the end he still only has one eye.
So any help on this is appreciated.


 

We are dealing with a case where the vendor is converting their application to use AD for authentication (to determine if you are a member of a specific security group that has been given privileges in their application) instead of local users or an OpenLDAP server.  Our customer is being told the only way to do this is to spell out where the users are located in AD, spell out where the groups are located in AD, and also provide the base DN.  Seems to me we could just provide the base DN and they should be able to do lookups based on that?

 

Here is what they require:

  • SERVER_HOST: LDAP Server hostname. For example "adserver1"

  • ROOT_DN: Distinguished name for the user for LDAP queries. For example CN=SPASS,CN=Users,DC=lab,DC=gmv

  • ROOT_PWD: Password for the user of LDAP queries.

  • USERS_BASE_DN: Users location. For example "OU=SPASS,DC=lab,DC=gmv"

  • USERNAME_ATTRIBUTE: Attribute of the User object that contains the username of the user to be authenticated. For example "sAMAccountName".

  • PROFILES_DN: Location of groups for the application profiles: For example "OU=hifly,OU=GMV,OU=SPASS,DC=lab,DC=gmv"

  • PROFILE_MEMBERS_ATTRIBUTE: Attribute of the Profile group that holds the members (users). For example "member"

  • GROUP_NAME_ATTRIBUTE: Attribute name (key) that stores the name of the group. For example "cn".

One more thing, these Linux boxes are already members of Active Directory.


__________________
Curt Spanburgh
#2 cj_berlin (Senior Member, 199 posts)
Curt,

from what you quoted here, there's no indication that they'll be doing one-level lookups so if the AD is not very large you might be able to get off with specifying your domain as the base DN for both users and groups. That's if they're indeed doing tree lookups.

If the AD is huge and segmented (security-wise) the searches can take a long time and besides, your lookup user might not be permitted to read all branches of a tree. So restricting the lookup scope by specifying a base DN as close to the objects you're hoping to find as possible helps achieve two things: 1. speed up the lookups and 2. enable the AD admins to specify permissions for the lookup user.

FWIW

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
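As an added example (not the vendor's code and not any poster's), this models the two lookups that the requirement list in #1 implies and cj_berlin's point in #2 that the base DN bounds what a search can see: a constructed directory using the config key names from the post, plus RFC 4515 escaping of the username before it goes into the search filter. The service-account bind (ROOT_DN/ROOT_PWD over LDAPS) needs a live server and is left out.

```python
# Constructed config using the key names from the post (values are made up).
CONFIG = {
    "USERS_BASE_DN": "OU=SPASS,DC=lab,DC=gmv",
    "USERNAME_ATTRIBUTE": "sAMAccountName",
    "PROFILES_DN": "OU=hifly,OU=GMV,OU=SPASS,DC=lab,DC=gmv",
    "PROFILE_MEMBERS_ATTRIBUTE": "member",
    "GROUP_NAME_ATTRIBUTE": "cn",
}

# Constructed stand-in for AD: DN -> attributes (multi-valued, as LDAP returns them).
DIRECTORY = {
    "CN=alice,OU=SPASS,DC=lab,DC=gmv": {"sAMAccountName": ["alice"]},
    # bob sits outside USERS_BASE_DN, so the user search never sees him
    "CN=bob,OU=Staff,DC=lab,DC=gmv": {"sAMAccountName": ["bob"]},
    "CN=hifly-admins,OU=hifly,OU=GMV,OU=SPASS,DC=lab,DC=gmv": {
        "cn": ["hifly-admins"],
        "member": ["CN=alice,OU=SPASS,DC=lab,DC=gmv", "CN=bob,OU=Staff,DC=lab,DC=gmv"],
    },
}

def escape_filter_value(value):
    """RFC 4515: escape the characters that carry meaning inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_user_filter(username, cfg=CONFIG):
    """The filter string that would be sent for step 1 (user lookup)."""
    return "(%s=%s)" % (cfg["USERNAME_ATTRIBUTE"], escape_filter_value(username))

def in_subtree(dn, base_dn):
    """Subtree scope: entry is the base itself or ends with ',<base>' (case-insensitive)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

def find_user_dn(username, cfg=CONFIG, directory=DIRECTORY):
    """Step 1: equality match on USERNAME_ATTRIBUTE, scoped to USERS_BASE_DN."""
    attr = cfg["USERNAME_ATTRIBUTE"]
    hits = [dn for dn, a in directory.items()
            if in_subtree(dn, cfg["USERS_BASE_DN"]) and username in a.get(attr, [])]
    return hits[0] if len(hits) == 1 else None   # absent or ambiguous: deny

def user_profiles(user_dn, cfg=CONFIG, directory=DIRECTORY):
    """Step 2: names of groups under PROFILES_DN whose member attribute lists user_dn."""
    mem, name = cfg["PROFILE_MEMBERS_ATTRIBUTE"], cfg["GROUP_NAME_ATTRIBUTE"]
    return [n for dn, a in directory.items() if in_subtree(dn, cfg["PROFILES_DN"])
            and user_dn.lower() in [m.lower() for m in a.get(mem, [])]
            for n in a.get(name, [])]

def authorize(username, required_profile):
    """The access decision the application makes from the two lookups."""
    user_dn = find_user_dn(username)
    return user_dn is not None and required_profile in user_profiles(user_dn)
```

bob is a member of the group but lives outside USERS_BASE_DN, so he is denied: the base DN, not the group alone, decides who can even be looked up.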
#3 cspanburgh (Senior Member, 202 posts)

Thank you. I think that may be helpful to Mike. I have not connected a Windows system to Unix for quite a while.

What about isolating the authentication to one OU?

__________________
Curt Spanburgh
#4 jsclmedave (Administrator, 435 posts)
From one of our Linux experts.

"AD auth in Linux varies wildly depending on the infrastructure and application and distro. LDAP config in the app is usually what ppl do in the situation posted there, and that config is just whatever the vendor says."

Bolton, Tim 11:11 AM - yeah that's what I thought, not sure why they want the User path... Who cares? Get the Group Members and if there, let them in..
 
"Well, ldap traffic is pretty damn chatty, so i would imagine knowing the user base dn cuts down on that some"


What vendor is this, if you don't mind saying... We created some scripts to allow access to our BMC BladeLogic tool.

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
#5 cspanburgh (Senior Member, 202 posts)

Mike's reply: Thanks Curt! This is just the kind of information I was looking for to throw back at them!

 


__________________
Curt Spanburgh
#6 wkasdo (Administrator, 183 posts)

If security is a factor here: you will want to use LDAPS to avoid plaintext passwords going over the network. If that is technically not possible, just make sure that all involved know what is going on.
__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
#7 dennis-360ict (New Friend (or an Old Friend who Built a New Account), 49 posts)

Most Linux apps I know support LDAP or AD through LDAP. They don't do lookups and need specific accounts/groups in AD with specific DNs and an account to access LDAP/AD. I think it's the easiest implementation of LDAP/AD support? I would take my losses and just configure the applications as the vendor wants.

It also means that you should prevent changing OU or group names, btw. And it also means you probably want to configure a domain name instead of a specific AD server.

__________________
-----
Home is where is sleep