Re: adam bind-redirect
- From: mwr <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 28 Apr 2005 10:36:02 -0700
So if we don't have the password of the person
being authenticated (as in Windows authentication or
a third party doing authentication) then the proxy-redirect isn't an option.
Correct?
Assuming we can do the bind redirect in another scenario
and we define a custom class in ADAM.
Is it possible to add one of our custom classes as an auxiliary class to the
user proxy object? Not sure how to do that.
Mike
"Lee Flight" wrote:
> Hi
>
> inline below...
>
> "mwr" <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:C1FCF03D-C783-494C-86E4-2EAE47B549BB@xxxxxxxxxxxxxxxx
> >I am trying to understand if
> > our organization needs, could benefit from bind redirect/User Proxy Object
> > or perhaps should skip using it.
>
> You might want to review the following with regard to bind proxies
>
> http://groups-beta.google.com/group/microsoft.public.windows.server.active_directory/msg/20cfddc120540fcc?hl=en&lr=&ie=UTF-8
>
> >
> > Our situation is as follows:
> > Our applications are ASP.Net apps running on IIS 6.0 and windows 2003.
> > Our Adam will have a user store where we put custom user attributes.
> > that are not in active directory.
> > We will also be using Azman. The store for Azman will also be an ADAM.
> >
> > Internal Users/Apps.
> > We have an internal Active Directory.
> > We will be using integrated security for internal applications
> >
> > External Users/Applications:
> > Authentication is going to be handled by a third party.
> > They have their own SSO solution that's similar to forms authentication.
> > In addition, they are authenticating against their own Active
> > Directory.
> >
> > The ADAM will be located in our domain and we will be setting up a
> > trust between our domain and theirs, so we can assign users to roles
> > from AzMan.
> >
> > Each environment (Internal/External) will have its own ADAM.
>
> If I read that correctly you are saying have two domains or from
> a security standpoint perhaps two forests with trust between them
> and the ADAM instances for both forests live in just one (the internal)
> forest.
>
> > Comments:
> > 1. If our web apps are using integrated security we have
> > already authenticated the user in Active Directory. Isn't that
> > what the bind-redirect does (authenticates the user)?
>
> Integrated authentication gives you a Windows security context
> that you can examine to find your roles/groups within the scope of
> the Windows domain.
>
> Bind proxy requires an LDAP simple bind using the credentials
> of the Windows principal and what you get as a result is access
> to the data in the ADAM instance assuming the ACLs on the data
> have been set appropriately. Optionally, upon successful completion
> of the bind you can retrieve a token from the ADAM instance that
> will contain your domain and ADAM group membership as a list of
> SIDs.
>
> > Doing a bind redirect requires the username and password of the user being
> > authenticated. Correct or not?
>
> Bind redirect requires the distinguishedName or userPrincipalName (if set)
> of the bind proxy object in the ADAM naming context and the Windows
> password of the corresponding AD user.
>
> > The advantage I see by doing a bind redirect is that the user
> > automatically receives membership to the "Users" group in ADAM.
>
> I'm not sure what the advantage is there, often you have to add the Users
> role to the Readers role in a naming context to gain useful access (although
> it can be more fine-grained). In the same way if you read the post at the
> link above and the ADAM Help you will see that adding a Windows group e.g.
> Authenticated Users would give access for your AD accounts with no
> bind proxy.
>
> > ("When a user binds to an ADAM instance through a proxy object,
> > the user receives membership in the Users group on each naming
> > context that is held by the ADAM instance.")
>
> Certainly the bind proxy gets membership of Users role for the naming
> context that contains it and of the Users role of the Configuration
> naming context of the instance.
>
> > 2. The reviewers guide documentation:
> > I think the below statement is misleading or needs to be clarified
> > "With Active Directory Application Mode,
> > you can use bind redirection to provide Active Directory users
> > with access to both ADAM data and Active Directory data,
> > using Active Directory domain credentials as a single sign on (SSO)."
>
> I think a clearer explanation is at the link above. A common
> misunderstanding with bindProxy and AD account authentication to ADAM
> is that in the tailored schema situation the attributes in ADAM will
> somehow be picked up as a pass-through, whereas it is the burden of the
> application to make the join between the ADAM and AD attributes.
>
> HTH
> Lee Flight
>
>
>
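As an added illustration of the mechanics Lee describes above (example code, not from the thread or from Microsoft): an ASP.NET application doing bind redirection performs an LDAP simple bind against ADAM with the userProxy object's DN and the AD user's Windows password, then reads the constructed tokenGroups attribute to get the SID list. The host, SSL port, proxy DN and the use of tokenGroups as the "token" are assumptions; the password must be in hand, and the application still has to join ADAM attributes to AD attributes itself.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Added example (not from the thread). Host, port and the proxy object's DN
// are placeholders; substitute the values of your own ADAM instance.
public static class AdamBindRedirect
{
    // Simple bind to ADAM as the userProxy object, then return the SIDs from
    // the constructed tokenGroups attribute (domain and ADAM group membership).
    public static List<string> BindAndReadTokenGroups(
        string adamHost, int sslPort, string proxyDn, string windowsPassword)
    {
        string path = "LDAP://" + adamHost + ":" + sslPort + "/" + proxyDn;

        // AuthenticationTypes.None selects an LDAP simple bind, which is what
        // bind redirection requires. SecureSocketsLayer wraps it in SSL so the
        // Windows password does not cross the wire in cleartext; ADAM's default
        // RequireSecureProxyBind setting rejects proxy binds on unencrypted ports.
        AuthenticationTypes authType =
            AuthenticationTypes.None | AuthenticationTypes.SecureSocketsLayer;

        var sids = new List<string>();
        using (var entry = new DirectoryEntry(path, proxyDn, windowsPassword, authType))
        {
            // RefreshCache forces the bind and fetches the computed attribute. A bad
            // password, or a proxy whose objectSid does not map to a trusted AD
            // account, surfaces here as a DirectoryServicesCOMException. Reading
            // tokenGroups assumes the naming context ACLs let the proxy read it.
            entry.RefreshCache(new[] { "tokenGroups" });
            foreach (byte[] raw in entry.Properties["tokenGroups"])
            {
                sids.Add(new SecurityIdentifier(raw, 0).Value);
            }
        }
        return sids;
    }
}
```

Call it from the request handler with the password collected by your own forms login; an integrated-auth context or a third party's SSO token gives you no password to pass, which is exactly the limitation discussed above.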