Re: adam bind-redirect



Question: if we don't have the password of the authenticated user, can we use an administrative password to do the bind-redirect?

"Dmitri Gavrilov [MSFT]" wrote:

> Lee is correct. You won't be able to do a proxy bind if you don't have the
> password.
>
> In any case, you are better off doing a secure bind as the currently
> impersonated user. This is the safest approach. This will work only if ADAM
> runs on the same box where IIS is. Or if you enable delegation.
>
> Re schema extension -- you can design any class you want. Then, you add
> msDS-bindProxy (a class in the base ADAM schema) as an aux class, and off
> you go. The userProxy class supplied in the LDF file is a "sample". You can
> either modify it as you want, or make another class like that. Up to you.
> ADAM only cares about msDS-bindProxy being an aux class of your proxy class.
>
> --
> Dmitri Gavrilov
> SDE, Active Directory Core
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
> news:Pine.GSO.4.55.0504281900480.14446@xxxxxxxxxxxxxxxxxxxxxx
> >
> > Hi
> >
> > inline below...
> >
> > On Thu, 28 Apr 2005, [Utf-8] mwr wrote:
> >
> >> So if we don't have the password of the person
> >> being authenticated (as in Windows authentication or
> >> a third party doing authentication) then the proxy-redirect isn't an
> >> option.
> >> Correct?
> >
> > As Bind redirect requires the distinguishedName or userPrincipalName
> > of the bind proxy object in the ADAM naming context and the Windows
> > password. I do not see how you could impersonate that in a simple LDAP
> > bind, maybe others with more dev expertise know different...
> >
> >> Assuming we can do the bind redirect in another scenario
> >> and we define a custom class in ADAM .
> >> Is it possible to add one of our custom classes as an auxiliary class to
> >> the user proxy object? Not sure how to do that.
> >
> > Yes you should be able to do that, I think what a number of folks
> > do in practice is design the bindProxy that they want and then modify
> > the MS-UserProxy to meet that and import that into ADAM.
> >
> > Lee Flight
>
>
>
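As an added example (not code from the thread, from Microsoft, or from MS-UserProxy.ldf), the following PowerShell puts the pieces discussed above together: a custom proxy class that carries msDS-bindProxy as its auxiliary class, imported with ldifde the same way the sample LDF is; a proxy object whose objectSid is the SID of the AD account; and the two bind styles Dmitri contrasts, a simple (proxy) bind with the user's own Windows password and a Negotiate bind as the current security context. The host name, ports, naming context, OU, account name, class name, UPN and governsId OID are all placeholders; the OID in particular must be allocated from your own arc before you import anything.

```powershell
# Added example, not from the thread. Host, ports, NC, OU, account, class name, UPN
# and OID are placeholders (assumptions); the OID must come from your own arc.
$AdamHost  = 'adam01.corp.example'   # assumption: host running the ADAM instance
$LdapPort  = 389                     # instance LDAP port (used for the imports)
$SslPort   = 636                     # instance SSL port; a proxy bind needs SSL unless
                                     # RequireSecureProxyBind is cleared in msDS-Other-Settings
$AppNC     = 'O=App,C=US'            # assumption: application naming context
$ProxyDn   = "CN=alice,OU=Proxies,$AppNC"
$AdAccount = 'CORP\alice'            # assumption: the AD account the proxy redirects to

# --- 1. Schema: a custom proxy class. ADAM only requires msDS-bindProxy as an
#        auxiliary class (it contributes the mandatory objectSid); the rest of the
#        class is yours. ldifde's -c switch rewrites DC=X to the real schema NC.
#        governsId below is a placeholder OID, not a real allocation.
$schemaLdf = @'
dn: CN=appUserProxy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: appUserProxy
adminDisplayName: appUserProxy
governsId: 1.2.3.4.5.6.7.8.9
objectClassCategory: 1
subClassOf: top
rdnAttId: cn
auxiliaryClass: msDS-bindProxy
mayContain: userPrincipalName
mayContain: displayName
possSuperiors: organizationalUnit
possSuperiors: container
defaultObjectCategory: CN=appUserProxy,CN=Schema,CN=Configuration,DC=X

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
'@
$schemaFile = Join-Path $env:TEMP 'appUserProxy.ldf'
Set-Content -Path $schemaFile -Value $schemaLdf -Encoding Ascii
& ldifde -i -f $schemaFile -s "${AdamHost}:${LdapPort}" -c 'CN=Schema,CN=Configuration,DC=X' '#schemaNamingContext'

# --- 2. Proxy object: objectSid is the binary SID of the AD account (base64 in LDIF).
$sid = ([System.Security.Principal.NTAccount]$AdAccount).Translate([System.Security.Principal.SecurityIdentifier])
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)
$objectLdf = @"
dn: $ProxyDn
changetype: add
objectClass: appUserProxy
objectSid:: $([Convert]::ToBase64String($sidBytes))
userPrincipalName: alice@app.example
"@
$objectFile = Join-Path $env:TEMP 'alice-proxy.ldf'
Set-Content -Path $objectFile -Value $objectLdf -Encoding Ascii
& ldifde -i -f $objectFile -s "${AdamHost}:${LdapPort}"

# --- 3. The two bind styles from the thread, via System.DirectoryServices.Protocols.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdamBind {
    param(
        [string]$Server,                                  # host:port
        [string]$AuthType,                                # 'Basic' (simple bind) or 'Negotiate'
        [System.Net.NetworkCredential]$Credential = $null, # omit to bind as the current context
        [bool]$UseSsl = $false
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.SecureSocketLayer = $UseSsl
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::$AuthType
    try {
        if ($Credential) { $conn.Bind($Credential) } else { $conn.Bind() }
        return $true
    } catch {
        Write-Warning "Bind as '$AuthType' to $Server failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

# (a) Proxy bind: simple bind with the proxy object's DN (or UPN) and the user's own
#     Windows password. ADAM checks that password against the AD account named by
#     objectSid, so any other password (an administrator's included) is rejected.
$userPassword = Read-Host -Prompt "Windows password for $AdAccount" -AsSecureString
$proxyCred = New-Object System.Net.NetworkCredential($ProxyDn, $userPassword)
Test-AdamBind -Server "${AdamHost}:${SslPort}" -AuthType Basic -Credential $proxyCred -UseSsl $true

# (b) Secure bind as the current (or, under IIS, impersonated) Windows identity.
#     The application never handles a password; this is the approach recommended
#     above and needs ADAM on the IIS box or Kerberos delegation for a remote caller.
Test-AdamBind -Server "${AdamHost}:${LdapPort}" -AuthType Negotiate
```

Bind (a) is the only one that needs the end user's password, which is the point of the thread: the proxy object holds no secret, only the SID, so there is nothing an administrative password could be checked against. If your application only ever sees a Windows token or a third-party assertion, bind (b) or a service account bind followed by an application-level lookup is what remains.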



Newsgroup: microsoft.public.windows.server.active_directory