Re: Using ADAM for authenticating non-AD users
- From: "jremmc" <jremmc@xxxxxxxxxxxxxx>
- Date: Mon, 11 Dec 2006 10:58:57 -0500
Thank you very much Joe, much appreciated. I will talk to the vendor and go
from there.
jremmc
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OwVr58xGHHA.1216@xxxxxxxxxxxxxxxxxxxxxxx
ADAM could work for this. In order to authenticate both AD and ADAM
users, you would either need to create bindProxy objects for the AD users
or the app would need to be clever enough to do LDAP simple bind for the
ADAM users and LDAP secure (GSS-SPNEGO SASL) for the AD users.
It is easier from an ADAM management standpoint to use the second approach
because you don't need to create the bindProxy objects and keep them in
sync, but the vendor app may not be capable of that. You'd need to verify
that with their application developers.
If they can only do LDAP simple bind to authenticate users, then you would
need bindProxy objects for your AD users in order to authenticate them.
That probably means using ADAMSync (or something more high powered like
MIIS or IIFP) to accomplish that. It is totally doable though. Your ADAM
users would just be normal users that you provision however you want.
ADFS can also solve this problem, but the vendor app would need to be able
to integrate with it. Once again, you'd need to approach them about
getting this support. ADFS provides two mechanisms that apps can use for
integration, Windows token and "claims-based". Claims-based integration
requires .NET 2.0 as the app platform, while Windows token can (probably)
work with any app that runs on IIS. However, both of these assume an app
running on IIS. I'm not sure about any support for WS-Federation clients
on other platforms like Apache or WebSphere.
The real beauty of ADFS is that it gives you the potential to allow your
customers to authenticate to this site using their own organization's
credentials instead of ones you create, assuming they can set up a
federation server too. ADFS can be used to solve all sorts of web
identity integration things, but that cross organization authentication
capability is really the bread and butter of why it exists. If you don't
need that or can't do it, it might be overkill. ADFS does provide a way
for you to integrate your AD and ADAM stores as well though.
Best of luck!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"jremmc" <jremmc@xxxxxxxxxxxxxx> wrote in message
news:O%23I0NAxGHHA.4112@xxxxxxxxxxxxxxxxxxxxxxx
We are a small company. We now find a need to give some customers some
access to some data in one of our 3rd party apps that maintains its own
list of users but can use an ldap directory instead. (The app can
authenticate against its own list or an ldap directory, but not both.) We
do not want to add the customers to our AD. We need a simple (not
Enterprise $$) solution. From what I read of ADAM, it sounds like ADAM
will do the trick?
If so, then what we do is create the customer accounts in ADAM, point
the app to it, and ADAM will use its db to authenticate them while at the
same time passing the authentication request to AD for all AD accounts
(employees). Yes? (I know there's much more involved in actually setting
up ADAM but what I want to do boils down to that.)
I also read about ADFS, which totally confused me, but I don't think that
is what we want.
Thanks,
jremmc
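The second approach Joe describes (the application itself doing an LDAP simple bind for ADAM users and a GSS-SPNEGO bind for AD users) looks like the following from the application side. This is an added illustration written for this page, not code from the thread, from Microsoft or from any vendor product; the host name, LDAPS port, application partition DN, domain name and the "DOMAIN\user means an employee" login convention are all assumptions made for the example.

```powershell
# Added example, not from the thread: one logon function that sends each
# credential to the right store with the right mechanism.
#   ADAM users: LDAP simple bind (AuthType Basic) over LDAPS.
#   AD users:   GSS-SPNEGO / Negotiate bind, so the password never crosses the wire.
# Every host, port, DN and domain name below is an assumption for illustration.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$AdamHost      = 'adam01.corp.example'              # assumed ADAM instance
$AdamSslPort   = 636                                # assumed LDAPS port of that instance
$AdamUsersBase = 'OU=Customers,DC=app,DC=example'   # assumed application partition
$AdDomain      = 'CORP'                             # assumed NetBIOS name of the AD domain

function ConvertTo-LdapDnValue {
    # RFC 4514 escaping for a value spliced into a DN, so a customer login such as
    # 'x,OU=Admins' cannot rewrite the bind DN.
    param([string]$Value)
    $escaped = $Value   -replace '([\\,+"<>;=])', '\$1'
    $escaped = $escaped -replace '^([ #])', '\$1'
    $escaped = $escaped -replace '( )$', '\$1'
    return $escaped
}

function Test-AdamSimpleBind {
    param([string]$UserDn, [string]$Password)
    # An empty password turns a simple bind into an anonymous bind that succeeds
    # (RFC 4513 unauthenticated bind), so refuse it before touching the directory.
    if ([string]::IsNullOrEmpty($Password)) { return $false }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($AdamHost, $AdamSslPort)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    # A simple bind carries the password in clear, so require LDAPS before binding.
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $cred = New-Object System.Net.NetworkCredential($UserDn, $Password)
    try {
        $conn.Bind($cred)
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # Result 49 (invalidCredentials), no TLS, unreachable host: all deny.
        Write-Verbose "ADAM bind failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

function Test-AdNegotiateBind {
    param([string]$SamAccountName, [string]$Password)
    if ([string]::IsNullOrEmpty($Password)) { return $false }
    # Passing only the domain name lets the DC locator pick a domain controller.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($AdDomain)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # GSS-SPNEGO
    $cred = New-Object System.Net.NetworkCredential($SamAccountName, $Password, $AdDomain)
    try {
        $conn.Bind($cred)
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Verbose "AD bind failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

function Test-UserLogon {
    # Assumed convention: employees log in as DOMAIN\user, customers as a bare name.
    # The store is chosen from the login's shape and the same password is never
    # retried against the other store, so an AD password never goes into a simple bind.
    param([Parameter(Mandatory)][string]$Login, [Parameter(Mandatory)][string]$Password)
    if ($Login -match '^([^\\]+)\\([^\\]+)$') {
        if ($Matches[1] -ne $AdDomain) { return $false }
        return Test-AdNegotiateBind -SamAccountName $Matches[2] -Password $Password
    }
    $dn = 'CN=' + (ConvertTo-LdapDnValue $Login) + ',' + $AdamUsersBase
    return Test-AdamSimpleBind -UserDn $dn -Password $Password
}

# Usage (credentials would come from the app's login form):
#   Test-UserLogon -Login 'CORP\jsmith' -Password $pw    # AD, Negotiate bind
#   Test-UserLogon -Login 'customer42'  -Password $pw    # ADAM, simple bind over LDAPS
```

If the vendor application can only do a simple bind, this dispatch is exactly what it cannot do, which is why Joe's alternative is to give the AD users bindProxy objects in ADAM and keep them synchronized; in that case the whole bind still goes to ADAM and still needs LDAPS.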