Re: ADAM hierarchy differs from AD hierarchy
- From: "Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx>
- Date: Fri, 25 May 2007 11:50:46 +0100
Answers inline...
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
"Nicolouw M. Kruger via WinServerKB.com" <u33094@uwe> wrote in message news:729c2a26fcaeb@xxxxxx
Hi
Am starting this new thread after our first phase with ADAM as per "ADAM Design Question: userProxy and Groups" on this forum.

We now want to integrate our working ADAMs with another LAN AD (LAD) that has a different hierarchy to the legacy Application AD (AAD) that we are integrated with at present. We are using userProxyFull between our ADAMs and the AAD. The application binds via userPrincipalName (UPN) and all is working fine with AAD bind redirection, etc. Now with this LAD we see it has an OU hierarchy that is quite different to the AAD hierarchy, which is actually quite flat, i.e. just the "CN=Tom Jones, CN=Users, DC=domainX, DC=regionY" and all users sit within that base DN.
Now I'm wondering, is there not an AD functionality to create a "virtual view" in the LAD that is similarly flat to the way the AAD appears to me? In other words, I do not want to move the existing users from within their OU structure (mostly branches of the company) in the LAD, but just want to create another view of all users across all OUs in a "flat" container that is totally virtual. I'm then hoping to do my integration work from ADAM to this virtual view instead of the real OU/branch containers.
AD doesn't have any concept of virtual attributes or views, nor is there really a product such as Sun's Directory Proxy Server to provide virtual directory views.
You could utilise MIIS/IIFP and have a replica of the objects in a flat ADAM instance and use that, but that's a lot of overhead for little gain. Although using an ADAM instance which has everything in the metaverse is a very fat and poor way of doing what Directory Proxy Server does : )
Alternatively I presume I must re-build the current ADAM hierarchies to match the "branch" hierarchy of the LAD, right? The challenge is that the Groups now in ADAM do not exist in the LAD and never will; they are Application Groups and the LAD Groups are altogether different. So, I need to construct these hierarchies and re-build all the existing Groups (as from original AAD) to now point to the DN of the user as per the DN structure of the LAD instead of the DN structure as in present AAD. Note that the Groups in AAD are now redundant since the Groups are now in ADAM with only the user still "living" in the AAD.
Why do the structures need to match? The bindProxy isn't mapped to the AD object via DN, it's retrieved via SID, so where the objects lie is irrelevant, isn't it?

Re-reading your paragraph it's not clear to me what you are trying to achieve here. Care to elaborate? I'm not familiar with your previous posts.
We want the user to "live" in the LAD - that is the challenge.
Finally, just double checking my understanding of how the authentication process works as initiated from LDAP client into ADAM and then through the bind redirection to the backend AD. We do the simple bind using two methods from what I can see. When the user starts first login then the application binds with the full DN of the App ID e.g. "CN=ADAMapp, CN=Users, DC=domainX, DC=regionY". ADAM then takes this full DN and authenticates against AD using that and the event logs do show the SAM name of that account, i.e. ADAMapp.
When you bind to ADAM, ADAM locates the object that you bind with (there are multiple supported formats) and then, if the object is a proxy, uses the SID to retrieve the AD account and authenticates against AD using the sAMAccountName and the password passed with the simple bind.

As for what is audited, *I think* the ADAM instance audits the simple bind and both the workstation and the DC audit the [Windows] logon using the AD credentials by the ADAM server.
Secondly, once the App has checked OK, it then searches (this is JBoss doing this) for the user using the UPN in ADAM, e.g. "tjones", which ADAM then finds in its repository, but it then passes through the full DN for that user to AD, since in the Windows event log I can see the full DN for that user, although I have also observed log entries against the UPN that the user logged in with, e.g. "tjones".
I don't believe this is the case. The DN might well be there for info. purposes (I'd need to test and can't now) but the authentication isn't using the DN as it's not performing a simple bind - it's doing Windows Kerberos or NTLM authentication using whichever SSPI is negotiated.
Your advice/pointers will once be much appreciated...
Nicolouw
--
Nicolouw Kruger (CISSP)
J2EE Security and Solutions Architect
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-ad/200705/1
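Paul's point that a userProxy is tied to its AD account by SID rather than by DN, modelled in Python as an added example (not code from the thread, from ADAM or from Microsoft). It assumes the standard Windows binary SID layout for objectSid; the AD accounts, proxy objects and SID values are constructed, and the DN and UPN layout mirrors the thread.

```python
"""Added example: resolve an ADAM userProxy to its AD account by objectSid, not DN.
Directory contents below are constructed; the SID wire format (revision byte,
sub-authority count, 6-byte big-endian identifier authority, little-endian
32-bit sub-authorities) is the standard Windows encoding."""
import struct


def sid_to_string(raw: bytes) -> str:
    """Decode a binary objectSid (as stored in AD/ADAM) to S-R-I-S... text form."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def string_to_sid(sid: str) -> bytes:
    """Encode S-R-I-S... text back to the binary form written to a proxy's objectSid."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


# Constructed LAD account: lives in a branch OU, not a flat Users container.
AD_ACCOUNTS = {
    "CN=Tom Jones,OU=BranchA,DC=domainX,DC=regionY": {
        "sAMAccountName": "tjones",
        "objectSid": string_to_sid("S-1-5-21-1111-2222-3333-1105"),  # constructed SID
    },
}
# Constructed ADAM userProxy in the flat ADAM layout, carrying the same SID.
ADAM_PROXIES = {
    "CN=Tom Jones,CN=Users,DC=adam,DC=local": {
        "userPrincipalName": "tjones",
        "objectSid": string_to_sid("S-1-5-21-1111-2222-3333-1105"),
    },
}


def resolve_bind_account(upn, proxies=ADAM_PROXIES, ad=AD_ACCOUNTS):
    """Model the redirection step: find the proxy by UPN, then the AD account whose
    objectSid matches. No DN is compared, so the AD container is irrelevant."""
    proxy = next((p for p in proxies.values() if p["userPrincipalName"] == upn), None)
    if proxy is None:
        return None
    match = next((e for e in ad.values() if e["objectSid"] == proxy["objectSid"]), None)
    return match["sAMAccountName"] if match else None


def move_ad_account(ad, old_dn, new_dn):
    """Simulate moving the AD user to another OU: the DN changes, the SID does not."""
    ad[new_dn] = ad.pop(old_dn)
    return ad
```

Moving the constructed account between OUs changes only its DN, so the proxy still resolves, which is why the ADAM layout need not mirror the LAD's branch hierarchy.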