
Metadirectory for RSA ClearTrust


Charles McCabe

Feb 18, 2005, 3:20:43 PM
I hope someone is willing to entertain my questions here ; )

Right now we use a product called ClearTrust from RSA. It attaches to our
Active Directory via LDAP for user authentication to various [web]
resources. We use the uPN for user identification and, because users are
stupid and lazy, we append the domain portion of the name for them via the
web form; the user enters john.smith and we submit
john....@subdomain.ourdomain.com. ClearTrust then attempts an LDAP bind
to AD to determine if the name and password are valid.

Now, in typical corporate fashion, I have to get this authentication
working for not one, but 4 forests in 90 days.

Here are the requirements:

[Almost] user-transparent.
[Almost] no downtime.
No significant changes to source directories.

To me, this sounds like I need a metadirectory, but I have no experience
here. This is how I imagine the metadir working (stop me when I don't make
sense):

User enters name and chooses domain on logon form.
ClearTrust tries to auth to metadir.
Metadir looks at domain and forwards (referral, right?) to the right
source directory. How does this work? Is this a standard LDAP thing?
ClearTrust attempts auth at referred directory.

Is it possible to sync all records into the metadir, instead? You can't
do this with the AD passwords via LDAP, right?

Any guidance is much appreciated . . . products, standards, problems, etc.
. . are all open game.

Thanks,
Chaz


Charles McCabe

Feb 18, 2005, 6:08:46 PM
to mcca...@consultingprof.com
Getting a little more specific as I keep reading . . . can an OpenLDAP (or
LDAP in general) server contain a referral to a parallel naming context?
For example, can my LDAP server, responsible for somedomain.com, provide a
referral to someotherdomain.com?

Thanks,
Chaz

Charles McCabe

Feb 18, 2005, 10:51:37 PM
to kim.i...@asg.com, mcca...@consultingprof.com
The ClearTrust auth servers have to be told where to go looking for the
name, so to expound on the CT side of things:

User tries to access a URL that is protected by the CT agent (installed on
webserver). CT agent redirects the user to the logon form. User enters
name/pw in form.
CT agent passes name/pw to the CT auth server. Auth server looks at its
config and tries the LDAP bind to the configured directory. On successful
bind and permissions, user is given a cookie and redirected back to
original URL.

So, the problem is that CT can only go looking in one place for the user
(actually two, but that's another story and not really helpful anyway).
It can, apparently, handle LDAP referrals, so if one LDAP directory can
refer to others that are "parallel", this might be pretty simple ; )

Does that make sense?

Thanks,
Chaz

On Sat, 2005-02-19 at 01:56 +0100, Kim Iversen wrote:
> Hi,
>
> To me it seems that the only thing needed is for RSA ClearTrust to
> resolve the name entered in the login form to a full distinguished name
> (DN). With a DN, it's a standard LDAP feature to do a (simple or SSL)
> bind to a specific LDAP server - being AD, eDirectory, SunOne or
> whatever.
>
> I don't know what should be the reason for creating an additional
> directory (like a meta directory) since all information (like the DN) is
> already at hand in AD.
>
> The only catch with regards to the DN is if two (or more) users have
> identical userids on the same domain (which is actually possible) - in
> this case, a DN lookup would return more than one DN ... which one
> should be used to do the LDAP bind then ... ?
>
> Anyway ... I solved this by returning the list of DNs to the requesting
> application. Then it's up to the requestor (being a user or application)
> to decide what to do next.
>
> Maybe this helps ... maybe I misunderstood something - if I did, I
> apologize !
>
> Thanks
>
> Kimi
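The resolve-to-DN step Kim describes, combined with the form-side domain handling from the first post, as an added example that is not from the thread or from RSA ClearTrust: it routes the domain chosen on the logon form to its directory, escapes the typed name before it goes into the LDAP search filter, and refuses to pick a DN when more than one entry matches. Server URLs, base DNs and the sample entries are constructed, and the live subtree search is replaced by an in-memory stand-in.

```python
import re
# Constructed: directory per logon-form domain (server URLs and base DNs are assumed, not from the thread).
DIRECTORIES = {
    "subdomain.ourdomain.com": ("ldap://dc.subdomain.ourdomain.com", "DC=subdomain,DC=ourdomain,DC=com"),
    "otherforest.example": ("ldap://dc.otherforest.example", "DC=otherforest,DC=example"),
}

# Constructed stand-in for what an AD subtree search would return: {base DN: {entry DN: UPN}}.
# "a.lee" exists twice in one forest to model Kim's duplicate-userid case.
SAMPLE_ENTRIES = {
    "DC=subdomain,DC=ourdomain,DC=com": {
        "CN=John Smith,OU=Staff,DC=subdomain,DC=ourdomain,DC=com": "john.smith@subdomain.ourdomain.com",
        "CN=A Lee,OU=Staff,DC=subdomain,DC=ourdomain,DC=com": "a.lee@subdomain.ourdomain.com",
        "CN=A Lee,OU=Contractors,DC=subdomain,DC=ourdomain,DC=com": "a.lee@subdomain.ourdomain.com",
    },
    "DC=otherforest,DC=example": {
        "CN=Jane Doe,OU=Staff,DC=otherforest,DC=example": "jane.doe@otherforest.example",
    },
}

def escape_filter_value(value):
    """RFC 4515 escaping, so what the user typed cannot change the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def unescape_filter_value(value):
    """Inverse of escape_filter_value; only needed by the in-memory stand-in below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_upn_filter(name, domain):
    """Append the domain the way the logon form does, then escape the whole UPN."""
    return "(userPrincipalName=%s)" % escape_filter_value("%s@%s" % (name, domain))

def simulated_search(base_dn, ldap_filter):
    """Stand-in for the real search: exact equality match on userPrincipalName under base_dn."""
    wanted = unescape_filter_value(re.fullmatch(r"\(userPrincipalName=(.*)\)", ldap_filter).group(1))
    return sorted(dn for dn, upn in SAMPLE_ENTRIES.get(base_dn, {}).items() if upn == wanted)

def resolve_bind_target(name, domain, search=simulated_search):
    """Return (server, DN) to bind as, None if no such user, and raise if the userid is ambiguous."""
    if domain not in DIRECTORIES:
        raise LookupError("domain not offered on the logon form: %r" % domain)
    server, base_dn = DIRECTORIES[domain]
    matches = search(base_dn, build_upn_filter(name, domain))
    if not matches:
        return None
    if len(matches) > 1:
        # Kim's catch: two entries share the userid; never silently bind as the first hit.
        raise ValueError("ambiguous userid %s@%s: %s" % (name, domain, matches))
    return server, matches[0]
```

With a real directory, `search` is replaced by the actual subtree search and the returned (server, DN) pair is what the simple bind is attempted against.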
