
is the AD LDAP interface domain trust aware?


David Burghgraeve

Apr 25, 2005, 11:04:03 AM
Hi there,

We're thinking out a concept for our company with forests and/or
child-domains.

We now have a single domain (internationally) for all of our client
infrastructure needs. As we also incorporated our Linux Websphere Java
applications in this same Active Directory domain (Windows 2003 native mode)
with authentication and authorisation through LDAP,
we're now heading towards a situation where our company's growth and complexity
no longer match our "one domain security" setup.

If I create a new domain beside it or as a child domain (transitive trusts),
can I use LDAP queries on this 2-domain situation on one domain controller
(as the LDAP config cannot choose its LDAP server; it is a fixed security config)?

Joe Richards [MVP]

Apr 25, 2005, 1:11:24 PM
Websphere against a multidomain environment can be a pain in the butt; a couple
of years ago I worked a little with integration analysts at a Fortune 5 company
trying to do it.

Depending on the information you need to pull, you may be ok as long as you only
let websphere hit Global Catalogs. Basically the info has to be in the GC. If
the information is not in the GC, you will need to query a DC of the proper
domain to get the information needed.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
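The GC-versus-DC rule Joe describes, as an added example that is not part of the thread: given an object's DN and the attributes an application needs, split the lookup into a Global Catalog leg (port 3268, attributes in the partial attribute set) and, only when required, a leg against a DC of the object's own domain (port 389). The GC hostname and the default-PAS attribute list are assumptions for illustration.

```python
"""Plan a forest-wide attribute read: the Global Catalog (port 3268) only
holds the partial attribute set (PAS); anything else must be fetched from a
domain controller (port 389) of the domain that owns the object."""
from dataclasses import dataclass

# Assumed subset of the default PAS, for illustration only. In a real forest
# read the schema flag isMemberOfPartialAttributeSet rather than trusting a list.
GC_ATTRS = frozenset({"objectclass", "cn", "samaccountname",
                      "userprincipalname", "mail", "displayname", "objectsid"})


@dataclass
class Query:
    host: str
    port: int
    base: str          # base DN; scope is "base" because the DN is known
    attributes: tuple  # attribute names, normalised to lower case


def dn_to_domain(dn: str) -> str:
    """'CN=x,OU=y,DC=eu,DC=corp,DC=example' -> 'eu.corp.example'."""
    parts = [p.strip() for p in dn.split(",")]
    labels = [p.split("=", 1)[1] for p in parts if p.lower().startswith("dc=")]
    if not labels:
        raise ValueError(f"no DC components in {dn!r}")
    return ".".join(labels)


def plan_lookup(dn: str, wanted, forest_gc: str = "gc.corp.example") -> list:
    """Return one query (GC only) or two (GC plus domain DC) covering `wanted`."""
    wanted = [a.lower() for a in wanted]
    from_gc = tuple(a for a in wanted if a in GC_ATTRS)
    from_dc = tuple(a for a in wanted if a not in GC_ATTRS)
    plan = []
    if from_gc:
        # Any GC in the forest can answer this, whatever domain owns the object.
        plan.append(Query(forest_gc, 3268, dn, from_gc))
    if from_dc:
        # The domain's DNS name resolves to its DCs, so use it as the host.
        plan.append(Query(dn_to_domain(dn), 389, dn, from_dc))
    return plan


if __name__ == "__main__":
    for q in plan_lookup("CN=Jane,OU=Staff,DC=eu,DC=corp,DC=example",
                         ["mail", "employeeID", "cn"]):
        print(f"ldap://{q.host}:{q.port}/{q.base} -> {q.attributes}")
```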

Joe Kaplan (MVP - ADSI)

Apr 25, 2005, 2:45:16 PM
This might also be the kind of thing that you could use ADAM and MIIS to
support. Essentially, you build the forest you need for your Windows stuff,
and then for your apps that need a flat namespace, you sync the appropriate
goo to ADAM and do your authentication and authorization against it.

Using the GC first is probably better if it will work as it doesn't require
any of that additional complexity, but I can definitely imagine some
situations where using ADAM would make things much more simple (or even just
"possible").

Joe K.


"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message
news:O47RQnbS...@TK2MSFTNGP14.phx.gbl...

Joe Richards [MVP]

Apr 25, 2005, 3:46:44 PM
Absolutely, had AD/AM been around when I had to help those folks out, I
definitely would have pushed for it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

David Burghgraeve

Apr 26, 2005, 5:02:02 AM
Indeed, the GC has the forest information.

But as the forest grows, I think the number and usage of universal groups
will grow rapidly, because the people responsible for Websphere will try to keep to a
single application infrastructure, and each application uses groups in the
domain for the authorisation checks => big impact on the client
infrastructure?

So following your advice, I'm left with these solutions:

1) Indeed the usage of ADAM as a collector directory. As I understand it,
you'll need MIIS for the synchronisation part => $$$, or is this
possibility included in ADAM?
Can LDAP really do the authentication check too (userid/password/change
password)?

2) The usage of two load-balanced Windows 2003 IIS servers that are doing
all of the authentication and authorisation (using native Windows security).
By doing that I can eliminate the weaknesses of LDAP/Websphere. The big disadvantage is
that the company strategy is "being independent of any software supplier",
and we won't be able to easily change its application infrastructure in the
future.

Joe Richards [MVP]

Apr 26, 2005, 11:07:34 AM
1a. No, you don't need the MIIS tool; you can use IFP, which is a "free" version
of MIIS for syncing AD and AD/AM, or you can look at the R2 Beta, which has an
AD/AM syncer included.

1b. Yes, if the machine the AD/AM instance is installed on is a member of a
domain of the forest, you can secure auth with forest security principals
against AD/AM. That is one of the huge wins when using AD/AM versus openldap or
some other ldap directory.


2. This was actually a solution we were thinking about as well. We eventually
turned it down due to the security team's concerns about writing it securely, as
it would have been handling clear text passwords. There were also concerns about
budget and long term maintenance. If you have high confidence in the ability to
put it together and maintain it securely, that may be one of your best options.


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
