Joerg Schoppet
2006-Nov-28 14:28 UTC
[Fedora-directory-users] Authentication through Active Directory
Hi all,

I'm in an account of a bigger company, which uses Microsoft Active Directory for User Management and Authentication. Now we need to save some additional information for a subset of all employees, but the AD administrators do not want to include the required attributes in the company AD. Our plan is now to install "Fedora Directory Server" to hold this additional information. The users, who use a special application, should now connect to this server to retrieve the necessary information, but the authentication should stay in the AD.

Is it possible, and if yes how, to configure "Fedora Directory Server" to pass the authentication information to the AD and only let the specific user bind to the directory server if the AD authentication is OK?

Thanks in advance
Joerg Schoppet
David Boreham
2006-Nov-29 00:48 UTC
Re: [Fedora-directory-users] Authentication through Active Directory
Joerg Schoppet wrote:
> I'm in an account of a bigger company, which uses Microsoft Active Directory for User Management and Authentication. Now we need to save some additional information for a subset of all employees, but the AD administrators do not want to include the required attributes in the company AD. Our plan is now to install "Fedora Directory Server" to hold this additional information. The users, who use a special application, should now connect to this server to retrieve the necessary information, but the authentication should stay in the AD.
>
> Is it possible, and if yes how, to configure "Fedora Directory Server" to pass the authentication information to the AD and only let the specific user bind to the directory server if the AD authentication is OK?

Hmm... I think what you are trying to implement is a form of Directory Federation. You might be able to achieve what you want with FDS and its AD sync feature. In that case, passwords are synchronized from AD to FDS (and vice versa), so your requirement for authentication 'against AD' would be met, except that authentication would be done by FDS, using the AD password. If you want to proxy authentication directly to AD, that might be possible without code changes in FDS, but I'm not sure.

Another option you might look at is to deploy Microsoft's ADAM, which is a Federation add-on for AD. It was designed to meet your exact needs (application wants to use AD for directory services, but AD admins refuse to allow the schema to be extended).
Ulf Weltman
2006-Nov-29 01:41 UTC
Re: [Fedora-directory-users] Authentication through Active Directory
David Boreham wrote:
> Joerg Schoppet wrote:
>
>> I'm in an account of a bigger company, which uses Microsoft Active Directory for User Management and Authentication. Now we need to save some additional information for a subset of all employees, but the AD administrators do not want to include the required attributes in the company AD. Our plan is now to install "Fedora Directory Server" to hold this additional information. The users, who use a special application, should now connect to this server to retrieve the necessary information, but the authentication should stay in the AD.
>>
>> Is it possible, and if yes how, to configure "Fedora Directory Server" to pass the authentication information to the AD and only let the specific user bind to the directory server if the AD authentication is OK?
>
> Hmm... I think what you are trying to implement is a form of Directory Federation. You might be able to achieve what you want with FDS and its AD sync feature. In that case, passwords are synchronized from AD to FDS (and vice versa), so your requirement for authentication 'against AD' would be met, except that authentication would be done by FDS, using the AD password. If you want to proxy authentication directly to AD, that might be possible without code changes in FDS, but I'm not sure.
>
> Another option you might look at is to deploy Microsoft's ADAM, which is a Federation add-on for AD. It was designed to meet your exact needs (application wants to use AD for directory services, but AD admins refuse to allow the schema to be extended).

The Pass Through Authentication plugin should also work with ADS, because it doesn't rely on proxied authentication, unlike the Chaining Backend plugin or the loop detection control.

PTA is the magic that allows the uid=admin,..,o=Netscaperoot user to log in and configure all FDS servers in an instance group even though o=Netscaperoot only exists in the configuration instance. I've seen it work with ADS too, though. Details: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/pasthru.html#1095869

You may need an FDS build from the tip; the PTA doesn't correctly handle bind responses with server controls. I'm not sure about ADS's use of controls in bind responses.
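As an added illustration (not from this thread or the FDS/389 project docs), this is the shape of the PTA plugin entry in dse.ldif that forwards binds for DNs under the AD domain to a domain controller, followed by an ACI that lets those AD-authenticated DNs read only the application subtree held in FDS. The host names, suffixes, tuning values and the ou=AppData subtree are assumed placeholders.

```ldif
# Added example: Pass Through Authentication plugin entry (FDS / 389 DS dse.ldif).
# Host, port, suffixes and tuning values are placeholders, not taken from the thread.
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: libpassthru-plugin
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
# Argument format: ldap[s]://<host>:<port>/<subtree> maxconns,maxops,timeout,ldver,connlifetime
# Any bind whose DN falls under DC=corp,DC=example,DC=com is forwarded to the AD DC;
# FDS stores no AD password and performs no local password check for that subtree.
# ldaps:// (636) keeps the forwarded password off the wire in cleartext; the AD
# CA certificate must then be trusted in the FDS instance's certificate database.
nsslapd-pluginarg0: ldaps://ad-dc.corp.example.com:636/DC=corp,DC=example,DC=com 3,5,300,3,300

# Least privilege on the FDS side: an AD user who bound successfully through PTA
# may read and search the application data, nothing else. The userdn pattern
# matches bind DNs from the AD Users container (placeholder suffix).
dn: ou=AppData,dc=app,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "AD-authenticated users read app data";
  allow (read,search,compare)
  userdn="ldap:///CN=*,CN=Users,DC=corp,DC=example,DC=com";)
```

Because the PTA subtree is the AD suffix rather than a local one, the user's entry exists only in AD; the ACI above therefore grants access by bind DN pattern, and the client should itself connect to FDS over ldaps so the password is protected on both hops.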
David Boreham
2006-Nov-29 01:53 UTC
Re: [Fedora-directory-users] Authentication through Active Directory
Ulf Weltman wrote:
> The Pass Through Authentication plugin should also work with ADS

Right. Windows Sync would need to be deployed _without_ passsync; otherwise I'm not quite sure what would happen when it does its binds to check the password for loops. FDS + Winsync + PTA - passsync might work for this application.