Al, Thanks for the feedback. In reality, I don't think that the code, etc. for ADAM SecPrinc vs. AD related will be that bad. If the account is supposed to exist, then the user object is going to have to be in ADAM one way or the other.
So, check first for a user object with a password in ADAM. Fail that, check for a userProxy object. Succeed and on to AD for AuthN (with the SID and Password in tow) or fail with the "username does not exist or incorrect password" message (or something equally ambiguous). However, I could be horribly wrong.... (Like _that's_ never happened before....)

-rtk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Sunday, March 06, 2005 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM - Clarification

Nuts! I had to go back and read the part about the internal users also gaining access with internal credentials. So to me this screams multiple instances of a directory: 1 for internal and one for external users. The internal users DB would use SASL bind techniques and would have to be able to talk to the AD for authentication. The external users would only use simple bind techniques.

Saying that, I haven't tried it, but I'm wondering if you could mix and match: some that are AD proxy objects (I know you said it's out, but..) and some that are not. What would the messy code look like then?

Another option is to use password synchronization. The downside is that you would be putting passwords for internal resources into the DMZ under the current concept.

The identity store is not the important factor here; the solution requirements and your security policy are what will likely drive this to some sort of unique solution. ADAM is just a lot easier and more integrated to work with than the other identity stores.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Sunday, March 06, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM - Clarification

I wouldn't use SASL for this myself.
I don't believe I'd want my customer data in the Windows SAM as that could run into scalability issues (that's why we went with AD in a distributed fashion vs. local SAM, right?). From your description, a simple bind is the way to go. You'll want to secure the transmission of course and lock down which machines can gain access to the server/port hosting the ADAM instance.

For what it's worth, this would be the same as in the case of using SunLDAP or OpenLDAP because they are just doing a bind to an identity store and then possibly looking at the group membership for authorization purposes.

My $0.04 anyway,

al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, March 05, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM - Clarification

All -

We have a Web Portal solution that has the option to use LDAP v3 for AuthN calls. Obviously, we want to use AD for our internal customers, and implement user objects that would not reside in AD for our external customers. In my mind, this screams ADAM. I can create the user objects in ADAM for the external customers. And, I've read thoroughly the Tech Refs and some other words from Joe Kaplan on the subject. I also took a look at ~Eric's blog for a post or two, which were helpful.

The problem - to the point - is this. The Portal web server, where the LDAP AuthN calls come from, is in the external perimeter. There are four options that are indicated in the docs:

1. Anonymous bind (no password)
2. Simple LDAP bind (ADAM security principal with password)
3. SASL binding (Windows security principal in local computer or AD)
4. Bind redirection (security principal is in ADAM, but has a reference to an AD security principal)

Bind redirection (userProxy) has a domain membership requirement for the machine on which ADAM resides. Given that the security requirements won't allow this, this one is out.
However, I can't seem to find anything that indicates the requirements for SASL bind. Is this an option?

The bottom line is that I want to use ADAM, but have run into this brick wall. What options do I have, as I've exhausted the resources that I have at my disposal, at this point in time at least :)

Rick Kingslan
MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
               Windows Server / Rights Management
               Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
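Added example (not code from the thread or from ADAM itself): the "check ADAM first, then userProxy, then AD" routing that Rick sketches in his reply, with both of Al's "mix and match" object kinds in one instance. The entries and the two bind back-ends (`adam_simple_bind`, `ad_redirected_bind`) are constructed in-memory stand-ins for an LDAPS simple bind to ADAM and a userProxy redirection to AD; the point it shows is that every failure path returns the same ambiguous message to the client while the server-side reason stays precise.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: one ADAM security principal with its own password,
# and one userProxy object that carries only a (made-up) AD SID.
ADAM_ENTRIES = {
    "ext.customer": {"objectClass": "user", "userPassword": "s3cret"},
    "int.employee": {"objectClass": "userProxy",
                     "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1104"},
}
# Constructed stand-in for the AD side, keyed by SID. In a real deployment the
# password never sits in the DMZ: ADAM redirects the bind to AD (Al's concern).
AD_PASSWORDS = {"S-1-5-21-1111111111-2222222222-3333333333-1104": "Winter2005"}

# One wording for every failure, so a caller cannot tell "no such user" from
# "wrong password" and thus cannot enumerate which names exist.
AMBIGUOUS = "username does not exist or incorrect password"

@dataclass
class Outcome:
    ok: bool
    message: str                 # what the portal shows the end user
    reason: str                  # precise cause, for the server-side log only
    store: Optional[str] = None  # "ADAM" or "AD" on success

def adam_simple_bind(entry: dict, password: str) -> bool:
    """Stand-in for a simple LDAP bind against ADAM (always over LDAPS/TLS)."""
    return entry.get("userPassword") == password

def ad_redirected_bind(entry: dict, password: str) -> bool:
    """Stand-in for bind redirection: the SID and password go on to AD."""
    return AD_PASSWORDS.get(entry["objectSid"]) == password

def authenticate(username: str, password: str) -> Outcome:
    """Route the bind by the ADAM object's class, then report uniformly."""
    entry = ADAM_ENTRIES.get(username)
    if entry is None:
        return Outcome(False, AMBIGUOUS, "no such object in ADAM")
    cls = entry["objectClass"]
    if cls == "user":
        ok, store = adam_simple_bind(entry, password), "ADAM"
    elif cls == "userProxy":
        ok, store = ad_redirected_bind(entry, password), "AD"
    else:
        return Outcome(False, AMBIGUOUS, f"unsupported objectClass {cls}")
    if not ok:
        return Outcome(False, AMBIGUOUS, f"bad password ({store} bind failed)")
    return Outcome(True, "authenticated", f"{store} bind succeeded", store)
```

The `reason` field is what belongs in the ADAM host's log; only `message` should ever travel back across the perimeter to the portal.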