The first thing I would say and I am shocked Al didn't say is

LDAP IS NOT AN AUTHENTICATION PROTOCOL!!!!

For the managers and vendors let me repeat ;o)

LDAP 
IS 
NOT 
AN 
AUTHENTICATION 
PROTOCOL
!!!!


LDAP has to authenticate as a part of giving secure access to data but that
doesn't make it an authentication protocol. A file server has to
authenticate you in some way shape or form for you to safely access files
too; I don't see people stumbling over themselves to use that as an
authentication protocol. The only reason this comes in from the *NIX world
like this is because Kerberos can be a serious pain in the ass there. Tough,
use a real authentication protocol.

If the vendor is using it to authenticate and that is all they are doing my
comment to them is get off your ass and use a real auth protocol and with
Windows the proper auth protocol is Kerberos. Most Windows folks don't even
have a clue to the technical depth and complexity of Kerberos because
Microsoft did such a bang up job of burying the details for most things
Windows. So if someone doesn't use it, that is their issue, not Microsoft's.



Following up of course with the things JoeK said which I fully concur with. 

If using LDAP to authenticate though, where in the tree you poke doesn't
matter, as long as the user is a member of that forest, if you specify their
ID and their password, it will authenticate them by passing the traffic to
whatever DC is required. However, the app should be smart enough to ask the
proper DC out of the box. 

And when you specify the ID, specify either UPN or Domain\UserID, do not use
DN. Why? Because DNs change and if you allow the apps to say, you have to
stick with a certain DN then you have lost a bunch of flexibility of AD. 

Finally, if they don't do basic things like this right, I wonder what your
chances are that they do harder things like attribute ranging and paging
right. 

AD is an extremely robust directory service and has tons of failover and
location services built into it. It has been out for 6 years in production
now, much longer in beta phases, etc and if apps still don't know what they
are doing with it I would greatly question the programmers and the vendor.
It is outright stupid to make your robust directory lower itself to the
standards of a poorly written app. If the app requires any of the following:

1. Fixed DNs
2. All users under a single base
3. someone to change the ranging values
4. someone to change the paging values
5. a fixed hostname
6. Non-nested groups
7. etc etc etc

Then really investigate that app because it is a pain in the ass. The only
time you should be talking fixed hostnames versus auto service location is
in the case of synchronization. That is the one case where it is a bit
difficult to bounce between DCs but I have seen apps that can pull this off,
though they are less efficient because they have to regather their bearings
every time they jump DCs. Most applications do not have this issue.
Especially apps doing basic auth/authz/data lookup.

   joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Friday, September 22, 2006 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

You might have them try to work with the GC.  You should be able to 
authenticate and find users from any domain via the GC.

I think Joe Richards might also suggest that the vendor learn what they are 
doing and either integrate with AD the right way or don't claim they can. 
I'll bet they need to talk to a specific domain controller too.  I won't put
words in Joe's mouth though.  :)

Joe

----- Original Message ----- 
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Friday, September 22, 2006 3:41 PM
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP


The application designer is telling me it can only be configured for one 
source of authentication, so if they use the domain level authentication will
that allow to authenticate users in the subdomain?

I.e.
 domain.com
child.domain.com

If I point the application to use domain.com as authentication source will 
that also authenticate users from the child domain?

Thanks




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, September 22, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP


sub-domain query base: dc=subdomain,dc=domain,dc=com
domain query base: dc=domain,dc=com

When the search is initiated, it will start looking at the query base and, 
if so configured, everything below it (subtree search).

In your case, that won't likely happen depending on how you configured it. 
If you instead change your query base to dc=domain,dc=com (assuming you have
a contiguous namespace) then you may get different results.

Testing.  You can use ldp, adfind, or any other ldap client if your app 
doesn't have that functionality built in.

Since you're security conscious, be mindful of the cert and the ports you're
using during your testing :)

Permissions?  That depends on your configuration and your versions.  Windows
2000 is pretty much open for searches while 2003 requires authenticated 
users by default.

Al
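The points made in this thread (bind with a UPN or DOMAIN\user rather than a DN, locate DCs by service records instead of a fixed hostname, ask the GC when users span several domains of the forest, derive the query base from the DNS name and search subtree, request paging instead of having the directory's limits raised) can be encoded in a small stdlib-only Python helper. This is an added example, not code from the thread, from Microsoft or from any vendor; the forest root domain.com, child child.domain.com, user rlinan and host gc01.domain.com are constructed sample values, and the ldapsearch invocation it builds is OpenLDAP's client with the paging control requested via -E pr=.

```python
"""
Added example (not from the thread): helpers that put the list's advice into
code for an app binding to AD over LDAP. Stdlib only; sample names are
constructed (forest root domain.com, child child.domain.com, user rlinan).
"""
from __future__ import annotations

import re
import shlex

LDAP_PORT, LDAPS_PORT = 389, 636      # a single domain's DC
GC_PORT, GC_SSL_PORT = 3268, 3269     # global catalog: every domain of the forest


def base_dn_from_dns(domain: str) -> str:
    """domain.com -> dc=domain,dc=com ; child.domain.com -> dc=child,dc=domain,dc=com"""
    labels = [lbl for lbl in domain.strip().strip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"dc={lbl}" for lbl in labels)


def classify_identity(user: str) -> str:
    """'upn' (user@dns.domain), 'netbios' (DOMAIN\\user) or 'dn' (cn=...,dc=...)."""
    s = user.strip()
    if re.match(r"^(cn|ou|dc|uid|o)\s*=", s, re.I):
        return "dn"
    if "@" in s and "\\" not in s:
        return "upn"
    if s.count("\\") == 1 and not s.startswith("\\"):
        return "netbios"
    raise ValueError(f"unrecognised identity form: {user!r}")


def bind_identity(user: str) -> str:
    """AD accepts a UPN or DOMAIN\\user in a simple bind; refuse a DN, which
    changes whenever the object is moved or renamed."""
    if classify_identity(user) == "dn":
        raise ValueError("bind with a UPN or DOMAIN\\user, not a DN")
    return user.strip()


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a caller-supplied name cannot alter the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_search_filter(user: str) -> str:
    """Find the account by the attribute that matches the identity form given."""
    kind = classify_identity(user)
    s = user.strip()
    if kind == "upn":
        attr, val = "userPrincipalName", s
    elif kind == "netbios":
        attr, val = "sAMAccountName", s.split("\\", 1)[1]   # part after DOMAIN\
    else:
        raise ValueError("search by UPN or sAMAccountName, not by DN")
    return f"(&(objectCategory=person)(objectClass=user)({attr}={escape_filter_value(val)}))"


def search_plan(user: str, forest_root: str, *, global_catalog: bool = True,
                domain: str | None = None, site: str | None = None) -> dict:
    """Where to look: a GC with the forest root as base sees users of every domain in a
    contiguous forest (use base '' on the GC for a non-contiguous one); a DC of one
    domain with that domain as base sees only its own users. The SRV names are the
    ones the Windows DC locator resolves, so no hostname is fixed in configuration."""
    if global_catalog:
        srv = f"_gc._tcp.{site}._sites.{forest_root}" if site else f"_gc._tcp.{forest_root}"
        port, base = GC_PORT, base_dn_from_dns(forest_root)
    else:
        dom = domain or forest_root
        srv = (f"_ldap._tcp.{site}._sites.dc._msdcs.{dom}" if site
               else f"_ldap._tcp.dc._msdcs.{dom}")
        port, base = LDAP_PORT, base_dn_from_dns(dom)
    return {"srv": srv, "port": port, "base": base, "scope": "sub",
            "bind": bind_identity(user), "filter": user_search_filter(user)}


def ldapsearch_cmd(plan: dict, host: str, ldaps: bool = True) -> list[str]:
    """OpenLDAP ldapsearch argv for the plan; 'host' is a DC or GC obtained by resolving
    plan['srv'] (e.g. dig SRV). Paging is requested with -E pr= rather than expecting
    the directory's limits to be raised for the app."""
    if ldaps:
        port = GC_SSL_PORT if plan["port"] == GC_PORT else LDAPS_PORT
    else:
        port = plan["port"]
    scheme = "ldaps" if ldaps else "ldap"
    return ["ldapsearch", "-x", "-H", f"{scheme}://{host}:{port}", "-D", plan["bind"],
            "-W", "-b", plan["base"], "-s", plan["scope"], "-E", "pr=500/noprompt",
            plan["filter"], "sAMAccountName", "userPrincipalName", "distinguishedName"]


if __name__ == "__main__":
    # constructed sample: forest root domain.com, child child.domain.com, user rlinan
    for ident in ("rlinan@child.domain.com", "CHILD\\rlinan"):
        plan = search_plan(ident, "domain.com")
        print(plan["srv"], plan["port"], plan["base"], plan["filter"])
        print(shlex.join(ldapsearch_cmd(plan, "gc01.domain.com")))
    print(search_plan("rlinan@child.domain.com", "domain.com",
                      global_catalog=False, domain="child.domain.com")["srv"])
```

Run it as is to see the two plans; to test against a real forest, resolve the printed SRV name, substitute the returned host for gc01.domain.com and run the printed ldapsearch line. The GC plan is the one that answers the original question: rooted at dc=domain,dc=com on port 3268 (3269 over TLS), a subtree search finds users of both domain.com and child.domain.com, whereas a plan rooted at the child with a plain DC only sees the child.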


On 9/22/06, Ramon Linan <[EMAIL PROTECTED]> wrote:
Hi,

I have an application that uses LDAP to authenticate (authenticates
against AD).

In my AD I have a domain and subdomain or child domain.

I assume that both domain and subdomain uses the same LDAP, right?

Also, if the application is using a user from the subdomain to query the
LDAP, what kind of access will that user have to have to authenticate
users at the main domain level.

Basically, the application is authenticating fine the users from the
subdomain but can't find the users from the main domain...


Thanks for any advice.


Rezuma


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx 
