On 29/01/2020 23:07, Dan Stromberg wrote:
> On Wed, Jan 29, 2020 at 1:46 PM Emmanuel Lécharny <[email protected]> wrote:
>
>> On 29/01/2020 21:38, Dan Stromberg wrote:
>>> Does ApacheDS play nicely with Active Directory?
>>
>> No. No LDAP server that I know of plays nicely with AD. AD was not
>> designed to play nicely with any other LDAP server, à la Microsoft.
>
> Nod.
>
>>> We are considering use of ApacheDS with Nifi and Grafana, but one of our
>>> bullet points is an LDAP server that works well with A-D.
>>>
>>> Does it?
>>
>> Well, see above. Please provide some more input for us to evaluate if
>> ApacheDS is an option for you.
>
> We are selecting an LDAP server for use with Grafana and Nifi, all to
> use as part of a product. The product has a web interface, and needs
> authentication and possibly authorization.
>
> We're aware that a lot of customer environments will have a
> pre-existing commitment to A-D, so it'd be good to be able to do the
> basics through that, while not totally ditching the LDAP server we
> choose to include.
>
> We're also aware that a lot of Nifi deployments skip the authorization
> part of LDAP, instead using Nifi's own idea of what authorization
> should look like. We still might need it for Grafana or our
> homebrewed portions.
So as soon as the requirement is to be able to authenticate a user on an
AD server through ApacheDS, that can be done. You need to activate the
DelegatingAuthenticator class to be able to do that. You won't be able
to do much more, like deferring requests to AD, or fetching info from
AD to pretend it is managed by ApacheDS. What you need in this case
would be either a virtual directory, or a mechanism that replicates AD
to ApacheDS. Not simple, and we don't do that anyway.
Sadly, Microsoft never intended AD to be a real LDAP server; it's much
more a NIS server. Typically, it's quite static (if you change anything
in the schema, it's forever), and this is the reason they created AD/AM,
which is way more convenient to work with. If you f*ck with AD, you are
good to reinstall your domain...
A virtual directory could do the trick though (maybe something like
https://www.tremolosecurity.com/myvirtualdirectory/; never tested it,
just asked Google about OSS VD and found that).
Hope it helps...
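The DelegatingAuthenticator setup Emmanuel refers to, as an added configuration example (it is not from the original mail and not the ApacheDS project's own config.ldif): an entry under the ou=config partition that makes ApacheDS verify bind passwords for users below one local base DN against an AD domain controller. The hostname ad.example.com, the ports and the example DNs are placeholders; the ads-* attribute names and the entry's DN are taken from the ApacheDS configuration schema as I recall it, so check them against the ads-delegatingAuthenticator object class in your own instance's conf/config.ldif before relying on them.

```ldif
# Added example, not ApacheDS project config. Placeholders: ad.example.com,
# dc=example,dc=com. Add this entry to the instance's conf/config.ldif with
# the server stopped (the file is read at startup), then restart ApacheDS.

dn: ads-authenticatorId=delegatingAuthenticator,ou=authenticators,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectClass: top
objectClass: ads-base
objectClass: ads-authenticator
objectClass: ads-delegatingAuthenticator
ads-authenticatorId: delegatingAuthenticator
ads-enabled: TRUE
# Only simple binds for DNs below this local base are delegated to AD.
# uid=admin,ou=system and every other partition keep using ApacheDS's own
# password store, so a compromised AD cannot log in as the ApacheDS admin.
ads-baseDn: ou=users,dc=example,dc=com
# Domain controller that receives the user's credentials on every bind.
ads-delegateHost: ad.example.com
ads-delegatePort: 636
# Weak setting would be: ads-delegatePort 389 + ads-delegateSsl FALSE +
# ads-delegateTls FALSE. That replays each user's cleartext password over
# the network to AD. Use LDAPS (636 + ads-delegateSsl TRUE) or StartTLS
# (389 + ads-delegateTls TRUE); the AD certificate chain must be trusted
# by the JVM running ApacheDS or the delegated bind will fail closed.
ads-delegateSsl: TRUE
ads-delegateTls: FALSE
# Container on the AD side that corresponds to ads-baseDn above.
ads-delegateBaseDn: cn=Users,dc=example,dc=com
```

To check it, bind to ApacheDS (default port 10389) as a user under the delegated base with that user's AD password, for example with ldapsearch -H ldap://localhost:10389 -D uid=jdoe,ou=users,dc=example,dc=com -W -b ou=users,dc=example,dc=com -s base dn, and confirm in the ApacheDS log that the bind was forwarded to ad.example.com. What the bind returns afterwards is exactly Emmanuel's caveat: searches are answered from ApacheDS's own partitions, nothing is fetched from or proxied to AD, so group membership or attributes that Grafana or Nifi look up after the bind must already exist in ApacheDS (or come from a virtual directory or replication mechanism in front of it).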