2 Replies Latest reply on Oct 9, 2008 11:47 PM by gsimone

    Identity Management : Active Directory

    viniciuscarvalho.viniciusccarvalho.gmail.com

      Has anyone tried the new IdentityManagement with AD? I've tried it with ApacheDS and it works really well (only a minor problem with the listRoles method), but it seems that AD and its weird tree does not work at all, starting with the way we look up a user (CN=admin,CN=Users,DC=example,DC=com does not work, but admin@example.com does), the way we look up roles, and the way we need to add a user to a role rather than the opposite.


      So we have decided to create a new class ADIdentityStore in order to get it working with Active Directory; the only issue so far is that we would need extra parameters in the XML descriptor.


      I just would like to know if someone has got it working with AD (maybe we just don't know how to set it up :P).


      Regards

        • 1. Re: Identity Management : Active Directory
          shane.bryzak

          I would have liked to have better support for AD but wasn't able to get access to a Windows server, so I couldn't test it. I understand that Microsoft has quite an unusual (non-standard?) directory structure, which is expected for them I guess. If you could be a bit more specific about exactly what doesn't work, I'll endeavour to make identity management more AD-friendly.

          • 2. Re: Identity Management : Active Directory
            gsimone

            I have recently been evaluating the Identity Management for use with Active Directory. Microsoft's Active Directory Application Mode (ADAM) has been helpful. It lets me run a mini Active Directory on my Windows XP development system, without requiring domain controllers etc.


            I was able to log in to Active Directory (ADAM) using the stock LdapIdentityStore class, but I had to cheat. The Active Directory user does not have a roles attribute, so I put the distinguished name of a single role in the comment attribute and changed the mapping in components.xml.


            Just a couple of notes in case anyone else decides to go down this path:

            • Importing the MS-User.LDF file works but requires some config changes in components.xml.
            • Use the ADAM ADSI Edit tool to create your test users and set their passwords.
            • Don't forget to configure ADAM such that the 'bind-DN' user is a member of the Administrator role. This involves adding the user to the members attribute of the Administrator role. If you do not do this, you will not be able to authenticate any users: the authentication will fail when doing the roles search.



            My components.xml fragment is similar to the following:


            <security:ldap-identity-store
                server-address="127.0.0.1"
                bind-DN="cn=Admin,cn=People,o=myapp.mydomain.com"
                bind-credentials="admin"
                user-DN-prefix="cn="
                user-DN-suffix=",cn=People,o=myapp.mydomain.com"
                role-DN-prefix="cn="
                role-DN-suffix=",cn=Roles,o=myapp.mydomain.com"
                user-context-DN="cn=People,o=myapp.mydomain.com"
                role-context-DN="cn=Roles,o=myapp.mydomain.com"
                user-role-attribute="comment"
                role-name-attribute="cn"
                user-name-attribute="cn"
                user-object-classes="person,uidObject"
                />
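
The three AD differences raised in this thread (a user DN that cannot be built from a cn= prefix/suffix, roles that are not stored on the user entry, and membership that is granted on the group rather than on the user) are shown below in a plain-JNDI sketch. This is an added example written for this page; it is not Seam's LdapIdentityStore and not the ADIdentityStore the original poster mentions. The provider URL, the service account, the user base DN and the group names are assumed placeholders, and roles are taken from AD's memberOf back-link instead of the comment-attribute workaround described above.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

/** Illustrative AD-style identity store on JNDI (not Seam's, not the poster's). */
public class AdIdentityStore {

    private final String providerUrl;     // assumed: "ldaps://dc1.example.com:636"
    private final String serviceAccount;  // assumed UPN: "svc-seam@example.com"
    private final String servicePassword;
    private final String userBase;        // assumed: "CN=Users,DC=example,DC=com"

    public AdIdentityStore(String providerUrl, String serviceAccount,
                           String servicePassword, String userBase) {
        this.providerUrl = providerUrl;
        this.serviceAccount = serviceAccount;
        this.servicePassword = servicePassword;
        this.userBase = userBase;
    }

    /** Simple bind. AD accepts a full DN or a UPN such as admin@example.com here. */
    private DirContext bind(String principal, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            // Name plus empty password is an "unauthenticated" bind: AD answers success
            // as anonymous, which would make every login look valid.
            throw new AuthenticationException("empty password refused");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "follow");  // AD returns referrals for parts of the tree
        return new InitialDirContext(env);
    }

    /** Returns the user's role names (group CNs), or null if login or password is wrong. */
    public List<String> authenticate(String login, String password) throws NamingException {
        String userDn;
        List<String> roles = new ArrayList<>();
        DirContext ctx = bind(serviceAccount, servicePassword);
        try {
            // In AD the CN is a display name, so "cn=" + login + ",CN=Users,..." is not
            // the DN; search on sAMAccountName. JNDI substitutes {0} with filter escaping,
            // so a login like "*)(objectClass=*" cannot widen the filter.
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            NamingEnumeration<SearchResult> hits = ctx.search(userBase,
                    "(&(objectClass=user)(sAMAccountName={0}))", new Object[] {login}, sc);
            if (!hits.hasMore()) {
                return null;
            }
            SearchResult hit = hits.next();
            userDn = hit.getNameInNamespace();
            // No per-user roles attribute: membership lives on the group (member) and
            // memberOf is the back-link AD maintains, so read role names from it.
            Attribute memberOf = hit.getAttributes().get("memberOf");
            if (memberOf != null) {
                for (NamingEnumeration<?> e = memberOf.getAll(); e.hasMore();) {
                    LdapName groupDn = new LdapName((String) e.next());
                    roles.add(groupDn.getRdn(groupDn.size() - 1).getValue().toString());
                }
            }
        } finally {
            ctx.close();
        }
        // Verify the password by binding as the user with the DN just found.
        try {
            bind(userDn, password).close();
        } catch (AuthenticationException e) {
            return null;
        }
        return roles;
    }

    /** Grants a role the AD way: add the user's DN to the group's member attribute. */
    public void addUserToRole(String userDn, String groupDn) throws NamingException {
        DirContext ctx = bind(serviceAccount, servicePassword);
        try {
            ctx.modifyAttributes(groupDn, new ModificationItem[] {
                new ModificationItem(DirContext.ADD_ATTRIBUTE,
                                     new BasicAttribute("member", userDn))
            });
        } finally {
            ctx.close();
        }
    }
}
```

Two practical caveats: the service account must be allowed to read memberOf on user entries, which is exactly what the Administrator-role note for ADAM above is about, and since a simple bind sends the password in clear, the provider URL should be ldaps:// (or the connection upgraded with StartTLS) rather than plain ldap://.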