I would have liked to have better support for AD but wasn't able to get access to a Windows server, so I couldn't test it. I understand that Microsoft has quite an unusual (non-standard?) directory structure, which is expected for them I guess. If you could be a bit more specific about exactly what doesn't work, I'll endeavour to make identity management more AD-friendly.
I have recently been evaluating the Identity Management for use with Active Directory. Microsoft's Active Directory Application Mode (ADAM) has been helpful. It lets me run a mini-active-directory on my Windows XP development system, without requiring domain controllers etc.
I was able to log in to Active Directory (ADAM) using the stock LdapIdentityStore class, but I had to cheat. The Active Directory user does not have a roles attribute, so I put the distinguished name of a single role in the comment attribute and changed the mapping in components.xml.
Just a couple of notes in case anyone else decides to go down this path:
- importing the MS-User.LDF file works but requires some config changes in components.xml
- Use the ADAM ADSI Edit tool to create your test users and set their passwords.
- don't forget to configure ADAM such that the 'bind-DN' user is a member of the Administrator role. This involves adding the user to the members attribute of the Administrator role. If you do not do this, you will not be able to authenticate any users - the authentication will fail when doing the roles search.
My components.xml fragment is similar to the following:
<security:ldap-identity-store
    server-address="127.0.0.1"
    bind-DN="cn=Admin,cn=People,o=myapp.mydomain.com"
    bind-credentials="admin"
    user-DN-prefix="cn="
    user-DN-suffix=",cn=People,o=myapp.mydomain.com"
    role-DN-prefix="cn="
    role-DN-suffix=",cn=Roles,o=myapp.mydomain.com"
    user-context-DN="cn=People,o=myapp.mydomain.com"
    role-context-DN="cn=Roles,o=myapp.mydomain.com"
    user-role-attribute="comment"
    role-name-attribute="cn"
    user-name-attribute="cn"
    user-object-classes="person,uidObject" />
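To make the "comment attribute" workaround and the Administrator-membership caveat from the post concrete, here is an added offline model of the lookup the fragment above configures (my own example, not Seam's LdapIdentityStore or ADAM code). It assumes the roles search runs as the bind-DN and that ADAM lets only members of the Administrator role read the Roles container; the directory entries and passwords are constructed.

```python
# Constructed offline model of the ldap-identity-store flow in this thread:
# bind as the user, then read the role DN kept in the user's "comment"
# attribute and resolve its cn. Not Seam's code; ADAM's permission check is
# simplified to "only members of the Administrator role may read cn=Roles".
BASE = "o=myapp.mydomain.com"
CFG = {  # values copied from the components.xml fragment in the post
    "bind_dn": f"cn=Admin,cn=People,{BASE}", "bind_credentials": "admin",
    "user_dn_prefix": "cn=", "user_dn_suffix": f",cn=People,{BASE}",
    "role_context_dn": f"cn=Roles,{BASE}",
    "user_role_attribute": "comment", "role_name_attribute": "cn",
}
ADMIN_ROLE = f"cn=Administrator,cn=Roles,{BASE}"


def make_directory(bind_dn_is_admin):
    """Constructed ADAM-like directory: DN -> attributes (lists of values)."""
    return {
        CFG["bind_dn"]: {"userPassword": ["admin"]},
        f"cn=alice,cn=People,{BASE}": {
            "userPassword": ["s3cret"],
            # the workaround from the post: role DN stored in the comment attribute
            "comment": [f"cn=member,cn=Roles,{BASE}"]},
        f"cn=member,cn=Roles,{BASE}": {"cn": ["member"], "member": []},
        ADMIN_ROLE: {"cn": ["Administrator"],
                     "member": [CFG["bind_dn"]] if bind_dn_is_admin else []},
    }


def bind(directory, dn, password):
    entry = directory.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def read_entry(directory, as_dn, target_dn):
    """Simplified ADAM ACL: the Roles container is readable only by Administrators."""
    if target_dn.endswith(CFG["role_context_dn"]) and \
            as_dn not in directory[ADMIN_ROLE]["member"]:
        raise PermissionError(f"{as_dn} may not read {target_dn}")
    return directory[target_dn]


def authenticate(directory, username, password):
    """Return the user's role names, or None when authentication fails."""
    user_dn = CFG["user_dn_prefix"] + username + CFG["user_dn_suffix"]
    if not bind(directory, user_dn, password):
        return None
    # assumption: the roles search is performed as the bind-DN, not as the user
    if not bind(directory, CFG["bind_dn"], CFG["bind_credentials"]):
        return None
    try:
        roles = []
        for role_dn in directory[user_dn].get(CFG["user_role_attribute"], []):
            role = read_entry(directory, CFG["bind_dn"], role_dn)
            roles.extend(role[CFG["role_name_attribute"]])
        return roles
    except PermissionError:
        return None  # the failure mode described in the post's third note
```

With the bind-DN left out of the Administrator role, `authenticate` returns None even for a correct password, which is the symptom the post warns about.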