1

I have the following situation: I have a web site that needs to authenticate users, some of these will be internal users that are stored in an active directory domain, but there will be other users (ie customers and contractors) that I do not want to store in AD, but still would like to have them maintained in a central LDAP database.

So, I thought it would be nice to authenticate the webserver against the local LDAP, and if a user was not found, have it transparently pass the query on to the AD LDAP server.

Is this possible? I've looked through LDAP documentation and I'm still not too sure about all the options available.

I'd be using OpenLDAP on linux.

gbjbaanb
  • 3,892
  • 1
  • 23
  • 27

2 Answers2

2

You could store them in an ADAM partition (now called AD LDS in 2008 speak). Then you can have all your users (internal and external) in one directory service. You would not need to manage openldap and you can use the same tools used to manage your existing users to manage your extenal ones without putting the external user in your current forest. You can find an ADAM overview here:Create Custom Directories with ADAM

Jim B
  • 24,081
  • 4
  • 36
  • 60
  • I was going to suggest this as well. You don't need a flat AD structure, you can mix it up and obtain the results you're looking for – Matt Simmons Jun 01 '09 at 03:36
  • Well, not ADAM specifically, but creating an OU for contractors and the like, and authenticating them against their LDAP OU, but however you do it, I would stick with active directory – Matt Simmons Jun 01 '09 at 03:38
  • nice answer, I'll check it out. But I don't admin the AD server, and its seen a a 'essential corporate service' so its not easily modified without many people's sign off :( As a result, I do not manage the corporate users at all, and corporate IT services do not have any remit over my customer logins. (I'm sure you've known the situation ;) – gbjbaanb Jun 01 '09 at 10:56
1

Yes, you can setup OpenLDAP to act as a caching proxy LDAP server, back-ended by AD.

See this for example (but just do a search for "can openldap proxy ldap requests to active directory" and you'll have plenty to look through".

khosrow
  • 4,163
  • 3
  • 27
  • 33