1

Imagine a Company, only five employees, where a standalone virtual/cloud Remote Desktop Server is enough to serve all of the company's needs. This RDS stores all Programs and Files of the customer. All user accounts are created on the RDS server itself.

Now we want to implement an SSO for VPN access. At other infrastructures, we can access AD using LDAP to use the same user database for each customer on the Firewall.

Is there any possibility to access the RDS local users using LDAP? I couldn't find any tools/services. AD LDS serves users from its own DB as far as I know.

768kb
  • 67
  • 2
  • 7

3 Answers

2

You can use the WINNT provider. Obviously many attributes in AD do not exist for local accounts, but it does work.

http://www.rlmueller.net/WinNT_LDAP.htm

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
  • This is useful for scripting, but how do I remotely query a server's WinNT provider using port 389 ? – 768kb Nov 12 '13 at 09:13
  • You would not use LDAP, because most member servers/workstations aren't functioning as an LDAP server. An alternative would be WMI. Try "SELECT * FROM Win32_UserAccount WHERE LocalAccount = true" – Greg Askew Nov 12 '13 at 15:29
  • As already mentioned in my question, my firewall needs to query users by LDAP, so scripting isn't an alternative. – 768kb Nov 15 '13 at 12:32
  • You can query by LDAP, but there will not be anything listening. Perhaps your question should take into account fundamental capabilities and limitations of the product. – Greg Askew Nov 15 '13 at 13:30
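As an added illustration of the two routes named in this answer and its comments (example code written for this page, not the answerer's or Microsoft's; `$ComputerName` is an assumed parameter), this enumerates the local accounts of an RDS host first through the WinNT ADSI provider and then through the WMI query quoted above, so an administrator can see which attributes are actually available to feed into an authentication bridge:

```powershell
# Added example, not from the original answer.
# Enumerate local (SAM) accounts on a Remote Desktop Server that is not a
# domain controller, so nothing is listening on LDAP port 389 there.
param([string]$ComputerName = $env:COMPUTERNAME)  # assumed parameter

# Route 1: the WinNT ADSI provider. Bind to the computer object and keep only
# children whose schema class is 'user'. Attribute names differ from AD
# (no sAMAccountName/uid; the flags live in the UserFlags bitmask).
$computer = [ADSI]"WinNT://$ComputerName,computer"
$winntUsers = $computer.Children |
    Where-Object { $_.SchemaClassName -eq 'user' } |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name.Value
            FullName  = $_.FullName.Value
            # 0x2 is ADS_UF_ACCOUNTDISABLE in the UserFlags bitmask
            Disabled  = [bool]($_.UserFlags.Value -band 0x2)
            # LastLogin throws for accounts that have never logged on
            LastLogin = $(try { $_.LastLogin.Value } catch { $null })
        }
    }

# Route 2: WMI/CIM, as suggested in the comments. This reaches a remote host
# over WinRM or DCOM, not LDAP, which is why an LDAP-only firewall cannot use it.
$wmiUsers = Get-CimInstance -ComputerName $ComputerName -Query `
    "SELECT Name, Disabled, Lockout, SID FROM Win32_UserAccount WHERE LocalAccount = TRUE"

Write-Host "WinNT provider view of local users on $ComputerName"
$winntUsers | Format-Table -AutoSize
Write-Host "WMI view of local users on $ComputerName"
$wmiUsers | Select-Object Name, Disabled, Lockout, SID | Format-Table -AutoSize
```

Run it on the RDS host (or with `-ComputerName` against it) under an account with local administrator rights; the second query needs WinRM or DCOM reachable on the target, which is a separate port from LDAP.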
0

The short answer is - it depends.

If you're simply looking to use an LDAP client to access an Active Directory server, then yes - this is possible. The query syntax for LDAP searches is supported by Active Directory (have a look at this technet article).

Similarly, many of the popular programming / scripting languages have LDAP modules or extensions. Since the LDAP query syntax is standardised, you should find that they too support interfacing with AD.

Instances where this may not hold are applications that have a predefined query for looking up information (e.g., application expects attribute "userid" whereas AD might expose "uid" instead).

A good starting place to explore whether this arrangement will work for your environment is to install OpenLDAP client tools and try connecting to AD and querying users. The article linked above has some useful primers on how to get started with that process.

EDIT

This article provides some further configuration and hands-on instructions for testing LDAP to AD connectivity. It is a little dated, and with some searching you might find a better tutorial.

plasmid87
  • 1,968
  • 15
  • 17
  • As I told, I'm searching LDAP for local user accounts not for AD. But thanks for the ideas. – 768kb Nov 12 '13 at 09:10
0

I usually configure a RADIUS service (bundled as Internet Authentication Server or IAS in Windows). I then configure the VPN server to be a RADIUS client of the IAS service.

RADIUS functions like a system-agnostic authentication bridge and is very easy to set up for simple use, even if it looks horrifyingly daunting at first glance (plenty of how-tos within Google range, though).

ErikE
  • 4,746
  • 1
  • 20
  • 27