I would think that you really just want to run a stand-alone LDAP directory for authentication, and use referrals from AD to the LDAP server.
Take a look at http://www.openldap.org

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: Michael Penland [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 14, 2002 12:50 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Providers vs Extensions ??
>
> Yes, some users are authenticated on the domain when they log on
> to their PC, but some users and groups in the database will not be
> a part of the domain users or Domain Groups. They may communicate
> through the web or dial in.
> These users will be authenticated to the W2k domain through
> a pre-created account with the appropriate DACL, as the anonymous user.
> Example: IWO_System_User.
>
> As well, some members in the database will have no direct association
> to the domain other than being listed in the database.
> They may have associated contacts or devices, or the combination of both.
>
> I want these to be listed as well. Maybe extending the Person > Contact
> object.
>
> Basically I want to replicate the entire user, group and device objects
> along with their specific properties and methods to ADSI so they are
> replicated and browseable across the domain.
>
> MGP
>
> ----- Original Message -----
> From: "Gil Kirkpatrick" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, October 14, 2002 12:15 PM
> Subject: RE: [ActiveDir] Providers vs Extensions ??
>
> > Hi Michael,
> >
> > If you could say more about your application requirements, any comments
> > you get would be more meaningful. But in any case...
> >
> > 1) Why do you want to bypass W2K authentication and use your own database
> > for authentication? I'm assuming your users have to authenticate into a
> > W2K domain anyway, so why force them into another set of credentials?
> >
> > 2) Generally speaking, if you want to store additional information
> > associated with AD objects such as users, groups, and computers, you
> > should simply extend the schema for those three classes, and store and
> > retrieve the additional data using ADSI/LDAP. It's quite simple and fits
> > well. It does not require modifying the provider, just the schema.
> >
> > 3) "I don't want the users to have to log on to a DC..." I'm confused by
> > this. Are you implying that your users are not authenticating into a W2K
> > domain already? If they are authenticating to the domain, they are
> > already "logged on to a DC". In any case, the default ACLs in W2K (not in
> > .Net Server though) are set to allow unauthenticated users to list things
> > like users and computers, so this should not be a problem.
> >
> > 4) Creating a new provider (I assume you mean ADSI provider?) is a large
> > task, and unless you have a really wacky database, I can't imagine why
> > you would bother. If your database is relational, there should be an ADO
> > or ODBC provider for it already. If not, writing an OLE DB provider for
> > it would be a much simpler solution. But then the question is why do you
> > need to use a wacky database?
> >
> > Hope this helps,
> >
> > -gil
> >
> > -----Original Message-----
> > From: Michael Penland [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, October 14, 2002 8:35 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Providers vs Extensions ??
> >
> > All,
> > I know there are some true experts out here?
> > My question is:
> > I am creating an application that is maintained by a database. The
> > database handles Authentication, storing the Users, Groups, and Device
> > specific information pertaining to those users or groups.
> > I don't want the users to have to log on to a DC for use of the
> > application, but I want to list the users and groups in the Active
> > Directory for browsing, status information and replication.
> > 1. (a.) Do I extend the LDAP provider's Person Object, as well as the
> > schema, to accommodate the added properties and functionality?
> > 1. (b.) Do I extend the LDAP provider, creating a New DN under the
> > rootDSE, and add as OU's the Users, Groups and Devices?
> > 2. Do I write a provider that extends the ADSI Directory to provide the
> > Objects and functionality of my application? If so, could I then also
> > extend the LDAP Provider to access my Provider, thus giving my
> > application access from the LDAP provider as well?
> >
> > All suggestions are appreciated.
> >
> > MPenland
> >
> > VIRUS FREE SMTP!
> > MarinaOne
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
