LDAP supports what are called referrals - basically a next hop resolver. If one LDAP server doesn't contain the data, it will push the request to the server(s) listed as referrals. Think of it as an alternate LDAP server to query.
------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: Michael Penland [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 14, 2002 2:14 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Providers vs Extensions ??
>
> Good article.
> Explain to me what you mean by referrals from AD to the LDAP server.
>
> MGP
>
> ----- Original Message -----
> From: "Roger Seielstad" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, October 14, 2002 1:44 PM
> Subject: RE: [ActiveDir] Providers vs Extensions ??
>
> > I would think that you really just want to run a stand-alone LDAP directory
> > for authentication, and use referrals from AD to the LDAP server.
> >
> > Take a look at http://www.openldap.org
> >
> > ------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Inovis - Formerly Harbinger and Extricity
> > Atlanta, GA
> >
> > > -----Original Message-----
> > > From: Michael Penland [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, October 14, 2002 12:50 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] Providers vs Extensions ??
> > >
> > > Yes some users are authenticated on the domain when they log on
> > > to their PC but some users and groups in the database will not be a part of
> > > the domain users or Domain Groups. They may communicate through the web or
> > > dial in.
> > > These users will be authenticated to the W2k domain through
> > > a pre-created account with the appropriate DACL.
> > > as the anonymous user.
> > > Example: IWO_System_User.
> > >
> > > As well some members in the data base will have no direct association to the
> > > domain
> > > other than being listed in the database.
> > > They may have associated contacts or devices, or the combination of both.
> > >
> > > I want these to be listed as well. Maybe extending the Person
> > > > Contact
> > > object.
> > >
> > > Basically I want to replicate the entire user, group and device objects along
> > > with their
> > > specific properties and methods to ADSI so they are replicated and browseable
> > > across the domain.
> > >
> > > MGP
> > >
> > > ----- Original Message -----
> > > From: "Gil Kirkpatrick" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Monday, October 14, 2002 12:15 PM
> > > Subject: RE: [ActiveDir] Providers vs Extensions ??
> > >
> > > > Hi Michael,
> > > >
> > > > If you could say more about your application requirements, any comments you
> > > > get would be more meaningful. But in any case...
> > > >
> > > > 1) Why do you want to bypass W2K authentication and use your own database
> > > > for authentication? I'm assuming your users have to authenticate into a W2K
> > > > domain anyway, so why force them into another set of credentials?
> > > >
> > > > 2) Generally speaking, if you want to store additional information
> > > > associated with AD objects such as users, groups, and computers, you should
> > > > simply extend the schema for those three classes, and store and retrieve the
> > > > additional data using ADSI/LDAP. It's quite simple and fits well. It does
> > > > not require modifying the provider, just the schema.
> > > >
> > > > 3) "I don't want the users to have to log on to a DC..." I'm confused by
> > > > this. Are you implying that your users are not authenticating into a W2K
> > > > domain already? If they are authenticating to the domain, they are already
> > > > "logged on to a DC". In any case, the default ACLs in W2K (not in .Net
> > > > Server though) are set to allow unauthenticated users to list things like
> > > > users and computers, so this should not be a problem.
> > > >
> > > > 4) Creating a new provider (I assume you mean ADSI provider?) is a large
> > > > task, and unless you have a really wacky database, I can't imagine why you
> > > > would bother. If your database is relational, there should be an ADO or ODBC
> > > > provider for it already. If not, writing an OLE DB provider for it would be
> > > > a much simpler solution. But then the question is why do you need to use a
> > > > wacky database?
> > > >
> > > > Hope this helps,
> > > >
> > > > -gil
> > > >
> > > > -----Original Message-----
> > > > From: Michael Penland [mailto:[EMAIL PROTECTED]]
> > > > Sent: Monday, October 14, 2002 8:35 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [ActiveDir] Providers vs Extensions ??
> > > >
> > > > All,
> > > > I know there are some true experts out here?
> > > > My question is:
> > > > I am creating an application that is maintained by a
> > > > data base. The database handles Authentication, storing the Users, Groups,
> > > > and Device specific information pertaining to those users or groups.
> > > > I don't want the users to have to log on to a DC for use of the
> > > > application, but I
> > > > want to list the users, and groups in the Active Directory for browsing,
> > > > status information and replication.
> > > > 1. (a.) Do I extend the LDAP provider's Person Object, as well as the schema
> > > > to accommodate the added properties and functionality.
> > > > 1. (b.) Do I extend the LDAP provider creating a New DN under the rootDSE and
> > > > add as OU's the Users, Groups and Devices.
> > > > 2. Do I write a provider that extends the ADSI Directory to provide the
> > > > Objects and functionality of my application. If so, could I then also extend
> > > > the LDAP Provider
> > > > to access my Provider. Thus giving my application access from the LDAP
> > > > provider as well.
> > > >
> > > > All suggestions are appreciated.
> > > >
> > > > MPenland
> > > >
> > > > VIRUS FREE SMTP!
> > > > MarinaOne

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
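
Added example, not part of the original thread: when a referral is handed back to the client as an LDAP URL, the client decides whether to follow it, and following it blindly can send a bind to a server the administrator never intended. The sketch below is one way to gate that decision; the function name `check_referral`, the `ALLOWED` table and the `example.org` hosts are assumptions made up for illustration.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed allow-list: (host, port) -> naming context that server may answer for.
ALLOWED = {
    ("ldap.example.org", 636): "dc=example,dc=org",
    ("ldap.example.org", 389): "dc=example,dc=org",
}


def _norm_dn(dn):
    # Simplified normalisation (lower-case, trim spaces around RDNs);
    # not a full RFC 4514 comparison.
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_referral(url, will_rebind, hops, max_hops=2, allowed=ALLOWED):
    """Return (follow, reason) for one referral URL handed back by a server."""
    if hops >= max_hops:
        return False, "hop limit reached"
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False, "not an LDAP URL"
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:
        return False, "bad port"
    host = parts.hostname
    if host is None:
        return False, "no host in referral"
    suffix = allowed.get((host, port))
    if suffix is None:
        return False, "server not on allow-list"
    # Never replay the user's credentials to the referred server in clear text.
    if will_rebind and scheme != "ldaps":
        return False, "refusing to send credentials without TLS"
    dn = _norm_dn(unquote(parts.path[1:]))
    suffix = _norm_dn(suffix)
    if dn != suffix and not dn.endswith("," + suffix):
        return False, "base DN outside allowed naming context"
    return True, "ok"
```

A client would call this once per referral URL before opening the next connection, passing the number of hops already taken.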
