That additional bit about multidirectory integration sounds suspiciously like the 'virtual directory' products on the market. I had always thought of this as a solution in search of a problem, but someone recently pointed out to me some interesting scenarios where it could be useful. For example, the backends don't always have to be LDAP - you could mix and match sources but make it look like it's all in a single directory. If you have some faster-changing data about your users in a SQL database, for example, you could have it returned as attributes of the user when an LDAP query is made to the virtual directory. In this case, the virtual directory (I hate the obvious acronym) would aggregate the data from your directory and your SQL store on the fly. There are some other interesting possibilities as well, including the scenario the original poster was looking for. Alas, not for free however.

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] proxy ldap and/or server

Not sure what the OP has in mind, but I was thinking about exposing a directory without exposing any additional surface area for possible exploitation without the overhead of syncing data. Eventually I could see the proxy even refusing certain types or sizes of operations. Say you don't allow any modify ops or searching with specific attributes or result returns of x size can be stopped, etc. It could also proxy the access rights even. You call it anonymously, it calls the real directory with creds and only returns things that the anonymous person should see but doesn't require you to open the real directory up for anonymous access in fear you do something wrong.

Another thing that would be interesting is multidirectory integration. I.E. You can use one proxy that can route to several different directories without need of referrals. So that the proxy knows where to look for something in certain ranges. That would start getting very complicated though.

Just thunking...

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, February 03, 2005 1:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] proxy ldap and/or server

Maybe I misunderstood the requirement then. If you're thinking something like ISA as a proxy for LDAP, then ADAM isn't the ticket. If you want something that can be a projected LDAP store, then ADAM would do it. I wouldn't guess that a proxy would be too terribly difficult to write, but I'd have to wonder what the benefit would be vs. projecting the data to a store where the data is needed. What did you have in mind?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] proxy ldap and/or server

Well AD/AM isn't an LDAP proxy but agree that this is probably the best way to solve this as I don't know of any LDAP Proxies for Windows, especially any free ones. I wonder how hard that would be to write? I think the auth piece would be the hard part.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, February 02, 2005 9:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] proxy ldap and/or server

AD/AM would be what you're looking for most likely. http:/www.microsoft.com/ad should have a link.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of stefano tufillaro
Sent: Wednesday, February 02, 2005 4:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] proxy ldap and/or server

Hello

I need to find and to test a product (free-ware if it is possible) that in Windows Environment (not LINUX or other O.S.) works like an LDAP proxy. Specifically I need from outside (tunnelling by VPN) to interrogate the LDAP repository in Active Directory WITHOUT opening the ports directly to Domain Controllers (389, 3268 etc.). I should think to use an LDAP Server or the like that is installed on a computer that 'works' as a replicator or agent proxy LDAP. On this computer I could open those ports.

Some suggestions?

Thanks

PS: I cannot install Exchange on that computer.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
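
The filtering proxy joe sketches in the thread (refuse modify operations, restrict which attributes may be searched on, cap result sizes, answer anonymous callers with only what they should see), as an added example that is not part of the original messages or of any product named in them. The operation dicts, attribute sets and the limit of 100 are constructed assumptions standing in for decoded LDAP requests, and the attribute restriction is written as an allow-list so that an attribute named by its numeric OID is refused too.

```python
# Added illustration: policy layer of a hypothetical read-only LDAP proxy.
# Operation dicts stand in for decoded LDAP requests; all names are assumed.
import re

READ_ONLY_OPS = {"bind", "search", "unbind"}            # no add/modify/delete
SEARCHABLE_ATTRS = {"cn", "mail", "objectclass", "samaccountname"}
ANON_VISIBLE_ATTRS = {"cn", "mail", "telephonenumber"}
MAX_RESULTS = 100

# Attribute description at the start of each filter item, e.g. "(cn=", "(cn:dn:="
_FILTER_ATTR = re.compile(r"\(\s*(\w[\w;.-]*)\s*(?:[~<>]?=|:)")

def filter_attributes(ldap_filter):
    """Attribute names used in an LDAP filter string, lowercased, options cut."""
    return {m.lower().split(";")[0] for m in _FILTER_ATTR.findall(ldap_filter)}

def check_request(op):
    """Return (allowed, reason) for one decoded client request."""
    if op["type"] not in READ_ONLY_OPS:
        return False, "operation type refused"
    if op["type"] == "search":
        attrs = filter_attributes(op.get("filter", ""))
        bad = attrs - SEARCHABLE_ATTRS
        if not attrs or bad:
            return False, "filter uses non-searchable attribute: " + ", ".join(sorted(bad))
        # A size limit of 0 means "no limit" in LDAP, so it is over the cap.
        limit = op.get("size_limit", 0)
        if limit == 0 or limit > MAX_RESULTS:
            return False, "size limit above proxy cap"
    return True, "ok"

def scrub_entry(entry, anonymous):
    """Drop attributes an anonymous caller must not see from a backend entry."""
    if not anonymous:
        return dict(entry)
    return {k: v for k, v in entry.items() if k.lower() in ANON_VISIBLE_ATTRS}
```

The proxy would call `check_request` before forwarding anything to the domain controller with its own credentials, and `scrub_entry` on each entry on the way back.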