It is hard to provide any additional information that would be useful without some specifics about the actual problems they are facing/what isn't working/what code they are trying. From a firewall perspective, at a bare minimum you need LDAP ports open to your DC, depending on whether you want LDAP or GC and SSL or not. You'll want DNS. You'll probably want Kerberos and RPC to support secure bind. I'd also recommend staying away from Win2K/IIS 5 as a web server if you can avoid it as IIS6 is way better, but that might not be an option.

I also answer a lot of dev-oriented questions on the ADSI microsoft newsgroup.

Once again, I bet everything your guys need to know is in my book too.  :)

Joe Kaplan
----- Original Message -----
From: HBooGz
To: ActiveDir@mail.activedir.org
Sent: Thursday, June 08, 2006 11:01 AM
Subject: Re: [ActiveDir] LDAP Directory Server Path


Thanks Joe and Al.

In all honesty, I'm far from a programmer and I wouldn't go so far as to say I'm an Active Directory expert like most on this list.

I'm going to pass your information to my developers who are working on a web app in .Net with the hopes of authenticating users against our AD. I've read some articles that indicate to create a username ( w/ domain admin rights ) and put that into the code to use for the authentication. Although I'm not a developer I just don't feel good about this approach.

Before, I mentioned DMZ. My environment is relatively small and the web applications are sitting on a Windows 2000 server in a single hop DMZ environment.

Any more information that could help me or the developers, who are at a stand-still, would be appreciated.

Thanks,

On 6/7/06, Joe Kaplan <[EMAIL PROTECTED]> wrote:
Just to elaborate a little on what Al said, when using an ADSI-based model
like S.DS, the adspath contains the provider, optional server info and a
distinguished name of an object to search.  When you don't specify a server
part in the path (a serverless bind), LDAP infers a domain from the current
security context and then uses the locator to find a DC in that domain.  You
have to be careful with serverless binds though, especially in web apps, as
the security context may be local machine instead of domain, so it may not
be possible to infer a domain.  In some cases, it may be necessary to supply
a domain name or even the DNS name of a specific DC.  Using your previous
example, you may need to specify the "harry.org" part of the path.  A lot of
it depends on the environment.

I also recommend using a tool like ldp.exe or adfind to help with LDAP
programming.  These tools are very useful for executing ad hoc LDAP ops and
modeling queries.

In general, you want to be careful with using ADSI or S.DS for
authentication in an app.  It doesn't scale well for this type of thing.  If
you must use LDAP-based auth (which is generally best avoided; use Windows
auth instead), using something like the ActiveDirectoryMembershipProvider or
calling System.DirectoryServices.Protocols directly will get you better
scalability (if that's important).

We actually did write a whole book about this stuff and it doesn't suck, so I
won't hesitate to recommend it for these types of questions.
www.directoryprogramming.net.

Joe K.
----- Original Message -----
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Wednesday, June 07, 2006 3:09 PM
Subject: Re: [ActiveDir] LDAP Directory Server Path


Totally different questions.
The ldap path is what is needed to connect to the directory via .net (there
are many examples in the language dialect your development staff are
planning to use; Joe Kaplan is a good person to search for as he does this
frequently and I believe has even taken the time to write a book about it).

Accessing it from a 'DMZ' <depending on what that means to you> is a
different animal altogether and has a lot more to do with architecture,
routing, physical connections, and name resolution.  Architecture is a huge
part of that equation. There's nowhere near enough information in your
posts, nor would I think it appropriate that you share that amount of
information with outsiders, to even begin to answer that question in a
usable manner.

To see/use that syntax, minus the protocol portion, have a look at tools
like LDP.EXE.  Also search the Microsoft site for things like .net examples
and ldap syntax and .net examples. You'll see what I mean.

Al


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

--
HBooGz:\>
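The two points the thread keeps returning to, the shape of an ADsPath (provider, optional server, distinguished name) and validating a user's credentials without a stored domain-admin account, as one added C# example. This is not code from the thread or from the book it mentions. "harry.org" is the domain from the earlier example in the thread; "dc01.harry.org", "jsmith" and the password are constructed placeholders, and the bind uses System.DirectoryServices.Protocols (S.DS.P), which Joe's message recommends over S.DS for authentication.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example, not code from the thread or the book it mentions.
// "harry.org" comes from the thread; "dc01.harry.org", "jsmith" and the
// password below are constructed placeholders.
static class AdAuthExample
{
    const int LdapInvalidCredentials = 49; // LDAP result code for a rejected bind

    // An ADsPath is provider + optional server + distinguished name.
    //   serverless:        LDAP://DC=harry,DC=org
    //   server-qualified:  LDAP://dc01.harry.org/DC=harry,DC=org
    // With no server part, LDAP infers the domain from the caller's security
    // context and uses the locator to pick a DC; from a web app running as a
    // local machine account that inference can fail, hence the server part.
    public static string BuildAdsPath(string distinguishedName, string server = null, bool useGc = false)
    {
        string provider = useGc ? "GC://" : "LDAP://";
        return string.IsNullOrEmpty(server)
            ? provider + distinguishedName
            : provider + server + "/" + distinguishedName;
    }

    // Validate credentials by binding as the user with S.DS.Protocols. The app
    // holds no stored domain-admin password; it holds the user's own credentials
    // only for the duration of the bind.
    public static bool ValidateUser(string dcHost, string domain, string userName, string password)
    {
        // Reject an empty password up front. For a simple bind an empty password
        // means an unauthenticated bind, which "succeeds" without checking the account.
        if (string.IsNullOrEmpty(password)) return false;

        var target = new LdapDirectoryIdentifier(dcHost, 389, fullyQualifiedDnsHostName: true, connectionless: false);
        using (var conn = new LdapConnection(target))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Negotiate;   // SSPI (Kerberos/NTLM): the password is not sent in clear
            conn.SessionOptions.Signing = true;   // integrity on the LDAP session
            conn.SessionOptions.Sealing = true;   // confidentiality on the LDAP session
            conn.Credential = new NetworkCredential(userName, password, domain);
            try
            {
                conn.Bind();
                return true;
            }
            catch (LdapException ex) when (ex.ErrorCode == LdapInvalidCredentials)
            {
                return false; // wrong user name or password
            }
            // Any other LdapException (DC unreachable, port blocked, name resolution
            // failure) propagates, so a DMZ firewall problem is not reported as a
            // bad password.
        }
    }

    static void Main()
    {
        Console.WriteLine(BuildAdsPath("DC=harry,DC=org"));
        Console.WriteLine(BuildAdsPath("DC=harry,DC=org", "dc01.harry.org"));
        Console.WriteLine(BuildAdsPath("DC=harry,DC=org", "dc01.harry.org", useGc: true));

        // Constructed placeholders; replace with real values to run against a DC.
        bool ok = ValidateUser("dc01.harry.org", "harry.org", "jsmith", "Placeholder-Password");
        Console.WriteLine(ok ? "credentials valid" : "credentials rejected");
    }
}
```

With AuthType.Negotiate the web server in the DMZ needs DNS and Kerberos reachable in addition to LDAP, which is the port list in Joe's first message; if only LDAP over SSL (636) can be opened, the alternative is AuthType.Basic with SessionOptions.SecureSocketLayer set, which is a simple bind protected by TLS. Distinguishing result code 49 from other LdapExceptions is what lets the developers tell "wrong password" apart from "can't reach the DC", which is the stand-still described in the thread.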
