"I agree that a vendor should have a minimum qualification to meet to be able 
to call it AD Integrated."
 
Aye, something like the wildly successful XP Logo program that ensures all the 
apps we use are written well and don't need administrative rights to run. 
</sarcasm>

________________________________

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Sat 9/23/2006 7:31 AM
To: [email protected]
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP


Sorry Sir!  

(I see you hit the other reasons quite well.  The DN is such a PITA to begin 
with if you're trying to use LDAP to authenticate and authorize a user).

That's often the biggest complaint I have when somebody tries to integrate with 
AD via LDAP. That and you end up having to dumb it down so the app will talk to 
AD.  

I agree that a vendor should have a minimum qualification to meet to be able to 
call it AD Integrated.  Otherwise, it's just ldap and they should call it that. 

I'll try to be quicker on the draw sir!  :)


On 9/22/06, joe <[EMAIL PROTECTED]> wrote: 

        LOL. You should have sent this before I started typing. ;o)
         
        Why wasn't it in your first answer, you always take that one right out
        in the first paragraph and when I read your response I was like hey who
        the heck are you?
        
         
        --
        O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
         
         

________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
        Sent: Friday, September 22, 2006 8:55 PM 
        
        To: [email protected]
        Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP
        

        
        I won't put words in his mouth either, but I'll certainly say the same
        thing.  I had to hold back a shudder when I responded earlier 'cause ldap
        and authentication might be ok in the same paragraph, but never in the
        same sentence (except to point out that it should not be in the same
        sentence :)
         
        Would it work if you used the parent domain in a contiguous namespace
        design? Depends on how they wrote the code.  If it won't follow referrals
        then likely it will fail.
         
        Try the GC (that is so lame a workaround, but it'll likely work) as Joe
        suggests and at the same time push back on the vendor to get it right or
        give you your money back else give you a more solid workaround (ADAM?)
         
        There. Nothing for joe to tell them about fixing their lame app. 
         
        -ajm
        
         
        On 9/22/06, Joe Kaplan <[EMAIL PROTECTED]> wrote: 

                You might have them try to work with the GC.  You should be able to
                authenticate and find users from any domain via the GC.
                
                I think Joe Richards might also suggest that the vendor learn what
                they are doing and either integrate with AD the right way or don't
                claim they can. I'll bet they need to talk to a specific domain
                controller too.  I won't put words in Joe's mouth though.  :)
                
                Joe
                
                ----- Original Message -----
                From: Ramon Linan
                To: [email protected]
                Sent: Friday, September 22, 2006 3:41 PM 
                Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP
                
                
                The application designer is telling me it can only be configured
                for one source of authentication, so if the use the domain level
                authentication will that allow to authenticate users in the
                subdomain?
                
                I.e.
                domain.com
                child.domain.com
                
                If I point the application to use domain.com as authentication
                source will that also authenticate users from the child domain?
                
                Thanks
                
                
                
                
                From: [EMAIL PROTECTED]
                [mailto: [EMAIL PROTECTED] On Behalf Of Al Mulnick
                Sent: Friday, September 22, 2006 4:19 PM
                To: [email protected]
                Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP 
                
                
                sub-domain query base: dc=subdomain,dc=domain,dc=com
                domain query base: dc=domain,dc=com
                
                When the search is initiated, it will start looking at the query
                base and, if so configured, everything below it (subtree search).
                
                In your case, that won't likely happen depending on how you
                configured it. If you instead change your query base to
                dc=domain,dc=com (assuming you have a contiguous namespace) then
                you may get different results.
                
                Testing.  You can use ldp, adfind, or any other ldap client if your
                app doesn't have that functionality built in.
                
                Since you're security conscious, be mindful of the cert and the
                ports you're using during your testing :)
                
                Permissions?  That depends on your configuration and your versions.
                Windows 2000 is pretty much open for searches while 2003 requires
                authenticated users by default.
                
                Al
                
                
                On 9/22/06, Ramon Linan < [EMAIL PROTECTED]> wrote:
                Hi,
                
                I have an application that uses LDAP to authenticate (authenticates
                against AD).
                
                In my AD I have a domain and subdomain or child domain.
                
                I assume that both domain and subdomain use the same LDAP, right?
                
                Also, if the application is using a user from the subdomain to
                query the LDAP, what kind of access will that user have to have to
                authenticate users at the main domain level.
                
                Basically, the application is authenticating fine the users from
                the subdomain but can't find the users from the main domain...
                
                
                Thanks for any advice.
                
                
                Rezuma 
                
                
                List info   : http://www.activedir.org/List.aspx
                List FAQ    : http://www.activedir.org/ListFAQ.aspx
                List archive: http://www.activedir.org/ml/threads.aspx
                
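Added example, not part of the original thread: a simplified Python model of the behaviour discussed above, showing which users a subtree search returns depending on the query base, the server contacted (domain controller on 389 versus global catalog on 3268) and whether the client follows referrals. The server names and user entries are constructed, and the model covers only the two domain naming contexts from the thread.

```python
# Simplified model: a DC answers only for its own domain naming context (NC);
# the global catalog (GC) holds a partial replica of every domain in the forest.
PARENT = "dc=domain,dc=com"
CHILD = "dc=child,dc=domain,dc=com"
ALL_NCS = {PARENT, CHILD}
USERS = [  # constructed sample entries
    "cn=alice,cn=Users,dc=domain,dc=com",
    "cn=bob,cn=Users,dc=child,dc=domain,dc=com",
]
SERVERS = {  # hypothetical host:port -> domain NCs the server can answer for
    "parent-dc:389": {PARENT},
    "child-dc:389": {CHILD},
    "gc:3268": {PARENT, CHILD},
}

def rdns(dn):
    return [p.strip().lower() for p in dn.split(",")]

def under(dn, base):
    """True if dn equals base or lies below it (suffix match on RDNs)."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def owner(dn):
    """Most specific naming context that contains dn."""
    return CHILD if under(dn, CHILD) else PARENT

def search(server, base, chase_referrals=False):
    """Subtree search; returns (entries found, referrals left unfollowed)."""
    held = SERVERS[server]
    if chase_referrals:  # client follows each referral to a DC holding that NC
        return sorted(u for u in USERS if under(u, base)), []
    if owner(base) not in held:  # base object lives elsewhere: referral, no entries
        return [], [owner(base)]
    hits = sorted(u for u in USERS if under(u, base) and owner(u) in held)
    # Child NCs below the base that this server lacks come back as references.
    refs = sorted(nc for nc in ALL_NCS - held if under(nc, base))
    return hits, refs

if __name__ == "__main__":
    for srv, base, chase in [("child-dc:389", CHILD, False),
                             ("child-dc:389", PARENT, False),
                             ("parent-dc:389", PARENT, False),
                             ("parent-dc:389", PARENT, True),
                             ("gc:3268", PARENT, False)]:
        print(srv, base, "chase" if chase else "no-chase", search(srv, base, chase))
```

The first case reproduces the symptom in the original question; the last shows why the GC workaround finds users from both domains without referral support in the application.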