|
Al,
It was a 2 year integration until separation, which wasn't exactly short
term. 
During that time, there were still shared projects between the old
and the new organizations, with shared data that needed to be accessed by
both. it is easy for the apps that could be cut over, but that 2 year
integration did not allow that for all apps.
To be honest, looking back, this was a very simple project to implement
from a technical standpoint using MIIS and ADAM. If I get a chance, I'll
try and write up the public details, and maybe it would be clearer to understand
how/why this was done.
Thanks,
Jef
----- Original Message -----
Sent: Friday, September 29, 2006 9:47
AM
Subject: Re: [ActiveDir] ADAM bind
Redirection with a NULL password
Curious about your scenario here Jef.
Corportate
Spinoff:
We needed to split off a portion of our users into a new
company, and an
entirely new forest. To solve the issue of apps only
binding to a single
NC, we used MIIS to populate an ADAM instance that
contained active users
from both forests during the TSA.
That
seems like a lot of short term work that should be avoided. Since
they're spinning off, aren't they, presumably delaying the inevitable
separation and not deploying their own version of the app else looking for a
different one? That would be time better spent from what I've
seen. Just curious though.
Al
On 9/29/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Tony,
I
have to wonder what is classified as a "special circumstances", since
I
suppose they are all sort of special.
I have used Bind
Redirection with MIIS/IIFP for quite a few scenarios:
Corportate
Spinoff:
We needed to split off a portion of our users into a new
company, and an
entirely new forest. To solve the issue of
apps only binding to a single
NC, we used MIIS to populate an ADAM
instance that contained active users
from both forests during the
TSA.
Corporate Acquisitions:
Similar situation, where we needed to
combine users into a single NC.
Having more than 1 user domain, and
an app that can ONLY bind to a single
Domain/NC.
Custom Schema
extensions for an application that is not an enterprise
class
application. You may not want to extend AD for a small subset of
users.
Extend the ADAM schema for the application, but proxy the user
authentication back to the main AD.
It also helps with audit and
compliance, where you are really only managing
a single user principle,
but proxying apps to it.
Unfortunately, LDAP seems to be the
defacto standard for applications. With
that, simple bind
seems to be the way of choice. I would say, many are
Java
apps where I think someone wrote a "howto" many years ago, and I
keep
seeing the same thing come in as "Authentication".
Some big
name apps from Lotus/IBM, Documentum all have/had issues with
only
pointing to a single NC, so I don't want to say it's only
smaller
developers. Many of the companies I've worked at, have
had more than a
single domain, so I am surprised that so many
"enterprise" apps assume a
single NC for authentication.
I can't
solve the problems at the app level, but I try to solve it at
the
centralized directory level.
Thanks,
Jef
----- Original Message -----
From:
"Tony Murray" <[EMAIL PROTECTED]>
To: <
[email protected]>
Sent: Thursday, September 28, 2006
9:27 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL
password
> My impression from reading the on-line documentation is
that the use of
> ADAM Proxy Objects and bind redirection is frowned
upon anyway.
>
> "Proxy users are designed for special
circumstances and should only be
> used as a last resort, when Windows
principals cannot be used directly."
>
> and
>
>
"ADAM bind redirection should be used only in special cases where an
>
application can perform a simple LDAP bind to ADAM but the
application
> still needs to associate the user with a security
principal in Active
> Directory."
>
> From
> http://technet2.microsoftcom/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true
>
> Is there no way for the application to use the
recommended alternative,
> i.e. where ADAM receives a SASL bind
request and forwards the request to
> Active
Directory?
>
> Tony
>
> ---------- Original Message
----------------------------------
> From: "Jef Kazimer" <[EMAIL PROTECTED]>
> Reply-To: [email protected]
>
Date: Thu, 28 Sep 2006 21:17:39 -0500
>
>
Eric,
>
> The problem stems from lack of ability to modify the
application to
> correct
> the behavior. If I had the
ability to force this, I would simply require
> null/blank not to be
passed to the ADAM server from the application.
>
> I've been at
odds about the DCR myself, for all the reasons you mentioned.
> Yet,
without the ability to control the applications, the only thing I can
> control is the directory itself. Without a mechanism to
disable such
> behavior, I am without recourse
unfortunately.
>
> So far, I've been able to avoid this problem,
because the 2 apps I had
> this
> happen with, the developer was
able to modify the authentication dialog.
> I
> have had other
apps with other issuers, where modification was not
>
possible.
> These did not suffer this poor design issue, but I wonder
if I will get
> such
> an app eventually. I suppose
I am just trying to solve a problem, I have
> not been forced to solve
by this method, which means it cane wait.
>
> I could go into
how it would be nice to have enterprise application
> minimum
>
standards, and application owners involve infrastructure staff BEFORE
an
> app
> is purchased, instead of after when it doesn't work,
but I won't :)
>
> Jef
>
>
> ----- Original
Message -----
> From: "Eric Fleischman" <[EMAIL PROTECTED]>
>
To: <
[email protected]>
> Sent: Thursday, September 28,
2006 8:48 PM
> Subject: RE: [ActiveDir] ADAM bind Redirection with a
NULL password
>
> One solution would be to ACL all objects such
that SELF can read them,
> then have the app, after it has
authenticated as the user, try and read
> something on the user
itself. This way you know you are in fact that
> user (or someone else
that has read access, which presumably won't work
> as
anonymous).
>
> In terms of your DCR...could such a bit be put
in? I guess. But DCRs
> that are filed with the intentional intent of
going again an RFC
> typically have a rough time getting through even
with a very strong
> business impact. And you have a workaround
already in the app, and
> another solution I mentioned above. Just
setting expectations...
>
>
~Eric
>
>
>
> -----Original Message-----
>
From: [EMAIL PROTECTED]
>
[mailto:[EMAIL PROTECTED]]
On Behalf Of Jef Kazimer
> Sent: Thursday, September 28, 2006 5:53
PM
> To: [email protected]
>
Subject: [ActiveDir] ADAM bind Redirection with a NULL password
>
> Since there has been talk of LDAP "Authentication" as of late, I
figured
> I'd
> post my issue of poorly developed applications
allowing a null password
> to
> an ADAM instance using Bind
Redirection.
>
> http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry
>
>
I'd be curious if a bit flip to shut down this possibility could be put
> in
> control of the directory Admin, instead of relying on
the developers.
>
> Thanks,
>
> Jef
Kazimer
>
> List info : http://www.activedir.org/Listaspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
>
List archive: http://www.activedir.org/ml/threads.aspx
> List info : http://www.activedir.org/Listaspx
>
List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
>
>
List info : http://www.activedir.org/Listaspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
>
List archive: http://www.activedir.org/ml/threads.aspx
>
>
>
>
>
>
>
________________________________________________________________
>
Sent via the WebMail system at mail.activedir.org
>
>
>
>
> List info : http://www.activedir.org/Listaspx
>
List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
>
List
info : http://www.activedir.org/Listaspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List
archive: http://www.activedir.org/ml/threads.aspx
|
