ClydeBurns (Posts: 11) | 04/04/2008 9:10 PM

Is it possible to change the default behavior of an application partition in ADAM to allow for 2 userProxy objects to point to the same objectSID in Active Directory? Or, barring that, set up something in ADAM so that one simple bind can be used against two application partitions in the same ADAM instance?
I have been asked to help move an application from authenticating against a 3rd-party LDAP to AD. The current usage of the application is that each user has two accounts. They have some interesting requirements, and I have been challenged to meet them. Essentially, having two user accounts share "a password" while only being able to bind to a single LDAP server.
Any tips or redirects in the right direction are greatly appreciated.
Thanks, Clyde Burns
----------------------------------------- This message is confidential, intended only for the named
recipient(s) and may contain information that is privileged or
exempt from disclosure under applicable law. Any patient health
information must be delivered immediately to intended recipient(s).
If you are not the intended recipient(s), you are notified that the
dissemination, distribution or copying of this message is strictly
prohibited. If you receive this message in error, or are not the
named recipient(s), please notify the sender at either the e-mail
address or telephone number above and discard this e-mail. Thank
you.
dmitrig (Posts: 59) | 04/04/2008 10:10 PM

You can easily get this if you have two app NCs. Within a single app NC, we don't allow duplicate objectSids.
Your "one simple bind used against two app partitions" does not make sense to me. You can issue simple binds to either of the partitions, as long as you supply the full DN. Well, you can supply the UPN as well (which can be an arbitrary string), but you need to ensure that the UPNs are unique across the two partitions.
If you *must* put the two proxies into the same app NC, then one idea is to use sidHistory in AD. If you manage to stamp an additional sid on each AD user, then you can point your two proxies at that sid and objectSid.
But what a weird scenario...
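An added example (not code from this thread) that checks an export of userProxy entries for the two conditions Dmitri describes: the same objectSid appearing twice inside one application NC, which ADAM refuses, and a userPrincipalName reused anywhere in the instance, which makes a simple bind by UPN ambiguous. The SID encoding helpers and the sample entries are constructed here; in practice the entries would come from an LDAP search of each app NC.

```python
import struct
from collections import defaultdict

def sid_to_string(raw):
    """Decode binary objectSid: revision, sub-authority count, 48-bit BE authority, 32-bit LE sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-" % (revision, authority) + "-".join(str(s) for s in subs)

def string_to_sid(sid):
    """Encode an S-1-5-... string into the binary form stored in objectSid."""
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def audit_proxies(partitions):
    """partitions: {app NC DN: [userProxy entries]}. Reports objectSids repeated inside one NC
    (which ADAM rejects), UPNs used more than once in the instance (ambiguous for a UPN bind),
    and SIDs proxied from more than one NC (the supported way to get two proxies per AD user)."""
    dup_sid, sid_ncs, upn_dns = [], defaultdict(set), defaultdict(list)
    for nc, entries in partitions.items():
        first_dn = {}                      # objectSid -> first proxy DN seen in this NC
        for e in entries:
            sid = sid_to_string(e["objectSid"])
            if sid in first_dn:
                dup_sid.append((nc, sid, first_dn[sid], e["dn"]))
            first_dn.setdefault(sid, e["dn"])
            sid_ncs[sid].add(nc)
            if e.get("userPrincipalName"):
                upn_dns[e["userPrincipalName"].lower()].append(e["dn"])
    return {
        "duplicate_sid_in_nc": dup_sid,
        "duplicate_upn": sorted((u, d) for u, d in upn_dns.items() if len(d) > 1),
        "sid_in_multiple_ncs": sorted(s for s, n in sid_ncs.items() if len(n) > 1),
    }

# Constructed sample (not real data): one AD user proxied from two app NCs, a second proxy
# in app1 that reuses its SID, and a UPN that is reused across the two NCs.
AD_USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = {
    "DC=app1,DC=local": [
        {"dn": "CN=clyde,DC=app1,DC=local", "objectSid": string_to_sid(AD_USER_SID), "userPrincipalName": "clyde@app1"},
        {"dn": "CN=clyde2,DC=app1,DC=local", "objectSid": string_to_sid(AD_USER_SID), "userPrincipalName": "clyde2@app1"},
    ],
    "DC=app2,DC=local": [
        {"dn": "CN=clyde,DC=app2,DC=local", "objectSid": string_to_sid(AD_USER_SID), "userPrincipalName": "clyde@app1"},
    ],
}
```

Running `audit_proxies(SAMPLE)` flags the second app1 proxy as a duplicate SID, reports `clyde@app1` as a UPN that two proxies share, and lists the AD user's SID as proxied from both NCs.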
joe (Posts: 84) | 04/04/2008 10:35 PM

Would it work to just have two different logon names for the same object in ADAM, or do you really need two separate objects in ADAM?
I ask because you could use the displayName attribute for one user name and the userPrincipalName for the other and thus make the same bind proxy object in ADAM look like two different account names with the same password.
Joe K.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
ClydeBurns (Posts: 11) | 04/06/2008 3:47 AM

Unfortunately for me, their Active Directory-aware app can only use one bind for the entire application, hence trying to use one bind against two partitions. I was casting about for any solution. Thank you for the tip on sidHistory. I will have to run through that in the lab.
Clyde Burns