Recently, I was working with a client that has a business application outsourced to an Application Service Provider (ASP). Because the application is outsourced and uses an authentication database entirely separate from the client's internal Active Directory (AD) forest, they had been experiencing a steady stream of account lockouts caused by passwords drifting out of sync between AD and the external application. In addition, the external application depended on user data that was stored in Active Directory. Replicating that data to the external application involved several manual steps, which frequently left the two systems with inconsistent data.
To solve these issues, the client wanted the external application to use AD both for authentication and as the direct source for some of the data it displays. At first, the ASP suggested having the external application talk directly to the client's AD forest. However, there are a few reasons why giving an outside entity access to your AD environment isn't such a good idea. First, the application would require read access to your directory, which means the vendor would be able to see far more company data than its application needs unless you reworked the default AD permission structure (by default, Authenticated Users can read most attributes of most user objects). Second, such a solution would require a direct network connection between the vendor's systems and your AD domain controllers.
That means you then have to trust that the vendor's systems and security practices are sound. Naturally, this is not a solution that would fly with most IT security departments. Instead, the solution came in three parts: an AD LDS instance that redirects binds to AD, an AD LDS schema extension to hold the data the application needs, and a script that replicates that data from AD into AD LDS. The first item is really easy to implement. You just need to install an AD LDS instance on a host that is a domain member. The only catch is that you need a Server Authentication certificate in place on that host so that bind redirection will work: by default AD LDS refuses to redirect a proxied simple bind unless the connection is protected by SSL, because the user's AD password would otherwise cross the wire in the clear.
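Bind redirection only fires for userProxy objects whose objectSid matches the SID of an AD account, so the AD LDS instance is useless until it has been populated. The following is an added example of the kind of CSV-driven directory replication script described later in this post; it is my illustration, not the author's script. It reads a mapping of source to target attributes, creates a userProxy for every enabled AD user that does not yet have one, and copies the mapped attributes. The forest DN, the AD LDS host and partition, the OU, and the mapping columns are all assumptions.

```powershell
# Added example, not the author's script. Hypothetical names: AD forest
# DC=corp,DC=example,DC=com; AD LDS instance ldshost:50000, partition DC=App,DC=local.
# Run under an account with read on AD and write on the AD LDS OU. Every target
# attribute must be allowed on userProxy (or on an auxiliary class you attached to it).
param(
    [string]$SourceRoot = 'LDAP://DC=corp,DC=example,DC=com',
    [string]$TargetRoot = 'LDAP://ldshost:50000/OU=Users,DC=App,DC=local',
    [string]$MappingCsv = '.\mappings.csv'
)
Add-Type -AssemblyName System.DirectoryServices

# Mapping columns: SourceAttribute,TargetAttribute. The inline rows are constructed
# sample data, used only when no mapping file exists.
$mapping = if (Test-Path $MappingCsv) { Import-Csv $MappingCsv } else {
    "SourceAttribute,TargetAttribute`ndisplayName,displayName`ndescription,description" | ConvertFrom-Csv
}

function Get-LdapEscaped([string]$Value) {
    # RFC 4515 escaping for filter values (backslash must be replaced first).
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Enabled user accounts only (bit 2 of userAccountControl = ACCOUNTDISABLE).
$source = New-Object System.DirectoryServices.DirectorySearcher(
    (New-Object System.DirectoryServices.DirectoryEntry($SourceRoot)),
    '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))')
$source.PageSize = 500    # paged results, so more than 1000 users do not silently truncate
$source.PropertiesToLoad.AddRange([string[]](@('objectSid', 'sAMAccountName') + @($mapping | ForEach-Object { $_.SourceAttribute })))

$target = New-Object System.DirectoryServices.DirectoryEntry($TargetRoot)

function Find-Proxy([string]$Cn) {
    $s = New-Object System.DirectoryServices.DirectorySearcher(
        $target, "(&(objectClass=userProxy)(cn=$(Get-LdapEscaped $Cn)))")
    $s.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $r = $s.FindOne()
    if ($r) { $r.GetDirectoryEntry() }
}

$created = 0; $updated = 0
foreach ($r in $source.FindAll()) {
    $sam = [string]$r.Properties['samaccountname'][0]
    $sid = [byte[]]$r.Properties['objectsid'][0]
    $proxy = Find-Proxy $sam
    if (-not $proxy) {
        # sAMAccountName cannot contain DN-special characters, so CN=<sam> is safe.
        # objectSid has to be supplied when the proxy is created; it is the key AD LDS
        # uses to redirect the proxy's SSL-protected simple bind to the AD account.
        $proxy = $target.Children.Add("CN=$sam", 'userProxy')
        $proxy.Properties['objectSid'].Value = $sid
        $proxy.CommitChanges()
        $created++
    }
    foreach ($m in $mapping) {
        $vals = $r.Properties[$m.SourceAttribute.ToLowerInvariant()]
        if ($vals.Count -gt 0) {
            $proxy.Properties[$m.TargetAttribute].Value = $vals[0]   # single-valued copy
        } else {
            $proxy.Properties[$m.TargetAttribute].Clear()            # mirror removals too
        }
    }
    $proxy.CommitChanges()
    $updated++
}
"Proxies created: $created, updated: $updated"
```

Two things are worth noticing. Nothing password-related ever leaves AD: the proxy holds only the SID, and the password is checked by AD at bind time. And the vendor only ever sees the attributes named in the mapping file, which is exactly the data minimisation you could not get by handing them read access to the forest.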
The final item, while it may be the most time consuming, is also easy to implement, because it depends on nothing more than your ability to write a directory replication script. The resulting script for this client was a PowerShell script that used a CSV-based mappings file to copy data from AD to AD LDS. If I'm feeling ambitious, I will post some code samples. It turned out that the second item was the most challenging to implement. Not impossible, but it took a little research to understand how to extend the AD LDS schema. I make this observation for two reasons.
One, I don't usually do directory schema extensions, as Microsoft tends to provide these. Two, in my opinion, there are no clear-cut examples or explanations of how to extend the AD or AD LDS schema. Maybe this is why so many companies get into so much trouble when trying to add attributes to AD. There is no documentation that really states why you shouldn't be doing this (in my opinion AD LDS should be used instead: a schema change in AD DS is forest-wide and can only be deactivated, never removed, while an AD LDS instance can simply be rebuilt) or how to extend the schema correctly if you really want to do so. And so, this brings us to why I'm writing this blog entry in the first place. My whole intent is to share a few concepts that may prove useful if you are looking to write your own ADAM (AD LDS) schema extension.
First, when adding a new attribute or object class you need a unique identifier for the item being added. In other words, you need an OID. OIDs (object identifiers) are hierarchical, globally unique dotted-decimal numbers; an attribute carries its OID in attributeID and a class in governsID. Allocate them from an arc your organization actually owns (for example one generated by Microsoft's oidgen.vbs script, or under your organization's IANA Private Enterprise Number) rather than inventing numbers, because a collision with another vendor's extension cannot be fixed after the fact. Second, each item you are adding must also have its own unique GUID, stored in schemaIDGUID. Meeting this requirement sounds easy at first, as you can use any number of tools to generate a GUID (guidgen.com or UUIDGEN.EXE). But when writing the LDIF file that will be used to extend your schema, the GUID has to be Base64 encoded, and what gets encoded is the 16 raw bytes of the GUID in the byte order Windows uses for GUID structures (which is why the value follows a double colon, `schemaIDGUID::`), not the Base64 of its text representation.
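To make the two requirements concrete, here is an added example (my code, not the author's) that generates an LDIF file adding one attribute and one auxiliary class to an AD LDS schema. It includes a known-answer check that the GUID really is encoded from its raw bytes and not from its text form. The OID arc and the names app-EmployeeTier and app-Person are placeholders; replace the arc with one you own.

```powershell
# Added example, not the author's code: build an LDIF file that adds one attribute and
# one auxiliary class to an AD LDS schema. Names and the OID arc are hypothetical.

function ConvertTo-LdifGuid {
    param([guid]$Guid = [guid]::NewGuid())
    # schemaIDGUID holds the GUID's 16 raw bytes; "schemaIDGUID::" (double colon) tells
    # ldifde the value is Base64 of those bytes. Guid.ToByteArray() emits the Windows
    # layout (first three fields little-endian), which is what AD stores. Encoding the
    # text form "xxxxxxxx-xxxx-..." instead is the usual mistake.
    [Convert]::ToBase64String($Guid.ToByteArray())
}

# Known-answer check of the byte order: 00112233-4455-6677-8899-aabbccddeeff is stored
# as 33 22 11 00 55 44 77 66 88 99 AA BB CC DD EE FF.
$kat = ConvertTo-LdifGuid ([guid]'00112233-4455-6677-8899-aabbccddeeff')
if ($kat -ne 'MyIRAFVEd2aImaq7zN3u/w==') { throw "GUID byte order is wrong: $kat" }

# Placeholder arc. Microsoft's oidgen.vbs yields one under 1.2.840.113556.1.8000.2554;
# an IANA Private Enterprise Number (1.3.6.1.4.1.<PEN>) works as well.
$OidArc = '1.2.840.113556.1.8000.2554.99999.1'

function New-AttributeLdif {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Oid,
        [string]$AttributeSyntax = '2.5.5.12',   # Unicode string
        [int]$OmSyntax = 64,                    # the oMSyntax that pairs with 2.5.5.12
        [bool]$SingleValued = $true,
        [int]$SearchFlags = 0,                  # 1 = indexed
        [guid]$SchemaIdGuid = [guid]::NewGuid()
    )
    $sv = if ($SingleValued) { 'TRUE' } else { 'FALSE' }
    # DC=X is a token that "ldifde -c" rewrites to the instance's real schema NC.
    @"
dn: CN=$Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: $Oid
lDAPDisplayName: $Name
adminDisplayName: $Name
attributeSyntax: $AttributeSyntax
oMSyntax: $OmSyntax
isSingleValued: $sv
searchFlags: $SearchFlags
schemaIDGUID:: $(ConvertTo-LdifGuid $SchemaIdGuid)
"@
}

function New-AuxClassLdif {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Oid,
        [Parameter(Mandatory)][string[]]$MayContain,
        [guid]$SchemaIdGuid = [guid]::NewGuid()
    )
    $may = ($MayContain | ForEach-Object { "mayContain: $_" }) -join "`n"
    # objectClassCategory 3 = auxiliary, so it can be attached to existing classes.
    @"
dn: CN=$Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
governsID: $Oid
lDAPDisplayName: $Name
adminDisplayName: $Name
objectClassCategory: 3
subClassOf: top
$may
schemaIDGUID:: $(ConvertTo-LdifGuid $SchemaIdGuid)
"@
}

# Reloads the schema cache so the class can reference the attribute defined before it.
$SchemaUpdateNow = @"
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"@

$entries = @(
    (New-AttributeLdif -Name 'app-EmployeeTier' -Oid "$OidArc.1" -SearchFlags 1),
    $SchemaUpdateNow,
    (New-AuxClassLdif -Name 'app-Person' -Oid "$OidArc.2" -MayContain 'app-EmployeeTier'),
    $SchemaUpdateNow
)
# LDIF records are separated by a blank line; normalize line endings to CRLF for ldifde.
$ldif = (($entries -join "`n`n") -replace "`r?`n", "`r`n") + "`r`n"
[System.IO.File]::WriteAllText((Join-Path $PWD 'app-schema.ldf'), $ldif, [System.Text.Encoding]::ASCII)
```

Import it against the instance as a member of its Administrators role with `ldifde -i -f app-schema.ldf -s ldshost:50000 -k -j . -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext`; `-c` substitutes the real schema naming context for the DC=X token, and `-j .` writes a log you will want the first time something is rejected. Once imported, attach app-Person to the proxy objects (by adding it to their objectClass, or to the structural class's auxiliaryClass) and the mapped attribute becomes writable by the replication script.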