Can non-windows platform application use Active Directory of W2003?



kevin tho via WinServerKB.com
07-09-2005, 11:52 PM
Hi,

I have a Squid proxy server in my network and am wondering if it's possible
to use Active Directory of W2003 for authentication. For the moment, I am
using LDAP which is independent of Windows Active Directory, thus users
have to remember two passwords, one for windows and one for proxy. Is it
possible to integrate both to use Active Directory for single sign on?

Thanks.

Best regards,
kevin

--
Message posted via http://www.winserverkb.com

Imhotep
07-09-2005, 11:52 PM
kevin tho via WinServerKB.com wrote:

> Hi,
>
> I have a Squid proxy server in my network and am wondering if it's
> possible
> to use Active Directory of W2003 for authentication. For the moment, I am
> using LDAP which is independent of Windows Active Directory, thus users
> have to remember two passwords, one for windows and one for proxy. Is it
> possible to integrate both to use Active Directory for single sign on?
>
> Thanks.
>
> Best regards,
> kevin
>


I do not know why it would not be possible. "Active Directory" *IS* LDAP
(with MS specific schemas). I installed an open source helpdesk software
about two months ago (Red Hat) that is now fully integrated with AD on
2003.

So, yes...

-Im

kevin tho via WinServerKB.com
07-09-2005, 11:52 PM
Hi,

Thanks for the reply. Can you elaborate more on the way to do? For my
current proxy server, users will be authenticated in LDAP server, which
caters for authentication for proxy and qmail users. I would like to
integrate the current LDAP with Active Directory of W2003 such that when
users log on, their permissions (eg. internet user/qmail user or both and
mail quota etc) are valid after log on. What is the way to integrate these
attributes into Active Directory?

Thanks.

Best regards,
kevin


Paul Adare
07-09-2005, 11:52 PM
In article <dc46f9924e9d43b1be7fd401efabfb0e@WinServerKB.com>, in the
microsoft.public.security news group, kevin tho via WinServerKB.com
<forum@WinServerKB.com> says...

> Thanks for the reply. Can you elaborate more on the way to do? For my
> current proxy server, users will be authenticated in LDAP server, which
> caters for authentication for proxy and qmail users. I would like to
> integrate the current LDAP with Active Directory of W2003 such that when
> users log on, their permissions (eg. internet user/qmail user or both and
> mail quota etc) are valid after log on. What is the way to integrate these
> attributes into Active Directory?
>

That would be entirely dependent on the application. You should check
the documentation for the applications in question, and any
email/support lists for these applications.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
Scientists were excited this week at having isolated a brief sound which
occurred immediately before the Big Bang.
Apparently, the sound was, "uh oh".

Imhotep
07-09-2005, 11:52 PM
kevin tho via WinServerKB.com wrote:

> Hi,
>
> Thanks for the reply. Can you elaborate more on the way to do? For my
> current proxy server, users will be authenticated in LDAP server, which
> caters for authentication for proxy and qmail users. I would like to
> integrate the current LDAP with Active Directory of W2003 such that when
> users log on, their permissions (eg. internet user/qmail user or both and
> mail quota etc) are valid after log on. What is the way to integrate
> these attributes into Active Directory?
>
> Thanks.
>
> Best regards,
> kevin
>


As long as you can configure your application on what to query via LDAP (AD)
it should not be a problem. Remember AD uses SAMAccount for account names.
Basically what I did was this. I downloaded a LDAP query tool. And did some
research on what AD uses for accounts. Next I changed the parameters in RT
(an open source helpdesk system) to query on SAMAccount for the
usernames...it takes some time playing with different combinations but, it
can be done.

Do this:

1) Do a google search on AD and what fields AD uses for what.
2) Download an LDAP browser (there are many)
3) Join the newsgroup for your application

-Im

kevin tho via WinServerKB.com
07-09-2005, 11:52 PM
Hi IM,

Are you meaning that the LDAP query of the open source software is to be
edited to query SAMaccount of Active Directory? I searched through Google
and couldn't find LDAP query tool, and am wondering if LDAP query tool you
mean is the query tool that is with the open source software, like Squid.

Thanks.


Best regards,
kevin


kevin tho via WinServerKB.com
07-09-2005, 11:52 PM
Hi,

Managed to find quite some LDAP browser. Is LDAP browser the LDAP query
tool you mean?

Thanks.

Best regards,
kevin


kevin tho via WinServerKB.com
07-09-2005, 11:52 PM
Hi,

I think I get what you're trying to say. I'll use LDAP browser to query
Active directory and include LDAP authentication as external program in
Squid. I'm a newbie in this and really appreciate your help.

Thanks.

Best regards,
kevin


Imhotep
07-09-2005, 11:52 PM
kevin tho via WinServerKB.com wrote:

> Hi,
>
> Managed to find quite some LDAP browser. Is LDAP browser the LDAP query
> tool you mean?
>
> Thanks.
>
> Best regards,
> kevin
>


Yes, they are the same browser/query tool...

-Im

Imhotep
07-09-2005, 11:52 PM
kevin tho via WinServerKB.com wrote:

> Hi IM,
>
> Are you meaning that the LDAP query of the open source software is to be
> edited to query SAMaccount of Active Directory? I searched through
> Google and couldn't find LDAP query tool, and am wondering if LDAP query
> tool you mean is the query tool that is with the open source software,
> like Squid.
>
> Thanks.
>
>
> Best regards,
> kevin
>

What I was saying is this. You need to verify you have the right query
script. For example here is a real LDAP query script for Apache (https) to
allow people to login to a web server I maintain...

"ldap://xxxx.yyyy.com:389/ou=Users,ou=HTTPS,ou=Servers,dc=xxxxx,dc=com?uid?sub?(objectClass=*)"

This script, for APACHE, says look in the LDAP directory Users,HTTPS,Servers
in the domain "xxxxx.com" for all the "uid" in the all of the ObjectClass
objects...

So once again,

1) Join the newsgroup for squid, they have very good support there
2) Install a LDAP browser/query tool, on a desktop, to test your scripts and
to find the objects that you will be authenticating your users with (in
windows it is SAMAccount, I believe)
3) Before going "live" test your configuration out
4) Have some fun or a smoke, you choose :-)

-Im
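
An added example, not part of the original post: a Python sketch that splits an Apache-style LDAP URL like the one quoted above into base DN, attribute, scope and filter, then builds the per-user search filter with RFC 4515 escaping so a submitted login name cannot change the query. The host, DN and sample URL are constructed placeholders; `sAMAccountName` is the Active Directory logon-name attribute, and the fallback values for omitted fields are assumptions chosen for this sketch.

```python
from urllib.parse import unquote

# Constructed sample in the same shape as the URL in the post;
# host and DN are placeholders, not values from the thread.
SAMPLE_URL = ("ldap://dc1.example.com:389/ou=Users,dc=example,dc=com"
              "?sAMAccountName?sub?(objectClass=user)")


def parse_ldap_url(url):
    """Split scheme://host[:port]/base?attribute?scope?filter into fields."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL")
    hostport, _, tail = rest.partition("/")
    parts = tail.split("?", 3) + [""] * 3  # pad fields the URL omitted
    base, attr, scope, flt = (unquote(p) for p in parts[:4])
    host, _, port = hostport.partition(":")
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base": base,
        "attr": attr or "uid",                 # assumed fallback
        "scope": scope or "sub",               # assumed fallback
        "filter": flt or "(objectClass=*)",    # assumed fallback
    }


def escape_filter_value(value):
    """Escape the RFC 4515 special characters: backslash, *, (, ) and NUL."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def user_filter(cfg, username):
    """Combine the configured filter with attribute=<escaped login name>."""
    return "(&%s(%s=%s))" % (
        cfg["filter"], cfg["attr"], escape_filter_value(username))


if __name__ == "__main__":
    cfg = parse_ldap_url(SAMPLE_URL)
    print(cfg["base"], cfg["scope"])
    print(user_filter(cfg, "kevin"))
```

The printed filter and base DN can be pasted into an LDAP browser to confirm that exactly one entry comes back for a test account before the proxy is pointed at the directory.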

Imhotep
07-09-2005, 11:52 PM
kevin tho via WinServerKB.com wrote:

> Hi,
>
> I think I get what you're trying to say. I'll use LDAP browser to query
> Active directory and include LDAP authentication as external program in
> Squid. I'm a newbie in this and really appreciate your help.
>
> Thanks.
>
> Best regards,
> kevin
>


No problem. We were all newbies at one time..

-Im

kevin tho via WinServerKB.com
07-09-2005, 11:52 PM
Hi IM,

Thanks for your detailed reply. I have another question. Is there any way
to add attributes into Active Directory of W2003? For instance, I would
like to add attributes like email type:LAN only/external and email quota
for qmail so that these attributes will be valid when users log on. Is
that possible?


Best regards,
kevin


Paul Adare
07-09-2005, 11:52 PM
In article <d3be3825d0ce4aefab66154f08662685@WinServerKB.com>, in the
microsoft.public.security news group, kevin tho via WinServerKB.com
<forum@WinServerKB.com> says...

> Thanks for your detailed reply. I have another question. Is there any way
> to add attributes into Active Directory of W2003? For instance, I would
> like to add attributes like email type:LAN only/external and email quota
> for qmail so that these attributes will be valid when users log on. Is
> that possible?
>

Yes. Search the microsoft.com web site for extending the schema.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
Scientists were excited this week at having isolated a brief sound which
occurred immediately before the Big Bang.
Apparently, the sound was, "uh oh".

Torgeir Bakken (MVP)
07-09-2005, 11:52 PM
kevin tho via WinServerKB.com wrote:

> Hi IM,
>
> Thanks for your detailed reply. I have another question. Is there any way
> to add attributes into Active Directory of W2003? For instance, I would
> like to add attributes like email type:LAN only/external and email quota
> for qmail so that these attributes will be valid when users log on. Is
> that possible?
Hi,

From: laco...@hotmail.com
Newsgroups: microsoft.public.adsi.general
Subject: Add Attributes to your Active Directory Schema and Manage
their Permissions Efficiently
Date: 16 May 2005 13:01:23 -0700
Message-ID: <1116273683.892401.112780@f14g2000cwb.googlegroups.com>

<quote>
In case anyone is interested, we wrote a short paper on Active
Directory attributes and their security. The paper shows how to create
a new Active Directory attribute, add it to an existing container (user
class), and configure its security using Active Directory control
access rights.

To perform each of the steps, the paper employs four different
techniques: administration via the GUI, administration via the command
line, scripting using the COM ADSI interfaces in VBScript, and
programming using the DirectoryServices library in Visual Basic .NET.

Add Attributes to your Active Directory Schema and Manage their
Permissions Efficiently
Philippe Lacoude & Rajnish Sinha
Washington, D.C.
April 2005 (Version 1.1)
http://www.lacoude.com/docs/public/Attributes.aspx

</quote>

--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

