How to send AD users creditials from LDAP client to ADAM and authenticate using AD

[Tony]

Hello all!

I am quite new to the LDAP/ADAM world and I went through the exercises
in "active directory application mode step-by-step" reviewer's guide
and I can understand it. However, I still have a few questions I hope
you can help me with.

According to the ADAM documentation, ADAM can accept authentication,
or bind, requests from ADAM security principals and Windows (local and
domain) security principals. I am interested in exactly how a LDAP
client can authenticate a user using ADAM via Active Directory domain
controller. Is this different then ADAM bind redirection? How does a
LDAP client send credentials of AD users to ADAM? Is it simply
"domain\userid" and then "password"?

When I bind In Ldp.exe, there is a field "domain" in the bind window
where I can specify which domain the username is from. However, what
about for my old LDAP-enabled application…….it is not aware of the
"domain" field as in Ldp.exe. Is there a way to do it? Simply typing,
"domain\username" as the user and send it to ADAM via my old
LDAP-enabled application doesn't seem to work, please help!

Best regards,

Tony

 

[Dmitri Gavrilov [MSFT]]

The distinction is pretty simple: if LDAP client performs a simple bind
(ldap_simple_bind_s), then you are binding as an ADAM user (or as a proxy).
If you do secure bind (ldap_bind_s), then you are authenticating as a
Windows user.

When ADAM processes a secure bind, it simply calls AcceptSecurityContext,
and lets the OS and the client negotiate the auth.

If your LDAP-enabled application does a simple bind, then your only option
is to use proxy binds to forward the bind to the OS. In this case, ADAM does
see username and password, and it forwards them to the OS via a LogonUser
call.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

 

[Tony Chan]

Dmitri,

The distinction is pretty simple: if LDAP client performs a simple bind
(ldap_simple_bind_s), then you are binding as an ADAM user (or as a proxy).
If you do secure bind (ldap_bind_s), then you are authenticating as a
Windows user.

Where can you forward the bind to via proxy? Does the SID of a user from an
"Active Directory or Local Windows" determine where the bind the proxy
forwards to?
Do I have to create a proxy for each user like in the Step-by-step
reviewer's guide?
And, when is the proxy created? Can it be dynamic? So far I only how to
create it manually one user at a time.

If the LDAP client is using a secure bind (ldap_bind_s), when you say "then
you are authenticating as a Windows user", does it limit to the local
machine where the ADAM resides? Or does it also mean it could be users from
an Active Directory or Local machine user?

Thanks!!!

Tony

 

[Dmitri Gavrilov [MSFT]]

Answering inline...

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Dmitri,





Where can you forward the bind to via proxy? Does the SID of a user from an
"Active Directory or Local Windows" determine where the bind the proxy
forwards to?

Yes, ADAM uses LsaLookupSids to map the sid to domain\username. It can be
either a local user or a user from AD, or a user from a trusted
domain/forest. LsaLookupSids can resolve all of these.

Do I have to create a proxy for each user like in the Step-by-step
reviewer's guide?
And, when is the proxy created? Can it be dynamic? So far I only how to
create it manually one user at a time.

You have to create them manually. That said, you can write an ADSI script
that does it for you. You can also use MIIS to sync ADAM and AD.

If the LDAP client is using a secure bind (ldap_bind_s), when you say "then
you are authenticating as a Windows user", does it limit to the local
machine where the ADAM resides? Or does it also mean it could be users from
an Active Directory or Local machine user?

Local user or AD user (if the ADAM machine is joined to a domain), or a user
from a trusted domain/forest. Basically, any user that can logon to ADAM
machine.