Can I get AD to authenticate via another LDAP server?

I need to set up an AD. The larger organisation I'm in has its own LDAP service which handles authentication and some other details. I would like to get AD to use that LDAP info just for authentication purposes. Is this possible?


Solution 1:

It honestly depends on how much time, expertise, and money you have to spend. FIM (Forefront Identity Manager) is a fine option if you're just looking to sync basic attributes, including username/pass. However, that's not what my university does; we've always needed a bit more flexibility than IDM solutions have ever really offered, which is why we've developed our own in-house middleware written in Perl using LDAPS. This allows us to script updates of what we want, when we want, and where we want, with as much flexibility as we need. We also force all users to use a web portal for password changes, so that our directories do not get out of sync. We are currently syncing a SUN ONE LDAP system to our MS Active Directory and have been since 2002.

TL;DR: If you're short on time and expertise, but not money, use FIM; it will do what you want. If not, you're more than welcome to write your own middleware in the coding language of your choice to do the same thing.

Solution 2:

The only way I know to do this is to create an LDAP-backed Kerberos system, and establish a Kerberos-trust between the non-Windows Kerberos realm and the Windows domain (which is also a Kerberos realm). The key steps:

  • Setting up the new Kerberos realm
    • Get LDAP as an auth-source for the realm
    • Because this is AD, the realm will need the Kerberos DNS SRV records created.
  • Setting up the trust
    • As AD will be trusting the Kerberos realm, this will be a one-way trust
    • Users with those credentials will have to use a Kerberos-supporting access method for authentication. AD's LDAP supports this, as does SMB (though I haven't tried it with a non-MS Kerb realm).

Kerberos is the glue that allows AD to use an external LDAP server for authentication.
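One of the steps above that is easy to get wrong is the Kerberos DNS SRV records: if they are absent or point at the wrong port, AD clients cannot locate the KDC of the trusted realm and the trust silently fails to work. The following check is an added example, not code from the answer above; it parses a zone-file fragment (the sample zone text is constructed) and reports which of the SRV records a realm needs are missing or carry the wrong port. The function names and the set of required services are the example's own assumptions.

```python
"""Check that a DNS zone carries the Kerberos SRV records a realm needs.

Added example; the zone text below is constructed, not from the page.
Function names and the REQUIRED_SERVICES table are assumptions of this example.
"""
from collections import defaultdict

# Service owner-name prefixes and their standard ports. Kerberos ticketing
# runs on 88; _kpasswd (464) is needed so password changes reach the realm.
REQUIRED_SERVICES = {
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}


def required_srv_names(realm):
    """Owner names that must exist for `realm`, e.g. _kerberos._tcp.example.com -> 88."""
    zone = realm.lower().rstrip(".")
    return {f"{svc}.{zone}": port for svc, port in REQUIRED_SERVICES.items()}


def parse_zone_srv(zone_text):
    """Parse SRV lines from zone-file text into {owner: [(prio, weight, port, target)]}.

    Accepts optional TTL and class fields, strips ';' comments, and skips
    lines that are not well-formed SRV records rather than guessing.
    """
    records = defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if "SRV" not in tokens:
            continue
        i = tokens.index("SRV")
        owner = tokens[0].lower().rstrip(".")
        try:
            prio, weight, port = (int(t) for t in tokens[i + 1:i + 4])
            target = tokens[i + 4].lower().rstrip(".")
        except (ValueError, IndexError):
            continue  # malformed SRV line
        records[owner].append((prio, weight, port, target))
    return dict(records)


def check_realm_srv(realm, zone_text):
    """Return {owner_name: reason} for every required record that is missing or on the wrong port."""
    problems = {}
    have = parse_zone_srv(zone_text)
    for owner, port in required_srv_names(realm).items():
        rrs = have.get(owner)
        if not rrs:
            problems[owner] = "missing"
        elif all(rr[2] != port for rr in rrs):
            problems[owner] = f"no record on port {port}"
    return problems


# Constructed sample zone fragment for a realm named EXAMPLE.COM. It has two
# KDCs for ticketing, a kpasswd TCP record on the wrong port, and no kpasswd UDP.
SAMPLE_ZONE = """\
; constructed sample zone fragment for realm EXAMPLE.COM
_kerberos._tcp.example.com.  3600 IN SRV 0 100 88  kdc1.example.com.
_kerberos._udp.example.com.  3600 IN SRV 0 100 88  kdc1.example.com.
_kerberos._tcp.example.com.  3600 IN SRV 10 100 88 kdc2.example.com.
_kpasswd._tcp.example.com.   3600 IN SRV 0 100 88  kdc1.example.com.   ; wrong port
"""

if __name__ == "__main__":
    for owner, reason in sorted(check_realm_srv("EXAMPLE.COM", SAMPLE_ZONE).items()):
        print(f"{owner}: {reason}")
```

Run against the real zone (for example the output of a zone transfer or the zone file itself) before creating the trust; an empty result means every required owner name resolves to at least one KDC on the expected port. The realm name is lower-cased for the lookup because DNS owner names are case-insensitive while the Kerberos realm itself is conventionally upper-case.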

Solution 3:

I've never done what you're describing, at least not with just LDAP and not in production.

AD domains are more than just authentication and require a lot more than just an LDAP directory to work, so I think you'd need to deploy Samba or something to make what you're describing happen (though you can get Samba to use LDAP as its backing store). I'm not sure what the state of Samba domain controllers is these days but I'd start looking here (samba.org docs).

I have gone the other way (making the LDAP stuff authenticate against AD & storing the "other stuff" in AD's LDAP store), and that's relatively easy -- I'd recommend this if at all practical, but without knowing more about your situation I can't say if it's the right move or not...

Solution 4:

Microsoft FIM, previously ILM, will allow credential synchronization between LDAPs. You'll still need to run full-blown AD, but you can have it sync the credentials with the already existing LDAP. It should be transparent to the user.