Possible to have Per-user referrals to external LDAP?


ohaya

Hi,

I'm trying to understand how LDAP referrals work, and to see if they
might be used to solve a problem that I'm trying to address.

We have a Win2K Server that is a DC.

We also have a separate machine running Sun Directory Server (DS), and
the Directory Server is populated with a number of users that don't
exist in the AD.

What we want to do is create entries in the AD (under Users)
corresponding to some of the users in the DS, but have these AD entries
be referrals to the corresponding entry in DS.


The reason that we want to do this is that we have some client software
that is doing LDAP lookups, but it was originally setup to do the
lookups from just one LDAP repository, and we now have a need to have
that software be able to search the AD, and then the DS.

What I'm thinking, if it's possible, is to create these kinds of dummy
referrals in the AD and let the LDAP referral mechanism do the work.

For example, if we started with:

AD:
user1
user2
user3

DS:
user4
user5

We would create these new referral entries for "user4" and "user5" in
AD, pointing to the appropriate place on the DS:

AD:
user1
user2
user3
user4 (REF: ldap://foo.foo.com/uid=user4,ou=People,dc=foo,dc=com)
user5 (REF: ldap://foo.foo.com/uid=user5,ou=People,dc=foo,dc=com)

DS:
user4
user5

From the above, am I understanding the concept of LDAP referrals
correctly? Or are LDAP referrals only used at an LDAP server or tree
level?

And, if referrals can be used on a per-user basis, how can we do this?
And, to test it, is there any way to just add the ObjectClass=referral
and REF attribute to a Users object in AD?

Thanks in advance!!

Jim
 

Guest

Windows Active Directory does not have that ability.

However, Windows Server 2003 R2, when it is available, has some new
interoperability features added to Active Directory for working with
UNIX/Linux networks. In R2, you can associate a UNIX/Linux account with an
Active Directory account. I believe the cross-reference can point to an LDAP
server, and not just standard UNIX accounts, but don't quote me on that. When
a user logs into Active Directory, their UNIX credentials will be attached to
that user and should allow a pass-through type of authentication, depending
on whether the software supports it.

I don't know if this helps on what you are looking to do. I haven't
evaluated it myself, but you should look into it. You can download the R2
beta free from Microsoft. I believe the final R2 is to be released by the end
of this year, but that may have changed.
 

ohaya

Brandon,

Thanks for the reply.

The new entries that we want to add to AD (the ones with the referrals)
aren't going to be used for logging in or anything like that.

Basically, and putting it in a simpleminded way (which is about all I know
enough to do :)), the idea is to take a User in AD and, from what I can tell,
add an additional ObjectClass=referral and one additional attribute (REF).

My impression (again, this is a simplified view) is that if we could do
that, when we did an LDAP search which finds that User object that
matches, an LDAP referral would be sent back to the LDAP client, and
then the LDAP client could follow the referral to the DS.

So, is there no way to add the ObjectClass and the REF attribute to an
existing object in Users?

Thanks,
Jim
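The two posts above describe the mechanism Jim has in mind: an entry carrying objectClass=referral and a ref attribute (RFC 3296), and a client that gets the referral back and follows it to the DS. The following is an added example, not code from the thread or from either directory product. It shows what such a referral entry looks like in LDIF, how a client parses the LDAP URL in the ref value (RFC 4516) into the search it would issue next, and the check a careful client makes before chasing a referral: since chasing a referral means binding to whatever host the URL names, a client that follows referrals blindly will send its bind credentials to any host a writable entry points at. The LDIF, the DNs, the host foo.foo.com and the allowlist are the thread's illustrative values or assumptions; no directory is contacted.

```python
"""Added example (not part of the thread): an RFC 3296 referral entry in
LDIF, plus the client-side steps for turning the ref URL into a follow-up
search and refusing referrals to hosts the client does not trust."""
from urllib.parse import urlsplit, unquote

# Constructed LDIF for the kind of entry the poster describes: a named
# subordinate reference (RFC 3296) for user4 in the AD Users container,
# pointing at the corresponding entry on the Sun DS.  The DNs are assumed.
REFERRAL_LDIF = """\
dn: cn=user4,cn=Users,dc=ad,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
cn: user4
ref: ldap://foo.foo.com/uid=user4,ou=People,dc=foo,dc=com
"""

# Hosts this client is willing to follow referrals to (an assumption here;
# in practice this is configuration).  Chasing referrals blindly lets any
# entry that can be written into the tree redirect the client, and the
# credentials it binds with, to an arbitrary server.
TRUSTED_REFERRAL_HOSTS = {"foo.foo.com"}
MAX_HOPS = 3  # referral chains can loop; cap them


def parse_ldif_entry(ldif: str) -> dict:
    """Parse one LDIF entry into {attr: [values]} with 'dn' kept as a string.
    Only the plain 'attr: value' form is handled (no base64 '::', no folding)."""
    entry: dict = {}
    for line in ldif.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            entry["dn"] = value
        else:
            entry.setdefault(attr, []).append(value)
    return entry


def is_referral_entry(entry: dict) -> bool:
    """RFC 3296: a referral object has objectClass 'referral' and a 'ref' value."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return "referral" in classes and bool(entry.get("ref"))


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL (RFC 4516) into host, port, base DN, attrs, scope and
    filter.  Missing scope defaults to 'base' and missing filter to
    (objectClass=*), as the RFC specifies."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    # path is "/<dn>"; the optional "?attrs?scope?filter" tail ends up in query
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attrs, scope, filt = fields[:3]
    return {
        "scheme": parts.scheme,
        "host": (parts.hostname or "").lower(),
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "dn": unquote(parts.path.lstrip("/")),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": unquote(filt) or "(objectClass=*)",
    }


def plan_referral_search(ref_url: str, hop: int = 1) -> dict:
    """Return the search a client would issue for this referral, or raise
    instead of silently binding to an untrusted host or looping forever."""
    if hop > MAX_HOPS:
        raise RuntimeError(f"referral hop limit {MAX_HOPS} exceeded")
    target = parse_ldap_url(ref_url)
    if target["host"] not in TRUSTED_REFERRAL_HOSTS:
        raise PermissionError(f"refusing referral to untrusted host {target['host']!r}")
    return target


def referral_allowed(ref_url: str) -> bool:
    """True if the client would follow this referral under the policy above."""
    try:
        plan_referral_search(ref_url)
        return True
    except (PermissionError, RuntimeError, ValueError):
        return False


def resolve(entry: dict) -> list:
    """For a referral entry, return the follow-up searches the client would run;
    an ordinary entry yields an empty list (it is returned as-is instead)."""
    if not is_referral_entry(entry):
        return []
    return [plan_referral_search(url) for url in entry["ref"]]


if __name__ == "__main__":
    for plan in resolve(parse_ldif_entry(REFERRAL_LDIF)):
        print(f"search {plan['host']}:{plan['port']} base={plan['dn']} "
              f"scope={plan['scope']} filter={plan['filter']}")
    print("evil host allowed:", referral_allowed("ldap://evil.example.net/dc=x"))
```

The same policy decision exists as a switch in the common client libraries (for instance python-ldap's `OPT_REFERRALS` option and ldap3's `auto_referrals` connection parameter); leaving automatic chasing on with a simple bind is what turns a writable referral entry into a credential-disclosure path, which is the reason to keep an allowlist like the one above, or to chase referrals only over a channel that does not carry a reusable password.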
 

Guest

Considering Active Directory is LDAP compatible and the schema can be
extended, I suppose you could add such an ObjectClass attribute. I would not
know programmatically how to do so. If you know how to do this, I suggest that
you do it in a test environment, of course. Once the schema has been
modified, it cannot be undone.
 