OPENSSO-4053

Active Directory configuration should use AD domain name rather than LDAP host/port

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: current
    • Fix Version/s: OpenSSO-8.1
    • Component/s: authentication
    • Labels: None
    • Environment: Operating System: All; Platform: All
    • Issuezilla Id: 4,053

      Description

      Currently we prompt the admin for an LDAP hostname/port for AD configuration.
      This is an issue, since AD administrators don't tend to work in terms of
      hostname/port. We should instead prompt for AD domain. We should even be able to
      dispense with the admin username/password if all we are doing is authenticating
      users via an LDAP bind.

      Kohsuke Kawaguchi's blog has much more detail -
      http://weblogs.java.net/blog/kohsuke/archive/2008/06/more_active_dir.html

      "This allows users to avoid hard-coding LDAP server name, and so they won't need
      to update your config as domain controllers come and go. SRV records also return
      information about fallback servers and round-robin mechanism (like MX records),
      and your program can do the right thing."

        Activity

        superpat7 added a comment -

        Target -> 8.1

        dillidorai added a comment -

        Making it an RFE.

        superpat7 added a comment -

        Created an attachment (id=7542)
        Test harness to show AD domain name -> LDAP server name

        superpat7 added a comment -

        Just added an attachment that shows how this works. My sample uses JNDI for LDAP
        access, you could obviously use LDAP JDK instead. The main thing is going from
        AD domain name -> LDAP host/port.

        NOTE - you would NOT do this once and cache the LDAP host/port - you would
        resolve the AD domain name each time you want to make a connection. This way,
        you take advantage of DNS-based round robin/fault tolerance etc in the AD domain.

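The resolution step the description and the comment above call for (AD domain name -> DNS SRV lookup -> LDAP host/port, re-done on every connection rather than cached) as an added example. This is not the JNDI test harness attached to the issue and not OpenSSO code; it takes the DNS query as an injected callable so it runs offline against constructed records, and the `corp.example.com` domain and `dc*` host names are made up. Real data would come from a resolver call (for example JNDI's DNS provider, which returns SRV values in the same `priority weight port target` presentation form parsed here).

```python
"""Resolve an Active Directory domain to LDAP host/port pairs via DNS SRV records.

Added illustration, not the issue's attachment.  The DNS query is injected as a
callable so the module runs offline against constructed sample records.
"""
import random
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def srv_query_name(domain: str) -> str:
    """AD domain controllers register their LDAP service as _ldap._tcp.<domain>."""
    domain = domain.strip().rstrip(".").lower()
    if not domain or any(not label for label in domain.split(".")):
        raise ValueError(f"malformed AD domain name: {domain!r}")
    return f"_ldap._tcp.{domain}"


def parse_srv(rdata: str) -> SrvRecord:
    """Parse SRV rdata in presentation form: '<priority> <weight> <port> <target>'."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError(f"malformed SRV record: {rdata!r}")
    priority, weight, port = (int(p) for p in parts[:3])
    if not 0 < port <= 65535:
        raise ValueError(f"SRV port out of range: {rdata!r}")
    return SrvRecord(priority, weight, port, parts[3].rstrip(".").lower())


def order_srv(records: Iterable[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order records per RFC 2782: ascending priority; weighted random within a priority.

    The first entry is the server to try; the rest are fallbacks in the order to try them.
    """
    by_priority: dict = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered: List[SrvRecord] = []
    for prio in sorted(by_priority):
        # Weight-0 records are placed first so they are chosen only when the draw is 0.
        remaining = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while remaining:
            total = sum(r.weight for r in remaining)
            draw = rng.randint(0, total)
            running = 0
            for rec in remaining:
                running += rec.weight
                if running >= draw:
                    break
            ordered.append(rec)
            remaining.remove(rec)
    return ordered


def resolve_ldap_targets(
    domain: str,
    lookup: Callable[[str], Iterable[str]],
    rng: Optional[random.Random] = None,
) -> List[Tuple[str, int]]:
    """Return (host, port) pairs for LDAP in the given AD domain, primary first.

    Call this for every new connection and never cache the result: that is what lets
    domain-controller additions, removals and DNS round-robin take effect.
    """
    rng = rng or random.SystemRandom()
    records = [parse_srv(r) for r in lookup(srv_query_name(domain))]
    if not records:
        raise LookupError(f"no LDAP SRV records published for domain {domain!r}")
    return [(r.target, r.port) for r in order_srv(records, rng)]


# Constructed sample answer for a made-up domain (not real DNS data).
SAMPLE_DNS = {
    "_ldap._tcp.corp.example.com": [
        "0 100 389 dc1.corp.example.com.",
        "0 100 389 dc2.corp.example.com.",
        "10 0 389 dc-dr.corp.example.com.",  # lower-priority site, used only as fallback
    ],
}


def sample_lookup(name: str) -> List[str]:
    """Stand-in for a real SRV query against the configured DNS resolver."""
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    for host, port in resolve_ldap_targets("CORP.EXAMPLE.COM", sample_lookup):
        print(f"ldap://{host}:{port}")
```

Only the two equal-weight priority-0 controllers are shuffled between runs; the priority-10 record is always last, which is the fallback behaviour the quoted blog post refers to. The bind itself (JNDI or the LDAP JDK) would then be attempted against the returned pairs in order.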
        pluo added a comment -

        reassign

        goodearth added a comment -

        Is this related to the installation configuration page, the Data Store
        configuration page or the Authentication configuration page (most probably
        authentication, as you've filed it against the authentication category)? We have to
        implement based on that description. Pls. let me know.

        If it needs to be in all places for AD configuration, then we will discuss with the
        console team, Qingwen, Heng-Ming, for the appropriate console page changes.

        superpat7 added a comment -

        Anywhere we configure AD as a store, we should prompt for domain rather than
        host + port

        goodearth added a comment -

        ok, I'll file two more issues against Configurator, IdRepo (for the Data Store
        configuration page change) and leave this one for Authentication. Console team
        would be consulted for the appropriate changes.
        -Sujatha.


          People

          • Assignee: qcheng
          • Reporter: superpat7
          • Votes: 0
          • Watchers: 0
