Recently I was working with a client that has an enterprise application outsourced to an application service provider (ASP). Because the application is outsourced and uses an authentication database that is completely separate from their internal Active Directory (AD) forest, they had experienced numerous account lockout problems caused by password differences between AD and the external application. In addition, the external application also depends on user data stored in Active Directory. Replicating that data to the external application required a number of manual steps, which frequently led to discrepancies in the validity of the data between the two systems.
In an effort to resolve these issues, the client wanted the external application to use AD for authentication and as the direct source for some of the data displayed in the external application. Initially, the ASP suggested having the external application talk directly to the client's AD forest. However, there are several reasons why giving an external entity access to your AD environment is not a good idea. First, the application needs read access to the directory. That means the external vendor would have access to far more corporate data than their application requires (unless you have tampered with the default AD permission structure). Second, such a solution would also require a direct connection between the external vendor's systems and your AD domain controllers. That means you would have to trust that the external vendor's systems and their security practices are sound. Naturally, this is not a solution that would fly with most IT security departments.
So, to meet the client's needs, a solution based on AD LDS was proposed. The solution involved the following items:
- The userProxyFull object class would be used to represent replicated user objects in AD LDS. The userProxyFull and userProxy object classes are special object classes that allow AD LDS to process bind requests to objects based on these classes and then redirect the authentication requests back to Active Directory.
Note:
Yes, Microsoft frowns on the use of these object classes, considering that they were originally intended only for legacy applications. However, the only viable alternative is to use some kind of identity management solution to replicate users' password information. While those are great solutions, and I would usually recommend them for most deployments, deploying one would have been overkill in this case. Also, it is important to note that using these object classes requires the AD LDS server to be a domain member.
- In addition to the AD LDS schema being extended using the default MS-User.LDF and MS-UserProxyFull.LDF files, the AD LDS schema would have to be extended to include custom attributes, as defined by the client, for the userProxyFull object class.
- Lastly, a replication script would be developed to replicate user objects and data from AD to AD LDS based on a predetermined attribute mapping scheme.
The first item is actually very easy to implement. You just need to install an AD LDS instance on a host that is a domain member. The only catch is that you need to have a Server Authentication certificate in place on the host so that the bind redirection will work. The last item, while it may be the most time consuming, is also very easy to implement because the solution is based on your ability to create a directory replication script. The resulting script for this client was a PowerShell script that used a CSV based mappings file to replicate data from AD to AD LDS. If I’m feeling randy, I will post some code samples.
It turned out that the second item was the most difficult to implement. Not impossible, but it took some research to understand how to extend the AD LDS schema. I say this for two reasons. One, I don't usually do directory schema extensions (as MS tends to provide these). Two, in my opinion there are no clear examples or explanations of how to extend the AD or AD LDS schema. Maybe that is why so many enterprises get into so much trouble when they try to add attributes to AD. There is no documentation that clearly explains why you shouldn't do this (in my opinion AD LDS should be used instead) or how to properly extend the schema if you really need to do it.
And so, this brings us to why I’m writing this blog entry in the first place. My whole intent was to share a couple of concepts that may prove useful if you want to write your own ADAM schema extension. First, when adding in a new attribute or object class you need to have a unique attribute ID for the item that is being added. In other words, you need to have an OID. OIDs, or object identifiers, are basically unique IDs that are used to identify an object. Second, each item that you are adding also needs to have its own unique GUID. Meeting this requirement at first sounds easy, as you can use any number of tools to generate a GUID (guidgen.com or UUIDGEN.EXE). But, when writing the LDIF file that will be used to extend your schema, the GUID must be Base64 encoded. Fun!
Well, that is not entirely true, because if you don’t specify the schemaIDGUID parameter in your LDIF file then AD LDS or AD will actually generate a unique GUID for you. But that isn’t a best practice, because if you are trying to programmatically control extended rights for your custom schema extensions then it is recommended that the same GUID be used across directories. In other words, the final LDIF that you use must have a Base64 encoded value for the schemaIDGUID.
There are several ways to accomplish this task. You could write or download an application to encode the GUID (which most IT pros will not do). Or, you can follow these steps:
- Create a development instance of ADAM.
- Create your LDIF file without the schemaIDGUID defined.
- Extend the development instance of AD LDS with the LDF file.
- Fire up ADSchemaAnalyzer, then set your development AD LDS instance as both the target and the base schema (seems a bit odd, but it works).
- Locate the attribute you just created, mark it as included, then generate an LDIF file.
- Last, update your custom LDIF file with the schemaIDGUID from the ADSchemaAnalyzer LDIF file.
Example:
# Attribute: MyCustom-Attribute
dn: cn=MyCustom-Attribute,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
#
attributeID: 1.3.6.1.4.1.311.21.8.some_numbers
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
rangeLower: 1
rangeUpper: 1000
adminDisplayName: MyCustom-Attribute
adminDescription: MyCustom-Attribute
# schemaIDGUID: 1234-Look-A-GUID
schemaIDGUID:: xLLovJTaNEyBASE064
oMSyntax: 64
searchFlags: 16
lDAPDisplayName: MyCustomAttribute
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# Now you need to update the userProxyFull object class
# to include your custom attribute.
dn: cn=userProxyFull,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemamodify
add: mayContain
mayContain: 1.3.6.1.4.1.311.21.8.some_numbers
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
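As an added example (not the author's script and not the page's own LDIF), the following PowerShell does the schemaIDGUID step described above without the ADSchemaAnalyzer round trip: it Base64-encodes a GUID in the byte order AD LDS stores it, splices it into the attributeSchema stanza shown above, and decodes the value back as a check. The attribute names, the output path and the elided "some_numbers" OID suffix are placeholders.

```powershell
# Added example (not the author's replication script): Base64-encode a GUID the
# way schemaIDGUID expects and splice it into the attributeSchema stanza.
# Assumed placeholders: the names, the output path and the "some_numbers" OID.
function New-SchemaIdGuidValue {
    param([guid]$Guid)
    # schemaIDGUID is an octet string holding the 16-byte GUID in Windows byte
    # order (ToByteArray), so encode those bytes, not the "xxxxxxxx-..." text.
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertFrom-SchemaIdGuidValue {
    param([string]$Base64)
    # Reverse step: check what an existing LDIF (or ADSchemaAnalyzer output) carries.
    New-Object System.Guid -ArgumentList (,[Convert]::FromBase64String($Base64))
}

function New-AttributeSchemaLdif {
    param([string]$Name, [string]$LdapName, [string]$Oid, [guid]$SchemaIdGuid)
    $encoded = New-SchemaIdGuidValue -Guid $SchemaIdGuid
    # The double colon after schemaIDGUID tells ldifde the value is Base64.
@"
# Attribute: $Name
dn: cn=$Name,cn=Schema,cn=Configuration,dc=X
changetype: ntdsschemaadd
objectClass: attributeSchema
attributeID: $Oid
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
rangeLower: 1
rangeUpper: 1000
adminDisplayName: $Name
adminDescription: $Name
# schemaIDGUID: $SchemaIdGuid
schemaIDGUID:: $encoded
oMSyntax: 64
searchFlags: 16
lDAPDisplayName: $LdapName
systemOnly: FALSE
"@
}

# Generate the GUID once and keep it with the LDIF so every directory you extend gets the same schemaIDGUID.
$guid = [guid]::NewGuid()
$ldif = New-AttributeSchemaLdif -Name 'MyCustom-Attribute' -LdapName 'MyCustomAttribute' `
    -Oid '1.3.6.1.4.1.311.21.8.some_numbers' -SchemaIdGuid $guid
Set-Content -Path .\MyCustom-Attribute.ldf -Value $ldif -Encoding ASCII
# Sanity check: the encoded value must decode back to the GUID in the comment.
$enc = ($ldif -split "`r?`n" | Where-Object { $_ -like 'schemaIDGUID:: *' }) -replace '^schemaIDGUID:: ', ''
(ConvertFrom-SchemaIdGuidValue $enc) -eq $guid
```

The schemaUpdateNow and mayContain records from the example above are appended to the generated file unchanged before running it through ldifde.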
If you liked this, check out some of Tyson's other posts.
Finally, visit Microsoft Subnet for more news, blogs, and opinions from around the Internet. Or, sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert)