1

What is the difference between an ActiveDirectory object with an ObjectClass of UserProxy and an ObjectClass of User? Does an application binding against these objects need to do so differently in any way?

Most of my Google searches for UserProxy refer to "ActiveDirectory Application Mode (ADAM)". Is UserProxy specific to ADAM?

Thanks.

Sam
  • what are you trying to do? – tony roth Mar 19 '12 at 03:01
  • @tony roth, we sell a COTS product that has LDAP integration and one particular customer is returning a password mismatch error even though the ActiveDirectory logs show authentication was successful. When we compared this customer's data to other customers, this is one difference that stood out. We weren't familiar with `UserProxy`. I have no idea if it's related to the problem, but I was curious about the difference. – Sam Mar 19 '12 at 19:57
  • @tony roth, FYI, we resolved the issue we were running into and, as we expected, it had nothing to do with `User` vs `UserProxy` `ObjectClass`. Good to have this new information that Mathias provided, though. – Sam Mar 21 '12 at 00:05

1 Answer

3

Yes, userProxy is specific to ADAM/LDS and is just an object of the user class containing the ms-DS-Bind-Proxy auxiliary class and no password.

When a user matching a userProxy object in an ADAM/LDS partition is authenticated using a simple bind, the request is proxied to an Active Directory partition containing the actual user object. Thus, the userProxy object's objectSID has to match the SID of an existing enabled user object in an Active Directory partition that the ADAM/LDS partition can proxy requests to.

That way an ADAM/LDS application can authenticate AD users without storing/caching passwords.

Mathias R. Jessen
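The consistency condition described in the answer above (each userProxy's objectSID must match an existing, enabled AD user) can be checked offline from exported directory entries. The following Python sketch is an added example, not part of the original answer; the domain SID, DNs, RIDs and the entry layout (dicts with `dn`, `objectSid`, `userAccountControl`) are constructed assumptions.

```python
import struct

UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled


def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid value (as LDAP returns it) to S-1-... form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])


def make_sid(*subs: int) -> bytes:
    """Build a binary SID under authority 5 (NT Authority); for sample data."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(
        "<%dI" % len(subs), *subs)


def audit_proxies(proxies, ad_users):
    """Map each userProxy DN to 'ok', 'disabled' or 'missing'."""
    by_sid = {sid_to_str(u["objectSid"]): u for u in ad_users}
    report = {}
    for p in proxies:
        user = by_sid.get(sid_to_str(p["objectSid"]))
        if user is None:
            report[p["dn"]] = "missing"      # no AD user to proxy the bind to
        elif user["userAccountControl"] & UF_ACCOUNTDISABLE:
            report[p["dn"]] = "disabled"     # AD user exists but is disabled
        else:
            report[p["dn"]] = "ok"
    return report


# Constructed sample entries (hypothetical domain SID, DNs and RIDs).
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
AD_USERS = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com",
     "objectSid": make_sid(*DOMAIN, 1104), "userAccountControl": 0x200},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com",
     "objectSid": make_sid(*DOMAIN, 1105), "userAccountControl": 0x202},
]
PROXIES = [
    {"dn": "CN=alice,OU=App,O=Example", "objectSid": make_sid(*DOMAIN, 1104)},
    {"dn": "CN=bob,OU=App,O=Example", "objectSid": make_sid(*DOMAIN, 1105)},
    {"dn": "CN=carol,OU=App,O=Example", "objectSid": make_sid(*DOMAIN, 1106)},
]

if __name__ == "__main__":
    for dn, status in audit_proxies(PROXIES, AD_USERS).items():
        print(f"{status:8}  {dn}")
```

Any proxy reported as `missing` or `disabled` fails the matching condition from the answer, so it is a place to look when an LDAP-integrated application reports bind failures for specific accounts.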