3

My problem is that I have a number of network administration applications like SAN switches that do not support nested groups from Active Directory Domain Services (AD DS). These legacy administration applications use either LDAP or LDAPS.

I am fairly sure I can use Active Directory Lightweight Directory Services (AD LDS) and possibly Windows Authorization Manager to work around this issue; however I am not really sure where to start.

I want to end up with:

  • A single group that can be queried over LDAP/LDAPS for all its direct members
  • LDAP proxy for user name and password credentials to AD DS
  • Easy way to admin the group, ideally the group would aggregate the nested membership in AD DS.
  • A native solution using freely available components from the Windows stack.

If you have any suggestions or solutions that you have previously used to solve this issue please let me know.

Bernie White
    +1 This is a very interesting question. In the past we've had to make separate groups for legacy apps' LDAP group support. Luckily, most/all of our apps have moved past this restriction. A few supported the AD LDAP filter syntax for [LDAP_MATCHING_RULE_IN_CHAIN](http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx) e.g. `(memberOf:1.2.840.113556.1.4.1941:=CN=SomeGroup,DC=example,DC=edu)` but those were very limited. – jscott Oct 01 '12 at 23:13
  • @jscott +1 Yes, I looked at LDAP_MATCHING_RULE_IN_CHAIN but unfortunately my LDAP clients don't support custom queries or additional filtering, just a group. – Bernie White Oct 01 '12 at 23:25

1 Answer

3

I had a similar problem at a previous job. We ended up doing what Jscott did, which was to create specific groups just for those special apps. These groups were created in batch-mode once a day (that was as often as we needed) based on what the nested-groups had in them. Unfortunately, I no longer have the source for that, but we leveraged a combination of dsquery and powershell to build these special groups.

$masterList = dsget group $DNOfNestedGroup -members   # dsget (not dsquery) is the DS tool that lists a group's direct members, users and groups alike

The problem there is that this list will return both users and member-groups. The PowerShell logic has to disambiguate and recurse into the child groups, only adding uniquely-new members to the master user list. Once you've built the master user list, you can then use dsadd to create (or update) a group with static membership.

sysadmin1138
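The batch job the answer describes, written out as an added example (it is not the answer's original script, which was lost). It assumes the RSAT ActiveDirectory module rather than dsquery/dsget, and the two group DNs are placeholders. It recurses into nested groups, protects against circular nesting, deduplicates by DN, and then applies only the add/remove delta to the static mirror group, so a user removed from the source group is also dropped from the mirror on the next run.

```powershell
# Added example, not from the original answer. Assumes the RSAT ActiveDirectory
# module is installed; the group DNs at the bottom are placeholders.
Import-Module ActiveDirectory

function Get-FlatUserMembers {
    param([string]$GroupDN, [hashtable]$Visited = @{})
    # Guard against circular nesting (GroupA contains GroupB contains GroupA),
    # which would otherwise recurse forever.
    if ($Visited.ContainsKey($GroupDN)) { return }
    $Visited[$GroupDN] = $true
    $group = Get-ADGroup -Identity $GroupDN -Properties member
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass
        switch ($obj.objectClass) {
            'group' { Get-FlatUserMembers -GroupDN $dn -Visited $Visited }
            'user'  { $dn }
            # computers, contacts and foreign security principals are skipped
        }
    }
}

function Sync-FlatGroup {
    param([string]$SourceGroupDN, [string]$TargetGroupDN)
    # Deduplicate: the same user often sits in several nested groups.
    $want = @(Get-FlatUserMembers -GroupDN $SourceGroupDN | Sort-Object -Unique)
    $have = @((Get-ADGroup -Identity $TargetGroupDN -Properties member).member)
    $toAdd    = @($want | Where-Object { $have -notcontains $_ })
    $toRemove = @($have | Where-Object { $want -notcontains $_ })
    if ($toAdd.Count -gt 0) {
        Add-ADGroupMember -Identity $TargetGroupDN -Members $toAdd
    }
    if ($toRemove.Count -gt 0) {
        Remove-ADGroupMember -Identity $TargetGroupDN -Members $toRemove -Confirm:$false
    }
    [pscustomobject]@{ Added = $toAdd.Count; Removed = $toRemove.Count; Total = $want.Count }
}

# Run from a scheduled task (daily, as in the answer). Placeholder DNs:
Sync-FlatGroup -SourceGroupDN 'CN=SAN-Admins,OU=Groups,DC=example,DC=com' `
               -TargetGroupDN 'CN=SAN-Admins-Flat,OU=Groups,DC=example,DC=com'
```

`Get-ADGroupMember -Recursive` performs the same flattening in a single call; the explicit recursion here is to make the disambiguation, deduplication and cycle handling the answer talks about visible. Whatever the sync interval, the mirror group lags the source by up to that interval, so removals from the nested groups do not reach the SAN switches until the next run.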