ILLiad and Active Directory
• Active Directory is Microsoft's own proprietary directory service, accessed through LDAP.
• Can ILLiad authenticate against AD? Yes, ILLiad can authenticate against AD if it is properly configured.
What is a Domain?
• A Windows domain is an organizational unit that contains various resources:
  • User Accounts
  • Computer Accounts
  • Groups
  • Printers
Global Catalogue Server
• A Global Catalogue Server (GC) can be thought of as a server that maintains a master index of all the resources in AD.
Authentication Methods
• Single Domain Authentication
  • Authentication against one Windows domain.
  • ILLiad authenticates against a Domain Controller.
• Multiple Domain Authentication
  • Authentication against multiple Windows domains.
  • ILLiad authenticates against a Global Catalogue Server.
Customization Manager LDAP Keys
Single Domain Example
• Username & Password are for a generic user in the library domain.
LDAPBindStyle: Two Step
LDAPInitialBindDN: cn=Username, dc=library, dc=somedomain, dc=edu
LDAPInitialBindPassword: Password
LDAPPortNo: 389
LDAPSearchFilter: userprincipalname=$uid@library.somedomain.edu
LDAPSearchPrefix: cn=
LDAPSearchScope: SubTree
LDAPSearchSuffix: dc=somedomain, dc=edu
LDAPSecureSSL: Yes
LDAPSecureSSLPort: 636
LDAPServerName: library.somedomain.edu
LDAPSupport: Yes
Multiple Domain Example
• Username & Password are for a generic user in the library domain.
LDAPBindStyle: Two Step
LDAPInitialBindDN: cn=Username, cn=users, dc=library, dc=somedomain, dc=edu
LDAPInitialBindPassword: Password
LDAPPortNo: 3268
LDAPSearchFilter: (&(samaccountname=$uid)(|(description=ONID User)(description=ILLiad User)))
LDAPSearchPrefix: cn=
LDAPSearchScope: SubTree
LDAPSearchSuffix: dc=somedomain, dc=edu
LDAPSecureSSL: Yes
LDAPSecureSSLPort: 3269
LDAPServerName: global_catalogue.somedomain.edu
LDAPSupport: Yes
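The two examples above share one flow: bind with the generic service account, search for the patron's entry, then bind as the patron. The Python below is an added illustration of that flow, not ILLiad's own code and not from these slides; it models the Customization Manager keys as a small key/value block, picks the port the way the SSL keys imply (636 against a domain controller, 3269 against a global catalogue), and shows what a correct substitution of $uid into LDAPSearchFilter must do: escape the characters that are special in an LDAP filter (RFC 4515) before the value is spliced in, so a patron-supplied logon name can only ever match an entry, never change the shape of the query. How ILLiad itself performs the substitution is not stated on the slides; the sample domain names and the generic account DN are placeholders copied from the slides, the bind password is deliberately left out of the sample, and the service account it represents should be a read-only, least-privilege account since its credentials live in the configuration.

```python
# Constructed sample mirroring the single-domain slide (placeholder domain, no real server).
# The LDAPInitialBindPassword line is intentionally omitted from the sample.
SINGLE_DOMAIN_KEYS = """
LDAPBindStyle: Two Step
LDAPInitialBindDN: cn=Username,dc=library,dc=somedomain,dc=edu
LDAPPortNo: 389
LDAPSearchFilter: userprincipalname=$uid@library.somedomain.edu
LDAPSearchPrefix: cn=
LDAPSearchScope: SubTree
LDAPSearchSuffix: dc=somedomain,dc=edu
LDAPSecureSSL: Yes
LDAPSecureSSLPort: 636
LDAPServerName: library.somedomain.edu
LDAPSupport: Yes
"""

# RFC 4515 escapes for characters that have meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_keys(text):
    """Parse 'Key: value' lines (the slide layout) into a dict; keys are kept verbatim."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def escape_filter_value(value):
    """Escape a value so it is matched literally when placed inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template, uid):
    """Replace $uid in the configured filter with the escaped logon name.

    Filters without surrounding parentheses (as on the single-domain slide) are
    wrapped so the result is always a syntactically complete filter.
    """
    filt = template.replace("$uid", escape_filter_value(uid))
    if not filt.startswith("("):
        filt = "(" + filt + ")"
    return filt


def effective_port(settings):
    """Port actually used: the SSL port when LDAPSecureSSL is Yes, else LDAPPortNo."""
    if settings.get("LDAPSecureSSL", "").lower() == "yes":
        return int(settings["LDAPSecureSSLPort"])
    return int(settings["LDAPPortNo"])


def classify_target(settings):
    """Tell a domain-controller configuration from a global-catalogue one by its port."""
    port = effective_port(settings)
    return "global catalogue" if port in (3268, 3269) else "domain controller"


def plan_two_step_bind(settings, uid):
    """Lay out the two-step bind the slides describe without contacting any server:
    1. bind as the generic service account (LDAPInitialBindDN),
    2. search LDAPSearchSuffix with the substituted filter for the patron's entry,
    3. (performed by the caller) bind with the DN found and the patron's password.
    """
    return {
        "server": settings["LDAPServerName"],
        "port": effective_port(settings),
        "target": classify_target(settings),
        "step1_bind_dn": settings["LDAPInitialBindDN"],
        "step2_search_base": settings["LDAPSearchSuffix"],
        "step2_search_scope": settings["LDAPSearchScope"],
        "step2_search_filter": build_search_filter(settings["LDAPSearchFilter"], uid),
    }


if __name__ == "__main__":
    plan = plan_two_step_bind(parse_keys(SINGLE_DOMAIN_KEYS), "jdoe")
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Run the block as-is to see the plan for the placeholder user jdoe; the multi-domain filter from the second slide works with build_search_filter unchanged because it already carries its outer parentheses.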
Active Directory User Attributes
• Label in AD Users and Computers → LDAP provider property name
  • User logon name → userPrincipalName
  • pre-Windows 2000 logon name → sAMAccountName
  • Account disabled? → userAccountControl
  • Logon Hours… → logonHours
  • Log On To… (Logon Workstations) → userWorkstations
  • User must change password at next logon → pwdLastSet
  • User cannot change password → userAccountControl
  • Password never expires → userAccountControl
  • Store password using reversible encryption → userAccountControl
  • Account expires end of (date) → accountExpires
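Four of the checkboxes above map to the single userAccountControl attribute, and the two date-like labels are stored as 64-bit FILETIME values rather than as dates, so a consumer of these attributes has to decode them before it can tell whether a patron should be allowed in. The following Python is an added example for this deck, not ILLiad code and not from the slides: it decodes the userAccountControl bits behind each label, converts accountExpires from FILETIME (100-nanosecond intervals since 1601-01-01 UTC, with 0 and 0x7FFFFFFFFFFFFFFF meaning "never"), treats pwdLastSet of 0 as "must change password at next logon", and combines the disabled bit with the expiry into one usability check. The bit values are Microsoft's documented userAccountControl flags; the sample record is constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (Microsoft's documented enumeration; only the common ones).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,  # defined in the enumeration; AD enforces it via an ACE
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "PASSWORD_EXPIRED": 0x800000,
}

# The slide's "AD Users and Computers" checkboxes that live in userAccountControl.
LABEL_TO_FLAG = {
    "Account disabled?": "ACCOUNTDISABLE",
    "User cannot change password": "PASSWD_CANT_CHANGE",
    "Password never expires": "DONT_EXPIRE_PASSWORD",
    "Store password using reversible encryption": "ENCRYPTED_TEXT_PWD_ALLOWED",
}

NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never"
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_uac(value):
    """Return {flag_name: bool} for every flag in UAC_FLAGS."""
    return {name: bool(value & bit) for name, bit in UAC_FLAGS.items()}


def checkbox_state(value):
    """Return the slide's checkbox labels with their on/off state for a userAccountControl value."""
    flags = decode_uac(value)
    return {label: flags[flag] for label, flag in LABEL_TO_FLAG.items()}


def filetime_to_datetime(value):
    """Convert a FILETIME (100-ns intervals since 1601-01-01 UTC) to an aware datetime.

    Returns None for the two sentinel values that mean "never expires".
    """
    if value in NEVER_EXPIRES:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=value // 10)


def must_change_password(pwd_last_set):
    """'User must change password at next logon' is stored as pwdLastSet == 0."""
    return pwd_last_set == 0


def account_usable(uac, account_expires, now=None):
    """Gate a login on the disabled bit and the expiry timestamp (both from the table above)."""
    now = now or datetime.now(timezone.utc)
    if decode_uac(uac)["ACCOUNTDISABLE"]:
        return False
    expires = filetime_to_datetime(account_expires)
    return expires is None or expires > now


# Constructed sample record; values chosen for the demonstration, not read from a directory.
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "userAccountControl": 0x10202,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
    "pwdLastSet": 0,
    "accountExpires": 0x7FFFFFFFFFFFFFFF,
}


if __name__ == "__main__":
    user = SAMPLE_USER
    for label, state in checkbox_state(user["userAccountControl"]).items():
        print(f"{label}: {'checked' if state else 'unchecked'}")
    print("must change password:", must_change_password(user["pwdLastSet"]))
    print("expires:", filetime_to_datetime(user["accountExpires"]))
    print("usable:", account_usable(user["userAccountControl"], user["accountExpires"]))
```

Because the sample user carries the ACCOUNTDISABLE bit, account_usable reports it as not usable even though the account never expires; clearing that bit (0x10200) flips the result.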
Resources
• Active Directory Attributes: http://www.rlmueller.net/UserAttributes.htm
• ILLiad Customization: http://a4567.bates.edu/wiki/ILLiadCustomization
• Windows 2000 LDAP Authentication: http://www.stbernard.com/products/docs/ip_technotes/ldapwin2k.pdf