Active Directory Authentication using OpenLDAP - c

I am writing an authentication module in C to authenticate users using Active Directory Service and get that user's group list (i.e. the memberOf attribute).
I have only the Active Directory Server URI and the DOMAIN\Username and Password that the user uses to log in to a Windows workstation (Windows is configured to connect to the same Active Directory Service for authentication).
The program that requires the above authentication module is written in C for a Linux platform and can use OpenLDAP for communicating with AD service.
Is there a way to do this?
It is preferred if the solutions provided do not require a directory-wide search for the user's directory entry after the LDAP bind (most certainly not a search that may result in multiple entries).
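An added example in C (not part of the original question) covering the parts of this flow that can be checked without a domain controller. It assumes libldap for the network steps, which are not shown here: ldap_sasl_bind_s() with LDAP_SASL_SIMPLE and the user's own DOMAIN\user string as the bind name (AD accepts this form), then ldap_search_ext_s() under the domain's defaultNamingContext with the filter built below, requesting only memberOf. The escaping stops a user-supplied name from altering that filter, and the empty-password check matters because LDAP treats a name with an empty password as an anonymous bind that succeeds.

```c
#include <stdio.h>
#include <string.h>
/* RFC 4515 filter escaping, so a login like "x)(memberOf=*" cannot rewrite the filter. */
static int ldap_filter_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (o + 3 >= outlen) return -1;
            o += (size_t)snprintf(out + o, outlen - o, "\\%02x", (unsigned)c);
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Split "DOMAIN\user" into its parts; any other shape is rejected. */
static int split_domain_user(const char *login, char *domain, size_t dlen,
                             char *user, size_t ulen)
{
    const char *bs = strchr(login, '\\');
    if (!bs || bs == login || bs[1] == '\0' || strchr(bs + 1, '\\')) return -1;
    size_t dn = (size_t)(bs - login);
    if (dn >= dlen || strlen(bs + 1) >= ulen) return -1;
    memcpy(domain, login, dn); domain[dn] = '\0';
    strcpy(user, bs + 1);
    return 0;
}

/* Never bind with an empty password: LDAP treats "name + empty password"
 * as an unauthenticated (anonymous) bind, and it succeeds. */
static int credentials_usable(const char *login, const char *password)
{
    char d[64], u[64];
    return password && *password && split_domain_user(login, d, sizeof d, u, sizeof u) == 0;
}

/* Post-bind lookup filter for the user's own entry: sAMAccountName is unique
 * within a domain, so this returns at most one entry under defaultNamingContext. */
static int build_user_filter(const char *user, char *out, size_t outlen)
{
    char esc[256];
    if (ldap_filter_escape(user, esc, sizeof esc) != 0) return -1;
    int n = snprintf(out, outlen, "(&(objectClass=user)(sAMAccountName=%s))", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```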

Related

Nextcloud with Samba via LDAP

I want to connect my Samba Active Directory server with my Nextcloud. I can't find ANY information on whether samba4 has LDAP or not, or how I could install OpenLDAP with it so that my Active Directory accounts and passwords are the same as in Nextcloud.
How to configure LDAP on a Samba4 Active Directory Server?
• Samba4 does have support for LDAP server but it has to be integrated with Active Directory or OpenLDAP to provide a schema and other related attributes to be used with other applications dependent on it for authentication.
• And since configuring OpenLDAP as a backend for the Samba4 server is considered legacy, because it is best integrated with its own LDAP server in AD mode. But still, if you want to configure OpenLDAP in the backend with Active Directory providing authentication to external applications, the directory schema will still be the AD schema. So you will have to update external applications accessing the directory, such as you must do when you use the Samba internal LDAP server. Additionally, you will have to import attributes manually from the old LDAP server that are not included in the AD schema. Even so, if you want to configure OpenLDAP as the backend with Active Directory, please find the detailed steps in the link below:
https://ubuntu.com/server/docs/samba-openldap-backend
• Also, please note that it is not planned to support OpenLDAP as a backend for Samba AD, as a significant part of the complexity of the AD DC is in the LDB modules; creating a general-purpose OpenLDAP back end requires rewriting many of these modules as OpenLDAP overlays, outside the standard Samba programming environment. Specific problems include the metadata required for both DRS replication and dirsync, schema manipulation, transactions, and access control lists. Please find the below link for detailed steps on configuring an AD DC on a Samba4 server and integrating it with the internal LDAP server:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
• Also, on connecting your Samba4 AD server with Nextcloud, you can do so readily, as Nextcloud ships with an LDAP application that allows LDAP users (including Active Directory) to appear in your Nextcloud user listings and authenticate to Nextcloud with their LDAP credentials, so you don't have to create separate Nextcloud user accounts for them. Please find the below link for detailed information on its configuration:
https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html

How does ADFS communicate with AD?

How does Active Directory Federation Services (ADFS) connect to a classic on-premise Active Directory Domain Services, simply known as AD?
Is it via the protocol HTTP?
AD FS connects to AD as a "standard" Active Directory supplicant for Username/Password or Certificate Authentication, and as a Kerberos relying party for Kerberos authentication. This means that it uses a variety of protocols to authenticate clients and retrieve user information. Primarily, Kerberos is used for authentication and LDAP is used for user attribute retrieval.
The full list of ports used for AD Directory Services is quite long, and can be found at Service overview and network port requirements for Windows - Active Directory.
Generally, the AD and AD FS servers are considered to be on the same security level. ADFS Proxies (which are essentially layer-7 firewalls in their own right) are used in the DMZ to provide insulation between active directory and a potential attacker.

Active Directory usage by ADFS, LDAP

I have a few very specific questions to come to an understanding of Active Directory usage:
ADFS are the services/software to enable SSO login to applications using a single url for users stored in Active Directory. Right?
LDAP is a protocol that exposes other functionalities like fetching users, deleting a user, authenticating a user via the bind method, etc., for entries stored in Active Directory. Right?
Then can't LDAP and ADFS both work on the same Active Directory? This link:
LDAP support in ADFS got me confused, in that it is referring to LDAP and AD as separate entities.
Can't I apply both the mechanisms on same AD? I only have knowledge of LDAP. Trying to learn ADFS.
ADFS provides SSO capabilities for SaaS services and Modern LOB applications. Traditionally, it uses identities stored in Active Directory Domain Services to validate the credentials for a user. In 2016, we also added support to include identities stored in any 3rd party LDAP directory.
Irrespective of where the identity is stored ADFS offers SSO across the applications that trust it.
Hope this clarifies.
Thanks //Sam (Twitter: #MrADFS)
AD stores users, groups and credentials.
To access an attribute in AD, you use the LDAP protocol via e.g. the C# Directory Services API.
ADFS handles authentication against AD and also adds a federation layer on top of AD.
The correct way to access AD attributes via ADFS is to use claims-based authentication whereby you configure ADFS to provision the attributes (as claims) into the token and then extract them on the client side.

Difference between an AD server and a CAS server

This is perhaps a dumb question, but I am entirely new in this area and I apologize in advance if it is.
I understand the relationship between Active Directory and LDAP (i.e. LDAP is a protocol that a database based system like Active Directory may use to perform authentication tasks).
However, what does a Central Authentication Service (CAS) Server need to have in addition to an AD to support SSO? Essentially, I'm trying to find out what's the difference between an LDAP server that runs AD and a CAS server.
Essentially Active Directory is a directory server by Microsoft that is accessible over LDAP. LDAP is an open standard protocol for accessing directory servers.
CAS is a server for authenticating users and providing single sign on across disparate clients. CAS can use Active Directory as a source for authentications. CAS can also use LDAP to authenticate users against LDAP capable directory servers.
Have you seen this page? It will hopefully illustrate the overall architecture for you.
https://apereo.github.io/cas/4.2.x/planning/Architecture.html

Windows Phone 8 and Active Directory Authentication

I have a Windows Phone 8 app; I want to link the app users' accounts with their accounts in an Active Directory.
Is there a way/SDK/service that enables the users to communicate with the Active Directory server to make use of the roles and identities?
thanks
A newer approach is to use Azure Active Directory to host (or mirror) your AD roles and identities then make them accessible via an API for apps to consume...
Setting up an Active Directory Forest in Azure
Setting up REST Services (can be used with Windows Store apps)
Calling REST Services from a Windows Phone 8 app
Other options include...
Exposing and communicating with Active Directory's LDAP service
Using LDAP Authentication with PHP for Active Directory