IBM WebSphere Portal & multiple Active Directories with trusted relationship - active-directory

There are two Active Directory user registries with a trust relationship, where users of one directory are included in the groups of another directory. I need to configure IBM WebSphere Portal 6.1 on WAS7 so that it uses those related directories. But when a federated repository is configured and I try to find users via a group, only those users who are in the same directory as the group are found. It works as if the registries were independent, without the trust relationship.
Is it possible to configure the portal server so that it understands the trust relationship between the user registries?

The solution was to use the Global LDAP search port 3268 (3269) instead of the default LDAP ports 389 (636), together with a standalone repository.

Enable following referrals for both the WAS security settings and WIM. You will have to edit security.xml and wimconfig.xml manually to accomplish all the required changes.

Related

Can you sync different AD domains under one Azure AD domain?

My problem is that we have 2 On-Premises Active Directory domains:
mycompany.com
mycompany-dev.com
Some people are present in both of these ADs. I want to sync them with Azure Active Directory so that they are all represented once, and all have the #mycompany.com suffix (instead of #mycompany.onmicrosoft.com). I also don't want some users to have #mycompany-dev.com in their Azure AD account login name, so I want to do some sort of mapping, I guess.
Is this possible with Azure AD Connect, or do I have to implement a synchronization method manually?
You can sync multiple on-premises domains to Azure AD. Kindly check the link; it gives detailed information about the different topologies supported.

May I sync users/groups from Active Directory through SCIM (or any protocol)?

I found it's possible to sync users/groups from Azure AD to a local app through SCIM. But it seems not available in local AD, and seems not available in ADFS.
How can I sync from local AD, or are there any tools I can use?
You would need a SCIM Product which you can create yourself or Purchase from several vendors.
Assuming you wish to take entries out of your local Microsoft Active Directory and "SCIM Them" into something else, you would probably want a SCIM Client and then put them into your SCIM Service Provider.
You would need to use something to get the entries out of Microsoft Active Directory and then use SCIM to put them into ???.
You could also use the Microsoft DirSync Control using LDAP
There are many IDM vendors that create products with this functionality.

SonarQube groups along with LDAP AD groups are overriding all membership locally configured in SonarQube

We are using LDAP plugin v1.4 & SonarQube v4.5.7.
LDAP user configuration is working fine, but if we enable group configuration it overrides all membership locally configured in SonarQube, including the default local groups – sonar-users, sonar-administrators (these 2 groups are not available in Active Directory, and are practically tough to manage in our LDAP setup). No new users are added to the sonar-users group automatically, and added users are removed when they log in.
Because of this, new users are not able to log in to Sonar until an admin configures the AD group they are part of in the Sonar backend. Is there any solution to handle this?
Also, in this scenario,
1. Is there a way to exclude these 2 groups from the AD sync-up?
2. How can users be added automatically to sonar-users with the AD group configuration?
Our LDAP settings are the standard settings available in the LDAP plugin documentation.
Thanks a lot for any help on this topic.
As described in the docs (emphasis added),
When group mapping is configured (i.e. the below ldap.group.* properties are configured), membership in the LDAP server will override any membership locally configured in SonarQube. The LDAP server becomes the one and only place to manage group membership (and the info is fetched each time the user logs in).
To turn group mapping off, remove the ldap.group.* properties.

Import ActiveDirectory LDIF into OpenDJ/OpenDS?

I need to test an LDAP synchronization service.
For that reason, I've installed OpenDJ (formerly OpenDS) LDAP server on my developer machine (ApacheDS requires admin privileges for starting/stopping a service - I don't have them & I don't get them).
OpenDS allows me to populate the LDAP with 2000 sample entries.
Unfortunately, they aren't very AD conformant:
I need an ActiveDirectory properties structure:
I used an LDIF-generator from here to generate the ActiveDirectory entries.
Then I tried importing them with Apache Directory Studio:
But on importing, I get this error: [LDAP: error code 65 - Entry cn=Trang Eastus,ou=Product Testing,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute sAMAccountName which is not allowed by any of the objectclasses defined in that entry]
How can I import an ActiveDirectory schema with Apache Directory Studio?
Or, more generically asked, how can I get these entries in there, ASAP?
Active Directory attribute types are not standard, so they do not come bundled in OpenDJ.
So you first need to modify OpenDJ's schema to allow adding Active Directory attributes.
I suspect you would have the same kind of problems with other LDAP servers like OpenLDAP.
I don't think Active Directory exposes its schema in an LDAP compliant way. What most users are doing when synchronizing data between AD and other LDAP servers such as OpenDJ is mapping AD attributes and objectclasses to LDAP attributes and objectclasses.
This said, you should be able to reconstruct a "user" LDAP objectclass based on Microsoft documentation of their schema. The best source I found is this table: http://www.kouti.com/tables/userattributes.htm. I don't think anyone has been down that route.
Beware, in the LDAP world, the hierarchy of person objectclasses is person, organizationalPerson, inetOrgPerson. In the MS AD world, the objectclass user is in the middle: person, organizationalPerson, user, inetOrgPerson.
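As an added example (not part of the original answer), a minimal OpenDJ schema extension that defines the two AD attributes generated user entries usually carry and a user objectclass placed where AD puts it in the hierarchy, followed by a test entry shaped like the one in the error message. The OIDs are Microsoft's published ones for these attributes and the class; the entry values are constructed.

```ldif
# Schema extension: apply with ldapmodify against cn=schema (OpenDJ's online schema).
# OIDs are the ones Microsoft publishes for these AD attributes and this class.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE
  X-ORIGIN 'Microsoft Active Directory' )
attributeTypes: ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE
  X-ORIGIN 'Microsoft Active Directory' )
-
add: objectClasses
# AD's hierarchy is person -> organizationalPerson -> user (-> inetOrgPerson),
# so 'user' extends organizationalPerson here as well.
objectClasses: ( 1.2.840.113556.1.5.9 NAME 'user'
  SUP organizationalPerson STRUCTURAL
  MAY ( sAMAccountName $ userPrincipalName )
  X-ORIGIN 'Microsoft Active Directory' )

# Constructed test entry in the shape the generator produced; it now passes
# schema checking because 'user' allows sAMAccountName.
dn: cn=Trang Eastus,ou=Product Testing,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Trang Eastus
sn: Eastus
sAMAccountName: teastus
userPrincipalName: teastus@example.com
```

Entries generated with inetOrgPerson as their structural class still fail, because OpenDJ's inetOrgPerson derives from organizationalPerson, not from user; either add user to those entries' objectClass chain or give them a structural class that allows the AD attributes.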

Programmatically set connectionString for ActiveDirectoryMembershipProvider

One can use
new PrincipalContext(ContextType.Domain,null)
without providing any connection strings for the Active Directory.
When using ActiveDirectoryMembershipProvider you must provide an LDAP endpoint in web.config.
The site I'm working on will be deployed on multiple sites and I don't want to have to fill in the details in the web.config for each deployment.
How To: Use Forms Authentication with Active Directory in Multiple Domains on MSDN specifies 3 (!) membership providers to deal with 3 domains, which is not impressive. However, this article is from 2005 and it deals with a different task than what I'm after.
The question:
Is it possible to use ActiveDirectoryMembershipProvider in a way that the LDAP endpoint is not hard-coded in the web.config?
I would prefer to use ActiveDirectoryMembershipProvider rather than PrincipalContext to have (potentially) the ability to call ChangePassword etc.
No, it is not possible to use ActiveDirectoryMembershipProvider without specifying a target LDAP server.
The connection string must be specified, and the string must contain a server (contains ADS_FORMAT_SERVER):
You must create a connectionStrings Element (ASP.NET Settings Schema) entry in the Web.config file that identifies the Active Directory server, Active Directory domain, or ADAM application partition to use. The provider will only operate at domain scope, or in a subscope within a domain.
If you want to support an Active Directory forest, and losing forms authentication is an option, consider using Windows Authentication. Windows Authentication will use NTLM and Kerberos to get the user's identity within a forest, and you can still change a user's password via impersonation. See WindowsIdentity.Impersonate().