LinuxQuestions.org


loadedmind 11-09-2011 10:19 AM

Authenticating against AD from accounts created via website
 
Hi all. I have a bit of a unique issue (or not) and wanted to ask the community if anyone may have a solution. This is going to be a long one, so please bear with me.

First, users will visit a website and register using their email address as the username, and whatever password they wish, of course. We'd like to use an authentication service, such as Active Directory, to grant them access to apps via Terminal Services (which is replacing Citrix) which will serve up the necessary content for these folks. The reason it has to go through the extra layer of authentication is for this ability to launch applications as requested through a web interface. Once the user successfully logs on, if we have deemed that user should have permission, they'll tie into Active Directory which then grants the Terminal Services app. The web server that serves this web interface is RedHat so Apache will send the query to AD (Windows 2008 R2). So, I went into Active Directory and enabled the Identity Management for Unix service/role/feature. Still haven't quite ironed out that process, but, for now at least, it seems that the issue is that somehow the auth method is forcing Windows 2000 logon criteria which limits the username to 20 characters. Since a domain was established, there are also two @ symbols to contend with which complicates things further as this is not well tolerated. Our dev seems to think it should be a fairly easy thing to convert the first @ symbol to an underscore, but this is still creating problems when handed off to AD because it's forcing that Windows 2000 limitation.

If anyone has any input/suggestions, it would be much appreciated. At this point, we're fairly certain we'll have to stick with AD because it seems so much cheaper to move to Terminal Services over Citrix to present requested apps to the user, but we're open to any/all feedback.

Thanks for your time.

kbscores 11-09-2011 01:27 PM

Not 100% familiar with authentication and websites however Active Directory plays nice with LDAP. I know there is a mod for apache servers called mod_auth_ldap. It might be worth the time to look into and see if you can't use ldap to interface with active directory. If I am reading this correctly. Sorry if I am not.

I also know there are several configurations on a linux box as well as utilities necessary to allow active directory - for example winbind, nsswitch - etc...

kbscores 11-09-2011 01:29 PM

After looking some more I found this web site about mod_ldap_auth. It might be helpful.

http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html

loadedmind 11-09-2011 05:02 PM

Our dev already has that module installed, but it seems that, for whatever reason, they can't get past a limitation somehow indirectly imposed on the accounts created in AD. Somehow it's forcing Windows 2000 logon names, which have a 20-character limit. So, we're having to contend with that as well as the fact that AD doesn't seem to work like LDAP does in that one is able to create containers that can be associated with other TLDs.
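The 20-character "Windows 2000 logon name" the thread keeps running into is the sAMAccountName attribute. AD also stores a userPrincipalName (UPN), which has the form user@suffix and can be set to the registered email address once that email's domain is added as an alternative UPN suffix in Active Directory Domains and Trusts. Apache can then search on userPrincipalName (or on mail) instead of sAMAccountName, so the full email works as the login name and the 20-character field only has to hold some short, unique, generated id. The configuration below is an added illustration of that approach, not configuration posted by anyone in this thread; it assumes Apache 2.2 with mod_authnz_ldap and mod_ldap loaded, a domain controller named dc1.example.com, a base DN of DC=example,DC=com, a read-only service account for the bind, and a group that gates access, all of which are placeholders.

```apache
# Load the LDAP modules (paths are the usual ones on RHEL 5/6 and are assumed here).
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Trust the CA that signed the domain controller's certificate so the
# bind goes over LDAPS rather than sending passwords in clear text.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-root-ca.pem   # placeholder path

<Location /apps>
    AuthType Basic
    AuthName "Application Portal"
    AuthBasicProvider ldap

    # Search on userPrincipalName, so the full email address is the login name.
    # The attribute before the first '?' is the one matched against the
    # username the browser sends; swap it for "mail" if the UPN cannot be set
    # to the email address in your forest.
    AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?userPrincipalName?sub?(objectClass=user)" NONE

    # Read-only service account used only to locate the user object; the
    # user's own password is then verified by a second bind as that user.
    AuthLDAPBindDN       "CN=svc-web-ldap,OU=Service Accounts,DC=example,DC=com"   # placeholder
    AuthLDAPBindPassword "set-from-a-secrets-store-not-in-the-config"              # placeholder

    # Only members of the portal group get through; everyone else is denied
    # even if their password is correct.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=Portal Users,OU=Groups,DC=example,DC=com   # placeholder group
</Location>
```

Two things to check when wiring this up: the account-creation code still has to populate sAMAccountName with a value of 20 characters or fewer that is unique in the domain (a generated id is fine, since nobody types it), and the UPN suffix for the email domain must exist in the forest before a userPrincipalName using it can be set. The second bind that verifies the user's password is done by mod_authnz_ldap with the DN it found in the search, so the web tier never needs write access or a privileged service account.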

loadedmind 11-16-2011 01:07 PM

Or would this question be better served in another forum?

kbscores 11-17-2011 11:07 AM

Try Enterprise Linux. I'm going to consult a developer here that works w/web authentication. I believe they use a similar setup for authentication.

loadedmind 11-29-2011 10:24 AM

Thanks kb. Because we haven't been able to find a viable solution in the Linux realm, it appears as though we're moving off of Red Hat and onto a Microsoft-only solution, which is IIS/Tomcat. If nothing else, it may end up becoming less of an administrative burden since technical resources will be limited. I'd still be interested in the outcome of your conversation with your dev.
