Authentication - AD/NT vs. LDAP?

Contributor

I'm evaluating an SA appliance and we want to do domain authentication (by "domain" I simply mean we use Active Directory).

I notice there are options to do "proper" AD/NT authentication where the SA joins the domain, which is what I have it set up with right now, and I notice you can do LDAP authentication where you'd point it to your domain controllers, set your base DNs and away you go presumably.

My question is, why is one "better" than the other?

For example, I'd really like to be able to limit the base DN so that only users in OUs under a certain parent OU could log in, and I don't seem able to do this using AD authentication, whilst I can do it using LDAP authentication.

I guess there are pros and cons to both; I'm unsure what they are in the real world, though.

5 REPLIES
Valued Contributor

Re: Authentication - AD/NT vs. LDAP?

AD authentication and authorization is very limited, especially on the authorization component, where you're limited to groups. Using LDAP gives you a LOT more flexibility. You can map and use pretty much any user attribute you want for the role assignment piece.

I am sure there is some reason for using AD, but I can't think of it :)

We are a reseller and we pretty much always use LDAP on our installs.

Contributor

Re: Authentication - AD/NT vs. LDAP?

Thanks for the reply. I'm trying to set this up (to be fair, I've not spoken to the reseller yet) and I'm nearly there, but I'm missing a trick.

We have a domain, "DC=domain,DC=co,DC=uk" so far as everything else that uses LDAP is concerned.

Within that we have OUs such as:

"OU=Users,DC=domain,DC=co,DC=uk"

and

"OU=Groups,DC=domain,DC=co,DC=uk"

which also contain OUs, so our actual staff may be in

"OU=Staff,OU=Users,DC=domain,DC=co,DC=uk"

and our groups in

"OU=Global Groups,OU=Groups,DC=domain,DC=co,DC=uk".

I seem to have managed to get authentication working, but as an example I can't browse/search groups when doing role mapping. I clearly have it set up wrong, but I'm not quite sure from the documentation what is "right"?

Message Edited by hutchingsp on 05-13-2009 09:51 AM
Valued Contributor

Re: Authentication - AD/NT vs. LDAP?

Send me your email in a private message and I can send you some screen shots of a simple LDAP setup that might help.

Contributor

Re: Authentication - AD/NT vs. LDAP?

Thanks Kevin. Just in case anyone else finds themselves in a similar predicament, it was a missing "member" in the "Member Attribute" in the groups search fields.
Contributor

Re: Authentication - AD/NT vs. LDAP?

When running LDAP, you have to add AD groups to the "Groups Catalog": in Role Mapping, Groups, Add a group. In the catalog screen, you need to do a search, find the group you want, then add it to the Catalog. If you set your nesting parameter in the LDAP authentication, it will expand any nested groups automatically.
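The three things this thread turns on, limiting logins to a subtree by base DN, the "member" attribute in the group search, and nested-group expansion, modelled in an added Python example. This is not code from the original posts or from the appliance vendor; it is an in-memory stand-in for the directory. The entries, user names and group names are constructed for illustration, following the OU layout given above. The search filters it builds are what a real LDAP client would send; the 1.2.840.113556.1.4.1941 matching rule in nested_group_filter is Active Directory's server-side equivalent of the appliance's nesting option, and the RFC 4515 escaping keeps a login name from rewriting the filter.

```python
"""
Constructed model of the AD tree described in the thread: base-DN scoping,
user lookup, group membership via the "member" attribute, nested expansion.
"""
from typing import Dict, List, Optional, Set

# Constructed directory: DN -> attributes (real AD entries carry far more).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=alice,OU=Staff,OU=Users,DC=domain,DC=co,DC=uk": {
        "objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=bob,OU=Contractors,OU=Users,DC=domain,DC=co,DC=uk": {
        "objectClass": ["user"], "sAMAccountName": ["bob"]},
    "CN=svc-backup,OU=Service Accounts,DC=domain,DC=co,DC=uk": {
        "objectClass": ["user"], "sAMAccountName": ["svc-backup"]},
    "CN=VPN Users,OU=Global Groups,OU=Groups,DC=domain,DC=co,DC=uk": {
        "objectClass": ["group"],
        "member": ["CN=IT Staff,OU=Global Groups,OU=Groups,DC=domain,DC=co,DC=uk",
                   "CN=bob,OU=Contractors,OU=Users,DC=domain,DC=co,DC=uk"]},
    "CN=IT Staff,OU=Global Groups,OU=Groups,DC=domain,DC=co,DC=uk": {
        "objectClass": ["group"],
        "member": ["CN=alice,OU=Staff,OU=Users,DC=domain,DC=co,DC=uk"]},
}


def normalize_dn(dn: str) -> str:
    """Case-fold and drop whitespace around commas so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_scope(dn: str, base_dn: str) -> bool:
    """Subtree scope: the entry is the base itself or sits anywhere beneath it."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return d == b or d.endswith("," + b)


_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for values placed in a filter, so a login name such
    as '*)(objectClass=*' cannot change what the search matches."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Filter an appliance sends to locate the account that is logging in."""
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(sam_account_name)}))"


def nested_group_filter(user_dn: str) -> str:
    """AD-only: LDAP_MATCHING_RULE_IN_CHAIN lets the server walk nesting."""
    return (f"(&(objectClass=group)"
            f"(member:1.2.840.113556.1.4.1941:={ldap_escape(user_dn)}))")


def find_user(sam_account_name: str, base_dn: str) -> Optional[str]:
    """Search only the subtree under base_dn. A valid account that lives
    outside it is simply never found, which is what restricts who can log in."""
    wanted = sam_account_name.lower()
    for dn, attrs in DIRECTORY.items():
        if not in_scope(dn, base_dn):
            continue
        if "user" in attrs.get("objectClass", []) and any(
                v.lower() == wanted for v in attrs.get("sAMAccountName", [])):
            return dn
    return None


def expand_groups(member_dn: str, group_base_dn: str, nested: bool = True,
                  member_attribute: str = "member") -> Set[str]:
    """Groups under group_base_dn whose member_attribute lists member_dn.
    With nested=True, groups that contain those groups are added too (the
    nesting parameter); the found set also guards against membership loops.
    A wrong member_attribute (the thread's mistake) matches nothing at all."""
    found: Set[str] = set()
    pending = [member_dn]
    while pending:
        target = normalize_dn(pending.pop())
        for dn, attrs in DIRECTORY.items():
            if dn in found or not in_scope(dn, group_base_dn):
                continue
            if "group" not in attrs.get("objectClass", []):
                continue
            members = {normalize_dn(m) for m in attrs.get(member_attribute, [])}
            if target in members:
                found.add(dn)
                if nested:
                    pending.append(dn)
    return found


if __name__ == "__main__":
    staff_base = "OU=Staff,OU=Users,DC=domain,DC=co,DC=uk"
    group_base = "OU=Groups,DC=domain,DC=co,DC=uk"
    for name in ("alice", "bob", "svc-backup"):
        dn = find_user(name, staff_base)
        print(f"{name:>10}: {dn or 'not found under base DN, login denied'}")
        if dn:
            print("    groups:", sorted(expand_groups(dn, group_base)))
            print("    filter:", nested_group_filter(dn))
```

Run stand-alone it shows that only alice is admitted under the Staff base DN, that her role-mapping groups include VPN Users only because nesting is on, and that pointing the group search at the wrong member attribute (or leaving it blank) returns no groups, which is the symptom reported above.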