I'm evaluating an SA appliance and we want to do domain authentication (by "domain" I simply mean we use Active Directory).
I notice there are options to do "proper" AD/NT authentication where the SA joins the domain, which is what I have it set up with right now, and I notice you can do LDAP authentication where you'd point it to your domain controllers, set your base DNs and away you go presumably.
My question is, why is one "better" than the other?
For example I'd really like to be able to limit the base DN so that only users in OUs under a certain parent OU could log in, and I don't seem able to do this using AD authentication whilst I can do it using LDAP authentication.
I guess there are pros and cons to both, I'm unsure what they are in the real-world though?
AD authentication and authorization is very limited. Especially on the authorization component where you're limited to groups. Using LDAP gives you a LOT more flexibility. You can map and use pretty much any user attribute you want for the role assignment piece.
I am sure there is some reason for using AD, but I can't think of it
We are a reseller and we pretty much always use LDAP on our installs.
Thanks for the reply. I'm trying to set this up (to be fair I've not spoken to the reseller yet) and I'm nearly there but I'm missing a trick.
We have a domain, "DC=domain,DC=co,DC=uk" so far as everything else that uses LDAP is concerned.
Within that we have OUs such as:
"OU=Users,DC=domain,DC=co,DC=uk"
and
"OU=Groups,DC=domain,DC=co,DC=uk"
which also contain OUs, so our actual staff may be in
"OU=Staff,OU=Users,DC=domain,DC=co,DC=uk"
and our groups in
"OU=Global Groups,OU=Groups,DC=domain,DC=co,DC=uk".
I seem to have managed to get authentication working, but as an example I can't browse/search groups when doing role mapping - I clearly have it set up wrong but I'm not quite sure from the documentation what is "right"?
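Since the sticking point is which base DN governs which lookup, here is an added Python example (not the SA's own code and not from anyone in this thread) that models a base-DN-scoped check offline: it tests whether a user's DN falls under the permitted user OU and which of that user's groups a search scoped to the group base DN would actually see. The directory contents, user names and group names are constructed; only the OU layout is taken from the post above.

```python
import re

# Base DNs from the post above: only users under OU=Users may log in,
# and only groups under OU=Global Groups are considered for role mapping.
USER_BASE = "OU=Users,DC=domain,DC=co,DC=uk"
GROUP_BASE = "OU=Global Groups,OU=Groups,DC=domain,DC=co,DC=uk"

# Constructed sample directory (not real data): user DN -> memberOf values.
DIRECTORY = {
    "CN=Alice,OU=Staff,OU=Users,DC=domain,DC=co,DC=uk": [
        "CN=VPN Users,OU=Global Groups,OU=Groups,DC=domain,DC=co,DC=uk",
        "CN=Printer Admins,OU=Local Groups,OU=Groups,DC=domain,DC=co,DC=uk",
    ],
    # An escaped comma inside the CN, as AD emits for "Surname, Forename".
    "CN=Smith\\, Bob,OU=Staff,OU=Users,DC=domain,DC=co,DC=uk": [
        "CN=VPN Users,OU=Global Groups,OU=Groups,DC=domain,DC=co,DC=uk",
    ],
    # Outside OU=Users, so must be refused even though the group matches.
    "CN=Carol,OU=Contractors,DC=domain,DC=co,DC=uk": [
        "CN=VPN Users,OU=Global Groups,OU=Groups,DC=domain,DC=co,DC=uk",
    ],
}

def parse_dn(dn):
    """Split a DN into normalised (attribute, value) RDN pairs.
    Commas escaped with a backslash (RFC 4514) stay inside the value;
    names and values are lower-cased and stripped because AD returns
    DNs with varying case, and a plain string comparison would miss them."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",").lower()))
    return pairs

def is_under(entry_dn, base_dn):
    """True when entry_dn lies strictly inside the subtree rooted at base_dn."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) > len(base) and entry[len(entry) - len(base):] == base

def mappable_groups(user_dn, user_base, group_base, directory=DIRECTORY):
    """Return the (lower-cased) group CNs a role-mapping rule can use for
    user_dn, or None when the user is outside user_base and must be refused.
    Groups outside group_base are dropped: that is exactly what makes them
    invisible when a group search is scoped to the wrong base DN."""
    if not is_under(user_dn, user_base):
        return None
    return [parse_dn(g)[0][1] for g in directory.get(user_dn, [])
            if is_under(g, group_base)]

if __name__ == "__main__":
    for dn in DIRECTORY:
        print(dn, "->", mappable_groups(dn, USER_BASE, GROUP_BASE))
```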
Send me your email in a private message and I can send you some screen shots of a simple LDAP setup that might help.