LDAP and Windows ADDS

Contains tips for configurators working with Aware IM
Post Reply
craigd
Posts: 17
Joined: Fri Nov 16, 2018 7:07 am
Location: Canada

LDAP and Windows ADDS

Post by craigd »

(my first post!)
Wanted to share my experiences with LDAP. I run an enterprise IT environment (~450 staff, ~1400 students). Yes, … it's a school board. I have multiple AwareIM BSVs all referencing the same user environment.


LDAP to find users
I'll try to not duplicate the user guide but rather to point out the steps I took that might not be mentioned.
In this scenario you want AwareIM to FIND users in AD rather than in an existing BO (like say the RegularUser BO).
First in AD I need to create a special LDAP user that I will use to both BIND and SEARCH in AD. Create a standard user object and create a new security group - called ldapbindusers. Add the new user to this group. Then make this the primary group and remove the user from the 'domain user' group. This way the special LDAP doesn't have standard AD permissions. Next I created the LDAPUser BO, set persistence to LDAP, set the servername/binduser credentials and choose the correct DN and parent DN. Bingo.

I can now create a query to look up these users, etc.

However, this isn't all there is. There are a few problems.
1) no security. the connection between AwareIM and AD is not encrypted. Seems that AwareIM doesn't allow for SSL LDAP (port 636). So use stunnel. Set up an stunnel between the AD/LDAP server and the AwareIM server. See stunnel for further details. Now the path is encrypted. Good, my user details (and later passwords) are not in the wild.

2) my LDAP users exist in AwareIM but they're not quite right. Let's say I need to reference an LDAP user (maybe a student for an incident form) but don't need this student to ever log in. But I want to send this student an email. Hmmm, .. the SEND rule doesn't allow me to specify the TO: address. SEND expect to find the TO: field called EmailAddress in the BO. But LDAP users don't have a field called EmailAddress. They have a 'mail' property and some others that might hold an address (proxy,... UPN, etc), but I can't reference them in the SEND rule. So one option is to use the RegularUser object and populate it with the LDAP user's properties. That gets a bit tricky. Now when I look up a user for the aforementioned incident form, I have to decide to look up in RegularUser or 'add' the user with an LDAP lookup (plus process to create a RegularUser BO based on the successful LDAP lookup). But I don't do this just once, I have 4 places where I can add LDAP users. This gets messy quickly.

3) I proceed down an alternate path. I setup a powershell script to run nightly to export a list of all my AD user objects into a CSV file. The PS script runs with the LDAP bind user credentials. I then have a scheduled process import these user's nightly. The users are imported directly into the RegularUser BO and I use the ObjectGUID identifier in AD as the key in the RegularUser BO. Now anywhere in my application where I need to lookup a user I can just use the RegularUser BO and I can also send them email.

LDAP to login
4) Lastly, I set up login via AD/LDAP. No surprise here. This works fine after I've created all the LDAP user's stuff above. One item that isn't noted in the documentation, is that when identifying the LDAP user name attribute we are also selecting the attribute users will log in with as their USER name. I settled on UserPrincipalName (which in my case is also the user's email address) as I want to some day move to SAML login and the UserPrincipalName property will be the claim sent from the SAML IdP indentifying the user.

So, couple of comments that I'll add to the 8.3/9.0 wish list:
1. SSL support for LDAP
2. SEND rule supports TO: expression
3. Centralize LDAP/SAML configuration. I create multiple BSVs for the same users. Instead of duplicating the lookup/login scaffolding inside each BSV it would be helpful if I could specify this all just once in AwareIM and have each BSV use this scaffolding.

(BTW thanks for all the great posting by all the regulars. I've learned lots and lots from YOU)
Craig
Post Reply