Superpatterns Pat Patterson on the Cloud, Identity and Single Malt Scotch

15 Sep 2009

Easier Microsoft Active Directory Connectivity in OpenSSO Express 8

It's nice to see your RFEs implemented, and that's exactly what happened with OpenSSO issue #4053: Active Directory configuration should use AD domain name rather than LDAP host/port. I saw Kohsuke's blog entry on More Active Directory integration in Java a little while ago and realized that we could take exactly the same approach in OpenSSO: prompt the admin for the Active Directory domain name rather than a host name and port number.

As Kohsuke mentions, this has a number of advantages - every AD admin knows the domain name, while many would likely have to go look up an individual host name, not to mention the LDAP port number. Since we use the domain name to look up an individual AD controller via DNS, it also means that the admin doesn't need to update OpenSSO's configuration as AD controllers come and go - OpenSSO will always get a valid host name from DNS.

So, when configuring OpenSSO Express 8, you can now just specify the AD domain name. As improvements go, this one is pretty small, but, as I think everyone agrees, the cumulative effect of all these little improvements in OpenSSO over the past two or three years has been HUGE...
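The lookup described above, as an added example that is not OpenSSO's own code: the domain name is turned into the DNS SRV names a domain-controller locator queries, the answers are ordered by SRV priority and weight (RFC 2782), and the first target is the LDAP host and port to use. It goes one step beyond the post by trying the site-specific SRV name first when an AD site name is supplied, so a controller in the local site is preferred over one across a slow link. The zone data and the `resolve` function are constructed stand-ins for a real DNS query.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def srv_names(domain, site=None):
    """DNS names a DC locator queries, most specific first.

    Site-scoped records live under _sites.dc._msdcs; the domain-wide
    record under dc._msdcs lists every DC in the domain.
    """
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names

def order_srv(records, rng=random):
    """RFC 2782 ordering: lowest priority first; within a priority,
    a weighted random draw so traffic spreads according to weight."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered

def locate_dcs(domain, resolve, site=None):
    """Return (host, port) candidates for LDAP, best first, or [] if none."""
    for name in srv_names(domain, site):
        records = resolve(name)
        if records:
            return [(r.target, r.port) for r in order_srv(records)]
    return []

# Constructed zone: two DCs domain-wide, one of them in site "HQ",
# plus a low-preference (priority 10) fallback controller.
ZONE = {
    "_ldap._tcp.dc._msdcs.example.com": [
        SrvRecord(0, 100, 389, "dc1-remote.example.com"),
        SrvRecord(0, 100, 389, "dc2-local.example.com"),
        SrvRecord(10, 100, 389, "dc3-backup.example.com"),
    ],
    "_ldap._tcp.HQ._sites.dc._msdcs.example.com": [
        SrvRecord(0, 100, 389, "dc2-local.example.com"),
    ],
}

def resolve(name):
    """Stand-in for a real SRV query against the constructed zone."""
    return ZONE.get(name, [])
```

With only the domain name, OpenSSO's configuration needs no change when dc1 or dc2 is retired, since the next lookup simply returns whatever the zone lists at that moment.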

Filed under: OpenSSO
Comments (6)
  1. Can I specify an AD forest, rather than DomainController, or can I not see the forest for the (LDAP) trees? :)

  2. Hi Jonathan – you specify a *domain*, not an individual domain controller. I guess if you have the inter-domain trusts set up correctly in the forest, then it will all work…

  3. Hi, Pat. Can I still specify the host and port to connect to AD?
    Actually, in my environment, the data store is ADAM not AD, but the schemas are identical to AD.

  4. Hi hzhao, Yes, you can still specify AD hostname and port if you want to.

  5. Hi Pat,
    I had a slight issue with the new feature.
    We have multiple AD Sites and it picked a server in a remote site vs. a local one.

    Before the LDAP lookup, a Site lookup should really be performed, probably based on the subnet the server is in and then finding out which LDAP servers are in that site.
    In a domain with multiple Sites, you could end up configuring an AD connection to a server in a remote site over a potentially slow link vs. your local servers.

  6. Hi Robert – I’m no longer working on OpenSSO (I left Sun a couple of months ago now), but I’ll pass your comment on to the OpenSSO team. Thanks!
