Easier Microsoft Active Directory Connectivity in OpenSSO Express 8

1 minute read

It’s nice to see your RFE’s implemented, and that’s exactly what happened with OpenSSO issue # 4053: Active Directory configuration should use AD domain name rather than LDAP host/port. I saw Kohsuke’s blog entry on More Active Directory integration in Java a little while ago and realized that we could take exactly the same approach in OpenSSO - prompt the admin for the Active Directory domain name rather than a host name and port number. As Kohsuke mentions, this has a number of advantages - every AD admin knows the domain name, while many would likely have to go look up an individual host name, not to mention the LDAP port number. Since we use the domain name to look up an individual AD controller via DNS, it also means that the admin doesn’t need to update OpenSSO’s configuration as AD controllers come and go - OpenSSO will always get a valid host name from DNS. So, when configuring OpenSSO Express 8, you can now just specify the AD domain name. As improvements go, this one is pretty small, but, as I think everyone agrees, the cumulative effect of all these little improvements in OpenSSO over the past two or three years has been HUGE…




hi, pat. can I still specify the host and port to connect to AD? actually, in my environment, the data store is ADAM not AD, but the schemas are identical to AD.

Robert Kelly

Hi Pat, I had a slight issue with the new feature. We have multiple AD Sites and it picked a server in a remote site vs. a local one.

Before the LDAP lookup, a Site lookup should really be performed, probably based on the subnet the server is in and then finding out which LDAP servers are in that site. In a domain with multiple Sites, you could end up configuring an AD connection to a server in a remote site over a potentially slow link vs. your local servers.

Leave a Comment

Your email address will not be published. Required fields are marked *