Matter faced during integration project

Wednesday, September 2, 2009

Using OWSM on multi-domain Active Directory

Lately we had to use Oracle Web Service Manager (OWSM) to authenticate and authorize web service users against our Active Directory.
That is pretty simple if your users are in a single domain; however, our directory is split into four domains: EAME, APAC, AMR and B2B.

So we tried to figure out a way to authenticate against all those domains. What we found:

1. The AD authentication step of OWSM does not allow a multiple-domain search.
2. The LDAP authentication step can be used to authenticate against an AD, and its LDAP query can search against multiple directories.
3. In the same way, AD authorization cannot be used against multiple domains.
4. LDAP authorization cannot be used either, because an AD directory stores group membership in the attribute "member", whereas the LDAP authorization step looks for "uniqueMember".

So to fix this issue we had to build a custom step within OWSM. We decompiled LDAPAccessControlStep and built ILayerLdapAccessControlStep. It is the same piece of code, but "uniqueMember" is replaced by "member".
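The following is an added example, not code from the post or from OWSM. It models the two halves of the workaround against an in-memory directory: the user is looked up under each domain base in turn (the multi-directory search that the LDAP authentication step allows), and group membership is then checked with the attribute the directory actually uses, "member" for AD versus "uniqueMember" for a groupOfUniqueNames-style LDAP directory. The domain bases, DNs and users are constructed sample data, and the group layout (CN=<group>,OU=Groups,<domain base>) is an assumption of the example. Querying an AD group with the wrong attribute simply returns no match, which is the silent failure the stock step produced.

```python
"""Multi-domain user lookup and group-membership check (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Membership attribute by directory flavour: AD groups use "member",
# groupOfUniqueNames-style LDAP groups use "uniqueMember".
MEMBER_ATTR = {"ad": "member", "ldap": "uniqueMember"}

# Constructed domain bases standing in for the four AD domains in the post.
DOMAIN_BASES = {
    "EAME": "DC=eame,DC=example,DC=com",
    "APAC": "DC=apac,DC=example,DC=com",
    "AMR": "DC=amr,DC=example,DC=com",
    "B2B": "DC=b2b,DC=example,DC=com",
}


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]] = field(default_factory=dict)


# Constructed in-memory directory: one user in EAME, one in APAC, and a
# "ws-callers" group per domain. Only asmith is a member of a group.
DIRECTORY = [
    Entry("CN=jdoe,OU=Users,DC=eame,DC=example,DC=com", {"sAMAccountName": ["jdoe"]}),
    Entry("CN=asmith,OU=Users,DC=apac,DC=example,DC=com", {"sAMAccountName": ["asmith"]}),
    Entry("CN=ws-callers,OU=Groups,DC=eame,DC=example,DC=com", {"member": []}),
    Entry("CN=ws-callers,OU=Groups,DC=apac,DC=example,DC=com",
          {"member": ["CN=asmith,OU=Users,DC=apac,DC=example,DC=com"]}),
]


def dn_under(dn: str, base_dn: str) -> bool:
    """True if dn is at or below base_dn (DNs compare case-insensitively)."""
    return dn.lower().endswith(base_dn.lower())


def search(base_dn: str, attr: str, value: str, entries=DIRECTORY) -> List[Entry]:
    """Equality search scoped to base_dn, i.e. the filter (attr=value)."""
    return [e for e in entries
            if dn_under(e.dn, base_dn)
            and any(v.lower() == value.lower() for v in e.attrs.get(attr, []))]


def find_user(username: str, domain_bases: Dict[str, str], entries=DIRECTORY) -> Optional[Entry]:
    """Search every domain base for the login; fail closed unless exactly one entry matches."""
    hits: List[Entry] = []
    for base in domain_bases.values():
        hits.extend(search(base, "sAMAccountName", username, entries))
    if len(hits) != 1:          # unknown user, or the same login exists in two domains
        return None
    return hits[0]


def membership_filter(user_dn: str, flavour: str) -> str:
    """LDAP filter that matches groups listing user_dn, for the given directory flavour."""
    return f"({MEMBER_ATTR[flavour]}={user_dn})"


def is_member(user_dn: str, group_dn: str, flavour: str, entries=DIRECTORY) -> bool:
    """Check whether group_dn lists user_dn under the flavour's membership attribute."""
    hits = search(group_dn, MEMBER_ATTR[flavour], user_dn, entries)
    return any(e.dn.lower() == group_dn.lower() for e in hits)


def authorize(username: str, group_cn: str, flavour: str = "ad",
              domain_bases: Dict[str, str] = DOMAIN_BASES, entries=DIRECTORY) -> bool:
    """Authenticate-then-authorize across domains: locate the user in any domain, then
    require membership of the named group in that user's own domain (assumed layout)."""
    user = find_user(username, domain_bases, entries)
    if user is None:
        return False
    for base in domain_bases.values():
        if dn_under(user.dn, base):
            group_dn = f"CN={group_cn},OU=Groups,{base}"
            return is_member(user.dn, group_dn, flavour, entries)
    return False


if __name__ == "__main__":
    print(membership_filter("CN=asmith,OU=Users,DC=apac,DC=example,DC=com", "ad"))
    print("asmith authorized (AD attribute):", authorize("asmith", "ws-callers", "ad"))
    print("asmith authorized (LDAP attribute):", authorize("asmith", "ws-callers", "ldap"))
```

Running the AD case with the "ldap" flavour reproduces the original failure: the group exists and the user is listed, but a filter on uniqueMember matches nothing, so authorization is denied for every caller.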
