BlackShield ID™
QUICKStart Guide
Integrating Active Directory Lightweight Directory Services
© 2010 CRYPTOCard Corp. All rights reserved. http://www.cryptocard.com
QUICKStart Guide BlackShield ID Authenticating On-line Identities
Trademarks
CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, CRYPTO-MAS, BlackShield ID are either registered trademarks or trademarks of CRYPTOCard Inc.
Microsoft Windows and Windows XP/2000/2003/2008/NT are registered trademarks of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.
Publication History
Date | Description | Version
August 9, 2010 | Initial release | 1.0
Solution Overview
Summary
Product Name: Active Directory Lightweight Directory Service
AD LDS Server Side Software: Active Directory Lightweight Directory Service
AD LDS Client Side Software: N/A - Solution is server based only
Pre-Requisites: System must be joined to a domain
CRYPTOCard Product Requirements: CRYPTOCard BlackShield ID Professional 2.x +
Supported Token types: KT-1, KT-2, KT-4, KT-5, RB-1, MP-1
Server OS: Windows 2008 R2 x64
Server Type: Member Server
Table of Contents
Active Directory Lightweight Directory Services Installation
  Creating an instance
Preparing AD LDS Schema Synchronization
  Active Directory Schema Analyzer Overview
  Launching and using “ADSchemaAnalyzer” utility
Loading Active Directory/AD LDS Schema LDF Files
  Loading AD LDS Synchronization Schema LDF Files
Editing/Customizing AD LDS Synchronization Config File
  Creating AD LDS Synchronization Config File
    Option 1
    Option 2
  Installing custom AD LDS Synchronization Config File
  First time Synchronization
Disabling SSL Authentication in AD LDS
Creating AD LDS User for BlackShield ID
Configuring AD LDS to auto synchronize
ADAM Multi Domain Support
  Creating an OU for additional Domains
  Create an OU within the existing AD LDS instance for the second domain information
  Displaying Currently Loaded Configurations
  Batch File Example
Configuring BlackShield to use AD LDS proxy user
Caveats
Active Directory Lightweight Directory Services Installation
Microsoft Active Directory Lightweight Directory Services (formerly Microsoft Active Directory Application Mode) is part of Windows 2008 R2. To install Active Directory Lightweight Directory Services (AD LDS):
1. Launch Server Manager
2. Select Roles on the left pane
3. Click Add Roles on the right pane
4. When the wizard spawns, click Next
5. Place a checkmark in Active Directory Lightweight Directory Services
6. Click Add Required Features, then Next, and Next again
7. Click Install
Creating an instance
The following instructions create an instance (a virtual LDAP domain) from which BlackShield will query its user information. The user information is populated into your instance from your main LDAP server (Active Directory).
To create a new AD LDS instance:
• Click Start
• Select All Programs
• Select Administrative Tools
• Then select Active Directory Lightweight Directory Services Setup Wizard
• The Active Directory Lightweight Directory Services Setup Wizard will spawn. Click Next to begin creating the new AD LDS instance.
On the Setup Options dialogue, choose whether to create “A unique instance” or to replicate the information from an existing AD LDS instance.
Since this is the first time through AD LDS, select “A unique instance”, and then click Next.
Figure 1
Active Directory Lightweight Directory Service (AD LDS) Integration 1
On the Instance Name page, provide a name for the instance. Choose a name that will be easily recognizable as it will be used when creating the Windows service.
In this instance, “BlackShield” will be used as the instance name. Provide a Description for the instance name.
Click Next to continue.
Figure 2
By default, LDAP and LDAPS use ports 389 and 636 respectively. If the default LDAP ports have been modified, change the port numbers accordingly.
Click Next to continue
Note: If installation is performed on a domain controller, or a second AD LDS is being created then the ports will default to 50000 and 50001 respectively.
Figure 3
On the Application Directory Partition page, select Yes, create an application directory partition.
Create a partition with a name in the following syntax:
DC=blackshield,dc=domain,dc=com
(e.g. DC=blackshield,dc=intel,dc=com)
Click Next to continue.
Figure 4
On the File Locations page, verify the default file location is acceptable.
After verifying, click Next to continue.
Figure 5
On the Service Account Selection page, select the Network service account radio button.
Click Next to continue.
Figure 6
On the AD LDS Administrators page, select Currently logged on user DOMAIN\Administrator
Click Next to continue.
Figure 7
On the Importing LDIF Files page, select the following:
MS-InetOrgPerson.LDF
MS-User.LDF
MS-UserProxy.LDF
Click Next to continue.
Click Next again to create the AD LDS instance.
Click Finish once the instance has been created.
Figure 8
Preparing AD LDS Schema Synchronization
The previous steps will have created and prepared your AD LDS instance to accept LDAP information. During the setup of the AD LDS instance, you told it to load three LDF files. These three LDF files give the AD LDS instance information about particular LDAP object classes and attributes, and define what its default schema should look like. However, the three provided LDF files do not provide ALL of the needed information. You are required to use a utility provided by Microsoft called ADSchemaAnalyzer.
Active Directory Schema Analyzer Overview
ADSchemaAnalyzer is a utility that will analyze your current LDAP schema and then analyze what is currently in the local AD LDS schema. It will create an LDF file with all the missing object classes and attributes in AD LDS so that your synchronization can be performed successfully.
Launching and using “ADSchemaAnalyzer” utility
To start the ADSchemaAnalyzer, launch a command prompt and navigate to:
C:\Windows\ADAM
Then type in:
ADSchemaAnalyzer
The AD DS/LDS Schema Analyzer will appear.
Figure 9
In the AD DS/LDS Schema Analyzer click on File.
Then select Load target schema…
Figure 10
Enter in the following information for your Active Directory Server:
Server:[port] – IP or DNS of Active Directory:Port
Username – Username (ex. Administrator)
Password – Password for user
Domain – Domain name (ex. Intel.com)
Under Bind type, select Secure.
Under Server type, select AD DS/LDS.
Click OK when all the information has been entered.
Figure 11
The status line at the bottom of the AD DS/LDS Schema Analyzer shows the application loading the AD schema and all of its attributes.
The base schema must now be loaded.
Figure 12
In the AD DS/LDS Schema Analyzer, click on File.
Then select Load base schema…
Figure 13
Enter in the following information for the local AD DS/LDS instance:
Server:[port] – 127.0.0.1:389
Under Bind type, select Secure.
Under Server type, select Auto.
Click OK when all the information has been entered.
Figure 14
For the local AD DS/LDS instance, only the server and port are required.
After clicking the OK button, the application will compare the two schemas; once it is finished, it will display “Done completing schema”.
Figure 15
Within the AD DS/LDS Schema Analyzer, click on the Schema menu.
Then select Mark all non-present elements as included
Note: A pop-up will display the total number of non-present elements that were marked as included.
Figure 16
Within the AD DS/LDS Schema Analyzer:
Click on File
Then select Create LDIF file...
In the Save As window, provide a name for the LDF file. Give the file a recognizable name, as it will be used in the next section. Save the LDF file in the default directory.
Figure 17
Loading Active Directory/AD LDS Schema LDF Files
To load the custom LDF file that was created in the previous section, a command must be executed from the command prompt within the ADAM directory.
On the AD LDS system, launch a command prompt and navigate to:
C:\Windows\ADAM
Then issue the following command:
ldifde -i -s localhost -c CN=Configuration,DC=X #ConfigurationNamingContext -f (custom LDF filename).ldf
Note: (custom LDF filename).ldf is to be replaced with the filename of the LDF file that was created in the previous section.
After executing the command, it will show the following text output:
Connecting to "localhost"
Logging in as current user using SSPI
Importing directory from file "(custom LDF filename).ldf"
Loading entries....................................
Note: Loading entries may take a while depending on how many attributes are being loaded.
Once the command has completed, a message like the following appears on the command line (the number of entries may vary):
Figure 18
Loading AD LDS Synchronization Schema LDF Files
To load the AD LDS synchronization metadata schema (MS-AdamSyncMetaData.ldf), a command must be executed from the command prompt within the ADAM directory.
On the AD LDS system, launch a command prompt and navigate to:
C:\Windows\ADAM
Then issue the following command:
ldifde -i -s localhost -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-AdamSyncMetaData.ldf
After executing the command, it will show the following text output:
Connecting to "localhost"
Logging in as current user using SSPI
Importing directory from file "MS-AdamSyncMetaData.ldf"
Loading entries.....
Once the command has completed, a message like the following appears on the command line (the number of entries may vary):
Figure 19
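The two ldifde imports above are run by hand and their result is judged from the screen. As an added example, not part of the CRYPTOCard guide, the PowerShell below wraps the same ldifde command in a function that fails loudly on a non-zero exit code, keeps the ldifde log per import, and then checks the instance schema for an expected class. It assumes the instance listens on localhost:389, that the caller is an AD LDS administrator, and that the LDF files sit in %windir%\ADAM as the guide describes; the function names are this example's own.

```powershell
# Added example (not part of the CRYPTOCard guide): import an LDF file into a local
# AD LDS instance with ldifde and verify the schema afterwards.
# Assumptions: instance on localhost:389, caller is an AD LDS administrator.

function Import-AdLdsLdf {
    param(
        [Parameter(Mandatory=$true)][string]$LdfPath,
        [string]$Server = 'localhost',
        [int]$Port = 389
    )
    if (-not (Test-Path -LiteralPath $LdfPath)) { throw "LDF file not found: $LdfPath" }
    # ldifde writes ldif.log / ldif.err into the -j directory; keep one directory per import.
    $logDir = Join-Path $env:TEMP ('ldifde-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null
    # -c rewrites the placeholder DN to the instance's real configuration naming
    # context, exactly like the guide's command; -k tolerates "already exists" on re-runs.
    & ldifde.exe -i -s $Server -t $Port -c 'CN=Configuration,DC=X' '#ConfigurationNamingContext' `
        -f $LdfPath -j $logDir -k
    if ($LASTEXITCODE -ne 0) {
        throw "ldifde exited with $LASTEXITCODE for $LdfPath; see $logDir\ldif.err"
    }
    return $logDir
}

function Test-AdLdsSchemaObject {
    # Returns $true when a class or attribute with this lDAPDisplayName exists in the
    # instance's schema partition.
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName,
          [string]$Server = 'localhost', [int]$Port = 389)
    $rootDse  = [ADSI]"LDAP://${Server}:${Port}/RootDSE"
    $schemaNc = $rootDse.schemaNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://${Server}:${Port}/$schemaNc"
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter      = "(lDAPDisplayName=$LdapDisplayName)"
    return ($null -ne $searcher.FindOne())
}

# Usage: load the synchronization metadata schema, then confirm that the userProxy
# class (from MS-UserProxy.LDF, loaded during instance setup) is present.
Import-AdLdsLdf -LdfPath (Join-Path $env:windir 'ADAM\MS-AdamSyncMetaData.ldf')
Test-AdLdsSchemaObject -LdapDisplayName 'userProxy'
```

Running the custom LDF from the previous section through the same function gives one log directory per import, which is easier to keep than the scrolling console output when a schema load is later questioned.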
Editing/Customizing AD LDS Synchronization Config File
AD LDS requires a special file in order to determine the information it should synchronize from LDAP. In a nutshell, this file will ultimately contain connection information to the target LDAP server, and the destination AD LDS instance. It will also contain information as to what attributes will be synchronized.
Creating AD LDS Synchronization Config File
This section will provide steps on how to create an AD LDS Synchronization file. The file that will be created will indicate to AD LDS the objects and attributes that will be synchronized from an LDAP server. This file is loaded into AD LDS using a special command, and then is used by any subsequent automated synchronization.
There are two options for creating a customized AD LDS Synchronization file. The first option is to copy MS-AdamSyncConf.xml and modify the necessary information; the second option is to copy the sample AD LDS Synchronization XML config file (Section 4.1.2, Option 2 below), modify the necessary information, and save it to a file.
Option 1
The MS-AdamSyncConf.xml file is located in c:\Windows\ADAM. Make a copy of the file on the desktop, and open the file with a text editor.
There are six lines that must be modified within the synchronization file. The lines are:
<source-ad-name>Your-DC-hostname</source-ad-name>
Hostname of the Active Directory server (ensure it is resolvable by DNS)
<source-ad-partition>dc=yourdomain,dc=com</source-ad-partition>
Instance path of the Active Directory tree (e.g. dc=intel,dc=com)
<source-ad-account>Administrator</source-ad-account>
Username of a user who has Domain Administrative privileges
<account-domain>yourdomain.com</account-domain>
Domain name of Active Directory (e.g. intel.com)
<target-dn>dc=blackshield,dc=cryptocard,dc=com</target-dn>
Local AD LDS instance (See Figure 14 on page 6 for the local AD LDS DN)
<base-dn>dc=yourdomain,dc=com</base-dn>
Remote LDAP Distinguished Name (Active Directory server)
An optional but non critical line that can be modified is the description.
Here is Microsoft's explanation of the values, in case the explanation above is not adequate or is not clear. The following is taken from the ADAM quick start guide produced by Microsoft.
<source-ad-name>SeattleDC1</source-ad-name>
Replace the value of <source-ad-name> with the name of the source Active Directory domain controller
<source-ad-partition>dc=fabrikam,dc=com</source-ad-partition>
Replace the value of <source-ad-partition> with the distinguished name of the source domain
<source-ad-account>administrator</source-ad-account>
Replace the value of <source-ad-account> with the name of an account in the Domain Admins group of the source domain
<account-domain>fabrikam.com</account-domain>
Replace the value of <account-domain> with the fully qualified name of the source domain
<target-dn>o=microsoft,c=US</target-dn>
Replace the value of <target-dn> with the name of the partition of the target ADAM instance
<base-dn>dc=fabrikam,dc=com</base-dn>
Replace the value of <base-dn> with the base distinguished name of the source domain
Option 2
Copy the AD LDS Synchronization XML config file below into Notepad, then modify the six site-specific values described in the previous section (shown in bold in the original guide). For more information and explanation, see the previous section.
<?xml version="1.0"?>
<doc>
  <configuration>
    <description>BlackShield AD LDS Sync File</description>
    <security-mode>object</security-mode>
    <source-ad-name>Your-DC</source-ad-name>
    <source-ad-partition>dc=yourdomain,dc=com</source-ad-partition>
    <source-ad-account>Administrator</source-ad-account>
    <account-domain>yourdomain.com</account-domain>
    <target-dn>dc=blackshield,dc=cryptocard,dc=com</target-dn>
    <query>
      <base-dn>dc=yourdomain,dc=com</base-dn>
      <object-filter>(objectClass=*)</object-filter>
      <attributes>
        <include></include>
        <exclude>extensionName</exclude>
        <exclude>displayNamePrintable</exclude>
        <exclude>flags</exclude>
        <exclude>isPrivelegeHolder</exclude>
        <exclude>msCom-UserLink</exclude>
        <exclude>msCom-PartitionSetLink</exclude>
        <exclude>reports</exclude>
        <exclude>serviceprincipalname</exclude>
        <exclude>accountExpires</exclude>
        <exclude>adminCount</exclude>
        <exclude>primarygroupid</exclude>
        <exclude>userAccountControl</exclude>
        <exclude>codePage</exclude>
        <exclude>countryCode</exclude>
        <exclude>logonhours</exclude>
        <exclude>lockoutTime</exclude>
      </attributes>
    </query>
    <schedule>
      <aging>
        <frequency>0</frequency>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update></runs-since-last-object-update>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>
Once all changes have been made, please save the file to C:\Windows\ADAM, with a .xml extension. Please provide a name that is recognizable as the xml file will be used in the next section.
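Both options above come down to the same six values being edited by hand, and a placeholder left in place is only discovered when the first sync fails. As an added example, not part of the CRYPTOCard guide, the PowerShell below generates the file from parameters and then validates it before it is installed: it checks that every required tag is filled, that none still carries a template value, and that the partition and DN tags actually look like distinguished names. The tag names and the default exclude list are copied from the sample XML above; the function names, the output file name and the sample values in the usage lines are this example's own.

```powershell
# Added example (not part of the CRYPTOCard guide): build and validate the AD LDS
# synchronization config.  Tag names and the exclude list follow the guide's sample XML.

function New-AdLdsSyncConfig {
    param(
        [Parameter(Mandatory=$true)][string]$SourceDc,        # DNS name of the source DC
        [Parameter(Mandatory=$true)][string]$SourcePartition, # e.g. dc=intel,dc=com
        [Parameter(Mandatory=$true)][string]$SourceAccount,   # account that reads the source domain
        [Parameter(Mandatory=$true)][string]$AccountDomain,   # e.g. intel.com
        [Parameter(Mandatory=$true)][string]$TargetDn,        # AD LDS partition or OU to fill
        [Parameter(Mandatory=$true)][string]$OutFile,
        [string]$BaseDn,                                      # defaults to SourcePartition
        [string]$Description = 'BlackShield AD LDS Sync File',
        [string[]]$Exclude = @('extensionName','displayNamePrintable','flags','isPrivelegeHolder',
            'msCom-UserLink','msCom-PartitionSetLink','reports','serviceprincipalname',
            'accountExpires','adminCount','primarygroupid','userAccountControl',
            'codePage','countryCode','logonhours','lockoutTime')
    )
    if (-not $BaseDn) { $BaseDn = $SourcePartition }
    $xml = New-Object System.Xml.XmlDocument
    [void]$xml.AppendChild($xml.CreateXmlDeclaration('1.0', $null, $null))
    # Helper: append a child element with optional text; XmlDocument escapes the text.
    $add = {
        param($parent, $name, $text)
        $e = $parent.AppendChild($xml.CreateElement($name))
        if ($null -ne $text) { $e.InnerText = [string]$text }
        return $e
    }
    $doc = & $add $xml 'doc'
    $cfg = & $add $doc 'configuration'
    [void](& $add $cfg 'description' $Description)
    [void](& $add $cfg 'security-mode' 'object')
    [void](& $add $cfg 'source-ad-name' $SourceDc)
    [void](& $add $cfg 'source-ad-partition' $SourcePartition)
    [void](& $add $cfg 'source-ad-account' $SourceAccount)
    [void](& $add $cfg 'account-domain' $AccountDomain)
    [void](& $add $cfg 'target-dn' $TargetDn)
    $query = & $add $cfg 'query'
    [void](& $add $query 'base-dn' $BaseDn)
    [void](& $add $query 'object-filter' '(objectClass=*)')
    $attrs = & $add $query 'attributes'
    [void](& $add $attrs 'include' '')
    foreach ($a in $Exclude) { [void](& $add $attrs 'exclude' $a) }
    $sched = & $add $cfg 'schedule'
    $aging = & $add $sched 'aging'
    [void](& $add $aging 'frequency' '0')
    [void](& $add $aging 'num-objects' '0')
    [void](& $add $sched 'schtasks-cmd' '')
    # ADAMSync fills synchronizer-state itself; the elements just have to exist.
    $state = & $add $doc 'synchronizer-state'
    foreach ($n in 'dirsync-cookie','status','authoritative-adam-instance','configuration-file-guid',
                   'last-sync-attempt-time','last-sync-success-time','last-sync-error-time',
                   'last-sync-error-string','consecutive-sync-failures','user-credentials',
                   'runs-since-last-object-update','runs-since-last-full-sync') {
        [void](& $add $state $n '')
    }
    $xml.Save($OutFile)
    return $OutFile
}

function Test-AdLdsSyncConfig {
    # Returns a list of problems; an empty list means the file is ready for ADAMSync /install.
    param([Parameter(Mandatory=$true)][string]$Path)
    $problems = @()
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path $Path).ProviderPath)
    $cfg = $xml.SelectSingleNode('/doc/configuration')
    if (-not $cfg) { return @('missing /doc/configuration element') }
    $dnPattern = '^\s*[A-Za-z]+=[^,]+(\s*,\s*[A-Za-z]+=[^,]+)*\s*$'
    foreach ($tag in 'source-ad-name','source-ad-partition','source-ad-account',
                     'account-domain','target-dn','query/base-dn') {
        $node = $cfg.SelectSingleNode($tag)
        $val  = if ($node) { $node.InnerText.Trim() } else { '' }
        if ($val -eq '') { $problems += "$tag is empty"; continue }
        if ($val -match 'yourdomain|Your-DC|fabrikam|SeattleDC1') {
            $problems += "$tag still holds a template placeholder: $val"
        }
        if (($tag -match 'partition|dn$') -and ($val -notmatch $dnPattern)) {
            $problems += "$tag does not look like a distinguished name: $val"
        }
    }
    return $problems
}

# Usage (values are constructed for the example; the account mirrors the guide's Administrator):
$file = New-AdLdsSyncConfig -SourceDc 'dc01.intel.com' -SourcePartition 'dc=intel,dc=com' `
            -SourceAccount 'Administrator' -AccountDomain 'intel.com' `
            -TargetDn 'dc=blackshield,dc=cryptocard,dc=com' `
            -OutFile (Join-Path $env:windir 'ADAM\BlackShieldSync.xml')
Test-AdLdsSyncConfig -Path $file      # prints nothing when the file is clean
```

The validator is also worth running over a hand-edited copy of MS-AdamSyncConf.xml before the install step, since the placeholder check catches exactly the Option 1 mistake of editing five of the six lines.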
Installing custom AD LDS Synchronization Config File
The following instruction will explain how to install the custom configuration file that was created in the previous section. The custom configuration file should be placed in C:\Windows\ADAM.
Launch a command prompt and navigate to:
C:\Windows\ADAM
Then type in the following command:
ADAMSync /install localhost:389 %windir%\ADAM\(custom sync filename).xml
After running the command, the prompt will move to the next line and display Done.
Note: If there is a second XML file to add a second domain, then please use the same command above, but specify the appropriate file name.
First time Synchronization
After installing the custom XML configuration file, a sync must occur from the LDAP server specified in the custom XML config file to the AD LDS instance. The instructions in this section require the creation of a directory to store the sync log, followed by running the command that starts the sync.
A directory needs to be created for the AD LDS synchronization logs. Create a directory on the C:\ drive named ADLDS-Logs.
Launch a command prompt and navigate to:
C:\Windows\ADAM
Then type in the following command:
ADAMSync /fs localhost:389 "dc=blackshield,dc=cryptocard,dc=com" /log C:\ADLDS-Logs\sync.log
Note (optional, additional domain): run the same command with the second domain's target DN and its own log file, e.g.:
... "OU=Domain2,dc=cryptoserver,dc=sparks,dc=com" /log C:\ADAMLogs\syncDomain2.log
Synchronization of data from Active Directory to the newly created AD LDS instance can take from 5 minutes to 5 hours depending on how many users exist within Active Directory. Monitor the AD LDS sync log in C:\ADLDS-Logs\sync.log, as it can grow in size rapidly and cause low disk space.
Disabling SSL Authentication in AD LDS
By default, SSL authentication is enabled in AD LDS. The instructions in this section show how to disable SSL authentication for AD LDS. This is needed to allow BlackShield to bind (authenticate) to the AD LDS instance without requiring a certificate. To disable SSL authentication, the ADSI Edit tool is needed.
Note: If SSL authentication is required to access an AD LDS instance from a remote system, then please skip this section. Please also note that AD LDS should have a valid certificate loaded.
To launch the ADSI Edit tool go to:
Start | All Programs | Administrative Tools | ADSI Edit
In the ADSI Edit Application:
Right click on ADSI Edit on the left pane
Select Connect to …
Figure 20
In the Connection Settings window, perform the following:
Select the Select a well known Naming Context radio button, and select Configuration in the dropdown menu.
Select the Select or type a domain or server: (Server | Domain [:port]) radio button, and then enter localhost:389 in the field below.
Enter in a name for the connection settings. (Ex Local AD LDS Instance)
Click OK button
Figure 21
In the ADSI Edit application, expand the newly added object, and then:
Expand CN=Configuration,CN=
Then Expand CN=Services
Then Expand CN=Windows NT
Right click on CN=Directory Service
Select Properties
Figure 22
Note: Refresh the ADSI Edit application if the expand button does not show up.
In the CN=Directory Service Properties window, scroll down and find the msDS-Other-Settings attribute, and highlight it.
Then select Edit
Figure 23
Select RequireSecureProxyBind=1 under the Values section.
Select the Remove button.
The RequireSecureProxyBind=1 value then moves to the Value to add field. Change the value from 1 to 0.
Click the Add button.
Click OK.
Figure 24
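The ADSI Edit steps above change one entry of a multi-valued attribute by hand, and nothing on the page shows how to confirm the result or put it back once a certificate is installed. As an added example, not from the CRYPTOCard guide, the PowerShell below reads the same msDS-Other-Settings attribute on CN=Directory Service, reports the RequireSecureProxyBind state together with what it means for the instance, and changes it by removing the old entry and appending the new one so the other settings in the list are untouched. It assumes the instance listens on localhost:389 and that the caller is an AD LDS administrator; the function names are this example's own.

```powershell
# Added example (not part of the CRYPTOCard guide): audit and set RequireSecureProxyBind
# on a local AD LDS instance via ADSI.  Assumptions: localhost:389, AD LDS admin rights.

function Get-AdLdsDirectoryService {
    param([string]$Server = 'localhost', [int]$Port = 389)
    # RootDSE supplies the instance-specific CN=Configuration,CN={guid} path that
    # ADSI Edit shows under the connection node.
    $rootDse  = [ADSI]"LDAP://${Server}:${Port}/RootDSE"
    $configNc = $rootDse.configurationNamingContext.Value
    return [ADSI]"LDAP://${Server}:${Port}/CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
}

function Get-AdLdsProxyBindSetting {
    param([string]$Server = 'localhost', [int]$Port = 389)
    $ds    = Get-AdLdsDirectoryService -Server $Server -Port $Port
    $found = @(@($ds.'msDS-Other-Settings') | Where-Object { $_ -like 'RequireSecureProxyBind=*' })
    if ($found.Count -eq 0) {
        $required = $null
        $risk     = 'setting absent from msDS-Other-Settings; check the instance before relying on it'
    } elseif (($found[0] -split '=')[1] -eq '1') {
        $required = $true
        $risk     = 'none: proxy binds are only accepted over SSL'
    } else {
        $required = $false
        $risk     = 'proxy (simple) binds are accepted in cleartext; keep port 389 reachable only from the BlackShield server'
    }
    New-Object PSObject -Property @{
        Instance                = "${Server}:${Port}"
        RawValue                = ($found -join ';')
        SecureProxyBindRequired = $required
        Risk                    = $risk
    }
}

function Set-AdLdsProxyBindSetting {
    param([Parameter(Mandatory=$true)][bool]$Required,
          [string]$Server = 'localhost', [int]$Port = 389)
    $ds      = Get-AdLdsDirectoryService -Server $Server -Port $Port
    $current = @(@($ds.'msDS-Other-Settings') | Where-Object { $_ -like 'RequireSecureProxyBind=*' })
    $desired = 'RequireSecureProxyBind=' + $(if ($Required) { '1' } else { '0' })
    # Multi-valued attribute: delete the old entry (ADS_PROPERTY_DELETE = 4) and append
    # the new one (ADS_PROPERTY_APPEND = 3) rather than overwriting the whole list.
    if ($current.Count -gt 0) { $ds.PutEx(4, 'msDS-Other-Settings', $current) }
    $ds.PutEx(3, 'msDS-Other-Settings', @($desired))
    $ds.SetInfo()
    return Get-AdLdsProxyBindSetting -Server $Server -Port $Port
}

# Usage: audit first, then apply the guide's change; -Required $true reverses it later.
Get-AdLdsProxyBindSetting
Set-AdLdsProxyBindSetting -Required $false
```

The Risk field is the point of the audit: with the value at 0, the proxy bind that BlackShield performs sends the mapped Windows account's password in cleartext on port 389, so the setting belongs in the same change record as the firewall rule that limits who can reach that port.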
Creating AD LDS User for BlackShield ID
With the AD LDS instance configured, a user must now be created for BlackShield to bind with when it connects to the AD LDS instance. The user is created as part of the AD LDS instance itself; it is outside the synchronization that occurs between the source Active Directory and the destination AD LDS instance.
To start the Ldp application, launch a command prompt and navigate to:
C:\Windows\ADAM
Then type in:
Ldp
The Ldp application will appear.
Figure 25
In the Ldp application Click on Connection
Then select Connect…
Figure 26
In the Server field, enter in localhost.
Then click on the OK button.
Figure 27
In the Ldp application Click on Connection
Then select Bind…
Figure 28
Under the Bind type section, select Bind as currently logged on user.
If Encrypt traffic after bind is checked, remove the checkmark.
Click the OK button
Figure 29
After clicking the OK button, output appears at the bottom of the right pane.
The last line should read:
Authenticated as: Domain\Username
Figure 30
In the Ldp application, Click on View, then select Tree.
Click the dropdown menu BaseDN field and select DN of the AD LDS Instance. See Figure 14 on page 6 for more information.
Click the OK button.
Figure 31
Figure 32
In the Ldp instance, select Browse.
Then select Add child.
Figure 33
Enter in the following in the DN field:
cn=adamproxy,dc=blackshield,dc=cryptocard,dc=com
Under Edit Entry, enter the information in the respective fields:
Attribute: ObjectClass
Values: userProxy
Click the Enter button.
Note: the cn=adamproxy within the DN field is the user that is being created.
Figure 34
Open up a command prompt and type in:
whoami /user
The command prompt will display the username, along with the user’s SID. Copy the SID as it will be needed to be added as an attribute in the Add Child window.
Figure 35
In the Edit Entry section of the Add Child window, enter the information in the respective fields:
Attribute: ObjectSID
Values: S-1-5-21-140381145-1539809123-3681150278-500
Click the Enter button
Figure 36
Once the ObjectSID attribute and its value has been added into the Entry List, click the Run button.
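The Ldp steps above build the userProxy object one attribute at a time and give no way to confirm that the bind BlackShield will later perform actually works. As an added example, not part of the CRYPTOCard guide, the PowerShell below creates the same object through ADSI with the SID in its binary form, then performs the plain simple bind that BlackShield uses once RequireSecureProxyBind is 0. A userProxy object has no password of its own: AD LDS forwards the bind to the Windows account identified by objectSid, so the SID should belong to a dedicated account with no more rights than the LDAP reads need, rather than the administrator SID that whoami /user prints. The container DN and the name adamproxy match the guide; the account name in the usage lines, the function names and the use of a translated NTAccount instead of a pasted SID are this example's own.

```powershell
# Added example (not part of the CRYPTOCard guide): create the userProxy object via
# ADSI and verify a simple bind against the local AD LDS instance.
# Assumptions: instance on localhost:389, caller is an AD LDS administrator.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function New-AdLdsProxyUser {
    param(
        [Parameter(Mandatory=$true)][string]$ContainerDn,
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][System.Security.Principal.SecurityIdentifier]$Sid,
        [string]$Server = 'localhost', [int]$Port = 389
    )
    $container = [ADSI]"LDAP://${Server}:${Port}/$ContainerDn"
    $proxy = $container.Create('userProxy', "CN=$Name")
    # objectSid is mandatory for userProxy and must be supplied in binary form at creation;
    # it is the SID of the Windows account the bind will be forwarded to.
    $bytes = New-Object byte[] ($Sid.BinaryLength)
    $Sid.GetBinaryForm($bytes, 0)
    $proxy.Put('objectSid', $bytes)
    $proxy.SetInfo()
    return "CN=$Name,$ContainerDn"
}

function Test-AdLdsSimpleBind {
    param(
        [Parameter(Mandatory=$true)][string]$BindDn,
        [Parameter(Mandatory=$true)][securestring]$Password,
        [string]$Server = 'localhost', [int]$Port = 389
    )
    # LDAP simple bind over plain LDAP, which is what the guide enables by setting
    # RequireSecureProxyBind=0.  The password travels in cleartext, so point this
    # only at the local instance.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${Server}:${Port}")
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.SessionOptions.ProtocolVersion = 3
    try {
        $conn.Bind((New-Object System.Net.NetworkCredential($BindDn, $Password)))
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Warning "bind as $BindDn failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

# Usage: resolve the SID of the Windows account the proxy maps to (a pasted
# "S-1-5-21-..." string from whoami /user is accepted by the -Sid parameter as well),
# create the object, then confirm the bind with that account's password.
$sid = (New-Object System.Security.Principal.NTAccount('INTEL\svc-blackshield-ldap')).Translate(
           [System.Security.Principal.SecurityIdentifier])
$dn  = New-AdLdsProxyUser -ContainerDn 'dc=blackshield,dc=cryptocard,dc=com' -Name 'adamproxy' -Sid $sid
Test-AdLdsSimpleBind -BindDn $dn -Password (Read-Host 'Password of the mapped Windows account' -AsSecureString)
```

A $false result with a warning mentioning the bind being refused, rather than a wrong password, is the usual sign that RequireSecureProxyBind is still 1 on the instance.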
Configuring AD LDS to auto synchronize
To have AD LDS synchronize automatically on a schedule, a batch file must be created and scheduled either through Scheduled Tasks or with the AT command.
Add the following command into the batch file to automate the sync:
ADAMSync /sync localhost:389 "DC=blackshield,DC=cryptocard,DC=com" /log C:\adamlogs\autoSync.log
A time interval will need to be set within Scheduled Task or using the AT command on how often you would like this command to run. In turn, this is specifying how often AD LDS will synchronize user information from LDAP to the AD LDS instance.
[Optional Second Domain]
ADAMSync /sync localhost:389 "OU=Domain2,DC=cryptoserver,DC=Domain,DC=com" /log C:\adamlogs\autoSync.log
Note: Before running ADAMSync /sync localhost:389 "OU=Domain2,DC=cryptoserver,DC=Domain,DC=com" /log C:\adamlogs\autoSyncDomain2.log, an XML synchronization file whose <target-dn> points to OU=Domain2 must already be installed.
ADAM Multi Domain Support
It may come to a point where AD LDS is required to connect to more than one Active Directory domain. This can be achieved by manually loading a separate synchronization XML file into the ADAM instance, configured to pull information from the second domain.
Creating an OU for additional Domains
An OU needs to be created within the AD LDS instance, and the second domain's information will then be synced into that OU.
Create an OU within the existing AD LDS instance for the second domain information
Open ADAM ADSI Edit
Connect to the Distinguished Name (DN) of your AD LDS instance:
(ex. DC=blackshield,DC=cryptocard,DC=com)
Right click the base DN (top of the domain) and select New | Object
Select OrganizationalUnit
Give the OU a name of Domain2
In the second domain's XML synchronization file, edit the:
<target-dn>OU=Domain2,dc=blackshield,dc=cryptocard,dc=com</target-dn>
Note: A second MS-AdamSyncConf.xml must be created with the new settings pointed at the new domain and with a <target-dn> referencing the new 'Domain2' OU in the ADAM instance. Name the second XML file MS-AdamSyncConf2.xml.
Edit other settings within the second XML file as needed.
For example, when the second XML file is installed using the command:
ADAMSync /install localhost:389 %windir%\ADAM\MS-AdamSyncConf2.xml
It loads the definition of what should be synchronized for that particular domain.
Displaying Currently Loaded Configurations
To display the currently loaded ADAM synchronization files perform the following:
Open a command prompt and navigate to:
C:\Windows\ADAM
Enter the following command:
AdamSync /list localhost:389
It should list something similar to this:
C:\WINDOWS\ADAM>ADAMSync /list localhost:389
Listing configuration files:
------------------------------
|-> "DC=blackshield,DC=CRYPTOCard,DC=com": BlackShield Sync
|-> "OU=Domain2,DC=blackshield,DC=cryptocard,DC=com": BlackShield Sync
Done.
Note: If you want ADAM to synchronize information from both domains at a given time interval, ensure that all needed XML files have been loaded and that each has been given a full sync (/fs).
Batch File Example
Example:
Line 1: ADAMSync /sync localhost:389 "DC=blackshield,DC=cryptocard,DC=com" /log C:\adamlogs\autoSyncDomain1.log
Line 2: ADAMSync /sync localhost:389 "OU=Domain2,DC=blackshield,DC=cryptocard,DC=com" /log C:\adamlogs\autoSyncDomain2.log
Line explanations:
Line 1: synchronizes changes from Domain 1 into the ADAM top DN
Line 2: synchronizes changes from Domain 2 into the ADAM Domain2 OU
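The batch file above runs both syncs into fixed log files, which is where the guide's earlier warning about the sync log growing until the disk is full comes from, and it reports nothing when one of the two runs fails. As an added example, not the guide's own batch file, the PowerShell below replaces it with a script that syncs every listed partition, writes one timestamped log per run, prunes logs older than a retention window, exits non-zero when any ADAMSync run fails so the scheduled task records the failure, and registers itself with schtasks.exe. It assumes ADAMSync.exe lives in %windir%\ADAM and the instance listens on localhost:389; the partition DNs mirror the guide's two lines, while the log directory, task name, retention window and account parameter are this example's own.

```powershell
# Added example (not part of the CRYPTOCard guide): scheduled multi-partition
# ADAMSync with per-run logs and log retention.  Save as a .ps1 and register once.

$AdamSync   = Join-Path $env:windir 'ADAM\ADAMSync.exe'
$LogRoot    = 'C:\ADLDS-Logs'
$Instance   = 'localhost:389'
$Partitions = @(
    'DC=blackshield,DC=cryptocard,DC=com',           # domain 1 -> partition root
    'OU=Domain2,DC=blackshield,DC=cryptocard,DC=com' # domain 2 -> its own OU
)

function Invoke-AdLdsSync {
    param([string[]]$TargetDn, [int]$KeepDays = 14)
    if (-not (Test-Path -LiteralPath $AdamSync)) { throw "ADAMSync not found at $AdamSync" }
    New-Item -ItemType Directory -Path $LogRoot -Force | Out-Null
    $results = @()
    foreach ($dn in $TargetDn) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $safe  = $dn -replace '[^A-Za-z0-9]', '_'
        $log   = Join-Path $LogRoot "sync-$safe-$stamp.log"
        # Same call as the guide's batch lines; the DN contains no spaces, so it is
        # passed as a single argument without extra quoting.
        & $AdamSync /sync $Instance $dn /log $log
        $results += New-Object PSObject -Property @{
            TargetDn = $dn; ExitCode = $LASTEXITCODE; Log = $log
        }
    }
    # Retention: drop logs older than KeepDays so a chatty sync cannot fill the disk.
    Get-ChildItem -Path $LogRoot -Filter 'sync-*.log' |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
        Remove-Item -Force
    return $results
}

function Register-AdLdsSyncTask {
    # Registers this script with Task Scheduler; $RunAs must be able to read the
    # source domain and administer the instance, and schtasks prompts for its password.
    param([Parameter(Mandatory=$true)][string]$ScriptPath,
          [Parameter(Mandatory=$true)][string]$RunAs,
          [int]$EveryMinutes = 60,
          [string]$TaskName = 'BlackShield AD LDS Sync')
    $run = "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
    & schtasks.exe /Create /F /SC MINUTE /MO $EveryMinutes /TN $TaskName /TR $run /RU $RunAs /RP *
}

# When the task (or an operator) runs the script: sync all partitions, show the
# outcome, and fail the task if any run returned a non-zero exit code.
$runs = Invoke-AdLdsSync -TargetDn $Partitions
$runs | Format-Table TargetDn, ExitCode, Log -AutoSize
if ($runs | Where-Object { $_.ExitCode -ne 0 }) { exit 1 }
```

Register it once from an elevated prompt, for example Register-AdLdsSyncTask -ScriptPath 'C:\ADLDS-Logs\Sync-AdLds.ps1' -RunAs 'INTEL\svc-adlds-sync' -EveryMinutes 30 (names constructed for the example); the task's last-run result then doubles as the alert that a sync stopped working.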
Configuring BlackShield to use AD LDS proxy user
Now that AD LDS has been configured, BlackShield must be configured to connect to the AD LDS instance as its user source.
During the user source configuration, provide the IP/DNS name of the AD LDS system, NOT the AD DC system.
This is to be done at the LDAP Configurations screen.
Figure 37
In the LDAP Credentials screen, enter in cn=adamproxy in the User DN
Click the dropdown menu and select the Base DN of the AD LDS instance
(e.g. dc=blackshield,dc=cryptocard,dc=com)
Place a checkmark in Append Base DN to User DN
Enter the Password for the user. (See Figure 34 through Figure 36 beginning on page 18)
Figure 38
Note: For more detailed installation instructions, please take a look at the BlackShield ID Administrator Manual at: http://www.cryptocard.com.
Caveats
If multiple domains are being synchronized to a single AD LDS instance, then the container names must be unique. When importing users within the same container name, AD LDS will rename the container to a random name. If a user (e.g. JDoe) exists in two domains with the same username and within the same container name, then one of the usernames must be changed (e.g. JDoe2) so that both users will be synchronized to the AD LDS instance.
It is recommended that a separate container be created within AD LDS when synchronizing data from the second domain. This is to indicate within the synchronization XML file that the BASE DN is within the newly created container. This allows two completely separate sets of LDAP information to be easily stored within AD LDS.
e.g. An OU has been created within AD LDS called 'Domain2'. In the second domain's XML file, the base DN that will be used is CN=Domain2,DC=blackshield,DC=cryptocard,DC=com.
Note: A user that exists in AD LDS can never use their Microsoft static password to authenticate against BlackShield. Usernames must be unique if multiple domains are synchronized to an AD LDS instance. Then the users will be displayed properly within BlackShield ID.
Recommended