Thread: [Lam-public] Local Copy of AD Forests
From: Mark S. <ma...@zt...> - 2024-03-20 13:06:15
Design:

1. Ubuntu 20 LTS with LAM, LDAP.
2. DC/Contoso.local server Forest with many servers
3. DC/LitWareInc.local server Forest with many servers
4. IdP - Server farm for authentication
5. AWS Cloud
6. Azure Cloud

I have successfully connected LAM to both DC's and can see the tree view. All is good.

For security reasons I do not want to expose the DC's to external sources. I want the LDAP databases for both forests on the Ubuntu host. Does your tool make that happen? The IdP should only point to the LDAP server to verify authentication. The LDAP server should be getting near realtime updates of the AD changes. Ultimately I have probably 100 AD forests I need to integrate into this.

Mark R. Sigsbee, CISSP
SUNet PKI Support Team
Mark@ZTISolutions.com
(301)509-7592 (cell)
From: Roland G. <po...@ro...> - 2024-03-20 18:36:43
Hi Mark,

LAM is a GUI to manage LDAP entries. The place where these are stored is totally up to the LDAP server. If you need to sync data between LDAP servers then you will also need an additional tool.

Best regards
Roland
From: Mark S. <ma...@zt...> - 2024-03-20 19:41:21
I'm not a Unix expert, I'm the AD guy. I have no clue what tool you are referring to.

Can you make a recommendation?

Mark R. Sigsbee, CISSP
SUNet PKI Support Team
Mark@ZTISolutions.com
(301)509-7592 (cell)
From: Roland G. <po...@ro...> - 2024-03-21 06:52:04
Hi Mark,

can you provide more details on what you mean by "I want the LDAP databases for both forests on the Ubuntu host"? Do you just want to manage them from one central system? In this case, LAM is a good fit. You can create a server profile for each forest and manage all of them with one LAM instance.

Best regards
Roland
From: Mark S. <ma...@zt...> - 2024-03-21 11:32:18
I want to periodically pull from both AD forests into the LDAP database and have the IdP reference the LDAP database as authoritative. The IdP never reaches out to the AD databases directly, thus never exposing them.

The periodicity, though required for account changes, isn't a huge factor. I figured cron jobs can do that.

Mark R. Sigsbee, CISSP
SUNet PKI Support Team
Mark@ZTISolutions.com
(301)509-7592 (cell)
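The periodic pull described above, as an added example that is neither part of this thread nor LAM's own code: it reconciles AD users from several forests into the local directory, emitting LDIF change records for the copy, and propagates accounts that were disabled or removed in AD as deletes, which is the step that keeps the IdP from accepting a revoked user. The base DN, the helper names (ad_to_local, plan_sync) and the sample users are constructed for the example.

```python
# Added example (not LAM's code): one-way AD -> local LDAP reconciliation for a
# cron job. AD users are dicts of LDAP attributes; output is LDIF for the copy.
# Caveat: AD never exposes password hashes over LDAP, so a copy built this way
# holds identities and status, not credentials the IdP could verify itself.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit (Microsoft-documented value)

def ad_to_local(ad, forest, base_dn):
    """Map an AD user into a per-forest OU (equal sAMAccountNames in two forests
    must not collide). Disabled accounts map to None and so vanish from the copy."""
    if int(ad.get("userAccountControl", 0)) & ACCOUNTDISABLE:
        return None
    uid = ad["sAMAccountName"].lower()
    return {"dn": f"uid={uid},ou={forest},{base_dn}", "uid": uid,
            "cn": ad["cn"], "mail": ad.get("mail", "")}

def ldif_add(e):
    return (f"dn: {e['dn']}\nchangetype: add\nobjectClass: inetOrgPerson\n"
            f"uid: {e['uid']}\ncn: {e['cn']}\nsn: {e['cn']}\nmail: {e['mail']}\n")

def ldif_replace(e):
    return (f"dn: {e['dn']}\nchangetype: modify\nreplace: cn\ncn: {e['cn']}\n-\n"
            f"replace: mail\nmail: {e['mail']}\n-\n")

def plan_sync(forests, local_entries, base_dn):
    """forests: {name: [AD users]}; local_entries: what the copy holds now. Users
    removed or disabled in AD become deletes, else a revoked user stays valid at the IdP."""
    desired = {}
    for forest, users in forests.items():
        for ad in users:
            mapped = ad_to_local(ad, forest, base_dn)
            if mapped:
                desired[mapped["dn"]] = mapped
    current = {e["dn"]: e for e in local_entries}
    records = []
    for dn, want in desired.items():
        have = current.get(dn)
        if have is None:
            records.append(ldif_add(want))
        elif (have.get("cn"), have.get("mail")) != (want["cn"], want["mail"]):
            records.append(ldif_replace(want))
    for dn in sorted(current.keys() - desired.keys()):
        records.append(f"dn: {dn}\nchangetype: delete\n")
    return records

# Constructed sample: one active user per forest, one user disabled in AD since the last run (514 = 512 | 2).
BASE = "dc=idp,dc=example"
FORESTS = {"contoso.local": [
    {"sAMAccountName": "JDoe", "cn": "Jane Doe", "mail": "jdoe@contoso.local", "userAccountControl": "512"},
    {"sAMAccountName": "BOld", "cn": "Bob Old", "userAccountControl": "514"}],
  "litwareinc.local": [{"sAMAccountName": "JDoe", "cn": "John Doe", "userAccountControl": "512"}]}
LOCAL = [{"dn": f"uid=bold,ou=contoso.local,{BASE}", "cn": "Bob Old", "mail": ""}]
```

Feeding the returned records to ldapmodify on the Ubuntu host is the cron step; the two jdoe users land in separate forest OUs and the disabled bold entry is deleted from the copy.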
From: Roland G. <po...@ro...> - 2024-03-21 19:06:01
Hi Mark,

LDAP sync is not part of LAM's functionality. Our partners might be able to help you: https://www.ldap-account-manager.org/lamcms/partners

Best regards
Roland