I'm also trying to run with Win 2003 AD and tried what you've suggested above, but it's not working.
When clicking on Manage Organization Units:
An error occurred while contacting the LDAP server.
If I ignore this error and just configure Administer Access Control to use this LDAP, the browser on the client side does not show the web proxy authentication dialog but an HTTP 500 error.
After a bit of thought and enough time to figure it out, I finally have a working configuration that allows Proxy Server 4 to authenticate against Active Directory. There may be better ways to do this but this method works without changes to our AD environment.
The authentication process goes like this:
web proxy server -> directory proxy -> request transformation -> active directory
In this particular case the directory proxy is doing several things.
1. Completing a virtual transformation on the objectclass 'groupofuniquenames' to the 'group' objectclass in AD.
2. Mapping the attribute 'uid' to 'samaccountname'.
3. Mapping the attribute 'uniquemember' to 'member'.
Here is a high-level process to get it working.
1. Install dsee 7 according to the docs. (http://docs.sun.com/app/docs/doc/820-4807/install-dsee?l=en&a=view)
2. Install the directory server console according to the docs. Note: When deploying dscc7 with sun webserver 7 please be sure the webserver is run with the same uid as the directory server admin server. (This means that the webserver will need to be run as 'root' in most cases.)
3. Create a new directory proxy server.
4. Configure the directory proxy to transform and proxy requests to AD.
5. Configure the proxy admin server to use directory authentication.
dpconf create-ldap-data-source -D cn=proxymgr ad_source_native domaincontroller.ms.domain.com:389
dpconf set-ldap-data-source-prop -D cn=proxymgr ad_source_native is-enabled:true is-read-only:true
dpconf create-ldap-data-source-pool -D cn=proxymgr ad_native_pool
dpconf attach-ldap-data-source -D cn=proxymgr ad_native_pool ad_source_native
dpconf set-attached-ldap-data-source-prop -D cn=proxymgr ad_native_pool ad_source_native add-weight:100 bind-weight:100 modify-weight:100 search-weight:100
dpconf create-ldap-data-view -p 389 -D cn=proxymgr ad_native_directview ad_native_pool "ou=users,dc=ms,dc=domain,dc=com"
dpconf add-virtual-transformation -D cn=proxymgr ad_native_directview mapping attr-value-mapping objectclass internal-value:group view-value:groupofuniquenames
dpconf set-ldap-data-view-prop -D cn=proxymgr ad_native_directview attr-name-mappings:uid#samaccountname
dpconf set-ldap-data-view-prop -D cn=proxymgr ad_native_directview attr-name-mappings+:uniquemember#member
6. Restart web proxy admin server.
host = directory proxy server (not the AD domain controller)
port = directory proxy port (not the AD domain controller port)
base dn = dc=ms,dc=domain,dc=com
bind dn = CN=proxy user,OU=Users,DC=ms,DC=domain,DC=com <- most likely a service account. Can only use a user's full DN.
passwd = the user's password
7. Test by writing ACLs. Wouldn't it be nice if IE wasn't required for the GUI to work right.
1. You can monitor what is going on by reviewing the directory proxy server logs.
2. If you set the search base on the directory proxy to the server root (dc=ms,dc=domain,dc=com) you may get referral errors (err=52). This is why the "create-ldap-data-view" is set to "ou=users,dc=ms,dc=domain,dc=com" above. This could be set to anything as long as it's not the server root. For example, ou=hq,ou=us,dc=ms,dc=domain,dc=com.
If there are any brave souls out there willing to try this and have questions please let me know. I will help if I can.
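The following is an added offline model of the two rewrites the data view in the post above performs (the attr-name-mappings uid#samaccountname and uniquemember#member, and the objectclass value mapping group <-> groupofuniquenames). It is not code from the thread or from DSEE itself; the filter and the AD group entry it processes are constructed samples, and the simplified filter grammar (no escapes, no substring or extensible matches) is an assumption of this model.

```python
import re

# Mappings as configured on the data view (view side -> AD side).
VIEW_TO_AD_ATTR = {"uid": "samaccountname", "uniquemember": "member"}
VIEW_TO_AD_OBJECTCLASS = {"groupofuniquenames": "group"}
# Inverse direction, applied to entries coming back from AD.
AD_TO_VIEW_ATTR = {v: k for k, v in VIEW_TO_AD_ATTR.items()}
AD_TO_VIEW_OBJECTCLASS = {v: k for k, v in VIEW_TO_AD_OBJECTCLASS.items()}

# One "(attr op value)" item of a simple LDAP filter; values may contain
# '=' and ',' (DNs) but, in this simplified model, no parentheses or escapes.
_ITEM = re.compile(r"\(([A-Za-z][A-Za-z0-9.;-]*)(=|~=|>=|<=)([^()]*)\)")


def to_ad_filter(view_filter: str) -> str:
    """Rewrite a search filter sent by the web proxy into AD names/values."""
    def fix(m: re.Match) -> str:
        attr, op, value = m.group(1).lower(), m.group(2), m.group(3)
        if attr == "objectclass":
            value = VIEW_TO_AD_OBJECTCLASS.get(value.lower(), value)
        return f"({VIEW_TO_AD_ATTR.get(attr, attr)}{op}{value})"
    return _ITEM.sub(fix, view_filter)


def to_view_entry(ad_entry: dict) -> dict:
    """Rewrite an entry returned by AD into the uid/uniquemember shape."""
    out = {}
    for attr, values in ad_entry.items():
        name = attr.lower()  # LDAP attribute names are case-insensitive
        if name == "objectclass":
            values = [AD_TO_VIEW_OBJECTCLASS.get(v.lower(), v) for v in values]
        out[AD_TO_VIEW_ATTR.get(name, name)] = list(values)
    return out


# Constructed sample: what a group search from the web proxy looks like, and
# what AD hands back for the matching group.
SAMPLE_VIEW_FILTER = ("(&(objectclass=groupofuniquenames)"
                      "(uniquemember=cn=bob,ou=users,dc=ms,dc=domain,dc=com))")
SAMPLE_AD_GROUP = {
    "objectClass": ["top", "group"],
    "sAMAccountName": ["proxyusers"],
    "member": ["cn=bob,ou=users,dc=ms,dc=domain,dc=com"],
}

if __name__ == "__main__":
    print(to_ad_filter(SAMPLE_VIEW_FILTER))
    print(to_view_entry(SAMPLE_AD_GROUP))
```

Comparing the rewritten filter against what you see in the directory proxy access log is a quick way to confirm the mappings took effect before wiring the web proxy to it.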