Reputation: 7409
LDAP / Active Directory with External Users
Context
A company that uses Active Directory for a long time. Previously, admins added Domain Users Group to many resources with read access. It is not realistic to change all this.
A service, in this case a GitHub:Enterprise instance, that uses LDAP for authentication was introduced for a cooperation project with another company.
Problem
Creating AD accounts for the external users gives them access to many resources which they should not have access to. If we don't create AD accounts for them, they cannot access the new service.
Is there a way to create a kind of 'decorated' proxy for AD that has some local users (the external guys) and refers to the original AD db for other users (the employees)?
What other ways are there that could solve the access permission problem?
It is possible to set up an additional VM with either Windows or Linux to solve the problem; however, it would be preferable if that was not required.
Upvotes: 2
Views: 2091
Answers (1)
Reputation: 11026
Typically this would be done with SAML federation.
Or you could use your openLDAP and add all the users into it as this would not allow permissions for AD.
Upvotes: 3
Related Questions
- Login authentication via LDAP
- Active Directory vs OpenLDAP
- Setting up LDAP authorization using OpenLDAP
- Openldap cannot authenticate non-admin users
- Openldap and ActiveDirectory authentication
- Active Directory
- Is LDAP suitable for external users?
- LDAP authorization
- Active Directory, LDAP UserPrincipal
- Retrieving all user accounts on an accessible external Active Directory server over LDAPS