Ldap – When is AD LDS really required

Tags: active-directory, ad-lds, ldap

I have a question regarding the purpose of AD LDS.

Currently I am playing around with Windows Server infrastructure to have a better understanding of its inner workings and aim to build a simple test network. I have finished installing and setting up my domain controller (with AD DS, DHCP and DNS installed) and am now intending to build an external network (more commonly known as a DMZ in the business world) that will probably contain a SharePoint or normal web application.

From what I have researched, I understand that I can use LDAP authentication to perform single sign-on access on my web applications. I also understand that AD DS comes with the LDAP port installed as well. My question is this: do I still require the use of AD LDS in this situation?

From what I understand about AD LDS, it allows me to synchronize user data from my Active Directory. With the synchronized data, I can then perform LDAP authentication. However, the same can be achieved without the use of AD LDS, right? I can still connect to the LDAP port on my Active Directory and achieve the same thing, right?

Best Answer

I don't think you need to use LDS.

AD LDS is a basic LDAP directory; AD DS with the Windows-specific stuff stripped out of it. You can have lots of instances of LDS (on different ports) on one server, whereas you can only have one instance of AD DS on a domain controller.

If you want your AD DS users in AD LDS, you can use ADAMSync but that doesn't sync passwords.

If you want to use the same passwords, you can use userProxy or userProxyFull objects in AD LDS but that requires you to copy the objectSID from the AD DS user account to the AD LDS user account proxy. And it requires your LDS server to be able to contact your AD DS domain controller for user authentication. The application passes the Id and password to LDS. LDS performs a look-up of the Id and retrieves the objectSID which it forwards to the DC. It then passes the DC's response back to the application. userProxies can be a pain - if an account is deleted and later recreated, you have to remember to update the objectSid in the userProxy object in LDS.

Whether you should be exposing your AD DS to the internet via the DMZ, or applications hosted in it, is another question. But that's a design issue rather than a technical one. I'd say probably not, by the way.
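The answer mentions that a userProxy object in AD LDS only works while its objectSid matches the SID of the AD DS account it fronts, and that this silently breaks when the account is deleted and recreated. The following is an added example (not part of the answer above, and not an AD or AD LDS API) that shows the objectSid binary layout by converting it to and from the familiar `S-1-5-21-...` string form, and uses that to flag proxies whose stored SID no longer matches the current AD DS account. All SIDs and account names in it are constructed sample data; the function names are this example's own.

```python
"""Added example: objectSid binary <-> string conversion plus a drift check
between AD DS accounts and their AD LDS userProxy objects.

objectSid layout (binary): revision (1 byte), sub-authority count (1 byte),
identifier authority (6 bytes, big-endian), then N sub-authorities as
little-endian 32-bit integers. All sample values below are constructed.
"""
import struct


def sid_bytes_to_string(blob: bytes) -> str:
    """Render a binary objectSid as S-<rev>-<authority>-<sub>-<sub>-..."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; validates the S-r-a-... shape."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= revision <= 255 or len(subs) > 15:
        raise ValueError("SID fields out of range")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def find_stale_proxies(ds_accounts: dict, lds_proxies: dict) -> list:
    """Return proxy DNs whose objectSid no longer matches AD DS.

    ds_accounts:  sAMAccountName -> current objectSid (bytes) read from AD DS
    lds_proxies:  proxy DN -> (sAMAccountName it fronts, objectSid bytes stored
                  on the userProxy object in AD LDS)
    A proxy is stale when the account was deleted/recreated (new RID) or the
    account no longer exists at all.
    """
    stale = []
    for dn, (sam, proxy_sid) in lds_proxies.items():
        current = ds_accounts.get(sam)
        if current is None or sid_bytes_to_string(current) != sid_bytes_to_string(proxy_sid):
            stale.append(dn)
    return sorted(stale)


# --- constructed sample data (not real directory contents) ---------------
DOMAIN = "S-1-5-21-1111-2222-3333"          # constructed domain SID prefix
DS_ACCOUNTS = {
    "alice": sid_string_to_bytes(DOMAIN + "-1001"),
    "bob":   sid_string_to_bytes(DOMAIN + "-1502"),   # recreated: RID changed
}
LDS_PROXIES = {
    "CN=alice,OU=Proxies,DC=lds,DC=example": ("alice", sid_string_to_bytes(DOMAIN + "-1001")),
    "CN=bob,OU=Proxies,DC=lds,DC=example":   ("bob",   sid_string_to_bytes(DOMAIN + "-1002")),
    "CN=carol,OU=Proxies,DC=lds,DC=example": ("carol", sid_string_to_bytes(DOMAIN + "-1003")),
}

if __name__ == "__main__":
    print("SYSTEM SID:", sid_bytes_to_string(bytes.fromhex("010100000000000512000000")))
    for dn in find_stale_proxies(DS_ACCOUNTS, LDS_PROXIES):
        print("stale userProxy:", dn)
```

In a real deployment the two dictionaries would be populated by reading `objectSid` from the AD DS user and from the AD LDS userProxy object (for example with `Get-ADUser -Properties objectSid` on the domain side); running the comparison on a schedule is the check that catches the recreated-account case the answer warns about before users start failing to bind.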
