Using AD LDS as proxy to AD DS with Zenon

Hello,

Because of ISA95 considerations, the ZenOn instances I need to configure will reside in a VLAN that has no direct access to the AD DS domain controller. But the requirement is to have domain based authentication. ZenOn supports AD LDS which is great. The AD LDS instance can act as a "binding authentication proxy" to an AD DS and it also has tools (adamsync) to synchronize AD DS users and groups down to the AD LDS instance. And this is also great. These two seem to be a solution for my requirements as I can have an LDS instance that has access to the DC, and the ZenOn instances will have access to the LDS instance.

But I can't make them work together.

I have set up AD DS to AD LDS synchronisation, and binding proxy authentication also works as expected - but only from custom code. The same user name and password pair that is accepted by the generic LDAP bind yields "invalid user name" in zenon. I presume that there are other checks towards the LDS instance going on under the hood, but I have found no documentation about this, and I am currently unable to find it out. There is a difference between the legacy user and the proxied user though: the legacy user is of "user" class while the proxied is "userProxyFull" - and I can't have them both. Thus if there is an LDAP search based on the class, it will obviously fail.

Is there somewhere any documentation on how to set up such an environment? I doubt that such a segregation is a requirement only at our site.
Or at least can somebody tell the exact flow of the communication with the LDAP server during authentication; which attributes/values are fetched and/or filtered during any of these phases?

Regards,

This is a migrated post! Originally posted on 13.07.2020 by user zorgoz. Please be aware that information can be outdated.
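A diagnostic for the situation described above, added here as an example and not part of zorgoz's post or of zenon: it performs the same simple bind against the AD LDS instance that an application would (which LDS forwards to AD DS for a userProxyFull object), then runs the class-based searches an application might issue so you can see which filter actually returns the proxied account. Host name, port, partition DN and user DN are assumptions to replace with your own values; by default AD LDS only accepts proxy binds over a secure channel, hence the SSL setting.

```powershell
# Added diagnostic, not from the original post. All names below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldsHost   = 'lds01.example.local'                  # assumption: LDS host reachable from the zenon VLAN
$ldsPort   = 636                                    # assumption: SSL port of the LDS instance (often 50001)
$partition = 'CN=ZenonUsers,DC=example,DC=local'    # assumption: LDS application partition
$userCn    = 'operator1'                            # assumption: CN of the synchronised account
$userDn    = "CN=$userCn,CN=Users,$partition"       # assumption: DN of the userProxyFull object
$cred      = Get-Credential -Message 'Password of the AD DS account behind the proxy object'

$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ldsHost, $ldsPort)
$conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$conn.SessionOptions.SecureSocketLayer = $true      # proxy binds are refused on a clear channel by default
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, forwarded to AD DS
$conn.Credential = New-Object System.Net.NetworkCredential($userDn, $cred.GetNetworkCredential().Password)

try {
    $conn.Bind()
    Write-Host "Proxy bind OK for $userDn"
} catch {
    Write-Host "Proxy bind FAILED: $($_.Exception.Message)"
    return
}

# Filters an application might use to look the account up after the bind.
$filters = @(
    "(&(objectClass=user)(cn=$userCn))",            # AD DS style filter
    "(&(objectClass=userProxyFull)(cn=$userCn))",   # LDS proxy class
    "(cn=$userCn)"                                  # no class constraint: shows the object's real classes
)
foreach ($f in $filters) {
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $partition, $f, [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        @('objectClass', 'msDS-UserAccountDisabled'))
    $res = $conn.SendRequest($req)
    "{0,-48} -> {1} entries" -f $f, $res.Entries.Count
    foreach ($e in $res.Entries) {
        "    {0}: objectClass = {1}" -f $e.DistinguishedName,
            ($e.Attributes['objectClass'].GetValues([string]) -join ', ')
    }
}
```

Run it from a machine in the zenon VLAN so the network path matches what zenon uses; a bind that succeeds here but fails in zenon narrows the problem to the search phase, where the filter results show whether the class difference is what breaks the lookup.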
