Single JDE instance -LDAP authentication - multiple AD/Domains

SKH


Dear All,

I'll try to be brief :)

We currently run 8.11 on Wintel/SQL Server 2008 R2 (will upgrade to 9.1 soon). System is configured to use LDAP and this has been running fine for over 8 years.

In short, our Company is collaborating with a couple of others and forming a brand new Company (to co-exist with our existing Company but as an entirely separate entity). Users from the new setup will require access to our JDE system BUT they will be on a separate AD/domain which will NOT be 'trusted' with our existing one.

I know we can add the new users to our existing AD but interested to know what other options are available? Anybody running a single JDE installation but with users accessing from multiple domains? Can we run with more than one LDAP configuration? Can this be achieved by having multiple Logic servers (pointing at different domains)? Is it possible to mix LDAP authentication with non-LDAP on a single E1 instance?

Sorry for all the questions - brainstorming !

Thanks / Regards,

Sanjeev
 
Not with the standard LDAP, unfortunately.

But our SSO solution can certainly handle this scenario. Please, contact me off the list for more details...
 
In theory, that's what the Global Catalogue is for. JDE does support pointing the LDAP configuration to the GC port 3268. If you're pointing to a single domain controller and port 389, changing to a Global Catalogue would enable you to search multiple domains. Best practice is for all DCs to be Global Catalogue servers, maintaining replica copies. Your configuration may vary.

You would have to make sure the Windows domain architecture accounts for this, so if there is no plan to create domain trusts (more often than not they are created) and join them into a multi-domain forest, then you would have to look at other options.

The issue becomes possible duplication of user accounts in these multiple domains. That would be your problem to resolve (or your company's responsible parties in IT). But don't let anyone tell you that it can't be done or that you have to buy additional software to do this.

Having said that, I have a need to test this in my lab for a project, so if you're interested in the results, contact me via PM.

You could easily add a second JAS configuration (could be a single or multiple servers) and use OAM with Red Stack. That would allow you to keep LDAP integration for back-end services and use SSO for authentication for the end-users. OAM is easy to configure for multiple LDAP data stores, of which AD is one supported option. You would have to license OAM if you want to connect directly to AD. If you're on Blue Stack, you'd have to license it anyway. There's LDAP options with Blue Stack and SSO through WebSphere Portal, but I won't get into that.
 
Charles,

Have you actually done anything of the kind before? Just curious. GC option sounds good, but would it actually work?

Anyway, GC lives in a forest, i.e.: it cannot span multiple forests. And joining all domains would create implicit trusts. So on top of the complexities you brought up, there would be multiple additional layers. And of course the maintenance requirements would grow exponentially with the added complexity.

So if the domains are all designed for JDE from scratch, then maybe this is doable, but I don't think that an existing domain infrastructure like this can be bent to fit the JDE requirements.
 
Thank you for replying Alex, I'll be in touch for some more information.
 
Charles, thank you for your reply. I would be most interested in knowing how your results fared. I will be in touch :)
 
We're using JDE with Active Directory LDAP and the Global Catalogue. We have 3 distinct domains and it works great. No special plugin required.
 
We have 3 child domains and wish to implement LDAP for authentication. So, if it works great, can anyone help and provide details on how to accomplish this configuration?
 
LDAP now working - The LDAP filter is a global catalog base search on the root of the parent domain ANDed with group membership of an E1USERS local security group.

I just have to get users added from another Child domain and test - I'll post all the details after I've checked all is ok.

Adding a user to the E1USERS security group from one of our other child domains - LDAP fails to find the user.

We have now logged a call with Oracle to see if this solution should/can work.

Oracle got back to me and stated that it would not work.

Anyway, I just got it working - I've tested users from another domain in our forest and they get logged on OK.
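As an added illustration (not code from the thread or from JDE), the filter shape the post above describes: a user lookup against the Global Catalog on port 3268, based at the forest root and ANDed with E1USERS membership. The forest root DN, group DN and directory entries are constructed placeholders; the evaluator handles only the AND/equality subset of RFC 4515 that this filter needs, and the login name is escaped so it can only ever match literally.

```python
import re

# Constructed placeholders (assumptions): real values depend on your forest.
FOREST_ROOT_DN = "DC=example,DC=com"                   # search base for a GC query
E1USERS_DN = "CN=E1USERS,OU=Groups,DC=example,DC=com"  # the E1 access group
GC_PORT = 3268                                         # Global Catalog LDAP port


def escape_filter_value(value):
    """RFC 4515 escaping: a login name typed at the sign-on screen cannot
    add or close filter components, it is only ever compared literally."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value, used when evaluating a filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(sam_account_name):
    """User lookup ANDed with E1USERS membership, as described in the thread.
    Only attributes replicated to the GC (its partial attribute set) can be
    matched when this is sent to port 3268 with FOREST_ROOT_DN as the base."""
    return "(&(objectClass=user)(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(sam_account_name), escape_filter_value(E1USERS_DN))


def matches(entry, flt):
    """Evaluate the small RFC 4515 subset used above: AND lists and equality."""
    if flt.startswith("(&"):
        components = re.findall(r"\([^()]*\)", flt[2:-1])
        return all(matches(entry, c) for c in components)
    attr, _, val = flt[1:-1].partition("=")   # split on the first '=' only
    val = unescape_filter_value(val)
    return any(val.lower() == v.lower() for v in entry.get(attr, []))


# Constructed sample of what a GC search might return (not real directory data).
GC_ENTRIES = [
    {"dn": "CN=Ann,OU=Users,DC=example,DC=com", "objectClass": ["user"],
     "sAMAccountName": ["ann"], "memberOf": [E1USERS_DN]},
    {"dn": "CN=Bob,OU=Users,DC=child,DC=example,DC=com", "objectClass": ["user"],
     "sAMAccountName": ["bob"], "memberOf": []},          # not in E1USERS
    {"dn": "CN=Svc,OU=Users,DC=example,DC=com", "objectClass": ["computer"],
     "sAMAccountName": ["svc"], "memberOf": [E1USERS_DN]},  # not a user object
]


def find_user(entries, sam_account_name):
    """Return DNs of entries that would satisfy the JDE-style filter."""
    flt = build_user_filter(sam_account_name)
    return [e["dn"] for e in entries if matches(e, flt)]
```

Run it against real entries by issuing the filter from build_user_filter to your GC host on port 3268 with the forest root as the search base; a user that the GC search does not return is the symptom the post above describes.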
 