Has anyone realized a real SSO Federation with MS ADS (or LDAP to ADS) on OE11 for:
I was not able to create a real transparent full federation playing around with CLIENT-PRINCIPALs, etc.
(Only something very near to it, but I need to save the ADS password in my data model, which I see as security-ugly.)
Any hints?
It's conceivable that an AppServer, running on a Windows OS, can function as an Authentication Service for your UNIX AppServer and ABL batch processes. The Authentication Service's sole purpose is to use Client-Principals and have OE authenticate the users in a domain configured with the _oslocal system type, giving you AD user authentication. The resulting sealed Client-Principal can be returned to any ABL session, on any OS, where it can be used to set the AVM session and/or OE database connection's user-id. Sadly, this is not a complete solution as it would not cover your SQL92 server running on a UNIX server.
Would an Authentication Service be viable for your situation?
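The Authentication Service round trip described above, as an added ABL sketch that is not code from the thread: the Windows AppServer authenticates against a domain bound to _oslocal and hands back a sealed, exported Client-Principal, which the UNIX session imports and applies with SET-DB-CLIENT. The domain name "ADUSERS", the procedure name authsvc/authenticate.p, the database name "sports" and the variables hServer, cUser and cPassword are assumptions.

```abl
/* authsvc/authenticate.p -- runs on the Windows AppServer.
   Assumed: domain "ADUSERS" exists in the database, is enabled and uses
   the _oslocal system, so SET-CLIENT validates the password against the
   Windows host and therefore against AD. */
DEFINE INPUT  PARAMETER pcUser     AS CHARACTER NO-UNDO. /* AD user-id, no domain suffix */
DEFINE INPUT  PARAMETER pcPassword AS CHARACTER NO-UNDO.
DEFINE OUTPUT PARAMETER prCP       AS RAW       NO-UNDO. /* sealed, exported Client-Principal */

DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

CREATE CLIENT-PRINCIPAL hCP.
/* the user-id is qualified with the OE domain that is bound to _oslocal */
hCP:INITIALIZE(pcUser + "@ADUSERS", ?, ?, pcPassword).

/* SET-CLIENT authenticates through the domain's system and seals the
   token on success; the cleartext password stays in this session */
IF SECURITY-POLICY:SET-CLIENT(hCP) THEN
    prCP = hCP:EXPORT-PRINCIPAL().
ELSE
    prCP = ?.  /* authentication failed: hand back no token */

DELETE OBJECT hCP.


/* Caller on the UNIX side (any OS works). hServer is an AppServer
   connection assumed to be configured for SSL, so the password is not
   sent in the clear; cUser and cPassword were collected earlier. */
DEFINE VARIABLE rCP AS RAW    NO-UNDO.
DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

RUN authsvc/authenticate.p ON hServer
    (INPUT cUser, INPUT cPassword, OUTPUT rCP).

IF rCP = ? THEN
    RETURN ERROR "AD authentication failed".

CREATE CLIENT-PRINCIPAL hCP.
hCP:IMPORT-PRINCIPAL(rCP).

/* The UNIX database must define the ADUSERS domain with the same access
   code, otherwise the seal cannot be validated and the token is rejected. */
IF NOT SET-DB-CLIENT(hCP, "sports") THEN
    RETURN ERROR "database rejected the Client-Principal".
```

As the post notes, this only covers ABL sessions; the SQL92 server on UNIX still authenticates against its own configuration.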
Good idea, but I would not add an additional Windows AppServer to our UNIX-based solution for reliability and cost reasons.
I did not find any method to use SQL without using authentication against the _user table.
So this keeps a gap open for real federation.
I'd agree with Stefan here.
From my understanding, depending on the licence model in play, if you had a UNIX-only system, then adding a Windows AppServer and Database to implement an authentication server could require an extra DB licence and AppServer licence for each user.
In the Windows Authentication Service solution, I suppose the communication with the authentication AppServer should be through SSL to hide the password etc. This is a great solution if only it did not incur the extra license costs.
I understand that _oslocal on UNIX can only use local UNIX accounts in 11.0. In future releases, if the UNIX server uses the Windows AD for authentication, could the OE session on UNIX also use the same mechanism?
Thank you both for your feedback. It appears that AD authentication (through LDAP) by OpenEdge UNIX servers is your only viable solution for both SQL & ABL. That OpenEdge does not have.
My problem is that I did not find any way to use LDAP on the SQL server side or ADS federation with the ODBC Driver locally.
The SQL server always uses the _user table for authentication.
Is there any other way?
Any form of implicit AD access in 11.0 requires this configuration:
a) SQL92 server is running on a Windows server
b) The database's Domain in which the client is authenticating must be enabled and configured to use the _oslocal system
c) The user-id in the SQL connection has to include both the Windows user-id and the OE Domain configured with _oslocal
Are all three of these conditions met? It sounds like the client is authenticating to a Domain configured for _oeusertable?
No, we run everything on UNIX :-)
Outstanding choice
Seriously, in release 11.0 SQL92 can only authenticate to what the UNIX OS is configured to use. Sorry, no AD Federation for UNIX yet.