My problem is that I have a number of network administration applications like SAN switches that do not support nested groups from Active Directory Domain Services (AD DS). These legacy administration applications use either LDAP or LDAPS.
I am fairly sure I can use Active Directory Lightweight Directory Services (AD LDS) and possibly Windows Authorization Manager to work around this issue; however I am not really sure where to start.
I want to end up with:
- A single group that can be queried over LDAP/LDAPS for all its direct members
- An LDAP proxy for user name and password credentials to AD DS
- An easy way to administer the group; ideally the group would aggregate the nested membership in AD DS.
- A native solution using freely available components from the Windows stack.
If you have any suggestions or solutions that you have previously used to solve this issue please let me know.
I had a similar problem at a previous job. We ended up doing what Jscott did, which was to create specific groups just for those special apps. These groups were created in batch mode once a day (that was as often as we needed) based on what the nested groups had in them. Unfortunately, I no longer have the source for that, but we leveraged a combination of dsquery and PowerShell to build these special groups. The problem there is that this list will return both users and member groups. The PowerShell logic has to disambiguate and recurse into the child groups, only adding uniquely new members to the master user list. Once you've built the master user list, you can then use dsadd to create (or update) a group with static membership.
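The batch job the answer describes, written out as an added PowerShell example. It is not the answer's original script (which the author says is lost): it uses the ActiveDirectory module (Get-ADGroup, Get-ADObject, New-ADGroup, Add-ADGroupMember, Remove-ADGroupMember) in place of the dsquery/dsadd calls the answer mentions, and the group names SAN-Admins and SAN-Admins-Flat and the OU path are assumed placeholders. The recursion handles the two points the answer raises, telling users apart from nested groups and adding each user only once, and also guards against circular nesting.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not the answer's original script): mirror the nested
  membership of one AD DS group into a second group with static, direct
  membership, for LDAP-only apps that cannot expand nested groups.
  Run it on a schedule (e.g. daily) from a host with RSAT.
  The group names and OU path below are assumptions.
#>
[CmdletBinding()]
param(
    [string]$SourceGroup = 'SAN-Admins',                       # assumed: nested source group
    [string]$FlatGroup   = 'SAN-Admins-Flat',                  # assumed: flat mirror group
    [string]$FlatGroupOU = 'OU=App-Groups,DC=corp,DC=example'  # assumed: where to create it
)

Import-Module ActiveDirectory

function Add-FlatUserMembers {
    <#
      Walk a group's direct 'member' attribute. User DNs go into $Users
      (a hashtable, so a user reached through several nested paths is
      recorded once); nested groups are descended into. $Visited stops
      circular nesting (A -> B -> A) from recursing forever.
    #>
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][hashtable]$Users,
        [Parameter(Mandatory)][hashtable]$Visited
    )
    if ($Visited.ContainsKey($GroupDN)) { return }
    $Visited[$GroupDN] = $true

    $group = Get-ADGroup -Identity $GroupDN -Properties member
    foreach ($dn in $group.member) {
        # 'member' holds bare DNs; look each one up to see what it is.
        $obj = Get-ADObject -Identity $dn
        switch ($obj.ObjectClass) {
            'group' { Add-FlatUserMembers -GroupDN $dn -Users $Users -Visited $Visited }
            'user'  { $Users[$dn] = $true }   # add 'inetOrgPerson' here if you use that class
            default { Write-Verbose "Skipping $dn (objectClass $($obj.ObjectClass))" }
        }
    }
}

# 1. Flatten the source group into a unique list of user DNs.
$source = Get-ADGroup -Identity $SourceGroup
$users  = @{}
Add-FlatUserMembers -GroupDN $source.DistinguishedName -Users $users -Visited @{}
$wanted = @($users.Keys)

# 2. Create the flat group on the first run, otherwise read its current members.
#    Use -GroupScope Universal instead if members come from other domains in the forest.
$target = Get-ADGroup -Filter "Name -eq '$FlatGroup'" -Properties member
if (-not $target) {
    $target = New-ADGroup -Name $FlatGroup -Path $FlatGroupOU -GroupScope Global `
                          -GroupCategory Security -PassThru
}
$current = @($target.member | Where-Object { $_ })

# 3. Apply only the difference, so a daily run is cheap and idempotent and
#    never touches anything but the 'member' attribute.
$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

if ($toAdd)    { Add-ADGroupMember    -Identity $target -Members $toAdd    -Confirm:$false }
if ($toRemove) { Remove-ADGroupMember -Identity $target -Members $toRemove -Confirm:$false }

Write-Verbose ("{0}: {1} users total, {2} added, {3} removed" -f $FlatGroup, $wanted.Count, $toAdd.Count, $toRemove.Count)
```

Run it with -Verbose to see what it skips and changes, and schedule it under an account that has been delegated write access to the member attribute of the flat group only, not a domain admin. The legacy application then binds over LDAPS and reads the flat group's member attribute (or filters on memberOf) exactly as it does for any non-nested group. Two shortcuts worth knowing: Get-ADGroupMember -Recursive performs the same flattening in one call, subject to the ADWS result-size limit; and if the application lets you edit its LDAP filter, (memberOf:1.2.840.113556.1.4.1941:=<groupDN>) makes AD DS evaluate nested membership itself, with no mirror group at all.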