MarkMoorhead Trusted Contributor.

eDirectory communication with AD

Hello,

Couldn't find this info on a TID, Documentation, or in Forums so hopefully it is possible.

I have a Cisco router with Anyconnect for remote access VPN. Unfortunately, it will only work with Active Directory.

Is there a way for my eDirectory to talk to an Active Directory or Active Directory LDS if I set it up on my only Windows 2012 server? I set up AD LDS on the server and have been playing with getting LDAP to communicate with eDirectory or exporting eDirectory for import in AD LDS, but have been striking out right and left.

If anyone can point me in the right direction, or just tell me I'm out of luck, I'd really appreciate it. 😄

Thank You.
Knowledge Partner

Re: eDirectory communication with AD

On 01/21/2019 01:44 PM, MarkMoorhead wrote:
>
> Couldn't find this info on a TID, Documentation, or in Forums so
> hopefully it is possible.


You're looking for a product called Identity Manager (IDM) which is
actually based on eDirectory, and will synchronize your existing
eDirectory tree to many other products, one of which happens to be
Microsoft Active Directory (MAD), or anything else that works via LDAP, or
JDBC, or text files, or SOAP, or REST, or a bunch of other methods.

> I have a Cisco router with Anyconnect for remote access VPN.
> Unfortunately, it will only work with Active Directory.


You may want to verify that; many times products will list support for one
product when they actually support LDAP, and of course eDirectory has had
an LDAPv3 interface for decades.

> Is there a way for my eDirectory to talk to an Active Directory or
> Active Directory LDS if I set it up on my only Windows 2012 server? I
> set up AD LDS on the server and have been playing with getting LDAP to
> communicate with eDirectory or exporting eDirectory for import in AD
> LDS, but have been striking out right and left.


Do not put eDirectory directly on a MAD box, especially a DC, for
performance reasons, but you can definitely synchronize data between
eDirectory and MAD using the IDM driver (driver == connector). Initial
setup can be very easy, but put everything in a Test environment first
since changes from one environment will (as designed) flow to the other,
and that can be a problem if it is not done in the way you want (e.g. the
user deleted from MAD is now deleted from eDirectory).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
MarkMoorhead Trusted Contributor.

Re: eDirectory communication with AD

Good information and a place to start. I do have access to IDM as part of my OES package. Thanks for the advice!
Knowledge Partner

Re: eDirectory communication with AD

On 21.01.2019 21:44, MarkMoorhead wrote:
>
> Hello,
>
> Couldn't find this info on a TID, Documentation, or in Forums so
> hopefully it is possible.
>
> I have a Cisco router with Anyconnect for remote access VPN.
> Unfortunately, it will only work with Active Directory.
>
> Is there a way for my eDirectory to talk to an Active Directory or
> Active Directory LDS if I set it up on my only Windows 2012 server? I
> set up AD LDS on the server and have been playing with getting LDAP to
> communicate with eDirectory or exporting eDirectory for import in AD
> LDS, but have been striking out right and left.
>
> If anyone can point me in the right direction, or just tell me I'm out
> of luck, I'd really appreciate it. 😄


Are you using just eDirectory standalone, or is this OES we're talking
about?

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
MarkMoorhead Trusted Contributor.

Re: eDirectory communication with AD

This is OES. Sorry, should have specified.

Mark
Knowledge Partner

Re: eDirectory communication with AD

On 22.01.2019 00:16, MarkMoorhead wrote:
>
> This is OES. Sorry, should have specified.
>


In that case, you may want to look at Domain Services for Windows too.

https://www.novell.com/documentation/open-enterprise-server-2018/acc_dsfw_lx/data/b8xzyv1.html

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
kbuley Absent Member.

Re: eDirectory communication with AD

MarkMoorhead;2494083 wrote:
Hello,

Unfortunately, it will only work with Active Directory.

This is not true. It's been a while since I've configured an ASA, but you should be able to do something like:

aaa-server eDir protocol ldap
aaa-server eDir host $IPADDRESS_OF_EDIR
 server-port 636
 ldap-base-dn ou=FOO,ou=BAR,o=BAZ (Where are your users?)
 ldap-scope subtree
 ldap-login-dn cn=ADMIN,ou=ADMINS,o=TREE (where's your admin user?)
 ldap-login-password $ADMINISTRATIVE_PASSWORD
 ldap-over-ssl enable
 server-type novell

I don't have an ASA or Pix handy, so I'm not sure of the appropriate config for TLS (instead of SSL).
In the unlikely event you're not using SSL... the port would be 389 and you wouldn't enable ldap-over-ssl.

Taking a peek in the Cisco forums might be helpful, too. There's no need to stand up an AD instance and sync to it when the Cisco device can talk standard LDAP to eDir. Why add moving parts?
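As an added example (not part of kbuley's post, and not a Cisco or Micro Focus tool), here is a small offline Python lint for an ASA-style aaa-server block like the one above. It parses the block and flags what matters when the device authenticates VPN users against eDirectory: a server-port that disagrees with ldap-over-ssl, cleartext LDAP on 389, leftover $PLACEHOLDER values, malformed DNs, and a bind DN that looks like a tree admin rather than a read-only proxy user. The parser, the DN regex, the finding texts and the sample block are this example's own assumptions.

```python
# Added example, not from the thread: offline lint for an ASA-style LDAP aaa-server block aimed at eDirectory.
import re
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(?:,[A-Za-z][\w-]*=[^,=]+)*$")

def parse_aaa_server_block(text):
    """Flatten the block into a dict; trailing '(notes)' as in the post are dropped."""
    cfg = {}
    for raw in text.splitlines():
        line = re.sub(r"\s*\(.*\)\s*$", "", raw.strip())
        if not line:
            continue
        if line.startswith("aaa-server "):  # aaa-server <tag> protocol|host <value>; the (iface) form is not handled
            _, cfg["tag"], kind, value = line.split(None, 3)
            cfg[kind] = value
        else:                               # sub-mode line: keyword value
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg

def check_ldap_block(cfg):
    """Return a list of findings; an empty list means the block looks sane."""
    f = []
    ssl_on = cfg.get("ldap-over-ssl") == "enable"
    port = cfg.get("server-port", "389")    # ASA default port for protocol ldap
    if port in ("389", "636") and (port == "636") != ssl_on:
        f.append(f"server-port {port} does not match ldap-over-ssl enable={ssl_on}")
    if not ssl_on:
        f.append("cleartext LDAP: the bind password and every VPN user's password cross the wire unencrypted")
    for key in ("host", "ldap-login-password"):
        if not cfg.get(key) or cfg[key].startswith("$"):
            f.append(f"{key} is missing or still a placeholder")
    for key in ("ldap-base-dn", "ldap-login-dn"):
        if not DN_RE.match(cfg.get(key, "")):
            f.append(f"{key} is missing or not a well-formed DN")
    if "admin" in cfg.get("ldap-login-dn", "").lower():  # heuristic only
        f.append("ldap-login-dn looks like an admin account; bind as a read-only proxy user instead")
    return f

# Constructed sample: the block as posted in the thread, placeholders included.
FORUM_BLOCK = """\
aaa-server eDir protocol ldap
aaa-server eDir host $IPADDRESS_OF_EDIR
 server-port 636
 ldap-base-dn ou=FOO,ou=BAR,o=BAZ (Where are your users?)
 ldap-scope subtree
 ldap-login-dn cn=ADMIN,ou=ADMINS,o=TREE (where's your admin user?)
 ldap-login-password $ADMINISTRATIVE_PASSWORD
 ldap-over-ssl enable
 server-type novell
"""
```

Run `check_ldap_block(parse_aaa_server_block(...))` on a block before pasting it into the device; on the posted block it reports the two placeholders and the admin bind DN, and on a filled-in copy that drops ldap-over-ssl for port 389 it reports only the cleartext warning.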
MarkMoorhead Trusted Contributor.

Re: eDirectory communication with AD

This is on a Firepower 2110, and from what I've seen in the Cisco documentation it's a little different than the ASA. Seems to be more picky. Some mention of a RADIUS server as an alternative but no mention of LDAP. Could just be the new user interface which doesn't allow it, and command line may do the trick. I'll check the Cisco forums and maybe post an inquiry there as well. Thanks for the input.
Knowledge Partner

Re: eDirectory communication with AD

On 22.01.2019 02:34, MarkMoorhead wrote:
>
> This is on a Firepower 2110, and from what I've seen in the Cisco
> documentation it's a little different than the ASA. Seems to be more
> picky. Some mention of a RADIUS server as an alternative but no mention
> of LDAP. Could just be the new user interface which doesn't allow it,
> and command line may do the trick. I'll check the Cisco forums and
> maybe post an inquiry there as well. Thanks for the input.
>
>

FWIW: You can set up Radius on OES....

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
Knowledge Partner

Re: eDirectory communication with AD

On Tue, 22 Jan 2019 08:57:00 GMT, Massimo Rosen
<mrosenNO@SPAMcfc-it.de> wrote:

>On 22.01.2019 02:34, MarkMoorhead wrote:
>>
>> This is on a Firepower 2110, and from what I've seen in the Cisco
>> documentation it's a little different than the ASA. Seems to be more
>> picky. Some mention of a RADIUS server as an alternative but no mention
>> of LDAP. Could just be the new user interface which doesn't allow it,
>> and command line may do the trick. I'll check the Cisco forums and
>> maybe post an inquiry there as well. Thanks for the input.
>>
>>

>FWIW: You can setup Radius on OES....


Or optionally just set it up on straight SLES. I run OES here, but
for simplicity's sake, I set up a separate VM running SLES and dedicated
it to Radius.

--
Ken
Knowledge Partner

Create and vote for enhancements!
https://www.microfocus.com/products/enhancement-request.html
MarkMoorhead Trusted Contributor.

Re: eDirectory communication with AD

Thanks for the great info everyone. I'll post how I get it worked out.
kbuley Absent Member.

Re: eDirectory communication with AD

MarkMoorhead;2494093 wrote:
This is on a Firepower 2110, and from what I've seen in the Cisco documentation it's a little different than the ASA. Seems to be more picky. Some mention of a RADIUS server as an alternative but no mention of LDAP. Could just be the new user interface which doesn't allow it, and command line may do the trick. I'll check the Cisco forums and maybe post an inquiry there as well. Thanks for the input.


The radius server would use eDirectory for its user store. You could then use membership in eDirectory groups to determine what key/value pairs are sent from the radius server.

Now that I think about it, I seem to remember connecting to AD in a similar fashion. On the Windows side, you'd install the IAS component and have it speak radius to the Cisco device (and it would use AD as a back-end).