I implemented EAS with our existing AD for Luminis when I first started configuring it. I did not keep my own documentation since everything worked straight out of the "Luminis Platform Security SDK External Authentication Server Implementation Guide" which is available on the Sungard CSC site. The only problem is that Luminis cannot update AD with the delivered EAS software. This is a problem especially when it comes to changing passwords. There are a few different ways to resolve the issue - pay Sungard for the additional functionality, write your own, or use an external application to change passwords. We opted to not use the AD integration at all since our faculty and students were not already in the directory, and are actually authenticating our LMS and another system off of the Luminis LDAP server instead.
Submitted by reickleberry on Mon, 2009-06-22 10:38.
Thank you for your comment. I've looked at the guide and am just worried about the password syncing since we require users to change passwords every 90 days. And, of course, they can change them at any time in Active Directory. Plus, sometimes users forget passwords and our Help Desk just resets them to a generic one in AD.
Thanks again for your comment. This is a great community and I appreciate the input.
We just rolled out Luminis IV and integrated it with AD. We are using Luminis as our main portal system and only recently added the AD component for integration with other systems. Password and account management remains the same as if we never used AD.
I wrote a whole bunch of Java code to create a JAAS module that connects directly to AD for authentication. It falls back to the Luminis LDAP for authentication if that fails, ensuring the password resets within the admin center of Luminis still function as normal. If that is successful, it updates the AD password.
Overnight, a process runs to place users into their respective OUs in AD, and place users into AD groups matching their Luminis roles. New accounts and groups are created as well matching the Luminis username and roles. Deactivated accounts in Luminis are deactivated, and deleted Luminis users are disabled with a description in their account saying they were deleted from Luminis. This was to avoid messing with the email mailboxes in Exchange caused by actually deleting the user.
Anyway, the idea is completely doable and we've had nearly 0 issues. Users can change their own password, accounts can be provisioned and unprovisioned, administrative password resets, etc. are the same in Luminis as if we weren't using AD as the main authentication. That said, it took me many hours of coding and significant knowledge of LDAP and AD. I don't know about my ability to release the code, but I'm willing to offer advice if you choose to go this route.
Otherwise, AD authentication is pretty simple by following the EAS guide. You just don't have real-time password syncing, account provisioning & deprovisioning needs to be done on 2 systems and kept in sync, password changes have to be done via AD or via a custom script outside of Luminis (although it can be hosted on the Luminis system), etc.
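The commenter's module was not released, so the following is an added example written for this page, not the commenter's code or anything shipped with Luminis. It shows the login flow described above as a JAAS LoginModule built on plain JNDI: bind to AD first, fall back to the Luminis LDAP, and when the fallback is what authenticated the user, push that password into AD as a service account. The option names (adUrl, adUpnSuffix, adUserBaseDn, adServiceDn, adServicePassword, luminisUrl, luminisUserBaseDn), the user@domain bind form and the uid= naming of Luminis entries are assumptions for the example; the nightly OU/group sync from the comment is a separate job and is not shown here.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.UserPrincipal;

// Illustrative LoginModule written for this page, not the commenter's code. The option names
// (adUrl, adUpnSuffix, adUserBaseDn, adServiceDn, adServicePassword, luminisUrl, luminisUserBaseDn)
// are assumptions and would be supplied by the JAAS login configuration file.
public class AdFirstLuminisFallbackLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler; private Map<String, ?> options;
    private String username; private boolean authenticated;

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; options = opts;
    }

    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("credential callback failed: " + e); }
        username = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        // An empty password turns a simple bind into an "unauthenticated" bind that AD reports as
        // success, so refuse it before contacting either directory.
        if (username == null || username.isEmpty() || pw == null || pw.length == 0) {
            throw new FailedLoginException("empty credentials");
        }
        String password = new String(pw);
        java.util.Arrays.fill(pw, '\0');

        // 1. Active Directory first; AD accepts user@domain as the simple-bind identity.
        if (bind(opt("adUrl"), username + "@" + opt("adUpnSuffix"), password)) return authenticated = true;

        // 2. Fall back to the Luminis LDAP so a reset done in the Luminis admin center still works.
        //    Rdn.escapeValue keeps a crafted username from rewriting the DN.
        String luminisDn = "uid=" + Rdn.escapeValue(username) + "," + opt("luminisUserBaseDn");
        if (bind(opt("luminisUrl"), luminisDn, password)) {
            // 3. Luminis holds the current password, so push it into AD; a sync failure is logged,
            //    not treated as a login failure.
            try { setAdPassword(username, password); }
            catch (NamingException e) { System.err.println("AD sync failed for " + username + ": " + e); }
            return authenticated = true;
        }
        throw new FailedLoginException("invalid credentials");
    }

    // Find the AD account by sAMAccountName and replace unicodePwd using the service account.
    private void setAdPassword(String user, String password) throws NamingException {
        DirContext ad = connect(opt("adUrl"), opt("adServiceDn"), opt("adServicePassword"));
        try {
            SearchControls sc = new SearchControls(SearchControls.SUBTREE_SCOPE, 1, 0, new String[0], false, false);
            // {0} is escaped by JNDI, so the username cannot inject filter syntax.
            NamingEnumeration<SearchResult> hits = ad.search(opt("adUserBaseDn"),
                    "(&(objectClass=user)(sAMAccountName={0}))", new Object[] { user }, sc);
            if (!hits.hasMore()) throw new NamingException("no AD account for " + user);
            String dn = hits.next().getNameInNamespace();
            // AD accepts unicodePwd only over TLS (adUrl must be ldaps://) and only as a UTF-16LE
            // string wrapped in double quotes.
            byte[] quoted = ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
            ad.modifyAttributes(dn, new ModificationItem[] { new ModificationItem(
                    DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", quoted)) });
        } finally {
            ad.close();
        }
    }

    private boolean bind(String url, String dn, String password) {
        try { connect(url, dn, password).close(); return true; }
        catch (NamingException e) { return false; }
    }

    private DirContext connect(String url, String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>(Map.of(
                Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory",
                Context.PROVIDER_URL, url, Context.SECURITY_AUTHENTICATION, "simple",
                Context.SECURITY_PRINCIPAL, dn, Context.SECURITY_CREDENTIALS, password));
        return new InitialDirContext(env);
    }

    private String opt(String key) {
        Object v = options.get(key);
        if (v == null) throw new IllegalStateException("missing login option: " + key);
        return v.toString();
    }

    @Override public boolean commit() {
        if (authenticated) subject.getPrincipals().add(new UserPrincipal(username));
        return authenticated;
    }
    @Override public boolean abort() { authenticated = false; username = null; return true; }
    @Override public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
        return true;
    }
}
```

The module is wired in through the JAAS login configuration with the option names above, and adUrl has to be an ldaps:// URL because AD rejects unicodePwd modifications on a cleartext connection. Two properties of this design are worth keeping in mind: until the resync has run, the old Luminis password still logs a user in, and a failed AD bind looks the same to the module whether the cause is a wrong password or an account AD has locked or disabled. If the second case matters, the module should inspect the AD bind error's diagnostic subcode and refuse to fall back for locked or disabled accounts rather than letting the Luminis directory override AD's decision.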
Submitted by reickleberry on Mon, 2009-06-22 10:42.
Thanks for your comment. It helps to know what other people have done. I'm by no means any type of LDAP/AD pro, that's for sure. I'm just worried about implementing the EAS without having any type of account provisioning/deprovisioning and password sync.
Thank you again for your comments, everyone in the community is very supportive and I appreciate your post.