PHP
Evgeny Ferapontov, 2016-04-05 18:24:20

How to create users in AD from a website or synchronize accounts between AD and a website?

We are thinking of introducing Active Directory in some places to manage the zoo of machines and get normal differentiation of user rights. The company has about 200 computers, several regionally distributed offices, and a bunch of servers. The main business application of this company is a website, which, starting as a plain line-of-business application, has also grown into a centralized user accounting system; in general, its responsibilities have begun to overlap with those of Active Directory. AD itself is needed primarily for group policies and normal management of user access rights.
The company's web application runs on LAMP; the server is located in another country and is not connected to the local network via VPN. User credentials and their privileges are stored in a MySQL table as a login, a password, and a bunch of access-right attributes.
For users, it is most logical if the credentials in this application and in AD are the same. Periodically (about once a month, timed to coincide with the meeting of department heads), the passwords of all accounts in the application are reset, random new ones are generated, and the managers distribute the credentials to end users. Adding new accounts and removing old ones in the application is also done by the heads of departments. No one will administer and maintain the consistency of credentials between AD and the application.
Offhand, there are two solutions:

  1. Synchronization of credentials between AD and the application (how???)
  2. Delegation of the rights to create/delete credentials in AD to the heads of departments, with auto-generation of a PowerShell script when an account is created/deleted in the application that creates/deletes the account in AD; the manager would have to run the resulting script after each change (some kind of rusty bicycle, and it is not clear how to reset passwords).

Moreover, you could still come up with something "pretty" for the script, such as displaying understandable error/success messages, aggregating several changes into one script, etc., but there are absolutely no ideas regarding synchronization.
What can you advise in this situation?


2 answers
Sergey Galaktionov, 2016-04-06
@Hagmos

Does the application support OAuth? If yes, then dig towards AD FS.

Alexander, 2016-04-06
@AlexListen

Look towards adLDAP: https://github.com/adldap/adLDAP/wiki
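An added example, written for this page and not taken from the question, the answers or the adLDAP project: the direction both answers point at is to stop copying passwords into MySQL at all and let AD verify them. The sketch below does that with PHP's built-in `ldap_*` extension instead of the adLDAP wrapper (so the calls are the stock PHP API; adLDAP wraps the same operations). The web app binds to a domain controller over LDAPS with the credentials the user typed, then reads the user's `memberOf` attribute and maps AD groups onto the application's existing access-right attributes. The host name, base DN, UPN suffix and group names are assumed placeholders, and `AD_GROUP_TO_RIGHT` is a hypothetical mapping table, not an adLDAP or AD feature.

```php
<?php
// Added example: authenticate a web-app login against Active Directory
// over LDAPS instead of storing/synchronising passwords in MySQL.
// All names below are assumed placeholders. Requires PHP >= 7.1 with ext-ldap.

const AD_URI        = 'ldaps://dc1.corp.example.local';   // assumed DC, LDAPS on 636
const AD_BASE_DN    = 'DC=corp,DC=example,DC=local';      // assumed forest/domain root
const AD_UPN_SUFFIX = '@corp.example.local';              // assumed UPN suffix

// Hypothetical mapping from AD group DN to the app's own access-right attribute.
const AD_GROUP_TO_RIGHT = [
    'CN=App-Admins,OU=Groups,DC=corp,DC=example,DC=local'  => 'admin',
    'CN=App-Editors,OU=Groups,DC=corp,DC=example,DC=local' => 'editor',
];

/**
 * Verify $username/$password against AD with a simple bind as that user.
 * Returns ['sam' => ..., 'dn' => ..., 'groups' => [...]] or null on failure.
 */
function adAuthenticate(string $username, string $password): ?array
{
    // AD treats a bind with an empty password as an *anonymous* bind, and it
    // succeeds; a login form that forwarded an empty password would "log in".
    if ($username === '' || $password === '') {
        return null;
    }
    // Only accept characters that can appear in a sAMAccountName.
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $username)) {
        return null;
    }

    $ldap = ldap_connect(AD_URI);
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // Refuse the connection if the DC certificate does not validate.
    ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // The password goes to the DC and nowhere else; the app never stores it.
    if (!@ldap_bind($ldap, $username . AD_UPN_SUFFIX, $password)) {
        ldap_unbind($ldap);
        return null;
    }

    // Read the user's own entry. ldap_escape() keeps a crafted username from
    // rewriting the search filter.
    $filter  = '(&(objectClass=user)(sAMAccountName='
             . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = ldap_search($ldap, AD_BASE_DN, $filter, ['distinguishedName', 'memberOf']);
    $entries = $result ? ldap_get_entries($ldap, $result) : false;
    ldap_unbind($ldap);

    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }
    $entry  = $entries[0];                     // attribute keys come back lowercase
    $groups = [];
    if (isset($entry['memberof'])) {
        for ($i = 0; $i < $entry['memberof']['count']; $i++) {
            $groups[] = $entry['memberof'][$i];
        }
    }
    return ['sam' => $username, 'dn' => $entry['distinguishedname'][0], 'groups' => $groups];
}

/** Translate AD group membership into the application's access-right attributes. */
function rightsFromGroups(array $groupDns): array
{
    $rights = [];
    foreach ($groupDns as $dn) {
        if (isset(AD_GROUP_TO_RIGHT[$dn])) {
            $rights[] = AD_GROUP_TO_RIGHT[$dn];
        }
    }
    return $rights;
}

// Usage from the login handler (sketch):
// $user = adAuthenticate($_POST['login'] ?? '', $_POST['password'] ?? '');
// if ($user === null) { http_response_code(401); exit; }
// $_SESSION['user']   = $user['sam'];
// $_SESSION['rights'] = rightsFromGroups($user['groups']);
```

With this design the "how???" of option 1 disappears: nothing is synchronised, the monthly password reset happens in AD only, and removing a user in AD locks them out of the site at the same time. The MySQL table keeps only the rights that have no AD equivalent. The caveat is the one the question itself raises: the web server sits abroad with no VPN, so a direct LDAPS bind needs a reachable DC (or a read-only DC in the server's network); if that cannot be arranged, the AD FS route from the first answer lets the browser authenticate to AD without the web server ever talking LDAP.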
