Bookshelf Home | Contents | Index | PDF |
Siebel Security Guide > Security Adapter Authentication > About LDAP or ADSI Security Adapter Authentication > Comparison of LDAP and ADSI Security AdaptersThis topic outlines the differences in functionality provided by the LDAP and ADSI security adapters. The relative benefits of each type of security adapter are shown in Table 11. The LDAP security adapter can be used to authenticate against supported LDAP-compliant directories. The LDAP security adapter is also supported for integration to Active Directory and provides most of the functionality offered by the ADSI security adapter. The ADSI security adapter can authenticate against ADSI-compliant directories (Microsoft Active Directory). NOTE: For Siebel CRM version 8.0 and higher, it is recommended that you use the LDAP security adapter for authenticating against both Active Directory and LDAP-based external directories. However, if you use the LDAP security adapter to authenticate users against Active Directory, and if you want to manage user passwords or create new users in the Active Directory, then you must configure SSL between the LDAP security adapter and the Active Directory. Implementing SSL in these circumstances is a requirement of Microsoft Windows and Active Directory.
About Administering the Directory through Siebel Business ApplicationsIf you choose to administer the LDAP or Active Directory directory through Siebel Business Applications, then be aware that in large implementations timeout issues can occur, particularly if using the ADSI security adapter. To prevent timeout issues: For help with overall design recommendations and performance improvement, contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance from Oracle's Application Expert Services. Using the LDAP Security Adapter with Active Directory: Setting the Base DNIf you use the LDAP security adapter with Active Directory, then problems can occur if you set the base distinguished name (Base DN), which specifies the root directory under which users are stored, to the root level of the Active Directory. When the LDAP security adapter searches the Active Directory, it searches everything under the Base DN. If the Base DN is set to the Active Directory root, then the LDAP security adapter searches all directory entities, including configuration and schema entities to which the application user does not have access. To prevent this situation from occurring, do not set the base DN to the Active Directory root directory; this recommendation also applies to implementations in which the ADSI security adapter performs the authentication function. Communicating with More Than One Authentication ServerThis topic describes the specific circumstances in which the LDAP and ADSI security adapters can connect to more than one directory server, either to authenticate users in more than one directory, or for failover purposes. ADSI Security AdapterThe ADSI security adapter does not support authentication of users in different domains or forests and does not support Microsoft Global Catalog functionality. However, the ADSI security adapter can connect to multiple AD servers for authentication or failover purposes provided that the following conditions are met:
To enable the ADSI security adapter to connect to multiple AD servers, specify the NetBIOS name of the domain containing the Active Directory servers, instead of the name of a specific Active Directory server, for the Server Name parameter of the ADSI security adapter profile. LDAP Security AdapterThe LDAP security adapter provided with Siebel Business Applications currently does not support communication with more than one directory server. However, the following options are available:
|
Siebel Security Guide | Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices. | |