0

I have an Active Directory server, running on Windows Server 2012 R2. I also have a webserver, running on macOS El Capitan. There is an external AD-server which I can use (only) to query for user (this is already working).

I would like for new users that exist on the external AD-server to be able to register themselves. They should authenticate to the external AD-server and, if they exist, an account should be created for them on my 2012 AD-server. They would also add some information when registering (an email address, ...). The whole process should be done via a website, which should run on the macOS webserver.

The part I stumble on is how to create the new account on the AD-server from the macOS webserver. I have looked into several possibilities, all of which either have a big deficiency or which I don't know enough about to implement:

  • Use a PHP query with a locked down domain admin, using either native PHP tools or a library like adLDAP (I don't know if this is secure enough or less secure than the SOAP approach listed below).
  • Execute a PowerShell script via ssh with no passphrase (quite insecure. I don't want people that access my webserver to have that much access to my AD-server).
  • Implement a (REST or SOAP) web service on the AD-server (I guess quite secure. I don't know if Windows IIS has this integrated already. Didn't find anything when searching).

My question is: What is a simple and secure method to remotely add users to Active Directory from a non-windows server?

Improve this question

1 Answer 1

Reset to default
0

New Improved Answer!

Here's how I would do it:

There is a windows port of openssh and openssh lets you specify a command to associate with a key in the authorized_keys file. Read this and look at the section for the authorized_keys file format and specifically command="command" Write your account creation script and add it as the "command". Pay attention to the bit about "OPENSSH_ORIGINAL_COMMAND"

The most important bit to remember is, the internet will try to hack this thing, so make sure you sanitize, sterilize and possibly euthanize the incoming data. Remember your concern with a no-password ssh key is that someone will steal the key. So, when you write the script, assume every baddie out there already has the key. This same concern applies regardless of the technology you use (php, soap, shampoo..etc)

Hope that's helpful!

Old Not Helpful Answer!

I think you can do that via LDAP. I found a C# resource that includes making users, and it does it via LDAP. In theory you could do the same thing with openldap (ldapsearch etc...) or the LDAP library in the programming language of your choice.

https://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C#34

The article is 10 years old though, so it might not work.

I currently use LDAP as a read-only interface to a remote AD server, so at least I know LDAP is still important.

Hope that helps! -Dylan

Improve this answer
3
  • Thanks for your answer. Unfortunately, it does miss the point, which is adding a user securely. I am aware that there are libraries for Active Director/LDAP. For PHP, these are for example adLDAP, which I mentioned in the question, or the built in ldap library (if compiled with the right switches). The question is: How to add a user securely to a remote Active Directory? What are good practices, what is to be avoided (like having ssh access with a key with no passphrase).
    – Kai Hatje
    May 21, 2017 at 17:55
  • Oy, sorry. Your first example involves LDAP. Me update answer now.
    – Dylan Martin
    May 22, 2017 at 15:23
  • So if I got this right, it's still an ssh key with an empty passphrase, but going for a locked down ssh account/command (which can only run one command, pretty much)? I didn't know that you could do that so far, thanks for showing me something new. It "feels" equally secure to using PHP with a locked down admin user.
    – Kai Hatje
    May 26, 2017 at 0:08

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .