I have an Active Directory server, running on Windows Server 2012 R2. I also have a webserver, running on macOS El Capitan. There is an external AD-server which I can use (only) to query for users (this is already working).
I would like for new users that exist on the external AD-server to be able to register themselves. They should authenticate to the external AD-server and, if they exist, an account should be created for them on my 2012 AD-server. They would also add some information when registering (an email address, ...). The whole process should be done via a website, which should run on the macOS webserver.
The part I stumble on is how to create the new account on the AD-server from the macOS webserver. I have looked into several possibilities, all of which either have a big deficiency or which I don't know enough about to implement:
- Use a PHP query with a locked down domain admin, using either native PHP tools or a library like adLDAP (I don't know if this is secure enough or less secure than the SOAP approach listed below).
- Execute a PowerShell script via ssh with no passphrase (quite insecure. I don't want people that access my webserver to have that much access to my AD-server).
- Implement a (REST or SOAP) web service on the AD-server (I guess quite secure. I don't know if Windows IIS has this integrated already. Didn't find anything when searching).
My question is: What is a simple and secure method to remotely add users to Active Directory from a non-Windows server?
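A worked version of the first option in the question, added here as an example (it is not code from the question or from adLDAP): a plain PHP `ldap_add` over LDAPS, binding as a service account that is only delegated "Create user objects" on one OU instead of a domain admin, so a compromised webserver can at most create accounts there. The DC hostname, the DNs, the UPN suffix and the `SELFREG_BIND_PW` environment variable are all assumptions.

```php
<?php
// Added example, not code from the question. Creates one AD user over LDAPS
// with a delegated service account; host, DNs and env var are assumptions.
declare(strict_types=1);
const AD_URI     = 'ldaps://dc01.example.local';                    // assumed DC
const BIND_DN    = 'CN=svc-selfreg,OU=Service,DC=example,DC=local'; // assumed account
const USERS_OU   = 'OU=SelfRegistered,DC=example,DC=local';         // only OU it may write to
const UPN_SUFFIX = 'example.local';                                 // assumed

// Build the attribute set for ldap_add(). AD accepts a password only as
// unicodePwd: the password in double quotes, encoded UTF-16LE, sent over TLS.
function buildUserEntry(string $sam, string $given, string $sn, string $mail, string $password): array
{
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $sam)) {
        throw new InvalidArgumentException('invalid sAMAccountName');
    }
    if (filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid mail');
    }
    return [
        'objectClass'        => ['top', 'person', 'organizationalPerson', 'user'],
        'sAMAccountName'     => $sam,
        'userPrincipalName'  => $sam . '@' . UPN_SUFFIX,
        'givenName'          => $given,
        'sn'                 => $sn,
        'displayName'        => trim($given . ' ' . $sn),
        'mail'               => $mail,
        'unicodePwd'         => mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8'),
        'userAccountControl' => '512', // NORMAL_ACCOUNT, enabled; '514' would create it disabled
    ];
}

// Bind as the delegated account, add the user under USERS_OU, return its DN.
function createAdUser(array $entry, string $bindPassword): string
{
    $ds = ldap_connect(AD_URI);
    if ($ds === false) { throw new RuntimeException('ldap_connect failed'); }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);                             // AD returns referrals; do not chase them
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND); // verify the DC certificate
    if (!ldap_bind($ds, BIND_DN, $bindPassword)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }
    // Escape the RDN value so user input cannot inject extra DN components.
    $dn = 'CN=' . ldap_escape($entry['sAMAccountName'], '', LDAP_ESCAPE_DN) . ',' . USERS_OU;
    $ok = ldap_add($ds, $dn, $entry);
    $err = $ok ? '' : ldap_error($ds);
    ldap_unbind($ds);
    if (!$ok) { throw new RuntimeException('ldap_add failed: ' . $err); }
    return $dn;
}
// Usage: createAdUser(buildUserEntry('jdoe', 'Jane', 'Doe', 'jane@example.org', $pw), getenv('SELFREG_BIND_PW'));
```

The bind password is read from the environment rather than the request or the source file, and the add only succeeds if the supplied password satisfies the domain's password policy.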