RE: [ActiveDir] OT: MIIS, ADAM, & AD

[joe]

Yeah we brought this up at the last summit as well. Either allow specying the SQL backend you wanted to use (hello ODBC) or incorporate the DB technology as completely black box don't ever have to worry about it.   Multiple forests shouldn't be an issue as long as you have proper trust lines. If I recall, a proxy object simply uses the logonuser API which will require the direct path trust to the authentication sources.     joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Sunday, July 31, 2005 12:33 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: MIIS, ADAM, & AD I'll be a lot more interested in MIIS when "free" doesn't mean I have to "buy" SQL licenses to run it. I can understand the server license for Windows, but it should run on any version of the latest Windows server (enterprise, standard, etc) or a desktop OS. Not sure why that is not possible, unless maybe there's a wait for the new SQL 2005 products.   Anyway, I'm with Joe on this.  I think the simpler you can keep it the better. Writing it in-house with a series of scripts may be enough to do what you want and it's not too terribly difficult.   As for proxy objects, if I recall correctly you typically don't want to use them because of the security issues and because it's really designed for legacy apps.  If you can use AD, use AD.  If you have to use simple bind, then proxy objects may fit the requirement as long as you remember to use some sort of transport security.    You may have a problem with multiple forests as well.  Haven't tried that, but since it's a proxy bind, I imagine it may get a little confused. I'd be interested to hear if that's not the case though.    Al  From: [EMAIL PROTECTED] on behalf of Robert Bobel Sent: Sun 7/31/2005 10:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: MIIS, ADAM, & AD Nice side benefit is that the license to use MIIS with the Feature Integration pack to sync AD to ADAM is free.   http://www.microsoft.com/downloads/details.aspx?familyid=D9143610-C04D-41C4-B7EA-6F56819769D5&displaylang=en     Bob   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, July 30, 2005 7:59 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: MIIS, ADAM, & AD   Where is this going to be located? Extranet or Intranet?   If you are going to be doing some very simple syncing, I would look at writing something myself or maybe implementing one of the lighter syncing tools like SimpleSync or HP's LDSU. If you need to do a lot of transforms or complex translations or connect to lots of different data sources such as SAP, etc, MIIS might be where you want to go. If you spin up MIIS, it is possible you may need to have a body sitting there maintaining and troubleshooting it due to its complexity plus it is really in flux right now in my opinion in terms of how many things they are looking to change and/or add to it.   How is the data in the directory to be used? Is it going to be an auth point for apps or ???         From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Friday, July 29, 2005 10:03 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: MIIS, ADAM, & AD We have an upcoming project which will require an LDAP directory containing both our internal users, and our extranet users. Currently, our internal users are in one AD domain, the extranet users are in another. The domains are in separate forests, and there are no trusts.   My plan is to use ADAM for the central LDAP directory. However, I'm on the horns of an enema, um, I mean dilemma on how to sync ADAM to the two domains. A first glance would suggest MIIS. However, MIIS looks pretty complicated, and difficult to configure.   I'm considering writing my own sync code since the task at hand is relatively straight-forward. Passwords will be a bit of a problem, but not unworkable. We use Psynch to maintain our internal passwords, so I can have it change the ADAM passwords at the same time it changes the internal AD passwords. The extranet users change their password via an existing web app, so having it change the ADAM passwords won't be an issue.   Reading about ADAM "proxy users" leads me to believe they'd be a perfect fit as the object type to use for our internal users (authentication is relayed to AD thus negating the need to sync passwords). However, the ADAM tech ref says proxy users should only be used as a last resort, and to refer to the next section as to why. Unfortunately, the next section doesn't explain why not to use them. Anybody know why proxy user objects are evil?   Are there any good "MIIS for dummies" type documentation around? Any good ADAM and/or MIIS mailing lists?