I think that I have enough information about what needs to be done.  ADAM is definitely a required solution to this problem.  I have been reading more on the use and functionality of ADAM and it fits the bill.  In fact, the example that is provided in the ADAM documentation provided by Microsoft is just about as close to the real-life situation I am facing as you can get.

Thank you all for your replies,

Edwin


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, February 28, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Server Request

A little more on the overall picture.  What you seem to be describing is an identity lifecycle management environment (call that marketecture :) 

To play back requirements:

1) system must be able to account for identities for an undetermined amount of time for the purposes of reporting

2) system must be resilient to usage patterns

3) system must be securable in its final implementation

4) system must be able to authenticate user objects utilizing name and password credential pair.

Some thoughts:

Regardless of the identity store you use, you'll want to pay particular attention to identity lifecycle. That is, what happens to the identity from cradle to the grave? An identity archive might be more of a solution.  Maybe a separate directory or even a database somewhere else that stores information about past identities for the purposes of reporting.  The rest of the stuff (day to day) is pretty straightforward and is easily solvable based on the information you've given.  The process of archiving a user, i.e., what to do, what to keep, etc., is something you'll have to define for your company.  Make it flexible and comprehensible enough that you don't have to revisit it very often, but that you could if you had to.

Not sure synchronization fits the bill here because you haven't said that all accounts must live in AD.  In fact, I suspect that some may not.  Is that the case?

Al



On 2/28/06, Tomasz Onyszko <[EMAIL PROTECTED]> wrote:

Edwin wrote:
(...)

> My initial thought is to investigate Microsoft ADAM.  If ADAM can query
> the domain only checking for new entries while ignoring those that are
> deleted, I think that I can accomplish the task of addressing all of the
> concerns outlined above.
>
>
>
> What do you think?  Is this solution possible?  Is there an easier
> solution?  One that is preferable to this?

Everything is possible :).

OK - from a quick reading, you should investigate the option of using ADAM with
some synchronization solution like IIFP, MIIS, or even the ADAM
Synchronizator which comes with ADAM SP1.

When somebody leaves the company, his account should be removed (it
can be a logical removal - not physical deletion of the account) from the
corporate AD - then this change should be synchronized to your LDAP
server. That covers the case of deleted accounts.

You can address performance with several ADAM instances working in a
load-balanced environment. ADAM has replication mechanisms like AD, and this
will keep your ADAM instances in sync, while the LB will let you balance
the workload among the different LDAP servers.

Your security concerns are a little mitigated if you are using a
solution which synchronizes the data _to_ ADAM - in such a case, data
changes are pushed to ADAM.


Those are a few quick ideas - I'm sure that you will get more feedback from
other people, and I will try to get back to this topic in the evening
(my time zone :) ).

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
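The two replies above both describe the same mechanism: a one-way push from the corporate AD into an ADAM instance, where a leaver is disabled (a logical removal) rather than deleted, so that the identity stays available for reporting while it can no longer authenticate. The following is an added example, not code from any of the posters or from Microsoft's ADAM documentation: a reconciliation pass over two constructed in-memory snapshots that computes the change set such a sync would push. The AD side uses the real `userAccountControl` ACCOUNTDISABLE bit; the ADAM side uses `msDS-UserAccountDisabled`, but the `archivedOn` attribute, the set of mirrored attributes and the snapshot data are assumptions for illustration.

```python
from datetime import datetime, timezone

# AD flag bit: userAccountControl & 0x2 means the account is disabled.
ACCOUNTDISABLE = 0x2

# Attributes mirrored from AD into the application directory (assumption).
SYNCED_ATTRS = ("displayName", "mail", "department")

# Constructed AD snapshot (not real data): sAMAccountName -> attributes.
# 0x200 is NORMAL_ACCOUNT; bob has been disabled by HR.
AD_SNAPSHOT = {
    "alice": {"displayName": "Alice A.", "mail": "alice@example.test",
              "department": "Sales", "userAccountControl": 0x200},
    "bob":   {"displayName": "Bob B.", "mail": "bob@example.test",
              "department": "IT", "userAccountControl": 0x200 | ACCOUNTDISABLE},
    "dana":  {"displayName": "Dana D.", "mail": "dana@example.test",
              "department": "HR", "userAccountControl": 0x200},
}

# Constructed ADAM snapshot before this pass. 'carol' has already been removed
# from AD; she must be archived here, never deleted, so reports still find her.
ADAM_SNAPSHOT = {
    "alice": {"displayName": "Alice A.", "mail": "alice@example.test",
              "department": "Marketing", "msDS-UserAccountDisabled": False},
    "bob":   {"displayName": "Bob B.", "mail": "bob@example.test",
              "department": "IT", "msDS-UserAccountDisabled": False},
    "carol": {"displayName": "Carol C.", "mail": "carol@example.test",
              "department": "Finance", "msDS-UserAccountDisabled": False},
}


def is_disabled_in_ad(entry):
    """True when the AD entry carries the ACCOUNTDISABLE bit."""
    return bool(entry.get("userAccountControl", 0) & ACCOUNTDISABLE)


def reconcile(ad, adam, now=None):
    """One-way AD -> ADAM pass. Returns (changes, new_adam_state).

    Each change is (op, name, attrs) with op in {"add", "modify", "archive"}.
    There is deliberately no "delete" op: an identity that vanished from AD is
    kept, disabled, and stamped with an (assumed) archivedOn attribute.
    Running the pass twice produces no changes the second time."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y%m%d%H%M%SZ")  # LDAP GeneralizedTime syntax
    changes = []
    new_state = {name: dict(attrs) for name, attrs in adam.items()}

    # Accounts present in AD: create or converge the mirrored attributes.
    for name, src in ad.items():
        desired = {attr: src.get(attr) for attr in SYNCED_ATTRS}
        desired["msDS-UserAccountDisabled"] = is_disabled_in_ad(src)
        if name not in adam:
            changes.append(("add", name, desired))
            new_state[name] = desired
            continue
        delta = {a: v for a, v in desired.items() if adam[name].get(a) != v}
        if delta:
            changes.append(("modify", name, delta))
            new_state[name].update(delta)

    # Accounts gone from AD: logical removal only, and only once.
    for name, current in adam.items():
        if name in ad or current.get("archivedOn"):
            continue
        delta = {"msDS-UserAccountDisabled": True, "archivedOn": stamp}
        changes.append(("archive", name, delta))
        new_state[name].update(delta)

    return changes, new_state


def bind_allowed(adam_state, name):
    """Pre-check a front end applies before a simple bind: unknown, disabled
    and archived accounts are refused before any password is examined."""
    entry = adam_state.get(name)
    return entry is not None and not entry.get("msDS-UserAccountDisabled", False)


if __name__ == "__main__":
    changes, state = reconcile(AD_SNAPSHOT, ADAM_SNAPSHOT)
    for op, name, attrs in changes:
        print(f"{op:8} {name:6} {attrs}")
    for name in ("alice", "bob", "carol", "dana"):
        print(f"bind {name}: {'allowed' if bind_allowed(state, name) else 'refused'}")
```

The point of keeping `archive` distinct from `modify` is that the archive step is where the company-specific retention policy Al mentions plugs in (what to keep, for how long), while the `bind_allowed` check shows why a disabled-but-retained entry satisfies both the reporting and the authentication requirements at once. A real deployment would replace the dictionaries with LDAP searches and modify operations against the ADAM instance.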