[ActiveDir] LDAP Server Request
My job is requesting that a LDAP server be built that would be able to communicate with the existing corporate Active Directory environment. I do not have much experience with LDAP so this will be a learning adventure for me. The reason for the LDAP Server is because of a massive project the company is working on. The project will be the backbone of the company and will require username and password authentication. The goal of the project is to have one centralized management solution for all different area needs instead of the disparate solutions that we have today. One immediate concern that I had with the project and the use of the corporate DCs was for any potential reports that are generated. I believe that if you are no longer with the company, then there is not need to keep your credentials or personal data on the network. Therefore, I delete this information. By deleting the users, these reports may become corrupt. This of course is a problem for management. Deleting the users is not a problem but any errors in reporting information is. Has anyone come across this problem before? Does this make sense? Another concern of mine was performance. The project design calls for a number of servers, each of them having their specific goals. It is very possible that any one server can hit the DCs for their information at any given time. My concern is that while this is happening an uncontrolled amount of times at any given time of day may cause the domain environment to suffer. Security is also a concern. The machines built as part of the project will be in a secure well protected environment. But things do happen unfortunately. I would rather see that the machines built as part of the project call one server that has access to the domain to query the information that it needs. That machine will be a read-only client of the AD environment. My initial thought is to investigate Microsoft ADAM. If ADAM can query the domain only checking for new entries while ignoring those that are deleted, I think that I can accomplish the task of addressing all of the concerns outlined above. What do you think? Is this solution possible? Is there an easier solution? One that is preferable to this? Thank you in advance for your responses, Edwin
Re: [ActiveDir] LDAP Server Request
Edwin wrote: (...) My initial thought is to investigate Microsoft ADAM. If ADAM can query the domain only checking for new entries while ignoring those that are deleted, I think that I can accomplish the task of addressing all of the concerns outlined above. What do you think? Is this solution possible? Is there an easier solution? One that is preferable to this? Everything is possible :). OK - from quick reading You should investigate option of using ADAM with some synchronization solution like IIFP, MIIS or even ADAM Synchronizator which comes with ADAM SP1. When somebody is leaving the company his account should be removed (it can be logical remove - not physical deletation of account) from corporate AD - then this change should be synchronized to Your LDAP server. That's about case of deleted accounts. You can address performance with several ADAM instances working in load balanced environment. ADAM has replication mechanisms like AD and this will keep Your AD instances in synch, while LB will let You balance workload among different LDAP servers. Your security concernes are a little mitigated if You are using a solution which synchronizes the data _to_ ADAM - in such case data changes are pushed to ADAM. That's few quick ideas - I'm sure that You will get more feedback from other persons and I will try to get back to this topic in the evening (my time zone :) ). -- Tomasz Onyszko http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LDAP Server Request
I think that I have enough information about what needs to be done. ADAM is definitely a require solution to this problem. I have been reading more on the use and functionality of ADAM and it fits the bill. In fact, the example that is provided in the ADAM documentation provide by Microsoft is just about as close to the real life situation I am facing as you can get. Thank you all for your replies, Edwin From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Tuesday, February 28, 2006 5:05 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] LDAP Server Request A little more on the overall picture. What you seem to be describing is an identity lifecycle management environment (call that marketecture :) To play back requirements: 1) system must be able to account for identities for undertemined amount of time for the purposes of reporting 2) system must be resilient to usage patterns 3) system must be securable in its final implementation 4) system must be able to authenticate user objects utilizing name and password credential pair. Some thoughts: regardless of the identity store you use, you'll want to pay particular attention to identity lifecycle. That is, what happens to the identity from cradle to the grave? An identity archive might be more of a solution. Maybe a separate directory or even a database somewhere else that stores information about past identities for the purposes of reporting. The rest of the stuff(day to day) is pretty straightforward and is easily solvable based on the information you've given. The process of archiving a user, i.e. what to do, what to keep, etc is something you'll have to define for your company. Make it flexible and comprehensible enough that you don't have to revisit very often, but that you could if you had to. Not sure synchronization fits the bill here because you haven't said that all accounts must live in AD. In fact, I suspect that some may not. Is that the case? Al On 2/28/06, Tomasz Onyszko [EMAIL PROTECTED] wrote: Edwin wrote: (...) My initial thought is to investigate Microsoft ADAM.If ADAM can query the domain only checking for new entries while ignoring those that are deleted, I think that I can accomplish the task of addressing all of the concerns outlined above. What do you think?Is this solution possible?Is there an easier solution?One that is preferable to this? Everything is possible :). OK - from quick reading You should investigate option of using ADAM with some synchronization solution like IIFP, MIIS or even ADAM Synchronizator which comes with ADAM SP1. When somebody is leaving the company his account should be removed (it can be logical remove - not physical deletation of account) from corporate AD - then this change should be synchronized to Your LDAP server. That's about case of deleted accounts. You can address performance with several ADAMinstances working in load balanced environment. ADAM has replication mechanisms like AD and this will keep Your AD instances in synch, while LB will let You balance workload among different LDAP servers. Your security concernes are a little mitigated if You are using a solution which synchronizes the data _to_ ADAM - in such case data changes are pushed to ADAM. That's few quick ideas - I'm sure that You will get more feedback from other persons and I will try to get back to this topic in the evening (my time zone :) ). -- Tomasz Onyszko http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/