Working on the technical architecture of a large IDM project involving several 2003 or 2008 R2 Active Directory (AD) forests and domains, it looks strange to me that a 10 years old solution featuring an LDAP gateway is not really designed to support multiple master nodes:

of course, you can deploy multiple domain controlers for read accesses, but as soon as your PDC emulator is down, your domain won’t usually accept any update ! Remember that an AD infrastrucure relies on 5 main services, called FSMO roles (as well as RPC,DNS and Kerberos services too), where « SM » stands for « single master » …

Another common mistake when provisioning an AD directory, comes from the SID, which is an internal identifier used by AD to uniquely identify any user. Windows uses it to manage users rights, and always compute a single and « never used before » SID for a new user. As a consequence, when deleting and recreating a user account, the old user’s access rights are lost. On one side, it makes the system safer, but you’ve got to keep it in mind when it comes to mapping business needs to provisioning rules.

But those limitations seem to come from the links between Windows and Active Directory, and only applies to the latter: Active Directory Lightweight Directory Services (ADLDS), formerly known as ADAM (Active Directory Application Mode) has no such limitations and usually looks like a better choice for LDAP enabled applications.

Les derniers articles par janua (tout voir)