Two Identity Vaults using one AD Remote Loader


Hi

Is it possible for two Identity Vaults to use one Remote Loader
installation? The Remote Loader would be configured with two "instances"
of the addriver.dll running on different ports.

I have two Vaults that need information from a single MS AD (two DCs in
this domain). Vault 1 is updating/receiving users, groups, OUs and
passwords for students, and Vault 2 is doing the same for employees.
Different licenses and a different number of users. The second thing with
these two Vaults is the ownership of and rights to the Vaults (separation
of duty).

Other ideas are welcome.

Best regards
Michael


--
mJg2XW
------------------------------------------------------------------------
mJg2XW's Profile: https://forums.netiq.com/member.php?userid=442
View this thread: https://forums.netiq.com/showthread.php?t=51771

  • mJg2XW wrote:

    > Is it possible to have two identity Vault, to use one remote loader
    > installation. The remote loader will be configured with two "instances"
    > of the addriver.dll running on different ports.


    That would work, except for passwords. Only one AD driver on a DC can do password sync.

    > I have two Vaulte that need information from a single MS AD (Two DC in
    > this Domain). Vault 1 is updating/receiving: user, group, ou's and
    > password for students, and Vault 2 are doing the same for employee.
    > Different licenses and different amount of users. The second thing with
    > these two Vaults is the owner and rights to the Vaults (Separation of
    > duty)


    If you want to do this, then you need to have one RL on one DC and the other RL on the other DC,
    with the password filters configured to send password changes to *both* DCs.

    It should work; not sure if it is a supported config, though.

    --
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...
  • On Wed, 17 Sep 2014 17:59:07 +0000, mJg2XW wrote:

    > Is it possible to have two identity Vault, to use one remote loader
    > installation. The remote loader will be configured with two "instances"
    > of the addriver.dll running on different ports.


    Yes, that works fine. The Remote Loader neither knows nor cares what
    engine the connection comes from, so long as the configuration details
    (passwords, SSL certificate chain) are correct.


    --
    --------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu
    Knowledge Partner http://forums.netiq.com

    Please post questions in the forums. No support provided via email.
    If you find this post helpful, please click on the star below.
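The two replies above (David's "the Remote Loader neither knows nor cares what engine the connection comes from" and Alex's note that only one AD driver per DC can do password sync) describe a setup that is easy to get wrong on the port side. Below is an added example of what two such Remote Loader instance config files look like; it is not from the thread or from NetIQ, and the file paths, port numbers, certificate file name and trace settings are assumptions. Each instance needs its own command port and its own connection port; the Remote Loader and driver object passwords are set separately (for example with the `-sp` option or the Remote Loader console) and are not stored in these files.

```text
# --- Instance 1: AD driver for the student vault (assumed file name)
# C:\Novell\RemoteLoader\64bit\ADDriver-Students.txt
-commandport 8000
-connection "port=8090 rootfile=C:\Novell\RemoteLoader\64bit\vault1-ca.b64"
-trace 3
-tracefile C:\Novell\RemoteLoader\64bit\ADDriver-Students.log
-tracefilemax 100M
-module addriver.dll

# --- Instance 2: AD driver for the employee vault (assumed file name)
# C:\Novell\RemoteLoader\64bit\ADDriver-Employees.txt
# Only the command port, connection port, trusted CA file and trace file
# differ; both instances load the same addriver.dll.
-commandport 8001
-connection "port=8091 rootfile=C:\Novell\RemoteLoader\64bit\vault2-ca.b64"
-trace 3
-tracefile C:\Novell\RemoteLoader\64bit\ADDriver-Employees.log
-tracefilemax 100M
-module addriver.dll
```

In Vault 1 the AD driver's Remote Loader connection then points at `<dc-hostname>:8090`, and in Vault 2 at `<dc-hostname>:8091`. Because each vault trusts a different eDirectory CA, each instance gets its own `rootfile` so that one vault's certificate chain cannot be used to connect to the other vault's instance. Per the caveat in the thread, this covers object and attribute sync only; for password sync you would still need one instance per DC, with the password filter on each DC pointed at both.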
  • On 9/17/2014 12:59 PM, mJg2XW wrote:
    >
    > Hi
    >
    > Is it possible to have two identity Vault, to use one remote loader
    > installation. The remote loader will be configured with two "instances"
    > of the addriver.dll running on different ports.
    >
    > I have two Vaulte that need information from a single MS AD (Two DC in
    > this Domain). Vault 1 is updating/receiving: user, group, ou's and
    > password for students, and Vault 2 are doing the same for employee.
    > Different licenses and different amount of users. The second thing with
    > these two Vaults is the owner and rights to the Vaults (Separation of
    > duty)
    >
    > Other ideas are welcome.
    >
    > Best regards
    > Michael
    >
    >


    Just some food for thought. What if, instead of the current architecture, you had AD connect to your vault? Then from
    your vault you distribute events to the employee and student vaults via an edir2edir driver.



    --
    -----------------------------------------------------------------------
    Will Schneider
    Knowledge Partner http://forums.netiq.com

    If you find this post helpful, please click on the star below.
  • Will Schneider wrote:

    > Just some food for thought. What if instead of the current architecture you had the AD connect to your vault. Then from your vault you distribute events to the employee and student vaults via an edir2edir driver.


    That is how I would do it. But I think that the issue is two different "owners" of the data, and they aren't interested in having the data co-mingle.
    I'd try and sell it as a tenanted IDM Vault design. Maybe that might work.
    Far better than two AD driver shims, IMHO.

  • On 9/17/2014 2:54 PM, Alex McHugh wrote:
    > Will Schneider wrote:
    >
    >> Just some food for thought. What if instead of the current architecture you had the AD connect to your vault. Then from your vault you distribute events to the employee and student vaults via an edir2edir driver.

    >
    > That is how I would do it. But I think that the issue is two different "owners" of the data, and they aren't interested in having the data co-mingle.
    > I'd try and sell it as a tenanted IDM Vault design. Maybe that might work.
    > Far better than two AD driver shims, IMHO
    >


    Maybe positioning it as an abstraction layer for AD would be a helpful approach as well.

    --
    Will Schneider

  • Thanks to all.
    The problem is the "two different owners of the data" :). And the data for
    the two different data sources is licensed differently. One license is
    academic and the other is a "standard" license.
    /Michael


    --
    mJg2XW


  • It is a pain that licensing interferes with the technical design.
    NetIQ really should look into doing this in a better way. That said, it
    is possible to have the different licenses in the same Vault; you just
    have to have attributes to differentiate them.
    Another thing on that topic is that if you create another Vault as an
    abstraction layer for the AD, I'm not sure you have to license it; you
    can argue that it is only an abstraction. Better take that up with
    licensing first, though.


    --
    joakim_ganse

  • On 9/18/2014 2:56 AM, joakim ganse wrote:
    > Another thing on that topic is that if you create another Vault as an
    > abstraction layer for the AD I'm not sure you have to license it, you
    > can argue that it is only an abstraction. Better take that up with
    > licensing first though.


    I would tend to agree with that as well. I mean if you get audited they don't even have to know about that tree in reality :)
    Besides that everyone has already figured their way around the auditing bull anyway. It's a broken model and they know it.

    --
    Will Schneider
  • On 9/18/2014 4:12 AM, Will Schneider wrote:
    > On 9/18/2014 2:56 AM, joakim ganse wrote:
    >> Another thing on that topic is that if you create another Vault as an
    >> abstraction layer for the AD I'm not sure you have to license it, you
    >> can argue that it is only an abstraction. Better take that up with
    >> licensing first though.

    >
    > I would tend to agree with that as well. I mean if you get audited they
    > don't even have to know about that tree in reality :)
    > Besides that everyone has already figured their way around the auditing
    > bull anyway. It's a broken model and they know it.


    And someone who wanted to cheat, and had half a brain, could cheat
    trivially on it.

    That is a bad model to try to use. New models coming may not be better.