tschloesser Outstanding Contributor.

Question regarding AD LDS

Hello there 😉

I got the challenge to connect to an Active Directory Lightweight Directory Service (AD LDS). Since I have not had this challenge before, I am wondering if someone here could provide some hints to avoid possible pitfalls in doing the integration.

In this case we only have to add, modify and delete objects in the LDS and need some attributes back. No password synchronization is planned so far.

My main question is whether it is a good idea to use the standard LDAP driver in this case or better to go with the Active Directory driver. In case of using the LDAP driver, is there anything special to think about, like some strange attributes that have to be taken care of during the creation of an object (user) in LDS?

Kind regards,

Thorsten
10 Replies
Knowledge Partner

Re: Question regarding AD LDS

tschloesser;2482684 wrote:
Hello there 😉

I got the challenge to connect to an Active Directory Lightweight Directory Service (AD LDS). Since I have not had this challenge before, I am wondering if someone here could provide some hints to avoid possible pitfalls in doing the integration.

In this case we only have to add, modify and delete objects in the LDS and need some attributes back. No password synchronization is planned so far.

My main question is whether it is a good idea to use the standard LDAP driver in this case or better to go with the Active Directory driver. In case of using the LDAP driver, is there anything special to think about, like some strange attributes that have to be taken care of during the creation of an object (user) in LDS?

Kind regards,

Thorsten


Hi Thorsten,
I can recommend using the AD driver in Simple (LDAP) mode. This is my preferred method of working with AD when I don't need password sync.

The first visible issue with the use of the "standard" LDAP driver is the change detection mechanism: AD has many anomalies compared to "standard" LDAP ( http://ldapwiki.com/wiki/Microsoft%20Active%20Directory%20Anomalies ).
AD doesn't support a changelog. Timestamp-based detection is also very questionable.

Alex
tschloesser Outstanding Contributor.

Re: Question regarding AD LDS

Hi Alex,

thanks for your answer!
To be honest, my first idea was to go with the AD driver as well, but some of my teammates and the customer think it would be better to use the LDAP driver instead.
I was not aware of the anomalies you were referring to - I will look at this and discuss it with the project group.

But have you really tried to use the LDAP driver once? I am wondering if someone else here in the forum can share some experiences going this way.

Thanks a lot,

Thorsten
Knowledge Partner

Re: Question regarding AD LDS

Do it whichever way you like, but the driver for Microsoft Active Directory
(MAD) is designed to work with ADAM/AD LDS, so doing otherwise will probably
just mean a lot of work for you to make the standard LDAP driver work with
non-standard AD weirdness.

https://www.netiq.com/documentation/identity-manager-47-drivers/ad/data/baj5jif.html

If you're paid hourly, do it their way if they insist. 😉

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
tschloesser Outstanding Contributor.

Re: Question regarding AD LDS

Thanks, Aaron, for your answer! I will try to convince the customer not to go the pure LDAP way in this case!

Kind regards,

Thorsten
Knowledge Partner

Re: Question regarding AD LDS

tschloesser;2482718 wrote:
Hi Alex,

thanks for your answer!
To be honest, my first idea was to go with the AD driver as well, but some of my teammates and the customer think it would be better to use the LDAP driver instead.
I was not aware of the anomalies you were referring to - I will look at this and discuss it with the project group.

But have you really tried to use the LDAP driver once? I am wondering if someone else here in the forum can share some experiences going this way.

Thanks a lot,

Thorsten


If your question is whether I have used the LDAP driver to connect to AD, my answer is no. I doubt it, but maybe somebody else has this experience.
All my AD drivers (currently 6 in production) work in Simple (LDAP) mode.

The AD driver uses the MS DirSync API, and for me it is the only right (very light) method to detect changes in AD.
tschloesser Outstanding Contributor.
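As an added example (not code from this thread, from NetIQ Identity Manager, or from the AD driver itself), the PowerShell below shows the DirSync-based change detection Alex refers to in both of his replies, run directly against an AD LDS instance with System.DirectoryServices.Protocols. It asks the server for everything changed since the last persisted cookie, which covers attribute changes and deletions alike, where polling on whenChanged cannot: that attribute is not replicated between instances, and deleted objects disappear from ordinary searches. The host name, port, partition DN, cookie file path and attribute list are assumptions for illustration only.

```powershell
# Added example (not code from the thread, NetIQ IDM or the AD driver):
# detect changes in an AD LDS partition with the LDAP DirSync control
# (LDAP_SERVER_DIRSYNC_OID, 1.2.840.113556.1.4.841) via System.DirectoryServices.Protocols.
# Assumed for illustration: host adlds01.example.local, LDAPS port 50636,
# partition OU=Apps,DC=example,DC=local, cookie stored in .\dirsync.cookie.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$Server     = 'adlds01.example.local:50636'
$Partition  = 'OU=Apps,DC=example,DC=local'
$CookieFile = Join-Path (Get-Location) 'dirsync.cookie'
# Only these attributes are requested; DirSync still returns just the ones that changed.
$Attrs      = [string[]]('objectClass', 'cn', 'mail', 'isDeleted', 'uSNChanged')

# LDAPS with a simple bind; the account must be permitted to use the DirSync
# control on the partition (in AD LDS, typically the instance's Administrators role).
$ident = New-Object "$P.LdapDirectoryIdentifier" -ArgumentList $Server, $true, $false
$conn  = New-Object "$P.LdapConnection" -ArgumentList $ident
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = Get-Credential -Message 'Bind DN (e.g. CN=svc-idm,OU=Apps,DC=example,DC=local)'
$conn.Bind()

# No cookie = initial load of the whole partition; a saved cookie = only what
# changed since it was issued, including tombstones of deleted objects.
$cookie  = if (Test-Path $CookieFile) { [IO.File]::ReadAllBytes($CookieFile) } else { [byte[]]@() }
$initial = ($cookie.Length -eq 0)

do {
    $req = New-Object "$P.SearchRequest" -ArgumentList $Partition, '(objectClass=*)',
        ([System.DirectoryServices.Protocols.SearchScope]::Subtree), $Attrs
    $req.Controls.Add((New-Object "$P.DirSyncRequestControl" -ArgumentList (,$cookie))) | Out-Null

    $resp   = $conn.SendRequest($req)
    $dsResp = $resp.Controls | Where-Object { $_.GetType().Name -eq 'DirSyncResponseControl' }

    foreach ($e in $resp.Entries) {
        $a = $e.Attributes
        # Besides objectGUID and instanceType, only changed attributes come back,
        # so the returned attribute list itself tells you what was modified.
        $changed = @($a.AttributeNames | Where-Object { $_ -notin 'objectGUID', 'instanceType' }) -join ','
        $kind = if ($a.Contains('isDeleted') -and "$($a['isDeleted'][0])" -eq 'TRUE') { 'DELETE' }
                elseif ($initial) { 'INITIAL' }
                else { 'ADD/MODIFY' }
        '{0,-10} {1}  [{2}]' -f $kind, $e.DistinguishedName, $changed
    }
    $cookie = $dsResp.Cookie        # server-issued watermark for the next page or run
} while ($dsResp.MoreData)

[IO.File]::WriteAllBytes($CookieFile, $cookie)
$conn.Dispose()
```

Run it once without a cookie file to get the initial load, then on a schedule; each run prints only the objects changed since the previous one. If the bind account lacks the right to use the DirSync control on the partition, the server rejects the search rather than silently returning partial data, which is the check to make before blaming the driver.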

Re: Question regarding AD LDS

Hi Alex,

since everybody here suggests using the AD driver when the publisher is needed, I will try to go that way as well 😉

I can only remember that somewhere in the past, long before we had packages, Designer offered the option to use the LDAP (and CSV) driver to integrate with AD. But this must have been in the roots .....

Anyway, thank you and have a great day!

Thorsten
Knowledge Partner

Re: Question regarding AD LDS

tschloesser wrote:

> But have you really tried to use the LDAP driver once? I am wondering if
> someone else here in the forum can share some experiences going this
> way.


I've done this once, in a very special setup to accelerate password sync to
several ADs and eDir trees (this was before priority sync came along). The same
code worked for both, but that was subscriber only and only updated existing
accounts in the target directories. No matching, no object creation and, most
importantly, no publisher.

That setup worked quite well and I would do it again that way, even for full
user provisioning, as long as the requirements are strictly subscriber only. As
soon as publisher polling is required, I'm with Aaron and Alex and go for the
AD shim.

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
tschloesser Outstanding Contributor.

Re: Question regarding AD LDS

Thank you very much, Lothar, for your answer - I will take this into account and try to convince my customer ....

Kind regards,

Thorsten
Knowledge Partner

Re: Question regarding AD LDS

The AD driver works really well with AD LDS.
Remember, AD LDS is just a version of AD.

Using that driver makes it much simpler.

Best of luck
tschloesser Outstanding Contributor.

Re: Question regarding AD LDS

Thanks Joakim!

Meanwhile I was able to get everyone to go with the AD driver 😉

Kind regards,

Thorsten
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.