
Two Identity Vault using one AD Remote Loader


Hi

Is it possible to have two Identity Vaults use one Remote Loader
installation? The Remote Loader will be configured with two "instances"
of the addriver.dll running on different ports.

I have two Vaults that need information from a single MS AD (two DCs in
this domain). Vault 1 is updating/receiving users, groups, OUs and
passwords for students, and Vault 2 is doing the same for employees.
Different licenses and a different number of users. The second thing with
these two Vaults is the ownership of and rights to the Vaults (separation of
duty).

Other ideas are welcome.

Best regards
Michael


--
mJg2XW
------------------------------------------------------------------------
mJg2XW's Profile: https://forums.netiq.com/member.php?userid=442
View this thread: https://forums.netiq.com/showthread.php?t=51771

9 Replies

Re: Two Identity Vault using one AD Remote Loader

mJg2XW wrote:

> Is it possible to have two Identity Vaults use one Remote Loader
> installation? The Remote Loader will be configured with two "instances"
> of the addriver.dll running on different ports.


That would work, except for passwords. Only one AD driver on a DC can do password sync.

> I have two Vaults that need information from a single MS AD (two DCs in
> this domain). Vault 1 is updating/receiving users, groups, OUs and
> passwords for students, and Vault 2 is doing the same for employees.
> Different licenses and a different number of users. The second thing with
> these two Vaults is the ownership of and rights to the Vaults (separation of
> duty).


If you want to do this, then you need to have one RL on one DC and the other RL on the other DC,
with the password filters configured to send password changes to *both* DCs.

It should work, not sure if it is a supported config though.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
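The layout this reply describes, as an added illustration that is not part of the original thread: one Remote Loader instance per DC, each in its own configuration file with its own command port and connection port, so that each Vault's AD driver connects only to the instance meant for it. The parameter names follow the Remote Loader configuration-file syntax (-commandport, -connection, -module, -trace, -tracefile); the host names, file paths, port numbers and instance names are assumptions, and the lines starting with "#" are annotations for the reader, not part of the files.

```text
# Assumed file on DC1 (dc1.example.edu): C:\Novell\RemoteLoader\Vault1-AD-config.txt
# Instance serving Vault 1 (students)
-commandport 8000
-connection "port=8090"
-module "addriver.dll"
-trace 3
-tracefile "C:\Novell\RemoteLoader\Vault1-AD-trace.log"

# Assumed file on DC2 (dc2.example.edu): C:\Novell\RemoteLoader\Vault2-AD-config.txt
# Instance serving Vault 2 (employees)
-commandport 8001
-connection "port=8091"
-module "addriver.dll"
-trace 3
-tracefile "C:\Novell\RemoteLoader\Vault2-AD-trace.log"
```

Each Vault's driver object then points at its own host and connection port (dc1:8090 for Vault 1, dc2:8091 for Vault 2 in this assumed layout), and the Remote Loader password and driver object password are set separately per instance, so a credential that authenticates the student Vault's driver does not also authenticate to the employee Vault's instance. Keeping the ports distinct also lets the host firewall restrict each connection port to the one engine that should reach it, which matches the separation-of-duty goal in the original question. SSL settings for each instance are configured separately and are not shown here.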

Re: Two Identity Vault using one AD Remote Loader

On Wed, 17 Sep 2014 17:59:07 +0000, mJg2XW wrote:

> Is it possible to have two Identity Vaults use one Remote Loader
> installation? The Remote Loader will be configured with two "instances"
> of the addriver.dll running on different ports.


Yes, that works fine. The Remote Loader neither knows nor cares what
engine the connection comes from, so long as the configuration details
(passwords, SSL certificate chain) are correct.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: Two Identity Vault using one AD Remote Loader

On 9/17/2014 12:59 PM, mJg2XW wrote:
>
> Hi
>
> Is it possible to have two Identity Vaults use one Remote Loader
> installation? The Remote Loader will be configured with two "instances"
> of the addriver.dll running on different ports.
>
> I have two Vaults that need information from a single MS AD (two DCs in
> this domain). Vault 1 is updating/receiving users, groups, OUs and
> passwords for students, and Vault 2 is doing the same for employees.
> Different licenses and a different number of users. The second thing with
> these two Vaults is the ownership of and rights to the Vaults (separation of
> duty).
>
> Other ideas are welcome.
>
> Best regards
> Michael
>
>


Just some food for thought. What if, instead of the current architecture, you had the AD connect to your vault? Then from
your vault you distribute events to the employee and student vaults via an edir2edir driver.



--
-----------------------------------------------------------------------
Will Schneider
Knowledge Partner http://forums.netiq.com

If you find this post helpful, please click on the star below.

Re: Two Identity Vault using one AD Remote Loader

Will Schneider wrote:

> Just some food for thought. What if, instead of the current architecture, you had the AD connect to your vault? Then from your vault you distribute events to the employee and student vaults via an edir2edir driver.


That is how I would do it. But I think that the issue is two different "owners" of the data, and they aren't interested in having the data co-mingle.
I'd try and sell it as a tenanted IDM Vault design. Maybe that might work.
Far better than two AD driver shims, IMHO.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Two Identity Vault using one AD Remote Loader

On 9/17/2014 2:54 PM, Alex McHugh wrote:
> Will Schneider wrote:
>
>> Just some food for thought. What if, instead of the current architecture, you had the AD connect to your vault? Then from your vault you distribute events to the employee and student vaults via an edir2edir driver.

>
> That is how I would do it. But I think that the issue is two different "owners" of the data, and they aren't interested in having the data co-mingle.
> I'd try and sell it as a tenanted IDM Vault design. Maybe that might work.
> Far better than two AD driver shims, IMHO.
>


Maybe positioning it as an abstraction layer for AD would be a helpful approach as well.

--
-----------------------------------------------------------------------
Will Schneider
Knowledge Partner http://forums.netiq.com

If you find this post helpful, please click on the star below.

Re: Two Identity Vault using one AD Remote Loader


Thanks to all.
The problem is "two different "owners" of the data" :). And the data from
the two different data sources is licensed differently. One license is
academic and the other is a "standard" license.
/Michael


--
mJg2XW
------------------------------------------------------------------------
mJg2XW's Profile: https://forums.netiq.com/member.php?userid=442


Re: Two Identity Vault using one AD Remote Loader


It is a pain that licensing interferes with the technical design.
NetIQ really should look into doing this in a better way. That said, it
is possible to have the different licenses in the same Vault; you just
have to have attributes to differentiate them.
Another thing on that topic is that if you create another Vault as an
abstraction layer for the AD, I'm not sure you have to license it; you
can argue that it is only an abstraction. Better take that up with
licensing first, though.


--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159


Re: Two Identity Vault using one AD Remote Loader

On 9/18/2014 2:56 AM, joakim ganse wrote:
> Another thing on that topic is that if you create another Vault as an
> abstraction layer for the AD, I'm not sure you have to license it; you
> can argue that it is only an abstraction. Better take that up with
> licensing first, though.


I would tend to agree with that as well. I mean if you get audited they don't even have to know about that tree in reality 🙂
Besides that everyone has already figured their way around the auditing bull anyway. It's a broken model and they know it.

--
-----------------------------------------------------------------------
Will Schneider
Knowledge Partner http://forums.netiq.com

If you find this post helpful, please click on the star below.

Re: Two Identity Vault using one AD Remote Loader

On 9/18/2014 4:12 AM, Will Schneider wrote:
> On 9/18/2014 2:56 AM, joakim ganse wrote:
>> Another thing on that topic is that if you create another Vault as an
>> abstraction layer for the AD, I'm not sure you have to license it; you
>> can argue that it is only an abstraction. Better take that up with
>> licensing first, though.

>
> I would tend to agree with that as well. I mean if you get audited they
> don't even have to know about that tree in reality 🙂
> Besides that everyone has already figured their way around the auditing
> bull anyway. It's a broken model and they know it.


And if someone wanted to cheat, and had half a brain, they could cheat
trivially on it.

That is a bad model to try to use. New models coming may not be better.

