We have an upcoming
project which will require an LDAP directory containing both our internal users,
and our extranet users. Currently, our internal users are in one AD domain, the
extranet users are in another. The domains are in separate forests, and there
are no trusts.
My plan is to use
ADAM for the central LDAP directory. However, I'm on the horns of an enema, um,
I mean dilemma on how to sync ADAM to the two domains. A first glance would
suggest MIIS. However, MIIS looks pretty complicated, and difficult to
configure.
I'm considering
writing my own sync code since the task at hand is relatively straight-forward.
Passwords will be a bit of a problem, but not unworkable. We use Psynch to
maintain our internal passwords, so I can have it change the ADAM passwords at
the same time it changes the internal AD passwords. The extranet users change
their password via an existing web app, so having it change the ADAM passwords
won't be an issue.
Reading about ADAM
"proxy users" leads me to believe they'd be a perfect fit as the object type to
use for our internal users (authentication is relayed to AD thus negating the
need to sync passwords). However, the ADAM tech ref says proxy users should only
be used as a last resort, and to refer to the next section as to why.
Unfortunately, the next section doesn't explain why not to use them. Anybody
know why proxy user objects are evil?
Are there any good
"MIIS for dummies" type documentation around? Any good ADAM and/or MIIS mailing
lists?
