If they insist on the attribute route, I sort of like this answer! You can add and remove instances of ADAM for apps that get deployed, and your internal AD stays clean.
It's also a really nice answer for apps that may be deployed outside your internal network (if that was the goal - as someone else guessed).

Having said that, I'm not a huge fan of deploying multiple directory systems for application deployment unless there is a really good reason. It either increases administrative overhead for someone, or adds to your infrastructure if you deploy a method of synchronizing the directory membership. Or both ;)

When your devs tell you it's slower to query the group membership, can they tell you ~how much~ slower? And how fast they are looking for? Maybe it's a tweaking issue?

On 10/19/04 12:48 PM, "Renouf, Phil" <[EMAIL PROTECTED]> wrote:

> Any thought of using ADAM as the authentication source for these
> applications? That gives you a lot more flexibility for how you
> authenticate the users and gives you the ability to make changes to the
> schema without affecting your AD implementation. If you go that route I
> would suggest using LDAP over SSL for communication between the app
> servers and ADAM (a good idea even if you keep using AD).
>
> Phil
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
> Sent: Tuesday, October 19, 2004 9:21 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] groups vs attributes
>
> As our developers (as well as our 3rd party vendors) continue to create
> apps that leverage AD, the question comes up frequently - which is a
> better solution...to search AD for a group membership, or for the value
> of a given attribute, when validating a user's access to a custom
> application?
>
> Our "standard" has been to use universal groups for this sort of thing,
> that is, UserA can access the application, if he is a member of the
> appropriate universal group. However, our developers have discovered in
> their ad hoc queries that returning a list of users that have a given
> value assigned to a custom attribute is much faster than returning a
> list of users that are members of a universal group. So they are asking,
> shouldn't we be adding a custom attribute when an application requires a
> validation that a user can access the application, rather than using a
> group membership?
>
> Any notes from the field would be much appreciated!
>
> Mark Creamer
>
> Systems Engineer
>
> Cintas Corporation
>
> The Service Professionals
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
