Title: Synching NDS and AD
I won't argue with Mr. Culver about
what Novell's fine Nsure Identity Manager (DirXML) product will
or will not do, for obvious reasons... :-)
He is absolutely right that you can write any
type of rules to do the various nasty one to many, many to one, and many to
many joins when doing the synchronization. What I meant by
"relatively impossible" was really "tedious and painful".
However, the other concept that I was trying to get at
(and obviously failed to do) is that it is easier to write two
"simple" synchronization rule sets when synchronizing the directories to a
"metadirectory" (or using MIIS's terms - "the metaverse") than to use a
more complex single direct synchronization rule set.
As for the State of Montana's AD / NDS OU
structures.... Here is an example:
Medium size agency with geographic dispersion across
all 56 counties in Montana and 700+ users (for sake of discussion call this
"Agency A"). (For you people who actually work for a living translate
"agency" to "division" or "subsidiary")
NDS:
  agency OU
    -Location A
      -Users
      -Workstations
        -Win2000XP
        -NT
    -Location B
      -Users
      -Workstations
    -Location C
      -Users
      -........
    -Location .....

Active Directory:
  agency OU
    -Users
    -Workstations
      -GPO OU 1
      -GPO OU 2
    -Servers
Now for Agency A, if they create a user in AD
and want to synchronize to NDS, what OU does the user get created
in??? They will have to come up with some rule that looks
at another attribute of the user object to decide where to place the user
such as "City". Okay, so you write a DirXML rule that says if user is
created in Active Directory under "ou=User, ou=Agency A", create a new user in
NDS, and place the user in "ou=users, ou= Location A, ou=Agency A" where
Location = Location A if City = A.
Great that works for the Metadirectory case and for
the direct synch case *until* your agency administrator decides to change
OU structure on the AD side or on the NDS side. Let's say the
agency administrator is implementing some type of ZEN
policy on the NDS side or otherwise goes crazy and splits up the Users OU
underneath the Location OU. In the direct sync case you have to
rewrite the entire synchronization rule to determine which OU the user
will get placed in. In the Metadirectory case, you don't have to
touch the AD import rule because nothing changed. All you would have
to do is to modify the NDS export rule to take into account the new
logic for determining where to place the user.
So... the points I was trying to make were:
1. Novell's Nsure Identity (rebranded DirXML) truly is an
industrial strength Metadirectory and exceeds Jorge's criteria of "Not the size
of an Identity Management tool like MIIS".
2. If you have *fairly* large and disparate OU structures between AD and NDS,
you are much better off in the long run building a true Metadirectory than
trying to build a direct synchronization link.
3. If you have >2 directories, then a Metadirectory
becomes way more attractive and is easier to manage,
more efficient, and much easier to maintain the synchronization logic
and something like Nsure Identity Manager or MIIS become very
attractive products.
4. I'm not saying "don't use Nsure (DirXML)".... what
I am saying is realize what you are getting when you purchase
Nsure.
_Stuart Fuller
P.S. Hunter *does* know that there is something wrong
with me.... :-p
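Added example (not code from the thread, nor DirXML/MIIS rules): a small Python model of the direct-sync versus metadirectory argument in the message above. An AD user created under ou=Users,ou=<Agency> is imported into a neutral metaverse record, and a separate NDS export rule turns that record into an NDS DN using the City attribute; when the NDS admin splits the Users OU, only the export rule changes. All DNs, attribute names, the City-to-Location table and the "staff/contractors" split are constructed assumptions.

```python
# City -> Location table used by the NDS placement logic (constructed).
CITY_TO_LOCATION = {"City A": "Location A", "City B": "Location B"}

# Constructed sample AD user, created under the agency's Users OU.
SAMPLE_USER = {"dn": "cn=jdoe,ou=Users,ou=Agency A,dc=example", "cn": "jdoe",
               "city": "City A", "employeeType": "contractor"}

def ad_import_rule(ad_user):
    """AD -> metaverse. Only users under ou=Users,ou=<Agency> are in scope.
    The record carries a fixed attribute set, so this rule needs no change
    when the NDS OU layout changes."""
    parts = [p.strip() for p in ad_user["dn"].split(",")]
    if len(parts) < 3 or parts[1].lower() != "ou=users" \
            or not parts[2].lower().startswith("ou="):
        return None  # out of scope: not created under the agency's Users OU
    return {"cn": ad_user["cn"], "agency": parts[2][3:],
            "city": ad_user.get("city"),
            "employeeType": ad_user.get("employeeType")}

def nds_export_rule_v1(mv):
    """Metaverse -> NDS, original layout: ou=users,ou=<Location>,ou=<Agency>."""
    location = CITY_TO_LOCATION.get(mv["city"])
    if location is None:
        # Unknown city: hold the account in a restricted OU rather than guess.
        return "cn=%s,ou=unplaced,ou=%s" % (mv["cn"], mv["agency"])
    return "cn=%s,ou=users,ou=%s,ou=%s" % (mv["cn"], location, mv["agency"])

def nds_export_rule_v2(mv):
    """Metaverse -> NDS after the NDS admin splits Users under each Location
    into ou=staff and ou=contractors (hypothetical split). Only this rule is
    rewritten; ad_import_rule is untouched."""
    location = CITY_TO_LOCATION.get(mv["city"])
    if location is None:
        return "cn=%s,ou=unplaced,ou=%s" % (mv["cn"], mv["agency"])
    sub_ou = "contractors" if mv.get("employeeType") == "contractor" else "staff"
    return "cn=%s,ou=%s,ou=users,ou=%s,ou=%s" % (mv["cn"], sub_ou, location,
                                                 mv["agency"])

def provision(ad_user, export_rule):
    """Two-stage pipeline; returns the NDS DN, or None if out of scope."""
    mv = ad_import_rule(ad_user)
    return None if mv is None else export_rule(mv)

if __name__ == "__main__":
    print(provision(SAMPLE_USER, nds_export_rule_v1))
    print(provision(SAMPLE_USER, nds_export_rule_v2))
```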
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, May 12, 2005 3:22 PM
To: [email protected]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Synching NDS and AD
In response to Stuart's posting,
" NIM is actually bigger than just
eDir and AD Sync, and it's certainly more than just a simple sync with the
ability to control the flow of metadata and modify data on the fly through XSLT
XML, it also includes the idea of authoritative sources at an attribute level -
one of the most powerful and flexible metadirectory products on the market today
and one which is reasonably mature/robust.
If you've set up your AD structure so differently to your eDirectory
structure within the same company then there's either something wrong with one
of the structures or there's something wrong with you - I have never ever seen a
directory structure in AD that I can't apply rules through NIM to sync with
eDirectory even in instances of poor design. "
As per Matthew Culver, Sr Network Engineer, Novell Inc.
------------------------------------------------------------------------------------------------------
Nsure Identity Manager = "Metadirectory" for all
disparate NDS (Edir) and AD directories.
We are/have been looking at this question, and yes you
can do a simple synch between Novell and AD with this product.
*BUT* in our case the OU structures between the two directories are so
disparate that a direct sync is relatively impossible. If we end up
going with this solution, we will have to project both directories
to a third directory that we will write the sync rules
for. This ends up being a Metadirectory.
*If* your OU structure, account ID's, etc...
are fairly or exactly the same, then you can do a direct sync and
end up with something "...not the size of an Identity Management Tool like
MIIS". If you want a full blown Metadirectory then Novell's
Nsure Identity management is in the same category of directory products
as MIIS.
_Stuart Fuller
Hi Jorge,
Regards,
Jose Medeiros
----------------------------------------------------------------------------------------------------------
Hi,
Does anyone know of a product that can achieve the following:
* Synching NDS and AD
* 2-way synching
* Automated synching
* Possibility to assign a directory for the first sync
* Synching of user accounts, groups and passwords (although I wonder if the latter is possible
because different mechanisms are used for storing pwds)
* Not the size of an Identity Management tool like MIIS
Could MS Services for Netware play a role in this?
Cheers
#JORGE#
Kind regards,
Jorge de Almeida Pinto
Infrastructure Consultant
__________________________________________
LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T)
Kennedyplein 248, 5611 ZT, Eindhoven. Postbus 7089, 5605 JB Eindhoven
Tel: +31-(0)40-29.57.777
Fax: +31-(0)40-29.57.709
Mobile: +31-(0)6-26.26.62.80
E-mail: [EMAIL PROTECTED]
<http://www.logicacmg.com/> - Solutions that matter