In response to the post by Stuart, Matthew Culver wrote:

"I agree with a lot of what is being said here, and the way that he's talking about setting it up (with a location attribute) is how I'd do it too; however, based on the brief description I think I would have made the directory structures at this site more similar to allow for this."

As per Matthew Culver, Sr. Network Engineer, Novell Inc.

------------------------------------------------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fuller, Stuart
Sent: Thursday, May 12, 2005 5:07 PM
To: [email protected]
Subject: RE: [ActiveDir] Synching NDS and AD

I won't argue with Mr. Culver about what Novell's fine Nsure Identity Manager (DirXML) product will or will not do, for obvious reasons... :-)

He is absolutely right that you can write any type of rules to do the various nasty one-to-many, many-to-one, and many-to-many joins when doing the synchronization. What I meant by "relatively impossible" was really "tedious and painful". However, the other concept that I was trying to get at (and obviously failed to do) is that it is easier to write two "simple" synchronization rule sets when synchronizing the directories to a "metadirectory" (or, using MIIS's terms, "the metaverse") than to use a more complex single direct synchronization rule set.

As for the State of Montana's AD / NDS OU structures.... Here is an example: a medium-size agency with geographic dispersion across all 56 counties in Montana and 700+ users (for the sake of discussion, call this "Agency A"). (For you people who actually work for a living, translate "agency" to "division" or "subsidiary".)

NDS:                        Active Directory:
agency OU                   agency OU
  -Location A                 -Users
    -Users                    -Workstations
    -Workstations             -GPO OU 1
    -Win2000XP                -GPO OU 2
    -NT                       -Servers
  -Location B
    -Users
    -Workstations
  -Location C
    -Users
    -........
  -Location .....

Now for Agency A, if they create a user in AD and want to synchronize to NDS, what OU does the user get created in??? They will have to come up with some rule that looks at another attribute of the user object to decide where to place the user, such as "City".

Okay, so you write a DirXML rule that says: if a user is created in Active Directory under "ou=User, ou=Agency A", create a new user in NDS and place the user in "ou=users, ou=Location A, ou=Agency A", where Location = Location A if City = A. Great, that works for the metadirectory case and for the direct sync case *until* your agency administrator decides to change the OU structure on the AD side or on the NDS side. Let's say the agency administrator is implementing some type of ZEN policy on the NDS side, or otherwise goes crazy and splits up the Users OU underneath the Location OU. In the direct sync case you have to rewrite the entire synchronization rule to determine which OU the user will get placed in. In the metadirectory case, you don't have to touch the AD import rule because nothing changed. All you would have to do is modify the NDS export rule to take into account the new logic for determining where to place the user.

So... the points I was trying to make were:

1. Novell's Nsure Identity (rebranded DirXML) truly is an industrial-strength metadirectory and exceeds Jorge's criterion of "Not the size of an Identity Management tool like MIIS".
2. If you have *fairly* large and disparate OU structures between AD and NDS, you are much better off in the long run building a true metadirectory than trying to build a direct synchronization link.
3. If you have >2 directories, then a metadirectory becomes way more attractive: it is easier to manage, more efficient, and the synchronization logic is much easier to maintain, and something like Nsure Identity Manager or MIIS becomes a very attractive product.
4. I'm not saying "don't use Nsure (DirXML)".... What I am saying is: realize what you are getting when you purchase Nsure.

_Stuart Fuller

P.S. Hunter *does* know that there is something wrong with me.... :-p

-------------------------------------------------------------
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Thursday, May 12, 2005 3:22 PM
To: [email protected]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Synching NDS and AD

In response to Stuart's posting:

"NIM is actually bigger than just eDir and AD sync, and it's certainly more than just a simple sync with the ability to control the flow of metadata and modify data on the fly through XSLT/XML; it also includes the idea of authoritative sources at an attribute level. It is one of the most powerful and flexible metadirectory products on the market today and one which is reasonably mature/robust. If you've set up your AD structure so differently to your eDirectory structure within the same company, then there's either something wrong with one of the structures or there's something wrong with you. I have never ever seen a directory structure in AD that I can't apply rules through NIM to sync with eDirectory, even in instances of poor design."

As per Matthew Culver, Sr. Network Engineer, Novell Inc.

------------------------------------------------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fuller, Stuart
Sent: Thursday, May 12, 2005 12:27 PM
To: [email protected]
Subject: RE: [ActiveDir] Synching NDS and AD

Nsure Identity Manager = "metadirectory" for all disparate NDS (eDir) and AD directories. We are/have been looking at this question, and yes, you can do a simple sync between Novell and AD with this product. *BUT* in our case the OU structures between the two directories are so disparate that a direct sync is relatively impossible. If we end up going with this solution, we will have to project both directories to a third directory that we will write the sync rules for. This ends up being a metadirectory. *If* your OU structure, account IDs, etc... are fairly or exactly the same, then you can do a direct sync and end up with something "...not the size of an Identity Management Tool like MIIS". If you want a full-blown metadirectory, then Novell's Nsure Identity Management is in the same category of directory products as MIIS.

_Stuart Fuller

-------------------------------------------------------
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Wednesday, May 11, 2005 3:16 PM
To: [email protected]
Subject: RE: [ActiveDir] Synching NDS and AD

Hi Jorge,

We run NetWare NDS 6.5 along with AD 2003, and we have a full-time NetWare consultant on staff assigned by Novell. I spoke with him about your request and what he would recommend, and he gave me this link: http://www.novell.com/products/nsureidentitymanager/

Regards,
Jose Medeiros

----------------------------------------------------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, May 11, 2005 11:07 AM
To: [email protected]
Subject: [ActiveDir] Synching NDS and AD

Hi,

Does anyone know of a product that can achieve the following:

* Synching NDS and AD
* 2-way synching
* Automated synching
* Possibility to assign a directory for the first sync
* Synching of user accounts, groups and passwords (although I wonder if the latter is possible because different mechanisms are used for storing pwds)
* Not the size of an Identity Management tool like MIIS

Could MS Services for NetWare play a role in this?

Cheers
#JORGE#

Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
Infrastructure Consultant
__________________________________________
LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089, 5605 JB Eindhoven
Tel : +31-(0)40-29.57.777
Fax : +31-(0)40-29.57.709
Mobile : +31-(0)6-26.26.62.80
E-mail : [EMAIL PROTECTED]
http://www.logicacmg.com/ - Solutions that matter -

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
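The placement rule Stuart describes in the thread (an AD user under ou=Users, ou=Agency A placed into the per-location Users OU in NDS, with the location chosen from the City attribute), worked through as a small model of the two designs he contrasts: one direct-sync rule set versus an AD import rule plus an NDS export rule with a metaverse object in between. This is an added example written for this page; it is not code from the thread and not a DirXML/Nsure Identity Manager rule. The attribute names (l for City, department), the DC suffix, the city-to-location table, the sample users and the assumption that the NDS administrator's reorganisation splits Users by department are all illustrative assumptions.

```python
"""Direct sync vs. metadirectory placement rules for the AD -> NDS case.

A user created under ou=Users,ou=<Agency> in AD must land in NDS under
ou=Users,ou=<Location>,ou=<Agency>, Location being derived from City.
direct_sync() is the one-rule-set design; ad_import() plus an nds_export_*()
rule is the metadirectory design.  Assumptions for illustration: attribute
names "l" (City) and "department", the DC suffix, the City table, and that
the NDS admin's reorganisation splits Users by department.
"""
from dataclasses import dataclass

CITY_TO_LOCATION = {"Helena": "Location A", "Billings": "Location B"}  # assumed

# Constructed sample objects, as an AD connector would hand them over.
AD_USERS = [
    {"dn": "CN=jdoe,OU=Users,OU=Agency A,DC=example,DC=gov", "cn": "jdoe",
     "l": "Helena", "department": "Finance"},
    {"dn": "CN=asmith,OU=Users,OU=Agency A,DC=example,DC=gov", "cn": "asmith",
     "l": "Billings", "department": "Field"},
    # Unmapped City: no rule can place this user and the sync must say so.
    {"dn": "CN=xwho,OU=Users,OU=Agency A,DC=example,DC=gov", "cn": "xwho",
     "l": "Nowhere", "department": "Finance"},
]

class PlacementError(ValueError):
    """No rule decides the target OU (unknown City or unexpected source OU)."""

def parse_dn(dn):
    """(type, value) RDNs, leaf first, types lowercased. Assumes no escaped commas."""
    return [(t.strip().lower(), v.strip())
            for t, _, v in (p.partition("=") for p in dn.split(","))]

def agency_of(ad_dn):
    """Agency OU name if the object sits directly in ou=Users,ou=<Agency>."""
    rdns = parse_dn(ad_dn)
    if len(rdns) < 3 or rdns[1] != ("ou", "Users") or rdns[2][0] != "ou":
        raise PlacementError(f"unexpected source container in {ad_dn}")
    return rdns[2][1]

def location_of(city):
    try:
        return CITY_TO_LOCATION[city]
    except KeyError:
        raise PlacementError(f"no Location rule for City={city!r}") from None

# Design 1: direct sync. One rule set reads the AD layout and writes the NDS
# layout, so a change on either side means rewriting this whole function.
def direct_sync(ad_user):
    agency = agency_of(ad_user["dn"])
    return f"cn={ad_user['cn']},ou=Users,ou={location_of(ad_user['l'])},ou={agency}"

# Design 2: metadirectory. The metaverse object holds directory-neutral facts;
# the import rule knows only AD, each export rule knows only one NDS layout.
@dataclass(frozen=True)
class MetaverseUser:
    uid: str
    agency: str
    city: str
    location: str
    department: str

def ad_import(ad_user):
    """AD -> metaverse: the AD layout and the City rule, nothing about NDS."""
    return MetaverseUser(uid=ad_user["cn"], agency=agency_of(ad_user["dn"]),
                         city=ad_user["l"], location=location_of(ad_user["l"]),
                         department=ad_user["department"])

def nds_export_v1(mv):
    """Metaverse -> NDS, original layout: ou=Users under each Location."""
    return f"cn={mv.uid},ou=Users,ou={mv.location},ou={mv.agency}"

def nds_export_v2(mv):
    """Metaverse -> NDS after Users is split by department (assumed split).
    Only this rule is new; ad_import() is untouched."""
    return f"cn={mv.uid},ou={mv.department},ou=Users,ou={mv.location},ou={mv.agency}"

def sync_all(ad_users, export_rule):
    """Import then export each user; unplaceable users are reported, never
    silently dropped into a default container."""
    placed, failed = {}, {}
    for u in ad_users:
        try:
            placed[u["cn"]] = export_rule(ad_import(u))
        except PlacementError as e:
            failed[u["cn"]] = str(e)
    return placed, failed
```

Running sync_all with nds_export_v1 and then with nds_export_v2 shows the property the thread argues about: ad_import() produces the identical metaverse object in both runs, and swapping the NDS layout only swaps the export rule, whereas direct_sync() would have to be rewritten because its DN parsing and its DN construction live in one function. The third sample user also shows the check worth having before any such rule goes live: a user whose City has no mapping must be reported as unplaceable rather than quietly created in whatever container the rule falls through to.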
