Edwin wrote:
(...)
My initial thought is to investigate Microsoft ADAM. If ADAM can query
the domain only checking for new entries while ignoring those that are
deleted, I think that I can accomplish the task of addressing all of the
concerns outlined above.
What do you think? Is this solution possible? Is there an easier
solution? One that is preferable to this?
Everything is possible :).
OK - from a quick reading, you should investigate the option of using ADAM with
some synchronization solution like IIFP, MIIS, or even the ADAM
Synchronizer which comes with ADAM SP1.
When somebody leaves the company, his account should be removed (it
can be a logical removal - not physical deletion of the account) from the
corporate AD - then this change should be synchronized to your LDAP
server. That's about the case of deleted accounts.
You can address performance with several ADAM instances working in a load
balanced environment. ADAM has replication mechanisms like AD, and this
will keep your ADAM instances in sync, while the LB will let you balance the
workload among different LDAP servers.
Your security concerns are a little mitigated if you are using a
solution which synchronizes the data _to_ ADAM - in such a case data
changes are pushed to ADAM.
Those are a few quick ideas - I'm sure that you will get more feedback from
other people, and I will try to get back to this topic in the evening
(my time zone :) ).
--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
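The "logical remove" policy Tomasz describes (leavers are disabled in the corporate AD, and that change is pushed one way into ADAM rather than deleted there) is small enough to sketch offline. The following is an added example and is not code from the thread or from IIFP, MIIS or the ADAM Synchronizer: it diffs a constructed export of the corporate AD against a constructed export of the ADAM instance and emits LDIF that could be fed to `ldifde -i` against ADAM. The partition `OU=Users,O=Corp,C=US`, the sample accounts, and the assumption that the ADAM instance has the MS-User.ldf schema imported (so objectClass `user` and `msDS-UserAccountDisabled` exist) are all hypothetical; the `ACCOUNTDISABLE` bit of `userAccountControl` is the documented value.

```python
"""Offline sketch of a one-way AD -> ADAM push with logical removal.

Added example, not code from the original thread or from IIFP/MIIS/ADAM
Synchronizer. It diffs a constructed AD export against a constructed ADAM
export and renders LDIF: joiners are created, leavers are flagged disabled,
nothing is ever physically deleted from ADAM.
"""

# userAccountControl bit ACCOUNTDISABLE (0x0002), as documented by Microsoft.
ACCOUNTDISABLE = 0x0002

# Hypothetical ADAM application partition and container; adjust to your instance.
ADAM_BASE = "OU=Users,O=Corp,C=US"

# Constructed sample exports. Real data would come from an LDAP search (e.g.
# `ldifde -f`) against each directory; the account name is the join key.
AD_EXPORT = {
    "alice": {"userAccountControl": 512, "displayName": "Alice Adams", "mail": "alice@corp.example"},
    "bob":   {"userAccountControl": 514, "displayName": "Bob Brown",   "mail": "bob@corp.example"},    # 512 | ACCOUNTDISABLE: leaver
    "carol": {"userAccountControl": 512, "displayName": "Carol Clark", "mail": "carol@corp.example"},  # joiner, not in ADAM yet
    "erin":  {"userAccountControl": 512, "displayName": "Erin Evans",  "mail": "erin@corp.example"},   # re-enabled in AD
}
ADAM_EXPORT = {
    "alice": {"msDS-UserAccountDisabled": "FALSE"},
    "bob":   {"msDS-UserAccountDisabled": "FALSE"},
    "dave":  {"msDS-UserAccountDisabled": "FALSE"},  # object has vanished from AD entirely
    "erin":  {"msDS-UserAccountDisabled": "TRUE"},
}


def ad_disabled(entry):
    """True when the AD account carries the ACCOUNTDISABLE bit."""
    return bool(entry["userAccountControl"] & ACCOUNTDISABLE)


def plan_changes(ad, adam):
    """Compute what to push to ADAM; returns a dict of sorted name lists.

    Rules (the logical-remove policy from the thread):
      create  - in AD and enabled, absent from ADAM
      disable - present in ADAM and enabled there, but disabled in AD or missing from AD
      enable  - present in ADAM and disabled there, but enabled in AD
    A disabled joiner is never created; no record is ever deleted.
    """
    plan = {"create": [], "disable": [], "enable": []}
    for name, entry in ad.items():
        if name not in adam and not ad_disabled(entry):
            plan["create"].append(name)
    for name, entry in adam.items():
        adam_disabled = entry.get("msDS-UserAccountDisabled", "FALSE").upper() == "TRUE"
        want_disabled = name not in ad or ad_disabled(ad[name])
        if want_disabled and not adam_disabled:
            plan["disable"].append(name)
        elif not want_disabled and adam_disabled:
            plan["enable"].append(name)
    return {k: sorted(v) for k, v in plan.items()}


def dn_for(name):
    """Build the ADAM DN for an account; hypothetical naming convention."""
    return f"CN={name},{ADAM_BASE}"


def to_ldif(plan, ad):
    """Render the plan as LDIF for ldifde. Assumes MS-User.ldf is imported so
    objectClass 'user' and msDS-UserAccountDisabled exist in the ADAM schema."""
    records = []
    for name in plan["create"]:
        src = ad[name]
        records.append("\n".join([
            f"dn: {dn_for(name)}",
            "changetype: add",
            "objectClass: user",
            f"cn: {name}",
            f"displayName: {src['displayName']}",
            f"mail: {src['mail']}",
            "msDS-UserAccountDisabled: FALSE",
        ]))
    for action, value in (("disable", "TRUE"), ("enable", "FALSE")):
        for name in plan[action]:
            records.append("\n".join([
                f"dn: {dn_for(name)}",
                "changetype: modify",
                "replace: msDS-UserAccountDisabled",
                f"msDS-UserAccountDisabled: {value}",
                "-",
            ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(to_ldif(plan_changes(AD_EXPORT, ADAM_EXPORT), AD_EXPORT))
```

Note that `dave`, who no longer exists in AD at all, is disabled in ADAM rather than deleted; that is the point of a logical remove, and it is also what lets the ADAM side keep serving `dave` as a known-but-inactive principal. Because the flow is push-only, the account that writes to ADAM needs no rights on the corporate AD beyond read, which is the mitigation Tomasz alludes to.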