Purely for web-based access.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, March 13, 2006 10:10 AM
To: [email protected]
Subject: Re: [ActiveDir] AD LDAP directory choices

Jim, is this just for web-based application access?
 
As for choices, anything that uses your internal authority (AD) can become messy in a hurry, especially since you have to be concerned with unlike items (i.e. exceptions) to your normal identity management process.
 
There's a lot more to discuss about this type of situation, but it really kind of depends on the type of applications, the access architecture, and the risk tolerances.
 
Al
 
On 3/13/06, Becker, Jim <[EMAIL PROTECTED]> wrote:
I work at the headquarters of a large university system. Our local forest consists of a consortium of business divisions with one domain per division supporting our respective user communities. Within an OU in our domain we already host, for several of our campuses, about 100 external user accounts for authentication into an array of web-based business apps. These are very simple accounts for authentication only since the web apps handle their own authorizations, so there are no groups, policies, etc. The most complicated aspect is several administrator accounts delegated with responsibility for managing a respective set of these 100 accounts.
 
I've recently been informed that we will need to be able to host tens of thousands more of these simple accounts for a rather public community. I'm not enamored with the idea of adding thousands more accounts to our domain, so I wanted to explore the options.
 
In addition to extending and populating the existing OU, the potential choices are ADAM, a child domain of my domain, or an entirely different forest.  I purposely left out using another divisional domain because we've settled on the overall forest's divisional structure and adding one more for this special case need probably wouldn't be accepted.
 
Are others using one or more of these options, and what are the pros and cons of each that I should consider?
 
 
Thanks,

Jim Becker
Asst. Director of Administrative Systems
LAN Services
State University of New York
System Administration
[EMAIL PROTECTED]

