That's a classic scenario for ADAM. I wouldn't use AD for that as you just need bind auth for users of a web app. AD actually gives you a ton of stuff you don't need and some additional complexity. ADAM scales the same as AD, so there is no advantage from a scale point of view to use AD.

I'm not sure how you would achieve the goal of the archival users in a separate directory as I don't know how you'll be able to migrate the password data in ADAM to another ADAM store. There might be a way, but I'm just not sure.

I'd suggest reading up on Eric Fleischman's blog to find out some interesting stuff on ADAM perf and scale. The bottom line is that as long as you have the disk and the CPU to handle the data store, you shouldn't have any problem with an ADAM instance that size. You are many orders of magnitude away from the actual limits in the system.

As I am now a huge fan of federation technologies, I feel I would be remiss if I didn't suggest the possibility of adding that into the mix with ADFS. It can make a nice wrapper around your ADAM instance to serve as an account store, and having federation capability gives you an easy way to link in identities from within the enterprise and also to directly use the identities of your business partners without having to maintain them in your own store. The identity lifecycle management costs of 2M+ users are not insignificant, and users would generally rather not have to get a new account in your system to use it if they can avoid it. Just a thought... :)

Joe K.

----- Original Message -----
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Thursday, November 23, 2006 2:54 PM
Subject: [ActiveDir] Scaling up with AD or ADAM?


Hi guys,

We're helping a customer design a large new directory, to use with an Extranet environment. We see this thing scaling up to about 2 million active users, and up to about 10 million archival users (who no longer log in, but for various business reasons need to be kept around).

The active users are likely to log in every few days, and will be distributed around the globe.

Logins will be LDAP binds from web apps -- no file/print/etc. in scope.

Has anyone built an AD environment to this scale?

We're thinking separate directories BTW - a "live" one for the 2M users,
and an "archive" one for the 10M historical records.

Would you recommend ADAM?  With how many DCs if so?  (the web apps would
likely be hosted at a single site).

Perhaps full-fledged AD?  How many DCs?

Thanks!

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com


On Thu, 23 Nov 2006, Lee Flight wrote:


Hi

I think the problem is with

>But the user installing the ADAM instance is already member
> of administrators.

The ADAM answer file reader does not seem to check that; if it
sees the Administrator parameter in the answer file it assumes that
the user running the install is not an ADAM administrator and as
this is a unique instance installing the LDIFs will not be possible
due to lack of permissions to modify the local schema.
It might be possible to circumvent this using an explicit SourceUsername
and SourcePassword in the answer file, but I think your workaround is more secure.

Lee Flight

On Thu, 23 Nov 2006 [EMAIL PROTECTED] wrote:


Hi

I am trying to install ADAM unattended to be used for publishing Oracle DBs.

I would like to grant administrators from the local computer as ADAM administrator and I would like
to import some of the accompanying LDF files.

; Specifies the Administrators within the AD\AM instance.
Administrator=MYCOMPUTER\Administrators

; The following line specifies the .ldf files to import into the ADAM schema.
ImportLDIFFiles="MS-InetOrgPerson.ldf" "MS-User.ldf"

However, the install fails when I specify both options. The error message is that the user has to be an administrator to import .ldf files. But the user installing the ADAM instance is already a member of Administrators.

My current workaround is to comment out the ImportLDIFFiles statement and import them after the
instance has been created.

Just wondered if this was a known problem.

/kkh





List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
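The workaround kkh describes (leave ImportLDIFFiles out of the answer file, create the instance, then import the LDF files once it exists), scripted in PowerShell. This is an added example, not code from anyone in the thread. The instance name, LDAP/SSL ports, application partition DN and the use of %windir%\ADAM as the install and LDF location are assumptions chosen for illustration; the adaminstall.exe /answer: switch, the answer-file keys and the ldifde invocation with the #schemaNamingContext token are the documented ADAM interfaces.

```powershell
# Added example: unattended ADAM install with Administrator= set, followed by a
# post-install schema import. Not from the original thread.
# Assumed values (hypothetical): instance name, ports, partition DN, paths.

$InstanceName = 'OracleDirectory'
$LdapPort     = 50000
$SslPort      = 50001
$Partition    = 'DC=example,DC=com'            # hypothetical application partition
$AdamDir      = "$env:windir\ADAM"             # where adaminstall.exe and MS-*.ldf live (assumed)
$AnswerFile   = "$env:TEMP\adam-answer.txt"

# Answer file. ImportLDIFFiles is deliberately absent: combining it with
# Administrator= is what triggers the "must be an administrator" failure
# discussed above. No SourceUserName/SourcePassword either, so no credentials
# are written to disk.
@"
[ADAMInstall]
InstallType=Unique
InstanceName=$InstanceName
LocalLDAPPortToListenOn=$LdapPort
LocalSSLPortToListenOn=$SslPort
NewApplicationPartitionToCreate=$Partition
Administrator=$env:COMPUTERNAME\Administrators
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

& (Join-Path $AdamDir 'adaminstall.exe') "/answer:$AnswerFile"
if ($LASTEXITCODE -ne 0) { throw "adaminstall failed with exit code $LASTEXITCODE" }

# Import the schema extensions now that the instance exists and the installing
# user is an ADAM administrator of it. ldifde replaces the placeholder DN given
# to -c with the instance's real schema naming context; the token must be quoted
# in PowerShell because '#' would otherwise start a comment.
foreach ($ldf in 'MS-InetOrgPerson.ldf', 'MS-User.ldf') {
    & ldifde -i -f (Join-Path $AdamDir $ldf) -s "localhost:$LdapPort" -k -j $env:TEMP `
             -c 'CN=Schema,CN=Configuration,DC=X' '#schemaNamingContext'
    if ($LASTEXITCODE -ne 0) { throw "ldifde import of $ldf failed with exit code $LASTEXITCODE" }
}

Remove-Item $AnswerFile    # answer files can carry secrets; don't leave them behind
```

Run it from an elevated session as a member of the local Administrators group, since that group is what the Administrator= line grants ADAM administration to. The ldifde log (-j) lands in %TEMP% if an import needs debugging.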

