From a pure LDAP perspective you can expect similar perf numbers on AD
vs. ADAM.
For medium-sized directories (like 10M) I'm of the opinion that there
isn't a huge advantage to ADAM over AD. When you get larger (high tens
of millions to hundreds of millions or billions), ADAM gets more
interesting.
I would note that I tend to look at AD vs. ADAM with an eye on AD as the
'default' choice, more often than not. This stems from a richer
protocol stack on AD (Kerberos, etc.), which is only helpful. ADAM has a
more constrained protocol stack. If you have entirely home-grown apps
this is less interesting, but if you think you might use vendor-specific
apps this can only help.

Not trying to downplay ADAM, just want to make sure you pick the right
technology for your job.

~Eric


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Friday, November 24, 2006 8:21 AM
To: [email protected]
Subject: Re: [ActiveDir] Scaling up with AD or ADAM?

I personally don't have any experience with ADAM at "big" scale, but I've
heard of some really large deployments.  Eric might be able to share some
stories.  I wouldn't be concerned about the underlying technology, as it is
all based on the AD core and is quite solid and mature.

I have no experience on IBM TAM, but I'd hope it can integrate with normal
LDAP stores.  As such, I think it should work.  There probably won't be any
support in the product for ADAM/AD features like fast concurrent binding
that might help improve your auth performance, but that might not be a huge
deal.  I don't think ADFS uses that either.  :)

Joe K.

----- Original Message ----- 
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, November 23, 2006 10:24 PM
Subject: Re: [ActiveDir] Scaling up with AD or ADAM?


> Thanks, Joe.
>
> I'll look up Eric's blog for metrics and such ASAP.  :-)
>
> I was thinking ADAM was the likely choice - just wasn't sure how much
> production experience folks had with it (it's still new-ish), or quite
> how to size it.
>
> Re federation - that looks like a subsequent phase, and ADFS definitely
> came to mind.  This customer has some IBM TAM kicking around, so that's
> another choice.  Later, in either case.
>
> Migrating users from the live directory to the archival is no big deal
> -- the reason we're engaged is to put our provisioning and password
> management technology in.
>
> BTW - anyone here integrated TAM (Tivoli Access Manager -- IBM's WebSSO)
> with ADAM?  Any pointers or horror stories we should know about?
>
> Cheers,
>
> -- 
> Idan Shoham
> Chief Technology Officer
> M-Tech Information Technology, Inc.
> [EMAIL PROTECTED]
> http://mtechIT.com
>
>
> Visit M-Tech at the Gartner Identity and Access Management Summit:
>   http://www.gartner.com/2_events/conferences/iam1_section.jsp
>   November 29 -- December 1; Las Vegas; Booth D.
> Visit M-Tech at the FinSec trade show:
>   http://www.misti.com/default.asp?Page=65&Return=70&ProductID=5305
>   December 4 -- 5; New York
>
>
> On Thu, 23 Nov 2006, Joe Kaplan wrote:
>
>> That's a classic scenario for ADAM.  I wouldn't use AD for that as you
>> just need bind auth for users of a web app.  AD actually gives you a ton
>> of stuff you don't need and some additional complexity.  ADAM scales the
>> same as AD, so there is no advantage from a scale point of view to use
>> AD.
>>
>> I'm not sure how you would achieve the goal of the archival users in a
>> separate directory as I don't know how you'll be able to migrate the
>> password data in ADAM to another ADAM store.  There might be a way, but
>> I'm just not sure.
>>
>> I'd suggest reading up on Eric Fleischman's blog to find out some
>> interesting stuff on ADAM perf and scale.  The bottom line is that as
>> long as you have the disk and the CPU to handle the data store, you
>> shouldn't have any problem with an ADAM instance that size.  You are many
>> orders of magnitude away from the actual limits in the system.
>>
>> As I am now a huge fan of federation technologies, I feel I would be
>> remiss if I didn't suggest the possibility of adding that into the mix
>> with ADFS. It can make a nice wrapper around your ADAM instance to serve
>> as an account store and having federation capability gives you an easy
>> way to link in identities from within the enterprise and also to directly
>> use the identities of your business partners without having to maintain
>> them in your own store. The identity lifecycle management costs of 2M+
>> users are not insignificant and users would generally rather not have to
>> get a new account in your system to use it if they can avoid it.  Just a
>> thought... :)
>>
>> Joe K.
>>
>> ----- Original Message ----- From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>> To: <[email protected]>
>> Sent: Thursday, November 23, 2006 2:54 PM
>> Subject: [ActiveDir] Scaling up with AD or ADAM?
>>
>>
>>> Hi guys,
>>>
>>> We're helping a customer design a large new directory, to use with an
>>> Extranet environment.  We see this thing scaling up to about 2 million
>>> active users, and up to about 10 million archival users (who no longer
>>> log in, but for various business reasons need to be kept around).
>>>
>>> The active users are likely to log in every few days, and will be
>>> distributed around the globe.
>>>
>>> Logins will be LDAP binds from web apps -- no file/print/etc. in scope.
>>>
>>> Has anyone built an AD environment to this scale?
>>>
>>> We're thinking separate directories BTW - a "live" one for the 2M users,
>>> and an "archive" one for the 10M historical records.
>>>
>>> Would you recommend ADAM?  With how many DCs if so?  (the web apps would
>>> likely be hosted at a single site).
>>>
>>> Perhaps full-fledged AD?  How many DCs?
>>>
>>> Thanks!
>>>
>>> -- 
>>> Idan Shoham
>>> Chief Technology Officer
>>> M-Tech Information Technology, Inc.
>>> [EMAIL PROTECTED]
>>> http://mtechIT.com
>>>
>>>
>>>
>>> On Thu, 23 Nov 2006, Lee Flight wrote:
>>>
>>>>
>>>> Hi
>>>>
>>>> I think the problem is with
>>>>
>>>> >But the user installing the ADAM instance is already member
>>>> > of administrators.
>>>>
>>>> The ADAM answer file reader does not seem to check that; if it
>>>> sees the Administrator parameter in the answer file it assumes that
>>>> the user running the install is not an ADAM administrator and as
>>>> this is a unique instance installing the LDIFs will not be possible
>>>> due to lack of permissions to modify the local schema.
>>>> It might be possible to circumvent this using an explicit SourceUsername
>>>> and SourcePassword in the answer file, but I think your workaround is
>>>> more secure.
>>>>
>>>> Lee Flight
>>>>
>>>> On Thu, 23 Nov 2006 [EMAIL PROTECTED] wrote:
>>>>
>>>>>
>>>>> Hi
>>>>>
>>>>> I am trying to install ADAM unattended to be used for publishing
>>>>> Oracle DBs.
>>>>>
>>>>> I would like to grant administrators from the local computer as ADAM
>>>>> administrators and I would like to import some of the accompanying LDF
>>>>> files.
>>>>>
>>>>> ; Specifies the Administrators within the AD\AM instance.
>>>>> Administrator=MYCOMPUTER\Administrators
>>>>>
>>>>> ; The following line specifies the .ldf files to import into the ADAM schema.
>>>>> ImportLDIFFiles="MS-InetOrgPerson.ldf" "MS-User.ldf"
>>>>>
>>>>> However the install fails when I specify both options. The error
>>>>> message is that the user has to be an administrator to import .ldf
>>>>> files. But the user installing the ADAM instance is already a member
>>>>> of administrators.
>>>>>
>>>>> My current workaround is to comment out the ImportLDIFFiles statement
>>>>> and import them after the instance has been created.
>>>>>
>>>>> Just wondered if this was a known problem.
>>>>>
>>>>> /kkh
>>>>>

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/
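The unattended-install workaround kkh and Lee discuss at the bottom of the thread (Administrator= in the answer file, ImportLDIFFiles left out, LDIFs imported afterwards so no SourceUserName/SourcePassword ever has to be written to disk), as an added batch example that is not from the list thread. The instance name, ports, partition DN and data path are assumed placeholders, and the answer-file keys are assumed to follow the ADAM answer-file template.

```batch
@echo off
rem Added example (not from the list thread): unattended ADAM install that keeps
rem the Administrator= line from kkh's answer file but leaves ImportLDIFFiles out,
rem so the LDIFs are imported after install by the same local admin and no
rem SourceUserName/SourcePassword has to be stored in the answer file.
rem Instance name, ports, partition DN and data path are assumed placeholders.

set "ANSWER=%TEMP%\adam-answer.txt"
set "ADAMDIR=%SystemRoot%\ADAM"
set "PORT=50000"

rem --- answer file: Administrator set, ImportLDIFFiles deliberately omitted ---
(
  echo [ADAMInstall]
  echo InstallType=Unique
  echo InstanceName=OracleDirectory
  echo LocalLDAPPortToListenOn=%PORT%
  echo LocalSSLPortToListenOn=50001
  echo NewApplicationPartitionToCreate=DC=example,DC=local
  echo DataFilesPath=%SystemDrive%\ADAMData\OracleDirectory
  echo LogFilesPath=%SystemDrive%\ADAMData\OracleDirectory
  echo Administrator=%COMPUTERNAME%\Administrators
) > "%ANSWER%"

rem --- step 1: create the instance, running as a member of local Administrators ---
"%ADAMDIR%\adaminstall.exe" /answer:"%ANSWER%"
if errorlevel 1 (
  echo adaminstall failed with exit code %ERRORLEVEL%
  goto :cleanup
)

rem --- step 2: import the schema LDIFs post-install with ldifde ---
rem -c rewrites the DC=X placeholder used inside the MS-*.ldf files to this
rem instance's schema naming context; -k continues past "already exists" errors.
for %%F in (MS-InetOrgPerson.ldf MS-User.ldf) do (
  ldifde -i -f "%ADAMDIR%\%%F" -s localhost -t %PORT% -k -j "%TEMP%" ^
    -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
  if errorlevel 1 echo import of %%F reported errors; see %TEMP%\ldif.log
)

:cleanup
rem the answer file holds no secrets, but do not leave install config lying around
del /q "%ANSWER%" 2>nul
```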