>>>>> "Michael" == Michael R Phelan <[EMAIL PROTECTED]> writes:

Michael> One of the problems with this design is that unverified
Michael> Active Directory users get left in the Active Directory
Michael> domain. This is a result of people registering, but never
Michael> verifying, their account. These need to be cleaned out
Michael> periodically. We've discussed keeping the unverified accounts
Michael> in a secondary data storage area, such as a relational
Michael> database. This would allow us to no longer keep unverified
Michael> account information in Active Directory. We're just concerned
Michael> about having a second data storage area for users. We're
Michael> concerned that we would just have to clean up the secondary
Michael> data storage area instead of, or in addition to, the Active
Michael> Directory domain.

No matter what you do, you're going to have to expire accounts which are unverified by end users. So just set up a nightly cron job to go through and find all accounts past the timeout limit and expire them.

As for whether to put the initial data into LDAP or an external DB, it all depends on how comfortable you are with each tool. I'd probably go with an external DB, since I can't imagine it's going to be large, and if it does get lost, it's not a problem. But if someone's data gets into the LDAP, but you don't set the "Unverified" status, then you've opened up a security hole possibly.

Also, if you lose the unverified users, it's not a big deal; you can just have them resubmit their information. Once they're in the LDAP, you want to be more conservative probably.

In any case, I think you've got the right ideas here and it's just a matter of implementation. I personally think you're on the right path.

John

_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
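The two mechanisms John describes, a nightly sweep that expires unverified registrations past a timeout and a check that nothing reaches the directory without its "Unverified" status set, as an added example that is not part of the original thread. Everything in it is assumed for illustration: the external DB is an in-memory SQLite table named `pending_registrations`, the directory is modelled as a list of dicts rather than a live LDAP or Active Directory server, the status attribute is a hypothetical `accountStatus`, and the seven-day timeout and the sample rows are constructed.

```python
"""Nightly sweep for a self-service registration flow (added example).

Assumptions, all constructed for illustration:
  * pending registrations live in an external DB table
    pending_registrations(username, email, submitted_at) -- SQLite in-memory here;
  * the directory is a list of dicts keyed on sAMAccountName, with a
    hypothetical `accountStatus` attribute holding "unverified" until the
    user confirms;
  * the unverified timeout policy is seven days.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

UNVERIFIED_TIMEOUT = timedelta(days=7)          # assumed policy value
SAMPLE_NOW = datetime(2024, 1, 15, 2, 0, tzinfo=timezone.utc)  # fixed "now" for the sample


def open_sample_db():
    """Create the external DB with three constructed pending registrations."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pending_registrations ("
        "username TEXT PRIMARY KEY, email TEXT, submitted_at TEXT)"
    )
    rows = [
        # alice registered yesterday: still inside the window
        ("alice", "alice@example.com", (SAMPLE_NOW - timedelta(days=1)).isoformat()),
        # bob registered ten days ago: past the timeout
        ("bob", "bob@example.com", (SAMPLE_NOW - timedelta(days=10)).isoformat()),
        # carol is one minute past the timeout: expired too
        ("carol", "carol@example.com", (SAMPLE_NOW - timedelta(days=7, minutes=1)).isoformat()),
    ]
    conn.executemany("INSERT INTO pending_registrations VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def expire_unverified(conn, now=SAMPLE_NOW, timeout=UNVERIFIED_TIMEOUT):
    """Delete pending registrations older than `timeout`; return the usernames removed.

    Timestamps are stored as ISO 8601 strings in one timezone, so string
    comparison orders them correctly.
    """
    cutoff = (now - timeout).isoformat()
    cur = conn.execute(
        "SELECT username FROM pending_registrations WHERE submitted_at < ?", (cutoff,)
    )
    expired = sorted(row[0] for row in cur.fetchall())
    conn.execute("DELETE FROM pending_registrations WHERE submitted_at < ?", (cutoff,))
    conn.commit()
    return expired


# Constructed directory snapshot: dave is a real user, erin is pending and
# correctly flagged, frank is pending but reached the directory without the flag.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "dave", "accountStatus": "active"},
    {"sAMAccountName": "erin", "accountStatus": "unverified"},
    {"sAMAccountName": "frank"},
]


def audit_directory(entries, verified_usernames):
    """Return directory accounts that are not verified yet lack the 'unverified' marker.

    This is the hole John points at: a record that lands in the directory
    without its Unverified status set is indistinguishable from a normal
    account to anything that authenticates against the directory.
    """
    return sorted(
        e["sAMAccountName"]
        for e in entries
        if e["sAMAccountName"] not in verified_usernames
        and e.get("accountStatus") != "unverified"
    )


if __name__ == "__main__":
    db = open_sample_db()
    print("expired:", expire_unverified(db))
    print("unflagged unverified accounts:", audit_directory(SAMPLE_DIRECTORY, {"dave"}))
```

Run nightly, `expire_unverified` is the cron job John suggests; `audit_directory` is the companion check that makes the external-DB design safe, since it catches the case where a registration was copied into the directory before verification without the status that keeps it from being usable.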
