Directory Independence is dead (in case you didn't know)
I'm guessing many of you know this already, but DI has gone the way of the dodo. I thought I'd post it here, because I know questions about this will come up at the LDAP session Chris Miller and I are giving at Lotusphere. So, here's my quick FAQ:
What is/was DI?
- The ability to store all your users and groups in another directory, not Domino. Active Directory was the primary target. It would be (somewhat) seamless to users.
Can't I do that with Directory Assistance?
- To an extent, yes. Web authentication will work just fine, but Notes clients can't authenticate (no public key in AD) - and it's obviously a secondary directory in the UI.
So, why would I have wanted it?
- Primarily small sites, or acquisitions, would be interested - that already have a deployed AD infrastructure and don't want to manage two sets of users.
It's gone, why?
- Don't ask me, ask IBM. There were a lot of serious repercussions about the introduction of DI (developer and admin), and I'll admit that there would have been only a certain number of specific use cases. However, I really liked the idea in certain circumstances.
So what are my options if I want to do that above?
- It depends...
- Web-only sites: use Directory Assistance, an IIS front-end server, or SPNEGO to achieve the login. No accounts are necessary in the Domino Directory.
- For Notes clients, tough. You must use the Domino Directory (or possibly disable all key checking... haven't tested that, but I don't think it would work, and it's a very bad idea anyway).
- For mixed web/Notes environments, you need both directories to mirror each other, and hence, you're boned.
Boned? Seriously? Nothing I can do?
- Well, no - but nothing *easy*. You have some options...
- Use TDI as mentioned by IBM. Better still, go see Thomas Duff and Mitch Cohen talk about it at Lotusphere. It takes a while to get your head around.
- DON'T use ADSync. It's a terrible, horrible bit of front-end software that DOES NOT ensure synced directories.
- Use a third-party tool such as FirM. These sorts of tools abstract user management, or monitor the BACK-END directory and push the changes into the other directory. Kinda like TDI, but in a much more controlled manner (and they do lots of other things too).