Comments on: Is AD really the dominant Identity Store out there? http://blog.talkingidentity.com/2008/07/is_ad_really_the_dominant_iden.html An Architect's Quest to make sense of the world of Identity and Access Management Thu, 01 Sep 2011 20:45:14 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Trent http://blog.talkingidentity.com/2008/07/is_ad_really_the_dominant_iden.html/comment-page-1#comment-89 Trent Wed, 07 Jan 2009 01:40:59 +0000 http://talkingidentity.com/blog/?p=116#comment-89 If allow guest access or partner/contractor access onto your network, you don't want to add these people to the corp. AD do you? A 2nd identity store could be useful and alleviate management and resource headaches. I'm not sure you'd need a full blow 2nd AD though. If allow guest access or partner/contractor access onto your network, you don’t want to add these people to the corp. AD do you? A 2nd identity store could be useful and alleviate management and resource headaches. I’m not sure you’d need a full blow 2nd AD though.

]]> By: Anonymous http://blog.talkingidentity.com/2008/07/is_ad_really_the_dominant_iden.html/comment-page-1#comment-88 Anonymous Tue, 25 Nov 2008 19:37:48 +0000 http://talkingidentity.com/blog/?p=116#comment-88 Martin said: AD is a perfectly acceptable directory. What deficiency or defect exists in AD that *requires* a company to add a second directory? Answer: Platform Martin said:
AD is a perfectly acceptable directory.
What deficiency or defect exists in AD that *requires* a company to add a second directory?
Answer: Platform

]]> By: Jef http://blog.talkingidentity.com/2008/07/is_ad_really_the_dominant_iden.html/comment-page-1#comment-87 Jef Mon, 21 Jul 2008 22:26:36 +0000 http://talkingidentity.com/blog/?p=116#comment-87 I can see how you may not want to use AD as "the" identity store, especially when you have multiple domains/forests, decentralized management, etc. If not architected correctly, it can be unwieldy for applications. This is limitation of the architect, not the technology itself though. Heck, many applications still don't "understand" the concept of multiple Domains/NCs, and want to only use a single partition to connect too relying only on a unique username. But what if you have multiple HR systems as well? I hope the majority of enterprises have a single authoritative source for identity data from an HR unit. You will end up with some concept of an aggregated identity store (either through a Vdir or Metadirectory product), to which point if you go the directory route, it is a "Directory is a directory is a directory" Now why would I choose to use OID as my aggregated identity store over ADLDS when I have experience with managging ADDS already? It might not be a hard sell to add an additional directory to aggregate data, but it would be a harder sell to switch technologies/vendors providing that directory. An ADLDS instance with aggregated identity information, and proxy bind objects goes a long way before having to bring in another directory product. Also many places who grew up on NT4 Domains may not have understood that AD is more than just a complex NT4 domain with usernames and basic information, and are not using it for the underlying directory metadata. I can see how a vendor could come in and sell them a "solution" they already have, but just don't understand. Jef I can see how you may not want to use AD as “the” identity store, especially when you have multiple domains/forests, decentralized management, etc. If not architected correctly, it can be unwieldy for applications. This is limitation of the architect, not the technology itself though.
Heck, many applications still don’t “understand” the concept of multiple Domains/NCs, and want to only use a single partition to connect too relying only on a unique username.
But what if you have multiple HR systems as well? I hope the majority of enterprises have a single authoritative source for identity data from an HR unit.
You will end up with some concept of an aggregated identity store (either through a Vdir or Metadirectory product), to which point if you go the directory route, it is a “Directory is a directory is a directory”
Now why would I choose to use OID as my aggregated identity store over ADLDS when I have experience with managging ADDS already? It might not be a hard sell to add an additional directory to aggregate data, but it would be a harder sell to switch technologies/vendors providing that directory.
An ADLDS instance with aggregated identity information, and proxy bind objects goes a long way before having to bring in another directory product.
Also many places who grew up on NT4 Domains may not have understood that AD is more than just a complex NT4 domain with usernames and basic information, and are not using it for the underlying directory metadata. I can see how a vendor could come in and sell them a “solution” they already have, but just don’t understand.
Jef

]]> By: Clayton Donley's Blog http://blog.talkingidentity.com/2008/07/is_ad_really_the_dominant_iden.html/comment-page-1#comment-90 Clayton Donley's Blog Mon, 21 Jul 2008 22:03:59 +0000 http://talkingidentity.com/blog/?p=116#comment-90 <strong>Where does he get that wonderful identity data?</strong> Finally getting around to participating in the latest stream of blog postings following up the "meta-directory is dead" and "daddy, does Active Directory grow on trees?" discussions... Nishant has already addressed some of these comments in his post fr... Where does he get that wonderful identity data?

Finally getting around to participating in the latest stream of blog postings following up the “meta-directory is dead” and “daddy, does Active Directory grow on trees?” discussions… Nishant has already addressed some of these comments in his post fr…

]]> By: james http://blog.talkingidentity.com/2008/07/is_ad_really_the_dominant_iden.html/comment-page-1#comment-86 james Sat, 19 Jul 2008 13:45:23 +0000 http://talkingidentity.com/blog/?p=116#comment-86 <a href="http://duckdown.blogspot.com/2008/07/active-directory-20.html" rel="nofollow">http://duckdown.blogspot.com/2008/07/active-directory-20.html</a> http://duckdown.blogspot.com/2008/07/active-directory-20.html

]]> By: James Dodds http://blog.talkingidentity.com/2008/07/is_ad_really_the_dominant_iden.html/comment-page-1#comment-85 James Dodds Thu, 17 Jul 2008 16:57:34 +0000 http://talkingidentity.com/blog/?p=116#comment-85 I'm not seeing where anyone is saying the AD LAN should be the same as the AD identity store. Microsoft doesn't say that. I think the point is simply that AD "can" be an identity store, just as Novell, Sun, Oracle directories "can" be an identity store, and since many organization already have AD and AD expertise, it may make sense for them to deploy AD as an identity store. Or ADAM... James I’m not seeing where anyone is saying the AD LAN should be the same as the AD identity store. Microsoft doesn’t say that. I think the point is simply that AD “can” be an identity store, just as Novell, Sun, Oracle directories “can” be an identity store, and since many organization already have AD and AD expertise, it may make sense for them to deploy AD as an identity store. Or ADAM…
James

]]> By: Nishant Kaushik http://blog.talkingidentity.com/2008/07/is_ad_really_the_dominant_iden.html/comment-page-1#comment-84 Nishant Kaushik Thu, 17 Jul 2008 15:46:00 +0000 http://talkingidentity.com/blog/?p=116#comment-84 The deficiencies in AD are well documented, so I won't go into them. Just do a Google search on the topic. And once you get past simple attribute management, each directory introduces some value added features that become differentiators when talking about identity store deployments. I am not saying enterprises must get a second directory, only that they should have their choice of directory. Again, going back to my experience, the fact that companies were choosing directories other than AD for their projects, after careful consideration and despite already having AD in house, means that the choice is necessary. OID, for instance, has a much stronger base in the telco industry due to performance benefits it has over other directories. The deficiencies in AD are well documented, so I won’t go into them. Just do a Google search on the topic. And once you get past simple attribute management, each directory introduces some value added features that become differentiators when talking about identity store deployments.
I am not saying enterprises must get a second directory, only that they should have their choice of directory. Again, going back to my experience, the fact that companies were choosing directories other than AD for their projects, after careful consideration and despite already having AD in house, means that the choice is necessary. OID, for instance, has a much stronger base in the telco industry due to performance benefits it has over other directories.

]]> By: Martin http://blog.talkingidentity.com/2008/07/is_ad_really_the_dominant_iden.html/comment-page-1#comment-83 Martin Thu, 17 Jul 2008 09:26:42 +0000 http://talkingidentity.com/blog/?p=116#comment-83 OK - so MS *forced* the organizations to use AD. The freedom of choice is not an acceptable answer for why a company should add a second directory and that is the essence of your argument. AD is a perfectly acceptable directory. What deficiency or defect exists in AD that *requires* a company to add a second directory? None. Directories are directories are directories. They all have some differences that makes one incrementally better in one metric or another over the others and they all have warts. OK – so MS *forced* the organizations to use AD.
The freedom of choice is not an acceptable answer for why a company should add a second directory and that is the essence of your argument.
AD is a perfectly acceptable directory.
What deficiency or defect exists in AD that *requires* a company to add a second directory? None.
Directories are directories are directories. They all have some differences that makes one incrementally better in one metric or another over the others and they all have warts.

]]>