
We have an application that uses AD LDS (ADAM) which contains an extended user class (custom attributes, specific to our application). One of our clients wants our users linked to their domain users (AD). When they create a user in their system, a user on our side has to be created. When they delete a user on their system, the corresponding user should be deleted on our side. The same with basic properties (name, email, ...). The application-specific attributes will be modified by our tool.

What is the best or most reliable way to keep those users in sync? The client does not allow us to modify their schema.

I was thinking myself of creating a web service to add/delete/modify a user on our side which can be called from within their system. But maybe there are better solutions. Thanks.

JPBlanc
djsubzero

2 Answers


Personally I would use ADAMSync for that. You can find a kind of 'how do I' in Synchronize ADAM (or LDS) with Active Directory Domain Services.

ADAMSync.exe and ADSchemaAnalyzer.exe are part of the binaries installed with ADAM.

In case you are effectively using ADAM, be careful to install ADAM SP1.

JPBlanc
  • An older project uses ADAM, newer projects are using AD LDS. I'll check out ADAMSync. – djsubzero Aug 30 '11 at 14:58
  • From the documentation, and after some googling, I found out that the schemas must match to use ADAMSync. This is not the case. My extended user class inherits from "user" and has custom attributes. So all user attributes are available in ADAM, but the naming context is completely different. The hierarchy does not match either. So I'm afraid this is not an option. Or are there some advanced configurations for some mapping? – djsubzero Aug 31 '11 at 06:55
  • First, you can synchronise YOUR ADAM with the AD one, but I'm not sure it's necessary if you are careful about the objects and attributes you synchronize. Second, with the XML configuration file you can make a query and just synchronize an OU with the objects and attributes you want. In your ADAM you also need to make 'your user class' inherit from the class 'msDS-BindProxy' if you want a kind of proxy authentication. Have you made some tests? – JPBlanc Aug 31 '11 at 07:20
  • Ok, I will try that. I won't be able to test it for the first 2 weeks, but I will tell you if it works. Thanks – djsubzero Aug 31 '11 at 11:20
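The ADAMSync approach JPBlanc describes (sync one OU, only the attributes you want, after importing the AD schema pieces your LDS instance lacks), written out as an added example. This is not code from the original answer or from Microsoft; the domain, OUs, partition name, service account, port and file names are all assumptions, and the exact element set accepted by a given ADAMSync version should be checked against the MS-AdamSyncConf.xml sample shipped with AD LDS.

```powershell
# Added example, not from the original answer. All names below are assumed:
# fabrikam.com is the client's AD, dc=app,dc=local is our LDS application partition,
# svc-adamsync is a read-only account in the client's domain, ad-schema.ldf is the
# LDIF produced by ADSchemaAnalyzer.exe for the AD classes/attributes our LDS lacks.
$ldsServer    = "localhost:389"
$ldsPartition = "dc=app,dc=local"
$targetDn     = "ou=clientusers,$ldsPartition"     # container that will receive synced users (assumed)
$configFile   = Join-Path $env:TEMP "App-AdamSyncConf.xml"

# 1. One-time per instance: ADAMSync needs its metadata schema, plus whatever AD
#    schema the extended user class does not already provide. "#configurationNamingContext"
#    is the ldifde placeholder for the instance's own configuration NC.
ldifde -i -u -f "$env:windir\ADAM\MS-AdamSyncMetadata.ldf" -s $ldsServer -j . `
       -c "cn=Configuration,dc=X" "#configurationNamingContext"
ldifde -i -u -f ".\ad-schema.ldf" -s $ldsServer -j . `
       -c "cn=Configuration,dc=X" "#configurationNamingContext"

# 2. Configuration: a single query scoped to the client's users OU with an explicit
#    attribute include list. Only listed attributes are written on each sync, so the
#    application-specific attributes on our extended class are never touched by ADAMSync.
@"
<?xml version="1.0"?>
<doc>
  <configuration>
    <description>Client AD users into app LDS (assumed example)</description>
    <security-mode>object</security-mode>
    <source-ad-name>fabrikam.com</source-ad-name>
    <source-ad-partition>dc=fabrikam,dc=com</source-ad-partition>
    <source-ad-account>svc-adamsync</source-ad-account>
    <account-domain>fabrikam.com</account-domain>
    <target-dn>$targetDn</target-dn>
    <query>
      <base-dn>ou=staff,dc=fabrikam,dc=com</base-dn>
      <object-filter>(&amp;(objectCategory=person)(objectClass=user))</object-filter>
      <attributes>
        <include>objectSid</include>
        <include>userPrincipalName</include>
        <include>givenName</include>
        <include>sn</include>
        <include>displayName</include>
        <include>mail</include>
        <exclude></exclude>
      </attributes>
    </query>
    <schedule>
      <aging>
        <frequency>0</frequency>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update></runs-since-last-object-update>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>
"@ | Set-Content -Path $configFile -Encoding ASCII

# 3. Load the configuration into the instance (prompts for the sync account's password
#    instead of storing it in the file), then run a sync against the configured target DN.
adamsync /install $ldsServer $configFile /passPrompt
adamsync /sync $ldsServer $targetDn /log ".\adamsync.log"

# 4. Quick check: list what landed in the target container and which attributes it carries.
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ldsServer/$targetDn")
$search = New-Object System.DirectoryServices.DirectorySearcher(
    $root, "(objectClass=user)", [string[]]@("userPrincipalName", "mail", "displayName"))
$search.FindAll() | ForEach-Object {
    "{0}  <{1}>" -f $_.Properties["userprincipalname"][0], $_.Properties["mail"][0]
}
```

Two practical points worth keeping in mind with this layout: the sync account only needs read access to the source OU, so do not hand it anything more; and because objectSid is in the include list, the LDS object keeps the client's SID, which is what an msDS-BindProxy based proxy-authentication class (mentioned in the comments above) relies on.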

You can use the free Identity Integration Feature Pack from MS to sync selected attributes between AD and AD LDS. You can download it here: http://www.microsoft.com/download/en/details.aspx?id=11149

I'm not sure if it supports server 2008. It may be included in server 2008 as a role now.

JimSTAT