ADAM
James Cowling, Senior Technical Architect
Agenda
• What is ADAM?
• Relevance to IAM
• Real-world Implementation Scenarios
What is ADAM?
• LDAP Directory
• Based on AD technology
• Simple and clean to install and uninstall
• Without AD's NOS and historical baggage
• Supports both
  • DC=Microsoft,DC=COM
  • O=Microsoft,C=US
• Integrates tightly with AD authentication
• Basically free
Technical Matters of Interest
• Installation
  • Simple to install
  • Wizard or unattended
  • Multiple installs per server
  • XP install limited to 10,000 objects
• Password Policies
  • Complexity rules similar to AD
• Backup and Restore
  • EDB and LOG files
Replication
• Replication between ADAM instances on different computers
  • Using AD technology
• Flexible replication models possible
Administration
• Technical administration via command-line tools
  • DSMGMT
    • Manage partitions, FSMO roles, policies, ports
  • REPADMIN
    • Troubleshoot replication
  • DSDBUTIL
    • Manage and troubleshoot the database
  • DSACLS
    • Manage access control lists
Identity Administration
• ADSIEdit and LDP supplied with ADAM
• Many other tools exist
  • Web-based
  • Explorer-integrated
  • Build or buy
• Delegated Administration Permissions
  • Through ADAM ACLs in user context
  • Through 3rd-party tools in service account context
ADAM and IAM
• Centralized Identity Storage
• Flexible Authentication
• Centralized Identity Management
• Centralized Role Management
Identity Storage (diagram: Users, Groups, Roles)
Authentication
• Primary authentication method is LDAP simple bind
• Forwards Windows Integrated Authentication for unknown users, and
• Proxies LDAP binds for known users
  • To AD and NT4
  • In same or trusted domains
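The bind-proxying arrangement on this slide, as an added illustration that is not part of the original deck: an LDIF fragment that creates an ADAM userProxy object whose objectSid names the matching AD account, so a simple bind against ADAM is redirected to AD for password validation. The OU, the user name and the SID are placeholders I have assumed, and the fragment assumes the MS-UserProxy.ldf schema extension has already been imported into the instance.

```ldif
# Constructed example (not from the original deck).
# Assumes the partition DC=Microsoft,DC=COM from the slides and that
# MS-UserProxy.ldf has been imported, so the userProxy class exists.
# Import with (assumed instance on the default port):
#   ldifde -i -f proxy.ldf -s localhost -t 389
dn: CN=Jane Smith,OU=People,DC=Microsoft,DC=COM
changetype: add
objectClass: userProxy
cn: Jane Smith
# objectSid must be the SID of the AD account that the bind is
# redirected to; read it from that account's objectSid attribute.
# The value below is a placeholder in string form (assumption: the
# instance accepts the string SID here; otherwise supply the binary
# SID base64-encoded with "objectSid::").
objectSid: S-1-5-21-PLACEHOLDER-1105
# Note: no userPassword is stored in ADAM for a proxy object; the
# password check happens in AD. Keep the instance's default
# msDS-Other-Settings value RequireSecureProxyBind=1 so the
# redirected simple bind is only accepted over SSL/TLS, since
# the client sends the password in the clear otherwise.
```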
Solutions
• Single Sign-On
• HR-Driven Provisioning
• Centralized Web-based User Management
Single Sign-On
• Publishing company
  • 5000 users
  • Identities in AD and NT
  • Require SSO for a WebSphere application
Solution
• Central ADAM user directory
• Synchronize with AD and NT using MIIS
• ADAM proxies authentication requests
  • Which are routed to AD and NT appropriately
HR-Driven Provisioning
• Large retailer
  • 65,000 users across multiple companies
  • Growth partly through acquisition
• SAP systems
  • HR
  • Location / Facility Management
  • Portal
  • Workflow
• 34 AD domains
Goals
• Improve internal communication
  • White Pages solution
  • Improve data quality
• Improve efficiency
  • Reduce human intervention during provisioning / deprovisioning
• Maintain control
  • Approval workflows for account creation, assignment of portal roles
• Increase security
  • Identify and remove dormant accounts
  • Increase confidence in security group memberships
Centralized User Admin
• Reinsurance company
  • 5000 users
  • Offices around the world
• "Managed" offices
  • Members of global domain
  • User management provided centrally
• "Unmanaged" offices
  • Stand-alone domains
  • Local user management
Goals
• Provide global access to global applications
  • True Single Sign-On
• Minimize support costs
  • Centralize administration
  • Reduced Sign-On – Password Sync
• Improve security
  • Time-based deprovisioning
Solution
• Centralized web-based user management
  • ASP.NET application
• Identities in ADAM
  • Users, Contacts, Companies, incl. inheritance
• MIIS-based provisioning to other systems
  • Active Directory
  • Oracle-based LOB systems
  • HP/UX-based LOB systems
• Password Synchronization
  • AD password is authoritative
  • Sync to ADAM & HP/UX