AD / LDAP modifications

Ed Stuart

Hi,

I'm considering an AD tree that has approximately 8,000 users.
However, I'd like to make modifications to AD so that I can have User
attributes that indicate if given Users belong to the same family. Is
this feasible? Would a modification such as this kill AD and LDAP
query performance?

Thanks,
Ed

Ed Stuart

I belong to a church that has approximately 8,000 attending. For lots
of reasons, it makes sense to store the member info in AD so that it
is available to LDAP aware applications. However, if you can't
indicate which members are family members or if it isn't practical to
do so, then the gig is up. I'd also need to be able to indicate who
in the family are guardians.

Brian Desmond [MVP]

Ok. So what you might do for guardians is assign parents to be the manager
of their children in AD. For the family in general, you could do a few
things:

1. Define a primary account for each family and make this account the manager
   of all the children, spouses, etc.
2. Pick an attribute in AD you're not going to use and store the family
   relation in there (if you've got Exchange, extension attributes are great
   for this).
3. Add your own attributes to the schema.

Personally, I would probably go for option 2 in your scenario, or perhaps
option 1 depending on how this is set up.

Are you planning to authenticate each member with a Windows account
(website, etc)? If not, you might want to use ADAM instead. It's AD, but it
runs as an application on a server, so no domain controllers, etc. In ADAM,
you could define a class like churchGoer, and add all the attributes you
need to track data.

--
Brian Desmond
Windows Server MVP

Http://www.briandesmond.com

Guest

Brian Desmond said:
Are you planning to authenticate each member with a Windows account
(website, etc)? If not, you might want to use ADAM instead. It's AD, but it
runs as an application on a server, so no domain controllers, etc. In ADAM,
you could define a class like churchGoer, and add all the attributes you
need to track data.

I want to do something similar to Ed, only my Active Directory accounts will
be used to login. I would like to add a class with several attributes
defining permissions to some custom apps. I figured out how to add a single
attribute and associate it with the user class. Is there a way to join
together two classes? I would like to add the following attributes:

jobCode - Long int
ApplicationAPermissionLevel - int
ApplicationBPermissionLevel - int
ApplicationCPermissionLevel - int
ApplicationDPermissionLevel - int
ApplicationEPermissionLevel - int
ApplicationFPermissionLevel - int

I thought that I might be able to create a new class, put these attributes
in it, and then associate it to the user class. Then, to read the values of
these attributes, I would run a query like this:

SELECT adspath, jobCode, ApplicationAPermissionLevel,
       ApplicationBPermissionLevel, ...
FROM 'LDAPPath'
WHERE objectCategory='Person' AND objectClass='user'
  AND sAMAccountName='myaccount'

Would this work? And how can I associate a custom class with the user
class? Or am I looking at this the wrong way?
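Brian's third option applied to the attribute list above, as an added example that is neither poster's own code: an LDIF schema extension that defines one of the integer attributes, wraps it in an auxiliary class, and attaches that class to user, which is how a custom class gets associated with the user class in AD. The OIDs, the class name churchApps, the file name and DC=X are assumptions (ldifde -c swaps DC=X for your real domain).

```ldif
# Added example, not the thread's file. OIDs are PLACEHOLDERS from a fake arc:
# use your registered prefix. Import on the schema master (Schema Admins):
#   ldifde -i -f churchApps.ldf -c "DC=X" "DC=yourdomain,DC=com"

# Integer: attributeSyntax 2.5.5.9 / oMSyntax 2 (a long int such as jobCode
# uses 2.5.5.16 / 65). Repeat with distinct OIDs for Application B-F.
# searchFlags 1 indexes the attribute so equality filters stay fast.
dn: CN=ApplicationAPermissionLevel,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.2554.99999.1
lDAPDisplayName: ApplicationAPermissionLevel
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: TRUE
searchFlags: 1

# Reload the schema cache so the class below can reference the attribute.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# Auxiliary class (objectClassCategory 3) that carries the new attributes.
dn: CN=churchApps,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
governsID: 1.2.840.113556.1.8000.2554.99999.2
lDAPDisplayName: churchApps
objectClassCategory: 3
subClassOf: top
mayContain: ApplicationAPermissionLevel

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# Link the auxiliary class to user: user objects MAY now carry the attributes.
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: auxiliaryClass
auxiliaryClass: churchApps
-
```

Schema extensions are one-way: an attribute can later be deactivated but never removed, so rehearse the import in a lab forest before touching production.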