Novell is now a part of Micro Focus

Discussion: AD vs. (or with) eDirectory

Novell Cool Solutions: Feature

Digg This - Slashdot This

Posted: 26 Jan 2005

Here's an excerpt from a recent Forum discussion on the pros and cons of mixing eDirectory and Active Directory.

Question 1:

"I have an issue where this application must run on a Windows box, but I really do not want to manage both an eDir and a AD. Setting up a workgroup doesn't offer security and manageability I need. I know DirXML will sync passwords, but I do not believe it will sync users (I could be wrong)."

"Anyway, I would like to be able to manage all the users and file access rights from eDirectory. Can eDirectory do this, or what's the best solution?"

Answer A:

No, eDirectory can't replace AD, but it can complement AD. Without using DirXML or another solution between eDirectory and AD, eDirectory on Windows is actually nothing more than a LDAP directory and replica place holder.

Yes, DirXML (Identity Manager 2) will sync users, groups, and passwords. However, you can't manage file access rights on NTFS partitions from eDirectory. You must use the Microsoft-supplied tools to do that.

Answer B:

DirXML/Identity Manager can synch pretty much any object to pretty much any other database, application or directory.

The best answer for your situation depends on the application you're considering. If the app "requires AD", then you need AD - eDirectory doesn't emulate AD (yuk! :-). You could also use DirXML to have eDirectory feed AD. That way you wouldn't have to administer AD - you could do it all from eDirectory.

If the app requires more, the solution could change - it really depends on the app and its level of integration with AD. I've seen apps that "required AD" but only used it for an LDAP authentication. Note that eDirectory (or any LDAP-compliant DS for that matter) can do that with no problem. As I said, it depends on the app and what it needs.

Answer C:

Well, Identity Manager will do that for you. Depending on the app's complexity, you'd just need to have IDM create the users and put them in a specific AD group (based on a group in eDirectory) that could give them access to the app.

But that does not mean you have to administer users and file rights on Windows. You have to administer users in SQL ...

Question 2:

"At our company we have just the DirXML starter pack. A software vendor that we use has decided to move off the pervasive engine onto MS SQL. I just do not want to have to manage two systems. All I want is to create and modify objects in eDirectory, such as file access, user creation, and basic management. I don't want to have to create a user in eDir then have to create that user in AD."

Answer A:

If you're doing MS things, you're likely going to have to manage two systems. Consider it a hidden cost that this vendor is passing along to you. It becomes a cost of the product, in terms of higher and more expensive maintenance costs (ongoing) in addition to the deployment and training costs (one-time).

If you're trying to do everything via eDirectory on Windows, you likely won't get what you want. DirXML will help you (the starter pack will do, you don't need IDM2 for this) by managing the users and groups. You'll have to deal with the file system via the MS tools, though you can probably set this up with groups then just manage group membership in MAD via DirXML.

Answer B:

As for following the vendor, is it time to select a different one?

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates