I have to wonder what the average number of domains in an Active Directory forest is in most enterprises. Do many organizations only have 1 domain within their AD forest? I suppose the question is not solely about AD, but about LDAP directories in general.

If directories can have multiple partitions, why do so many apps assume there is only one?

Time and time again an app is brought into my environment that was sold to an internal group as something that can do “Active Directory” for authentication. What they usually mean is that it can do LDAP, and by LDAP I usually find they mean one of these possibilities:

  • Connects to a server, and can enumerate partitions
    • This is the rarity to find, where an app can enumerate the partitions and chase referrals between them.
    • Cognos was a refreshing surprise after finding some undocumented options for their product.
  • Connects to a server, but you can only specify ONE partition (naming context)
    • Obviously, if you have an app that can only do this and you have multiple partitions, there is going to be a problem.
    • Unfortunately, this seems to be the most common scenario I find. It is surprising that some of the larger “enterprise” apps out there fall into this category. What kind of enterprise were they planning to be implemented in?
    • A common thread is usually an app using a Java class, so there might be a limitation there, but I am not sure. It is very common in the IBM suite of products (Lotus/WebSphere, etc.), but I have seen this problem with many 3rd parties as well as MS apps.
  • Can specify multiple authentication points, but still only one partition per authentication point
    • A little better, but now you have precedence issues as well if you can’t specify, via the application, which NC to validate against.

So, “LDAP support” is not always the same level of LDAP support. It is just hard to believe that these applications seem to assume a large enterprise has only 1 directory to be addressed.
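To make the first category concrete, here is an added example (not from the original post, and not any vendor's code) of the partition-aware behaviour an app needs: read the namingContexts a directory publishes in its RootDSE, map any DN the app meets to the partition that owns it, and do the same for an LDAP referral URL before chasing it. The RootDSE values and DNs are constructed, and nothing is contacted over the network.

```python
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlparse

# Constructed RootDSE namingContexts: forest root, two child domains,
# and the forest-wide Configuration partition.
NAMING_CONTEXTS = [
    "DC=example,DC=com",
    "DC=emea,DC=example,DC=com",
    "DC=apac,DC=example,DC=com",
    "CN=Configuration,DC=example,DC=com",
]


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas into lower-cased, stripped RDNs."""
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current, escaped = current + ch, False
        elif ch == "\\":
            current, escaped = current + ch, True
        elif ch == ",":
            rdns.append(current.strip().lower())
            current = ""
        else:
            current += ch
    rdns.append(current.strip().lower())
    return rdns


def owning_partition(dn: str, naming_contexts: List[str]) -> Optional[str]:
    """Longest naming context that is a suffix of dn (child domains win), else None."""
    rdns = split_dn(dn)
    best, best_len = None, 0
    for nc in naming_contexts:
        nc_rdns = split_dn(nc)
        n = len(nc_rdns)
        if n <= len(rdns) and rdns[-n:] == nc_rdns and n > best_len:
            best, best_len = nc, n
    return best


def referral_target(url: str, naming_contexts: List[str]) -> Tuple[Optional[str], str, Optional[str]]:
    """Parse an RFC 4516 referral URL into (host, base DN, owning partition or None)."""
    parts = urlparse(url)
    base_dn = unquote(parts.path.lstrip("/"))
    # A None partition means the referral points outside every known
    # context and should not be chased blindly.
    return parts.hostname, base_dn, owning_partition(base_dn, naming_contexts)
```

An app in the "one partition only" category effectively hard-codes a single entry of NAMING_CONTEXTS and never runs this lookup, which is why users in a child domain fail to authenticate.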

There are solutions to resolve these issues if you find you have application groups coming to you AFTER they purchase the application. I’ll try to address some solution scenarios later that may make sense.
