Layer 7 Identity Management

Active Directory:  Full C++ versus "AD-Lite" JCS Connector

    Posted 10-24-2016 11:57 AM

    Team,

     

    Usually we default to the OOTB C++ connector for Identity Suite (Identity Manager, Identity Governance) to manage Active Directory. I thought I would list the pros and cons about using the JCS connector, to see if there are some use-cases where an "AD-Lite" version could be leveraged, e.g. the new IDVA (Identity Suite Virtual Appliance) without the need for a MS Windows Server.

     

     

    MS Active Directory is very near LDAPv3 standards.  

    Similar:

    -   The primary naming attribute, the cn (common name) value, must be unique within an OU, but you could have the same cn value multiple times if each is in its own OU.

    -  ObjectClass & Last Name (sn) are mandatory objects per the usual InetOrg schema.

    -  Able to use any LDAP client tool (jxplorer, SoftTerra LDAPBrowser, Apache Directory Studio, ldapsearch, CA Directory dxsearch, etc.) to query & update MS Active Directory

    -  userPassword is one of the MS Active Directory attributes that stored the user's password in a hash format.

    -  Both non-SSL/TLS port and SSL/TLS ports are offered to manage via LDAP/S protocol.

    - SSL/TLS CA and Server certificates are used to secure the LDAP communication.

    Difference:

    - The MS Active Directory attributes, sAMAccountName and UPN, are REQUIRED, regardless of OU location, to be UNIQUE within the MS AD Domain and MS AD Forest, respectively. This feature does not exist in LDAPv3 standards but could likely be emulated by some directories or via client tools.

    - The MS Active Directory attribute memberOf maintains referential integrity between user objects and group objects; user DN values are populated on AD Group objects, and group DN values are populated on user objects.

     

     

    MS Active Directory offers two (2) tools that are very useful to manage user and group objects via LDAP/S:  

    csvde.exe and ldifde.exe

     

    Step-by-Step Guide to Bulk Import and Export to Active Directory 

    Ldifde 

    https://support.microsoft.com/en-us/kb/555634 

    Csvde 

     

     

    MS AD C++ Connector Benefits:

     

    The benefits of using the CA Identity Suite/Identity Manager/Identity Governance C++ connector for MS Active Directory.

    - Already exists OOTB.

    - Manages the user objects & group objects with no agents required, via a service account over TCP 636 with TLS Security

    - Has the ability to view ALL of the MS AD schema OOTB and/or any expansion of MS AD schema by MS Exchange

        - May be expanded to additional attributes, via C++ AD payload extension file.

        - Has awareness of the uniqueness of sAMAccountName and UPN attributes to report error message based on duplication.

    - Has the ability to auto-create a home folder using MS AD API using variables recommended by MS

    - Has the ability to manage auto-failover using MS AD list of peer servers provided with 1st connection.

        - May be limited to a sub-list of auto-failover servers via a properties file.

    - Has the ability to manage MS Exchange creation/update/deletion with the MS AD Connector and MS API Tools (Powershell/WinRM)  or with an agent (if need pre/post exits)

    - Has the ability to execute PRE/POST exits upon User Creation process from the IMPS server, e.g. MS Powershell / MS VBscripts / MS Win Batch / KIX scripts / etc.

     

     

     

    "AD-Lite" JCS/IAMCS Connector Benefits & Gaps:

     

    The benefits of using the CA Identity Suite/Identity Manager/Identity Governance IAMCS/JCS connector for an "AD-Lite" endpoint.

    - Requires use of ConnectorXpress and about 1-2 hours per domain to configure and use.  Include QA time.

    - Manages the user objects & group objects with no agents required, via a service account over TCP 636 with TLS Security

    - Has the ability to view ALL of the MS AD schema but would need to be defined for each value.  

        - May be as little or as much as is required, via the CX XML mapping exercise.

        - May manage self-password and delegated password change, by updating the userPassword attribute.

    - May be used with Linux/Unix deployments & does NOT require a MS Windows server for the Identity Suite/IDVA virtual appliance.

    - May be used to validate that the public CA root certificate is correct, prior to use of the C++ connector, to manage password changes over TCP 636 with TLS.

    - May be able to manage PRE/POST exits via Operation Bindings (JavaScript) on the CX Connector for user and group objects.

    Gaps:

    - Does NOT have the ability to auto-create a home folder

    - Does NOT have the ability to manage auto-failover using MS AD list of peer servers

    - Does NOT have the ability to manage MS Exchange creation/update/deletion

    - Will NOT have awareness of the uniqueness of sAMAccountName and UPN attributes.

     

     

     

     

    Three (3) use-cases where the "AD-Lite" would have value are:

     

    1) Password Reset Only

    2) Base AD Provisioning/De-Provisioning  (No home folder/No MS Exchange)

    3) Governance Query of AD endpoint user access for Campaign (user versus manager)

     

     

    Thoughts?

     

     

    Alan
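
The uniqueness rules listed in the post (cn per OU, sAMAccountName per domain, UPN per forest), which the post says the "AD-Lite" connector will not be aware of, written as a stand-alone pre-provisioning check. This is an added example, not code from the original post or from the product; the directory entries and the `parseDn` / `findConflicts` names are constructed for illustration and it does not use the Connector Xpress binding API. It assumes the existing entries have already been read from the directory and that values are compared case-insensitively.

```javascript
// Constructed sample data: one forest (example.com) with two domains.
const existing = [
  { dn: "CN=Jane Doe,OU=Sales,DC=emea,DC=example,DC=com",
    sAMAccountName: "jdoe", userPrincipalName: "jdoe@example.com" },
  { dn: "CN=Smith\\, John,OU=IT,DC=amer,DC=example,DC=com",
    sAMAccountName: "jsmith", userPrincipalName: "john.smith@example.com" },
];

// Split a DN into RDNs on commas that are not backslash-escaped, then derive
// the leaf RDN, the parent container and the domain (the DC= components).
function parseDn(dn) {
  const rdns = dn.split(/(?<!\\),/).map((r) => r.trim().toLowerCase());
  return {
    rdn: rdns[0],
    parent: rdns.slice(1).join(","),
    domain: rdns.filter((r) => r.startsWith("dc=")).join(","),
  };
}

// Return the sorted list of attributes on which `candidate` collides with
// an entry in `entries`. An empty list means the add can proceed.
function findConflicts(entries, candidate) {
  const c = parseDn(candidate.dn);
  const sam = candidate.sAMAccountName.toLowerCase();
  const upn = candidate.userPrincipalName.toLowerCase();
  const conflicts = new Set();
  for (const e of entries) {
    const p = parseDn(e.dn);
    // cn only has to be unique among siblings in the same OU.
    if (p.parent === c.parent && p.rdn === c.rdn) conflicts.add("cn");
    // sAMAccountName: unique within the domain, whatever the OU.
    if (p.domain === c.domain && e.sAMAccountName.toLowerCase() === sam) {
      conflicts.add("sAMAccountName");
    }
    // UPN: unique across the forest (all sample entries are one forest).
    if (e.userPrincipalName.toLowerCase() === upn) {
      conflicts.add("userPrincipalName");
    }
  }
  return [...conflicts].sort();
}
```
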