What is the Point of Active Directory/LDAP Specification?

My college threw an interesting curve ball today and I couldn't give him a good enough answer. The question was simple: 'What is the point of Active Directory?' Now I don't have a lot of exposure to Active Directory, but I thought I could easily answer. My argument was: if you have a group of objects, it's easy to look up attributes for those objects using Active Directory. For example, if you have a group in AD and you want to verify the users of that group, you simply look up the member attribute of that group. However, he argued, rightly so, that you can do that with a table in a database, so why do that in AD? I couldn't give him a good enough answer and now I'm curious. Given the above example, why use AD over a database?
To me AD is a way to manage a set of resources, whatever they are, by mapping them to objects that have however many attributes. But we could do that in a database, so what's the point of AD? Why do you use AD?

I come from a primarily database-centric background. Just like life experience, it casts a certain perspective on problems. Database people solve things with databases. Directory people solve things with directories. Everyone has their perspective. It's not really about who's right and who's wrong. It's about perspective because people are most likely to go with what's familiar when given a problem. It's easy to have this conversation in an educational environment but when you're on the job it's about turf, schedules and careers. My latest job (in which this debate comes up a lot) has been about directories which has been a very enlightening experience because I've been given a gift of perspective. I can put on the directory hat and look at it from another angle.
To get back to your professor's question. The answer is easy. LDAP (AD or other) is an application above a database. It has a data store behind it, in most cases we can just assume this is a database. So, in short, it's apples to oranges. But if we insist on comparing which makes the better juice, let's look at how we'd make a database like a directory. We could create a data model with an attributes table, an entries table and so on. We can deconstruct what LDAP data structures really are and implement each type as a table with FK/PK relationships and so on. It's sure to work because there are already so many products on the market doing this very thing. But think about the effort now. How are you going to add new users? A front-end? Stored procedures? Scripts? How are you going to keep someone from seeing things they shouldn't? You have to insert an object into all the right tables to ensure that your data is consistent and valid. In a pure database, you're trying to create ACLs on database rows. Now you're writing a full-featured application with a lot of complexity. Given enough directory features, the database isn't going to be able to do everything without an external application.
What is the point of LDAP? It's got hierarchy, ACLs, group of unique names functionality and things that are a layer of abstraction above the data store. I love databases but if you start designing out a directory server from scratch you'll realize it's far beyond comparing a user.ldif to a row in a user table. They are similar in appearance but different types of software.
Edited by: milkfilk on Dec 16, 2008 11:48 AM
Edited by: milkfilk on Dec 16, 2008 11:54 AM
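
The trade-off described in the answer above, as an added example that is not part of the original thread: entries and attributes map onto two tables and the group lookup is one query, but subtree scoping and per-attribute read control end up in application code sitting above the database. The table layout, the sample DNs and the simplified "nearest subtree, most specific rule wins" ACL semantics are assumptions for illustration, not the access-control model of AD or any particular LDAP server.

```python
import sqlite3

# Constructed sample DNs (hypothetical, not from the thread).
ROOT = "dc=example,dc=com"
PEOPLE, GROUPS = f"ou=people,{ROOT}", f"ou=groups,{ROOT}"
ALICE, BOB = f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"
ADMINS = f"cn=admins,{GROUPS}"

def build_db():
    """Create entries/attributes/acl tables and load the constructed data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE entries (dn TEXT PRIMARY KEY, parent_dn TEXT REFERENCES entries(dn));
        CREATE TABLE attributes (dn TEXT REFERENCES entries(dn), name TEXT, value TEXT);
        -- Assumed ACL model: a rule covers base_dn and everything below it.
        CREATE TABLE acl (base_dn TEXT, subject TEXT, attr TEXT, allow INTEGER);
    """)
    db.executemany("INSERT INTO entries VALUES (?, ?)", [
        (ROOT, None), (PEOPLE, ROOT), (GROUPS, ROOT),
        (ALICE, PEOPLE), (BOB, PEOPLE), (ADMINS, GROUPS)])
    db.executemany("INSERT INTO attributes VALUES (?, ?, ?)", [
        (ALICE, "mail", "alice@example.com"), (ALICE, "userPassword", "constructed-hash-a"),
        (BOB, "mail", "bob@example.com"), (BOB, "userPassword", "constructed-hash-b"),
        (ADMINS, "member", ALICE)])
    db.executemany("INSERT INTO acl VALUES (?, ?, ?, ?)", [
        (ROOT, "*", "*", 1),                  # anyone may read the tree
        (PEOPLE, "*", "userPassword", 0),     # except password hashes
        (PEOPLE, ALICE, "userPassword", 1)])  # which one named subject may read
    return db

def group_members(db, group_dn):
    """The easy part: group membership is one query over a table."""
    return [r[0] for r in db.execute(
        "SELECT value FROM attributes WHERE dn = ? AND name = 'member'",
        (group_dn,))]

def ancestors(db, dn):
    """Return dn followed by its ancestors, nearest first."""
    return [r[0] for r in db.execute("""
        WITH RECURSIVE up(dn, depth) AS (
            SELECT ?, 0
            UNION ALL
            SELECT e.parent_dn, up.depth + 1
            FROM entries e JOIN up ON e.dn = up.dn
            WHERE e.parent_dn IS NOT NULL)
        SELECT dn FROM up ORDER BY depth""", (dn,))]

def can_read(db, subject, dn, attr):
    """Nearest subtree with a matching rule decides; no rule means deny."""
    for base in ancestors(db, dn):
        rules = db.execute(
            "SELECT subject, attr, allow FROM acl WHERE base_dn = ? "
            "AND subject IN (?, '*') AND attr IN (?, '*')",
            (base, subject, attr)).fetchall()
        if rules:
            # An exact subject beats '*', then an exact attribute beats '*'.
            best = max(rules, key=lambda r: (r[0] != "*", r[1] != "*"))
            return bool(best[2])
    return False

def search(db, subject, base_dn):
    """Subtree search that returns only what `subject` may read."""
    rows = db.execute("""
        WITH RECURSIVE down(dn) AS (
            SELECT ?
            UNION ALL
            SELECT e.dn FROM entries e JOIN down ON e.parent_dn = down.dn)
        SELECT a.dn, a.name, a.value
        FROM attributes a JOIN down ON a.dn = down.dn
        ORDER BY a.dn, a.name""", (base_dn,)).fetchall()
    result = {}
    for dn, name, value in rows:
        if can_read(db, subject, dn, name):  # enforced here, not by the database
            result.setdefault(dn, {}).setdefault(name, []).append(value)
    return result

if __name__ == "__main__":
    db = build_db()
    print(group_members(db, ADMINS))
    print(search(db, BOB, PEOPLE))
```

Any client with direct SQL access to the `attributes` table bypasses `can_read` entirely, which is why the answer says the ACL logic ends up in an external application.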

Similar Messages

  • What is the concept of Active directory in HFM

    Hi Experts
    What is the concept of Active directory in HFM?
    regards
    Dev

    Hi Dave,
    Not sure if this is your exact requirement... but might be helpful.
    The concept of Active Directory is that users can log in to the HFM application with their Windows credentials. To make that work, you first need to configure it.
    Please refer to the link below, page 23:
    http://docs.oracle.com/cd/E17236_01/epm.1112/hss_admin_1112200.pdf
    Hope this helps,
    Thank you,
    Charles Babu J

  • What is the default Win2000 Active Directory Object Attribute definition for adding users? I'm using the 4.1 Netscape Directory SDK

    The Netscape/NDS AddUser implements inetOrgPerson, and some other objects/Attributes not implemented in Active Directory Object Attributes, and I receive errors about the Attributes. Could you tell me the correct Attribute definition for the default DS, to add a user?

    Unsure what you mean. iDS 5 implements inetOrgPerson as of the RFC. It is made of 4 objects: top, person, organizationalPerson and inetOrgPerson. The user object in MAD uses many more MS-specific attributes in the top class (53 extras).

  • What are the difference between Active Directory 2008 R2 and 2012 R2

    what are the difference between Active Directory 2008 R2  and 2012 R2
    or what are the new features in active directory of 2012 R2

    Take a look here
    http://technet.microsoft.com/en-us/library/dn268294.aspx
    Lastly, here is another forum post talking about almost the same thing:
    Difference between AD DS 2008 R2 and AD DS 2012
    Hope this helps!

  • To build the organization's Active Directory permissions are what we need

    To build the organization's Active Directory permissions are what we need

    what is your actual question?  Can you be more specific?
    Santhosh Sivarajan | Houston, TX | www.sivarajan.com

  • Exchange 2013 cu3 setup fails with 'problem... validating the state of Active Directory... supplied credential... invalid'

    Windows Server 2013; Exchange Server 2013 with Cumulative Update 1
    Cannot install Cumulative Update 3 for Exchange Server 2013. It fails with
    [xxx] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Active Directory operation failed on . The supplied credential for 'XXX\Xxx' is invalid.  See the Exchange setup log for more information on this error.
    [xxx] [0] [ERROR] Active Directory operation failed on . The supplied credential for 'XXX\Xxx' is invalid.
    [xxx] [0] [ERROR] The supplied credential is invalid.
    (Crosses - XXX - replace original values.)
    I have found that a few others have experienced the same problem but found no solution, nor could come up with anything myself. If it is any hint, Event 40961 was logged in the Event Viewer around the same time on almost all installation attempts to be purely coincidental:
    The Security System could not establish a secured connection with the server
    ldap/xxx.xxx/[email protected] No authentication protocol was available.
    Both Windows Server and Exchange Server otherwise work OK, and do not recall any issues with Cumulative Update 1 installation.

    Hi vhr1,
    Based on my knowledge, the Event ID 40961 is a warning message.
    This behavior occurs when we restart the server that was promoted to a DC. The Windows Time service tries to authenticate before Directory Services has started.
    Found some resources for your reference even if the Exchange Version is mismatched:
    http://blogs.technet.com/b/jhoward/archive/2005/04/20/403946.aspx
    http://support.microsoft.com/kb/823712/en-us
    About the error message, "Setup encountered a problem while validating the state of Active Directory: Active Directory operation failed on . The supplied credential for 'XXX\Xxx' is invalid."
    The error message InvalidCredentials means: the wrong password was supplied or the SASL credentials cannot be processed.
    Found a similar thread for your reference, hope it is helpful:
    http://social.technet.microsoft.com/Forums/en-US/98e26ad6-8e43-4ef5-8ff9-e9fee6e76bda/bind-operation-is-invalid?forum=exchangesvrdeploylegacy
    Feel free to contact me if there is any problem.
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site

    Have an existing ex2010 sp3 organization.
    Could not run ex2013cu1 setup from my newly built 2012 server, getting the error in the subject line.  I used the command line to run the AD preparation steps successfully from my 2012 DC/GC, then tried to run setup again from the new 2012 server and still get the same error.  The error itself in the log is pretty useless:
    [05/07/2013 01:19:13.0137] [0] **********************************************
    [05/07/2013 01:19:13.0137] [0] Starting Microsoft Exchange Server 2013 Cumulative Update 1 Setup
    [05/07/2013 01:19:13.0137] [0] **********************************************
    [05/07/2013 01:19:13.0152] [0] Local time zone: (UTC-08:00) Pacific Time (US & Canada).
    [05/07/2013 01:19:13.0152] [0] Operating system version: Microsoft Windows NT 6.2.9200.0.
    [05/07/2013 01:19:13.0152] [0] Setup version: 15.0.620.29.
    [05/07/2013 01:19:13.0152] [0] Logged on user: DOMAIN\ADMINISTRATOR.
    [05/07/2013 01:19:13.0168] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
    [05/07/2013 01:19:13.0168] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
    [05/07/2013 01:19:13.0215] [0] Command Line Parameter Name='sourcedir', Value='\\h1\f$\junk\installers\server\Exchange\2013cu1'.
    [05/07/2013 01:19:13.0215] [0] Command Line Parameter Name='mode', Value='Install'.
    [05/07/2013 01:19:13.0215] [0] RuntimeAssembly was started with the following command: '/sourcedir:\\SERVER\f$\junk\installers\server\Exchange\2013cu1 /mode:Install'.
    [05/07/2013 01:19:13.0215] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
    [05/07/2013 01:19:13.0793] [0] Finished loading screen CheckForUpdatesPage.
    [05/07/2013 01:19:38.0762] [0] Finished loading screen UpdatesDownloadsPage.
    [05/07/2013 01:19:40.0496] [0] Starting file's copying...
    [05/07/2013 01:19:40.0496] [0] Setup copy files from '\\SERVER\f$\junk\installers\server\Exchange\2013cu1\Setup\ServerRoles\Common' to 'C:\Windows\Temp\ExchangeSetup'
    [05/07/2013 01:19:40.0700] [0] Finished loading screen CopyFilesPage.
    [05/07/2013 01:19:40.0840] [0] Disk space required: 1292445007 bytes.
    [05/07/2013 01:19:40.0840] [0] Disk space available: 23767240704 bytes.
    [05/07/2013 01:19:59.0762] [0] File's copying finished.
    [05/07/2013 01:19:59.0965] [0] Finished loading screen InitializingSetupPage.
    [05/07/2013 01:20:02.0934] [0] Setup is choosing the domain controller to use
    [05/07/2013 01:20:09.0325] [0] Setup is choosing a local domain controller...
    [05/07/2013 01:20:11.0794] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency. 
    See the Exchange setup log for more information on this error.
    [05/07/2013 01:20:11.0794] [0] [ERROR] Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency.
    [05/07/2013 01:20:11.0809] [0] Setup will use the domain controller ''.
    [05/07/2013 01:20:11.0809] [0] Setup will use the global catalog ''.
    [05/07/2013 01:20:11.0825] [0] Exchange configuration container for the organization is 'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local'.
    [05/07/2013 01:20:11.0919] [0] Exchange organization container for the organization is 'CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local'.
    [05/07/2013 01:20:11.0966] [0] Setup will search for an Exchange Server object for the local machine with name 'WEX1'.
    [05/07/2013 01:20:12.0028] [0] No Exchange Server with identity 'WEX1' was found.
    [05/07/2013 01:20:12.0044] [0] The following roles have been unpacked:
    [05/07/2013 01:20:12.0044] [0] The following datacenter roles are unpacked:
    [05/07/2013 01:20:12.0044] [0] The following roles are installed:
    [05/07/2013 01:20:12.0059] [0] The local server does not have any Exchange files installed.
    [05/07/2013 01:20:12.0075] [0] Server Name=WEX1
    [05/07/2013 01:20:12.0137] [0] Setup will use the path '\\SERVER\f$\junk\installers\server\Exchange\2013cu1' for installing Exchange.
    [05/07/2013 01:20:12.0137] [0] The installation mode is set to: 'Install'.
    [05/07/2013 01:20:27.0591] [0] An Exchange organization with name 'DOMAIN' was found in this forest.
    [05/07/2013 01:20:27.0591] [0] Active Directory Initialization status : 'False'.
    [05/07/2013 01:20:27.0591] [0] Schema Update Required Status : 'False'.
    [05/07/2013 01:20:27.0591] [0] Organization Configuration Update Required Status : 'False'.
    [05/07/2013 01:20:27.0591] [0] Domain Configuration Update Required Status : 'False'.
    [05/07/2013 01:20:27.0841] [0] Applying default role selection state
    [05/07/2013 01:20:27.0872] [0] Setup is determining what organization-level operations to perform.
    [05/07/2013 01:20:27.0872] [0] Because the value was specified, setup is setting the argument OrganizationName to the value DOMAIN.
    [05/07/2013 01:20:27.0872] [0] Setup will run from path 'C:\Windows\Temp\ExchangeSetup'.
    [05/07/2013 01:20:27.0888] [0] InstallModeDataHandler has 0 DataHandlers
    [05/07/2013 01:20:27.0888] [0] RootDataHandler has 1 DataHandlers
    [05/07/2013 01:20:27.0903] [0] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency.  See
    the Exchange setup log for more information on this error.
    [05/07/2013 01:20:27.0935] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency. 
    See the Exchange setup log for more information on this error.
    [05/07/2013 01:21:04.0154] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
    [05/07/2013 01:21:04.0154] [0] End of Setup
    [05/07/2013 01:21:04.0154] [0] **********************************************

    Hi,
    The cause is clearly described in the log:
    [05/07/2013 01:20:11.0794] [0] [ERROR] Setup encountered a problem while validating the state of Active Directory: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency. 
    See the Exchange setup log for more information on this error.
    [05/07/2013 01:20:11.0794] [0] [ERROR] Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency.
    I'd suggest you check NIC settings and AD configuration.
    Hope it is helpful.
    Fiona Liao
    TechNet Community Support

  • Getting User Attributes from an Active Directory LDAP

    Hello all.
    I want to extract attributes assigned to a user in the Active Directory LDAP and make them available through the getPropertyValue property in Javascript. I know that a user's System Attributes can be accessed with getPropertyValue but I have not found a way to get specific attributes from the LDAP and make them available as specific attributes in xMII. System attributes like "EmailAddress1" seem to transfer from the LDAP but others don't. Anyone have any ideas?
    Thanks.
    ...Sparks

    Sparks,
    If you're using 11.5 or 12 actually they should all map into the system as session properties.  You can use the following URL to verify your session properties:
    http://<xMIIServer>/Lighthammer/PropertyAccessServlet?Mode=List
    If you are not seeing the attributes you expect then your Attribute Query for User or Role is incorrect for your LDAP system and you need to change the LDAP configuration queries.
    -Sam

  • Integrating Active Directory LDAP in OBIEE 11g

    Hi All,
    I Have Configured Active Directory LDAP in OBIEE.
    Steps I have followed are:
    1) Configured Active Directory in Providers under Security Realm.
    2) Restarted BI Services to load the LDAP users.
    3) Logged in to the EM; under the bifoundation domain selected securities -> security configuration provider. Created user.login.attr and username.attr.
    4) Under Credentials -> oracle.bi.system map -> system.user, deleted BISystemUser and created a key with the existing name in Active Directory.
    5) Assigned the system user to the BISystem role in EM.
    6) In Console, Roles and Policies -> Global Roles -> Roles -> Admin -> View Role Condition (User = Active Directory User or Group = Administrators).
    7) Restarted BI Server and Presentation Services.
    Now I am Unable to Login to Presentation Services.
    Please Reply ASAP.
    Thanks and Regards
    Kiran Kumar

    Kiran, Is there a specific reason for using RPD for LDAP authentication? From 11g onwards, the best practice is to use Weblogic (or external Authentication providers). Is it correct to say that for "Authentication' without proper RPD LDAP config for "USER" variable, users cannot login via presentation layer?
    Cheers!
    BK

  • PowerShell Script Get the User's Active Directory Fully Qualified Login Name for Specific Locked Out Accounts

    I have a script which displays locked out accounts. It works great.
    I'd like to display the fully qualified Active Directory Login Name instead of the LastName, First Name:
    Example: Davis, Susan
    Want instead: Domain\Susan.Davis
    I'd also like to include an additional filter to look for only Domain\Susan.Davis OR Domain\Robin.Givens
    Here is my script:
    # Search the current domain for user objects with a non-zero lockoutTime
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"
    $colProplist = "name","samaccountname"
    foreach ($i in $colPropList) { $objSearcher.PropertiesToLoad.Add($i) | Out-Null }
    $colResults = $objSearcher.FindAll()
    foreach ($objResult in $colResults) {
        $domainname = $objDomain.name
        $samaccountname = $objResult.Properties.samaccountname
        $user = [ADSI]"WinNT://$domainname/$samaccountname"
        $ADS_UF_LOCKOUT = 0x00000010
        # Print the name only if the lockout bit is set in the account's UserFlags
        if (($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
            $objResult.Properties.name
        }
    }
    John
    John

    Sorry, I should have mentioned that the cmdlets I'm using are part of the Active Directory module. You'll need to install the RSAT (Win7+) to use them.
    If you'd rather stick with your DirectorySearcher methods instead of moving to the AD module, you can adjust your output by using something like this instead:
    if (($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
        "$domainname\$($objResult.Properties.samaccountname)"
    }
    $domainname might not be what you're expecting, just FYI.
    As for filtering, you can add to the if statement and check for your known usernames only.

  • What's the Point of Photo Stream?

    What is the point of having the option to turn on or off the photo stream if it no longer exists?  If it has been replaced by the recent activity feature then why not have the option to turn on or off the recent activity feature?

    Photo Stream only handles images and your videos are not uploaded or shared with other devices.
    Use iPhoto to import from your device. It can bring in the videos and image files.

  • What's the point of using a password?

    what's the point of using a password if anyone can insert the installation DVD and choose reset password

    As Barney-15E says, someone with physical control, can just remove the disk, and put it in an external enclosure, and mount the file system with their computer and access all the files.
    Only encrypted data would be protected. There are data encryption facilities available on the Mac, both included, as well as 3rd party, including 3rd party whole disk encryption.
    But having a password on an account, and engaging the password when the screen saver is active, can keep casual access from happening.
    Also if you allow network access (file sharing, remote login, screen sharing), the password will keep random net users from accessing your system, when for example, you are in a coffee shop, or if someone gets onto your WiFi network, or you give a visitor to your home access to your network, or you allow a guest to use the guest account.

  • I am extremely upset. I purchased my iPad in SA and I am traveling in Greece. When I want to make use of the free apps, I get a message that the app is not available in the SA store. What is the point of having an iPad if you cannot use it worldwide?

    I am extremely upset. I purchased my iPad in SA and now I am in Greece. I cannot download free apps as I get a message that the apps are not available in the SA store and only in US stores. When I change to the US store the same thing happens. What is the point of having an iPad if I cannot use it worldwide??? I feel that I wasted my money purchasing it as I specifically purchased it to use when I travel. How can I get access to all the available apps and why are they restricted.

    You can use your iPad worldwide. However, each AppleID is tied to
    a specific country's store. To use the AppStore in any country, you
    must be in that country and have a credit/debit card issued by a financial
    institution in that country with a verified billing address in that country.
    It is the developer's choice which AppStores he makes his app available
    from, and some countries prohibit certain apps.
    To make a purchase from the US store (including downloading a free app
    available in the US store), you must be in the US and have card issued
    in the US with verified billing address in the US.
    You can use your purchases from the SA store worldwide, but you
    cannot make purchases in other than the SA store unless you meet
    the aforesaid conditions.

  • What is the point of the download window if you use stacks?

    Greetings,
    One of the most annoying things about the download window was the fact that the window always hung around after completing downloads in Tiger when using Safari. To me, that was just a time waster of always pressing Apple+W to close that window.
    When Leopard was released, I was excited to realize that one function of the download stack was to receive downloads from Safari after completed. However, after completion, the download window still sticks around and I still have to close it... then navigate to my stack of downloads to mount the image. What is the point of the download window if I use stacks now? Why can't the window disappear after completion?
    //Cheers

    Aaargh!! Me too - it's so annoying! Firefox has a downloads window as well - I just don't see the point of it. I didn't like it in Tiger either.
    As a way to see the progress of downloads, it's fine, but it should at least close when all the downloads are finished, and completed downloads should not display.
    Ideally it should look & work exactly like the Copy window in Finder - the one that comes up when you are copying or moving a large file or number of files from one folder to another.
    Is there a hack that will make it work like that?

  • My wife's iPhone was too full to record a video so I upgraded her cloud storage to 20g and did mine at same time. Cloud is showing 15g free storage but she still cannot take any more photos as "not enough memory" What is the point of paying for the extr

    My wife's iPhone was too full to record a video so I upgraded her cloud storage to 20g and did mine at same time. Cloud is showing 15g free storage but she still cannot take any more photos as "not enough memory" What is the point of paying for the extr

    Hello Pushtheriver,
    After reviewing your post, I have located an article that can help in this situation. It contains a number of troubleshooting steps and helpful advice concerning iCloud storage issues:
    Get help using iCloud storage
    This may also help:
    Understanding iOS device capacity
    You can sync and download many different types of content on your device. Some types of content (such as music and videos) typically take more space than others (such as notes and books). The amount of space taken by an app depends on the app's purpose; complex or graphically intense apps usually take more space than simpler apps.
    If your device is near its capacity, you can remove some of the less used content to make room for more.
    Thank you for contributing to Apple Support Communities.
    Cheers,
    BobbyD
