Some of you know that I have been looking for a replacement product to Oracle Directory Server Enterprise Ed. 11G (Formerly Sun Directory Server). I have been researching the option of using AD LDS as a credential store.

Here are the drivers for using an LDAP service outside of Prod AD.

1. We have the need to keep accounts forever so that unaffiliated persons may continue to partner with our institution, i.e., alumni, former employees, etc.

2. I don't want to mix unaffiliated accounts with Production accounts in Active Directory.

3. We are currently populating a highly available, redundant ODSEE 11G instance using F5s and GTMs with this "Forever" information, but it is very hands-on and prone to some errors in regard to configuration.

4. This LDAP instance is hosted on *nix boxes and we want to move to the Microsoft stack. AD LDS made sense because of the close resemblance to some features of AD.

5. The overhead of a new AD forest seems a little overkill for what the LDAP service will do.

I am new to AD LDS, as I have never had any use for it until now. I have made a lot of progress in the past week, but I am now seeing discussions on the internet stating, to the effect, that AD LDS was never intended to be a credential store but more of an application store. My intent was to use AD LDS for users, attributes, groups, and passwords as a replacement for the LDAP solution we currently have.

The question I have is: Is AD LDS truly a viable replacement for the ODSEE LDAP that I am currently using? Would it be better to just bring up an AD instance and call it a day?

I am finding that some of the "it just works" behaviour in AD is not enabled in AD LDS, and I have to figure out how to get the desired results via ACLs. Before I go down the long path, I want to know if this will be worth it.

Brian Britt