ADAM - PowerPoint PPT Presentation

About This Presentation
Title:

ADAM

Description:

Basically Free. Technical Matters of Interest. Installation. Simple to install ... ADAM Proxies Authentication requests. Which are routed to AD and NT appropriately ... – PowerPoint PPT presentation

Slides: 23
Provided by: jamesc51
Category:
Tags: adam | free | list | proxy


Transcript and Presenter's Notes


1
ADAM
  • James Cowling
  • Senior Technical Architect

2
Agenda
  • What is ADAM?
  • Relevance to IAM
  • Real-world Implementation Scenarios

3
What is ADAM?
  • LDAP Directory
  • Based on AD technology
  • Simple and clean to install and uninstall
  • Without AD's NOS and historical baggage
  • Supports both
  • DC=Microsoft, DC=COM
  • O=Microsoft, C=US
  • Integrates tightly with AD authentication
  • Basically Free

4
Technical Matters of Interest
  • Installation
  • Simple to install
  • Wizard or Unattended
  • Multiple installs per server
  • XP install limited to 10000 objects
  • Password Policies
  • Complexity rules similar to AD
  • Backup and Restore
  • EDB and LOG files

5
Replication
  • Replication between ADAM instances on different computers
  • using AD technology
  • Flexible replication models possible

6
Administration
  • Technical Administration via command-line tools
  • DSMGMT
  • Manage partitions, FSMO roles, policies, ports
  • REPADMIN
  • Troubleshoot Replication
  • DSDBUTIL
  • Manage and troubleshoot the database
  • DSACLS
  • Manage Access Control Lists

7
Identity Administration
  • ADSIEdit and LDP supplied with ADAM
  • Many other tools exist
  • Web-based
  • Explorer-integrated
  • Build or Buy
  • Delegated Administration Permissions
  • Through ADAM ACLs in user context
  • Through 3rd Party tools in service account context

8
ADAM and IAM
  • Centralized Identity Storage
  • Flexible Authentication
  • Centralized Identity Management
  • Centralized Role Management

9
Identity Storage
  • Users
  • Groups
  • Roles

10
Authentication
  • Primary authentication method is LDAP simple bind
  • Forwards Windows Integrated Authentication for unknown users, and
  • Proxies LDAP binds for known users
  • to AD and NT4
  • in same or trusted domains

11
Solutions
  • Single Sign On
  • HR-Driven Provisioning
  • Centralized Web-based User Management

12
Single Sign-On
  • Publishing Company
  • 5000 Users
  • Identities in AD and NT
  • Require SSO for a WebSphere application

13
Solution
  • Central ADAM User Directory
  • Synchronize with AD and NT using MIIS
  • ADAM Proxies Authentication requests
  • Which are routed to AD and NT appropriately

14
HR-Driven Provisioning
  • Large Retailer
  • 65,000 users across multiple companies
  • Growth partly through acquisition
  • SAP systems
  • HR
  • Location / Facility Management
  • Portal
  • Workflow
  • 34 AD Domains

15
Goals
  • Improve Internal Communication
  • White Pages solution
  • Improve data quality
  • Improve Efficiency
  • Reduce human intervention during provisioning / deprovisioning
  • Maintain control
  • Approval workflows for account creation, assignment of portal roles
  • Increase Security
  • Identify and remove dormant accounts
  • Increase confidence in security group memberships

16
Solution

17
Centralized User Admin
  • Reinsurance company
  • 5000 Users
  • Offices around the world
  • Managed Offices
  • Members of global domain
  • User management provided centrally
  • Unmanaged Offices
  • Stand-alone domains
  • Local user management

18
Goals
  • Provide global access to global applications
  • True Single Sign On
  • Minimize support costs
  • Centralize Administration
  • Reduced Sign On Password Sync
  • Improve Security
  • Time-based deprovisioning

19
Solution
  • Centralized Web-based User Management
  • ASP.NET application
  • Identities in ADAM
  • Users, Contacts, Companies, incl. Inheritance
  • MIIS-based provisioning to other systems
  • Active Directory
  • Oracle-based LOB systems
  • HP/UX-based LOB systems
  • Password Synchronization
  • AD password is authoritative
  • Sync to ADAM and HP/UX

20
Implementation

21
Questions?

22
ADAM
  • James Cowling
  • Senior Technical Architect