Link to home
Start Free TrialLog in
Avatar of sd6tss
sd6tss

asked on

Virtual OU/Query-Based OU/Active Directory View possible?

We have an Active Directory setup in which we use OUs to seperate our hundreds of users by department in a heirarchial structure. This works great for most applications, but we have a new one coming down the pike called Powerschool which, while it knows how to look up auth info from AD, doesn't know how to do it with search scope=sub, so it seems to require all of our users to be in the same OU. Because we actually use our AD in a specific structure for OU-based policies and that sort of thing, it's not possible for us to move the user accounts into a single OU.

Is it possible to have a single OU whose contents are dynamically updated by an LDAP query?  I'm thinking along the lines of a database view, or even to give a simpler example, the "Search Folders" found in recent versions of Outlook, Thunderbird, Mail.app, and Evolution.

If I could have all of my users in a single OU, at least for query purposes, it would be a huge step forward for us with this Powerschool project.

Thanks.
(Don't hesitate to ask for clarification, I'll be watching this entry closely all day)

--
Sam Powers (sam@rm-r.net)
Database Administrator
Jackson County SD #6, Central Point, OR
Avatar of sd6tss
sd6tss

ASKER

I'd like to use built in tools if possible. I understand that a "Virtual Directory Server" (External LDAP aggregator) may be one option, but that'd be my #2 choice.
Avatar of sd6tss
sd6tss

ASKER

(that is to say that if there were a virtual directory server built into AD, I'd just go ahead and use that instead of getting some other piece of software, but the more i look into it the more it seems like a virtual directory server is what i need)
Avatar of pmarquardt
pmarquardt
Flag of United States of America image
Can you use a distribution/security group instead of an OU container for application mgt? I don't see the reason you are locked into using an OU container for this application. There are also tools available that allow you to custom create schema changes for containers to allow finite control levels on object. I am aware of Quest's tool, but I am certain others are available. Of course you already know about the external LDAP aggregator, so I guess that's a moot subject.
Avatar of sd6tss
sd6tss

ASKER

No, I can't use an exchange distribution group or an AD security group. Powerschool wants to look in a specific LDAP context for objects with a specific attribute filled out (Usually this would be uid or userPrincipalName.)

Because distribution groups and security groups contain their member users as attribute values rather than objects with subordinate DNs, you can't perform a query with your base as the security group, because no data would be returned. Sorry.

I'm working on configuring oracle virtual directory right now, I hope it works out.

(Can I give myself the points for answering the question?)
Avatar of pmarquardt
pmarquardt
Flag of United States of America image
I think the idea is you get to keep your points.... :-)

I wish I could have been of more help to you, but I believe you are on the narrow path with this issue.

Please let me know if I can be of any help to you. I realize how frustrating it can be...
ASKER CERTIFIED SOLUTION
Avatar of ee_ai_construct
ee_ai_construct
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Hellbentmaster
Hellbentmaster
In case this question is open to somebody, I've found the solution:

Now there's a tool that helps view and manage Active Directory objects collectively.
http://www.adaxes.com/tutorials_ActiveDirectoryManagement_ViewAndManageADObjectsCollectively.htm

Thanks.