Jay Thomas (United Kingdom) asked:
A question on Active Directory LDS

Hi all. I read that if choosing AD Lightweight Directory Services for application integration, this is one way to keep the application from adding to the Active Directory, and so decrease the need to expand out the DIT, which increases replication and all that good stuff. My question is perhaps in 2 parts. First, is that assumption correct? And for the main question, if I was to deploy apps in the future to AD LDS, how does LDS integrate into the main Active Directory, if AD LDS is separate from the directory itself? What am I missing here?
Any help appreciated.
ASKER CERTIFIED SOLUTION
Adam Brown (United States)
This solution is only available to members.
Jay Thomas (ASKER):
Thanks Adam, I now understand a lot more than I did 10 mins ago. Can I reproach something: AD LDS can be installed on a member server then? Set the integration that you mention between it and a DC. Right so far?
If so, if we allow AD LDS to pull across the username and password attributes, then in theory the application can point to AD LDS to check userA can access said application, and AD LDS will authorise the application access. Do I have it?
Adam Brown:
You can't directly sync passwords to AD LDS. That's the one attribute it won't allow you to sync to AD LDS, because it's only readable (in clear text, anyway) by the System account on a DC. You can theoretically use Microsoft Identity Manager or a similar application to sync the password to AD LDS, but that's not the best use case for it. A better solution for authentication would be to use ADFS/SAML to authenticate users, and AD LDS to hold and present user data to the application.
Jay Thomas (ASKER):
Brilliant responses Adam, thank you. I also think you just helped me on a question of DIT housekeeping? If so, thanks again for that. Brilliant responses both.