ILM V2 password sync legacy systems

  • Question

  • I have been tasked with researching ILM. We have several legacy applications we have to maintain (most run a SQL DB). I am trying to find out if ILM will assist in resetting and maintaining accounts on those applications. If so, what type of technology would it be. For example, would there need to be code written, or a definition created within ILM?

    From the sources I have found on the web and TechNet it looks like ILM works great if you are in an entire Microsoft shop.

    Regards,

    Jason
    • Moved by Ahmad Abdel-wahed, October 13, 2009 18:15, Wrong forum (From: Identity Lifecycle Manager)
    August 11, 2009 16:10

Answers

  • Jason,

    You will find that you can accomplish your goal using both the current ILM 2007 offering and the future ILM "2" aka FIM2010 offering. Account management will be slightly simpler using FIM2010 for the reasons you will find described on the FIM2010 website.

    For password management for your SQL applications I will suppose that you are talking about actual SQL accounts. You will find an approach on how to work with those on Alex Tcherniakhovski's blog at http://blogs.msdn.com/alextch/archive/2006/06/05/ADtoOra.aspx. Though the article describes Oracle, the approach for SQL Server will be exactly the same. This will give you an extensible MA that will allow you to manage your SQL Server users. The next step will then be to extend your solution to also manage passwords. You do this by coding a Password Extension. An example of how to build this you will find in the Developer help that comes with your system: just search for "Creating Password Extensions" and you will find what you need.

    I hope this helps ...
    Paul.
    Paul Loonen (Avanade)
    August 11, 2009 20:18

All replies

  • Hi Paul,

    I was actually talking about applications that store username and passwords in a SQL or Oracle database. Most of the usernames are the same in several applications but the passwords are all different. I am hoping to connect them with ILM so when you reset your AD password it can reset your password inside a SQL or Oracle database.

    Thanks,

    Jason
    August 14, 2009 18:20
  • Do I understand correctly that you are storing the username and password in a SQL or Oracle table in your database to support your application? Also in that case, you would need to code a password extension that pushes the password to your database table. You will need to provide again the code to store the data that you need in your database. The article I pointed you to above is your guide to accomplish this.
    Paul Loonen (Avanade)
    August 14, 2009 21:06
  • Just to add a little bit to what Paul has been wisely saying, with ILM 2007 and with FIM 2010 you can synchronize password changes from AD to other systems (using PCNS), including passwords stored in SQL tables (assuming you follow Paul's instructions to build a password extension). However, Self-Service Password Reset is a feature that only comes with FIM 2010.

    So here is the work involved:
    After defining each app and learning how passwords are managed in each (confirming that they can handle complex passwords from AD):


    Set up FIM 2010
    Create the AD MA
    Create the SQL MA (one for each SQL app you want to manage)
    Import from AD and SQL MAs
    Defining how to join between AD and the SQL data
    Writing code for the Password Extensions for each SQL MA
    Installing PCNS
    Setting up the SQL MAs as Password Sync Targets
    Setting up the AD MA to receive PCNS

    David Lundell www.ilmBestPractices.com
    August 15, 2009 5:15
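
A sketch of the kind of password extension the replies describe, pushing a new password into an application's user table. This is an added example, not code from the thread or from the product's Developer help. The table `AppUsers` and its columns, the database name `LegacyApp`, the `UserName` connector-space attribute, and the PBKDF2 storage format with its iteration count are all assumptions; the legacy application has to verify passwords in whatever format the extension writes.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
using Microsoft.MetadirectoryServices;

// Added example. Hypothetical table: AppUsers(UserName, PasswordHash, PasswordSalt).
public class SqlAppPasswordExtension : IMAPasswordManagement
{
    private const int Iterations = 100000;   // assumed; must match what the app verifies
    private SqlConnection conn;

    public void BeginConnectionToServer(string connectTo, string user, string password)
    {
        // connectTo/user/password are the values configured for this MA's password extension.
        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder();
        b.DataSource = connectTo;
        b.InitialCatalog = "LegacyApp";       // hypothetical database name
        b.UserID = user;
        b.Password = password;
        b.Encrypt = true;                     // the new password crosses this link in clear form
        conn = new SqlConnection(b.ConnectionString);
        conn.Open();
    }

    // Reporting Secure is only truthful because the connection above is encrypted.
    public ConnectionSecurityLevel GetConnectionSecurityLevel()
    { return ConnectionSecurityLevel.Secure; }

    public void SetPassword(CSEntry csentry, string NewPassword)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);   // fresh random salt per password
        byte[] hash = new Rfc2898DeriveBytes(NewPassword, salt, Iterations).GetBytes(32);
        using (SqlCommand cmd = new SqlCommand(       // parameters, never string concatenation
            "UPDATE AppUsers SET PasswordHash = @h, PasswordSalt = @s WHERE UserName = @u", conn))
        {
            cmd.Parameters.AddWithValue("@h", hash);
            cmd.Parameters.AddWithValue("@s", salt);
            cmd.Parameters.AddWithValue("@u", csentry["UserName"].Value);
            if (cmd.ExecuteNonQuery() != 1)           // fail loudly if the join hit 0 or many rows
                throw new InvalidOperationException("Expected exactly one row for " + csentry.DN);
        }
    }

    // Old-password change and force-change-at-logon are left unimplemented in this sketch.
    public void ChangePassword(CSEntry csentry, string OldPassword, string NewPassword) { throw new EntryPointNotImplementedException(); }
    public void RequireChangePasswordOnNextLogin(CSEntry csentry, bool fRequire) { throw new EntryPointNotImplementedException(); }
    public void EndConnectionToServer() { if (conn != null) conn.Dispose(); }
}
```

The SQL login passed to `BeginConnectionToServer` only needs UPDATE rights on the two password columns; anything broader widens what a compromise of the sync server exposes.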