Reputation: 123
We use Active Directory as the user store for our web application. All of our user information, such as first name, last name, email, phone, company, etc, is stored on the user record there.
Now we need to store a couple more pieces of info, except for these fields there aren't pre-existing fields on the schema that we can use. The fields we need are security question and security question answer.
I feel that we should extend the Active Directory schema to include these fields, thus keeping all of our user information in a single data store. However, our IT department feels that Active Directory should never be extended because they feel it is too dangerous and that Active Directory isn't intended to be used like this.
Who is right, and what is the philosophy for determining what types of attributes are ok to add to the schema?
Th
Upvotes: 3
Views: 2431
Reputation: 765
AD schema is meant to be extended. Casual AD admins have always been afraid of extending the schema especially because the word "permanent" usually followed. But the fact is that permanent in LDAP really is meaningless. If the new schema attributes or objects are never utilized then there is no adverse performance effect on the directory unless you can't bear the thought of looking at unused schema. The only risk of permanent schema is if it conflicts with existing or future schema and that is rare especially if you use unique naming such as "JohnsCompanySecurityAttribute1" etc. I worked at a hospital for 9 years and extending the schema was commonplace and is part of the value of AD or ADAM. Your IT guys can always temporarily take a couple DCs offline during the schema extension if they're still unconvinced. Here is some shameless self promotion related to heavy AD/AM usage in a sensitive clinical environment.
Upvotes: 3
Reputation: 4100
Active Directory initially had really crappy schema support. That is, you could not delete something, you could not change schema much.
With the later releases (2008 R2) you get the ability to do much more with schema. People using other directory services will not have this irrational fear.
Do consider encrypting the data as you store it.
Upvotes: 1
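Following the last answer's point about protecting the stored value, here is an added example (not code from either answer) that stores the security answer as a salted PBKDF2 hash instead of an encrypted copy, since an answer only ever needs to be verified, never read back; the custom attribute names, the iteration count and the user DN are hypothetical, using the unique-prefix naming the first answer recommends.

```python
import base64
import hashlib
import hmac
import os
import unicodedata

# Hypothetical custom attribute names (assumed, not from the page), prefixed
# so they cannot collide with existing or future built-in schema.
QUESTION_ATTR = "johnsCompanySecurityQuestion"
ANSWER_ATTR = "johnsCompanySecurityAnswerHash"
PBKDF2_ITERATIONS = 600_000  # assumed cost; tune to your hardware


def normalize_answer(answer: str) -> str:
    """Canonicalise case, Unicode form and whitespace so "Fluffy " == "fluffy"."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes = b"") -> str:
    """Return a self-describing '$pbkdf2-sha256$iter$salt$digest' string for the attribute."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        _, scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        salt, expected, rounds = base64.b64decode(salt_b64), base64.b64decode(digest_b64), int(iterations)
    except ValueError:
        return False  # malformed or empty attribute value never verifies
    if scheme != "pbkdf2-sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def ldif_modify(user_dn: str, question: str, answer: str) -> str:
    """LDIF modify record writing the question and the hash; the plaintext answer is never stored.
    Assumes the question is plain ASCII (otherwise LDIF requires '::' base64 encoding)."""
    return "\n".join([
        f"dn: {user_dn}", "changetype: modify",
        f"replace: {QUESTION_ATTR}", f"{QUESTION_ATTR}: {question}", "-",
        f"replace: {ANSWER_ATTR}", f"{ANSWER_ATTR}: {hash_answer(answer)}", "-", ""])
```

The LDIF record can be applied with any LDAP client; the hash format carries its own salt and cost so the iteration count can be raised later without a schema change.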