Active Directory employee information - active-directory

Usually in companies, the employee information is stored on an Active Directory server. So I am guessing when we log on to our machine using ID/pwd, it goes and checks an Active Directory. I am wondering why Active directory is so universal in use when storing employee information.
Why not use a db? I am aware theoretically of the differences between AD and DB, but from what I know, I do not see why AD is a natural choice for storing employee information.

Here are some reasons why AD is preferred compared to a Relational Database when storung user data
AD is heirarchical so if your data is like an employee record where you have a superior then AD is a natural choice having said that AD schema consists of objectclasses and attributes rather than an a DB's tables. This means it uses objectclass inheritance model which is cleaner than linking multipe tables together.
Read performance in AD is faster then DB in most cases. But remember DB is faster in saving data.
Data Synchronizatoin happens out of the box and nearly no administration at all.
Probaly not related to your question but worth mentioning, AD already has a built in functionalities such as secure storage for hashed passwords, password policies, permissions around password changes and password resets which if you use a DB you have to build this on your own
Since AD is LDAP then you dont need database drivers to connect to it.
With AD you can have multiple values in one attribute if you do this on a normalized database you have to store each attribute value into multiple table linked to the master table.
Schema is standardized in AD so where ever you go it will remain the same
I hope this helps

Related

Multiple companies in same database

I'm working on a system which for every "company" has their own "users" and their own "bills". That scenario is better in performance and management? Handle all companies in the same database and link everything to an idempresa, or database for each client?
This is called multi tenancy architecture and each customer is a tenant. There are various strategies to deal with it and each one might bring potential problems.
Having a separate database for each tenant is an option that provides data separation and do not require you to add a column to identify each tenant in your tables and queries, but also has the downside to keep multiple databases up to date.
Having a column in each table of a single database to identify your tenants is also a good strategy, but then it brings problems when scaling and managing different features for different customer for example.
You need to study all available strategies and decides which one is best based on your requirements and pain points.
Putting a tenant data in a separate Database is a straight forward approach and less painful option but then in a long run, when your product gets wildly successful, maintaining this database will become a nightmare.
On the Other hand keeping all the Tenants data in a single database could also make your application non scalable and less performable. The better approach would be the combination of both, the decision of making the choice between these two is completely based on the type, usage and size of the customer.
In certain cases, you may need to provision a separate database for a particular module or feature of your application may be for security or to isolate the specific data alone. I have written an article on these lines; kindly have a look at http://blog.techcello.com/2012/07/database-sharding-scaling-data-in-a-multi-tenant-environment/
I think the scaling problem of multi-tenant in a single database can be overcome by proper planning up-front. Plan to make it easy to migrate a tenant and their data to another database anything they become big enough to justify it.
If you can automate this migration, based on tenant ID, in each table then it should be easy and safe. I'd just make sure I tested it often as development of new features are going on.
You can mitigate the risks of multi-tenant on one database. You can't really do much when there are multiple databases. You can only be diligent and disciplined to make sure all the databases stay in sync.
Good luck!!!
This is an old thread, but it's worth mentioning this for others with this question who may come across this post in the future.
I've had great success on projects in the past by using PostgreSQL and putting the global tables in the "public" schema (like users, groups, etc.) and the same set of tables for each tenant in their own separate schemas.
For example:
For every tenant that's added to the system, a new schema is created with a standard set of tables for the application:
CREATE SCHEMA tenant1;
CREATE TABLE tenant1.products (...);
CREATE TABLE tenant1.orders (...);
etc.
Each tenant's schema would have its own isolated section within the database with the same set of tables that every other tenant has but filled with their own data.
In the default "public" schema you'd have global "users" and "tenants" tables (along with tables for things like groups and access control lists). Every user belongs only to a single tenant. Upon login, the tenant for that user is looked up and from that point forward any time you connect to the database you set it to use that tenant's schema:
SET search_path TO tenant1, public;
Once the schema search_path is set, all your SQL queries can be written as if you're working with a single database with tables named "products", "orders", and so forth (along with the tables in the "public" schema). So you can just use something like "SELECT * FROM products" and it would get the products belonging to this user's tenant.

Referential Integrity of Data Between Services

In SOA I have been confused about how a service that works with data from different databases, or different services even, can have referential integrity so that minimal data is duplicated across databases or services.
For example, you have a user table in some kind of authentication database and you want to reuse this user information in another database. You also want to enforce that user's record to exist in the authentication database. Let’s say you want to associate a user’s account in the authentication database with a news article in another database. How is that done? How would you do that using something like LDAP?
If the authentication information was contained in the same database, just a different table, then I could see how you could just use foreign keys to create an association between a news article and the user account.
I have been trying to search for answers about this concern but I must be using the wrong phrases because I am not coming up with anything useful.
Some platforms allow foreign key constraints between databases, and some don't. If you need referential integrity between databases, you need to pick a platform that supports it. Normalization--a different issue--never says "move these columns to a different database."
In a multi-tenant database, you'd usually choose a different architecture. (You wouldn't normally put authentication for all users in one database, and the stuff they're authenticated to use in another.)
Browse questions tagged "multi-tenant"; that might be a term that will help you. MSDN has a fairly good bird's-eye view.

where to store personnel information LDAP or Database

In our application we are evaluating where to store all personnel information (name, email, phone, department, date of birth,date of hire, licenses/certificates, roles etc.). We will use LDAP/Active Directory for user authentication/authorization so at least some of these data will go into LDAP server. Our HR module and other applications also need some of these information and there is an overlap between them. We are thinking on storing all information in LDAP and just use user ID as a reference in our RDMS to LDAP user and populate other details of user during login process. Other than our application there will be other applications which will also use same user information. If we do not store personnel detail in ldap we will need to duplicate and synchronize user information in each system. LDAP will be needed for login information anyway. What is your recommendation on storing personnel detail in LDAP or DB tables?
Generally speaking, Active Directory isn't a good place to put sensitive PII like what you list. There's absolutely no technical reason that it can't store this data, but, securing it is more difficult. It's certainly not insurmountable, but, I would definetely suggest keeping HR data with HR and synchronizing any demographic information necessary to AD.
Use the Employee ID value in your HR system to maintain the relationship back to AD.
In our company, we built a middleware and an Intermediate Database which is updated 3 times a day. The middleware is an ABAP remote function that generates data from SAP, a C# program which uses SAP .NET connector to invoke the remote function and retrieve that data and save it in an Oracle Database.
This database is used to interchange information with Active Directory. Then systems as Exchange, messenger, SharePoint get the information of this Active Directory. Other internal systems have access to the Oracle database also. The advantage that we experienced is that we avoid the overhead that represents to access SAP and Active Directory everytime. We only access them 3 times a day but the users acces the Oracle database every second.
Hope it helps.

Creating users with or without schemas?

Let's say I want to create simple database, for a simple book store application. I think i should have minimum two users: admin, which has privileges to create, modify and drop objects and user, having just select and insert privileges.
I am a little confused here. Should I create a user account with normal schema or with empty schema? Should the user has privileges to select and query from admin schema which contains tables or it is a user schema that should contain these tables?
There are many different ways to approach this sort of problem. So a great deal depends on your application architecture.
You would generally create one database account that owns the database objects-- tables, packages, views, etc. Let's call this account BOOKSTORE_OWNER. This account would generally be locked so that no one could log in as BOOKSTORE_OWNER other during periodic builds.
Beyond that starting point, however, there are a host of reasonable ways to deal with authentication and authorization. If you wanted to let the database handle both, you would create two roles-- BOOKSTORE_USER and BOOKSTORE_ADMIN. Those roles would be given appropriate privileges on the objects owned by BOOKSTORE_OWNER. You would then create a database user for every person that can use the application and grant the appropriate role to each new user. So if you're an admin and I'm a user, the database account dygi would be created and granted the BOOKSTORE_ADMIN role while the database account Justin would be created and granted the BOOKSTORE_USER role.
This approach worked quite well when people were building client-server applications. If you are using a three-tier application, on the other hand, you want the middle tier connection pool to use the same credentials to connect to the database rather than having each user have their own database connections. The simplest way to accomplish this is to create a single BOOKSTORE_APP database account, grant that account all the privileges of the BOOKSTORE_ADMIN and BOOKSTORE_USER role, and then let the application implement the logic to figure out which front end user has what privileges. This would generally entail a USER, PRIVILEGE, and USER_PRIVILEGE table in the BOOKSTORE_OWNER schema. This approach can work quite well. The downside, though, is that every application has to build its own logic for managing privileges which can get quite complex over time. It also can make it somewhat difficult to report on what privileges users have or to ensure that a user's privileges are kept up to date when users leave the organization or move to a new role.
Oracle in particular addresses many of these challenges by allowing proxy authentication. This allows you to mix the benefits of the client-server approach where every user has their own database account that leverages Oracle's existing privilege management infrastructure with the connection pooling benefits of using a shared database account. This works very well but only works with Oracle and then only with certain protocols (OCI and JDBC) so it is not terribly popular.
Of course, beyond these basics, you can get into quite a bit of complexity. You may want to have enterprise users where Oracle doesn't maintain the password but instead allows the user to authenticate against an external LDAP directory. You may want to manage privileges with LDAP roles rather than with rows in application-specific tables. You may want to integrate with various middle-tier single sign-on (SSO) solutions.

LDAP and database synchronization

I have issue where I need store info about users in DB and authorize via LDAP.
A bit more detailed.
I have two depends system which has common for users (approach something like "stackoverflow" where you can create login based on google account..).
Not all users can have access. For example, have company which have contact persons and some of them have access to developed system. That is mean persons have foring key to company and some of them must have records in LDAP.
I'm new in LDAP. Please suggest architecture solution for this.
Thanks!
Regarding LDAP to database synchronization, you could create a routine for exporting LDAP objects into a .csv file and then importing it's records to the database.
You could, for example, use LDAP's user "uid" attribute to indicate an object's uniquiness on the database.
Also, there's JDBC-LDAP Bridge Driver, that you can use to develop Java applications that can access data stored in a directory server.

Resources