Thursday, August 30, 2007

Does your application support Active Directory?

When I was at Microsoft I would have frequent discussions with ISVs that went something like this:

J: So, what does your product do?
I: Our product does "x".

J: It's integrated with Active Directory?
I: Of course, we use LDAP!

J: OK, let's get clear about it. You use LDAP, right? Do you use ADSI?
I: No, just LDAP.

J: So, you're integrated with LDAP directories. You're not integrated with Active Directory.
I: Well, Active Directory supports LDAP.

J: Correct, it does. But I'm really interested in advanced integration with Active Directory like "serverless bind", Group Policy integration, the ability to modify permissions on resources...
I: Ah, well, you see, but, we...sometimes, ah, our customers, bzzzt, click, blue screen

These memories came back after I read a post over at JoeWare on this topic...

I am about sick to death of running into LDAP apps that need hardcoded host names. What the hell is wrong with you people? There is a perfectly good RFC out there for locating LDAP Services (as well as other services) that works quite well and you still refuse to use it. FYI, if you don't know about it, it is RFC 2782 - A DNS RR for specifying the location of services (DNS SRV).

All you are doing is making your apps susceptible to single server failure and requiring businesses to try to solve issues with failover for you. You look like a bunch of schmucks, stop that shit. I know it can be done; I saw people doing it on UNIX more than five years ago.

Right on, Joe!

Just by using a bit of ADSI (a serverless bind to LDAP://RootDSE, which hands server selection to the Windows DC locator instead of a hardcoded host name) an ISV could tout another great benefit to their customers and make it look like they did all the work themselves: "Mr. Customer, our widget provides automatic failover in an Active Directory environment without any additional hardware or software!!"
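The point Joe and I are both making, that a client should locate its LDAP servers through DNS SRV records and fail over across the answer rather than depend on one hardcoded host, is shown below as an added example. This is not code from the original post, from JoeWare, or from any ISV product. The SRV answer is constructed inline so it runs offline; the host names and the example.com domain are assumptions. A real client would resolve _ldap._tcp.dc._msdcs.<domain> (AD domain controllers) or _ldap._tcp.<domain> with its DNS library and feed the answer to the same functions.

```python
"""Locating an LDAP service the RFC 2782 way, with client-side failover.

Added example; not code from the original post or from JoeWare. The SRV
answer below is constructed so the example runs offline; names under
example.com are assumptions.
"""
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower value is tried first
    weight: int    # share of load among records of the same priority
    port: int
    target: str


def parse_srv_line(line: str) -> SrvRecord:
    """Parse one zone-file style SRV answer line, e.g.
    '_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.'
    """
    fields = line.split()
    i = fields.index("SRV")
    prio, weight, port = (int(x) for x in fields[i + 1:i + 4])
    return SrvRecord(prio, weight, port, fields[i + 4].rstrip("."))


# Constructed sample answer (assumed names); not real DNS data.
SAMPLE_ANSWER = [
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.",
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 50 389 dc2.example.com.",
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 0 389 dc3.example.com.",
    "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 100 389 dc-dr.example.com.",
]


def order_by_rfc2782(records: Iterable[SrvRecord], rng=None) -> List[SrvRecord]:
    """Return the records in the order a client should try them.

    RFC 2782 usage rules: lowest priority first; within a priority, put
    weight-0 records at the front, draw a random number in [0, sum of
    weights], take the first record whose running weight sum reaches the
    draw, and repeat until that priority is exhausted. Weight-0 records are
    therefore picked only when the draw is 0 (always, if every weight is 0).
    """
    rng = rng or random.Random()
    by_priority: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)

    ordered: List[SrvRecord] = []
    for prio in sorted(by_priority):
        pool = [r for r in by_priority[prio] if r.weight == 0]
        pool += [r for r in by_priority[prio] if r.weight != 0]
        while pool:
            draw = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= draw:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def connect_with_failover(records, try_connect, rng=None):
    """Try each server in RFC 2782 order; return (connection, hosts_tried).

    try_connect(host, port) returns a connection object or None. Raising
    only after the whole list is exhausted is what makes a single dead DC
    invisible to the application.
    """
    tried: List[str] = []
    for rec in order_by_rfc2782(records, rng):
        tried.append(rec.target)
        conn = try_connect(rec.target, rec.port)
        if conn is not None:
            return conn, tried
    raise ConnectionError("no LDAP server reachable; tried " + ", ".join(tried))


def simulated_connect(down_hosts):
    """Stand-in for a real LDAP connect call; hosts in down_hosts 'fail'."""
    def try_connect(host, port):
        return None if host in down_hosts else f"ldap://{host}:{port}"
    return try_connect


if __name__ == "__main__":
    records = [parse_srv_line(line) for line in SAMPLE_ANSWER]
    # Simulate the two preferred DCs being down; the client still connects.
    conn, tried = connect_with_failover(
        records, simulated_connect({"dc1.example.com", "dc2.example.com"}))
    print("connected to", conn, "after trying", tried)
```

The priority 10 record models a disaster-recovery site: it is only tried once every priority 0 server has failed, and the weights spread normal load 2:1 between dc1 and dc2 while dc3 (weight 0) is almost never chosen first. Swap simulated_connect for a real bind (and add a timeout) and the application gets exactly the automatic failover Joe is asking for, with no hardcoded host name anywhere.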

Wake up and smell the coffee ISVs! Active Directory is deployed in 85% of the enterprises in the US. Pay it some respect for crying out loud.



gpoguy said...

Generally, I agree with you 100% Jackson on the need for ISVs to do the right things against AD. But, use of ADSI doesn't guarantee that you play friendly with AD and in fact, there are many circumstances where ADSI just doesn't cut the mustard and you have to fall back to LDAP. It's not a bad thing, it's just the limitations in ADSI. But, APIs are sort of beside the point here.

The one thing I fault MS here on is total lack of *real* guidance in this area. Where are the training classes on how to write "proper" AD-enabled apps?

Hell, I gave two classes to a *very* large OEM who shall remain nameless on this very topic. And you would think that they, of all people would have access to this information but they did not, nor could they find anyone who had the "correct" story on how to enhance and extend AD. I think MS has maybe a few pages on their website that vaguely talk about the right way to extend AD, but generally speaking, the guidance is pathetic.

Jackson Shaw said...

I totally agree with you, Mr. gpoguy. I've been thinking about writing a white paper on this very subject but part of me balks at the idea simply because why tell my competitors what they should build and why?

Microsoft's guidance is lame.