Directory Programming .NET

Active Directory and ADAM programming support for .NET developers
How to set passwords in Adam using SDS.P

Last post 08-20-2008, 2:04 AM by joe. 3 replies.
  •  08-19-2008, 12:16 PM 4455

    How to set passwords in Adam using SDS.P

    We have an ADAM instance sitting in our DMZ. We need to bulk load about 1-2M users into this ADAM instance from a SQL Server database. This SQL Server is our database of record for users, attributes and roles, and it also contains the users' passwords, encrypted.

    I am using the System.DirectoryServices classes to perform the major operations so far. If I do not send over passwords, I get a throughput of about 100 users per second adding users into the ADAM instance. If I do send over passwords, this drops dramatically to about 3 users per second. This won't be acceptable, so I'm looking for alternative means to push the passwords over.

    Currently, I am setting the passwords using the following method:

    using System.DirectoryServices;

    // bind to the new user object (the connection details were elided in the post)
    DirectoryEntry newUser = new DirectoryEntry (....);

    // route the password operation over SSL to the ADAM instance's SSL port
    newUser.Options.PasswordPort = 52001;
    newUser.Options.PasswordEncoding = PasswordEncodingMethod.PasswordEncodingSsl;

    // set the password on the user object (late-bound ADSI IADsUser::SetPassword)
    newUser.Invoke("SetPassword", new object[] { plainPwd });

    It appears that using the Invoke method on the DirectoryEntry class is very time consuming. So, I wanted to try the SDS.P method of changing passwords. I looked at the example in Joe and Ryan's book (listing 10.16, page 384). However, this seems to require a network credential rather than connecting using an ADAM user account. Since our ADAM server is located in the DMZ, I cannot use network credentials; there is no domain that I can use. I was hoping I could do this using a local ADAM account that has the necessary permissions in the ADAM instance.

    Is this possible? Or am I going to be stuck with using the Invoke method that I'm using now?

    Thanks for any suggestions on how to speed up the set password action.

    -Dave Herrmann


  •  08-19-2008, 12:50 PM 4456 in reply to 4455

    Re: How to set passwords in Adam using SDS.P

    You might be able to get our sample from ch 10 that uses SSPI (Negotiate) authentication along with encryption to work with a local ADAM user by using Digest auth and encryption.  I remember trying that once and having success.

    You can also use Windows auth to ADAM; it just has to be with a user on the local machine and using the NTLM protocol.  Make sure the local machine user has the appropriate permissions if you go that direction.

    Another thing you might consider would be to relax the requirement to set passwords using encryption.  In that case, you can use whatever binding mechanism you want.

    If you are planning to use ADAM for bind authentication, you probably should still be using SSL though.  If SSL is an option, then it should not be a big deal to get the required channel encryption to set the password as well.

    One big advantage with using SDS.P for the bulk load is that you can also create the user in one big modification operation instead of having to do multiple ones.  That should increase perf significantly.

  •  08-19-2008, 1:03 PM 4457 in reply to 4456

    Re: How to set passwords in Adam using SDS.P

    Joe,

    Can you recommend any reading on using SDS.P for adding users/passwords to ADAM? Wading through the Microsoft documentation is tedious at best.

    I also don't see that sample you mention from ch 10 using SSPI. Can you clarify this for me please?

    Thank you.

    -Dave

  •  08-20-2008, 2:04 AM 4459 in reply to 4457

    Re: How to set passwords in Adam using SDS.P

    There really isn't any good reading on SDS.P unfortunately.  Microsoft's documentation is essentially a waste of time, although the white paper Ethan Wilansky wrote for them on it is pretty good.

    Sample 10.16 is the one I'm referring to.  It doesn't mention SSPI directly but it is using the default for one of the if conditions which is Negotiate.  If you wanted to use Digest there, you would just set the AuthType to Digest and specify credentials for an ADAM user (null domain parameter).  It should be fairly simple to modify.  The trick is being able to set the Sealing SessionOption because that's how you get the channel encryption without SSL.  You can get Sealing with either Negotiate or Digest.

    The rest of the add operation is pretty straightforward.  You just set all the attributes you want, including the unicodePwd attribute, as we demonstrate in the sample.  Ours is aimed at modifying existing users, but it can be adapted pretty easily to an add operation.  The key is really in getting channel encryption and the mechanism for building the unicodePwd value.
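The approach Joe outlines above, written out as an added example (this is not code from the original thread or from the book sample it refers to): an SDS.P LdapConnection bound with Digest as an ADAM principal (null domain) with Sealing turned on for channel encryption, and one AddRequest per user that carries objectClass, the naming attributes and unicodePwd together. The host name, the non-SSL LDAP port (52000 is assumed as the pair to the 52001 SSL port mentioned in the post), the partition DN, the loader account name and the sample rows are all assumed or constructed values; the unicodePwd encoding (the password wrapped in double quotes, UTF-16LE) is the AD/ADAM convention.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

// Added example: bulk-add ADAM users over a sealed SASL bind using S.DS.Protocols.
// Every host, port, DN, account name and row below is an assumption, not data from the thread.
class AdamBulkLoad
{
    const string Host = "adam.dmz.example";                 // assumed ADAM host
    const int LdapPort = 52000;                             // assumed non-SSL port paired with 52001/SSL
    const string UsersContainer = "CN=Users,O=Example,C=US"; // assumed application partition

    // unicodePwd takes the password enclosed in double quotes and encoded as UTF-16LE.
    // The LDAP client does not do this for you; get it wrong and the add is rejected.
    public static byte[] BuildUnicodePwd(string plainPwd)
    {
        return Encoding.Unicode.GetBytes("\"" + plainPwd + "\"");
    }

    // Digest bind as an ADAM (non-Windows) security principal: the domain argument is
    // left null, and Sealing gives the channel encryption ADAM requires for password
    // operations when SSL is not in play. Signing adds integrity protection.
    public static LdapConnection Connect(string loaderName, string loaderPwd)
    {
        var id = new LdapDirectoryIdentifier(Host, LdapPort);
        var cred = new NetworkCredential(loaderName, loaderPwd, null);
        var conn = new LdapConnection(id, cred, AuthType.Digest);
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.Sealing = true;
        conn.SessionOptions.Signing = true;
        conn.Bind(); // throws LdapException if ADAM refuses the bind
        return conn;
    }

    // One AddRequest carries the whole object, password included, so each user costs a
    // single round trip instead of an add followed by a separate SetPassword call.
    // cn is assumed to contain no characters that need RFC 4514 escaping.
    public static AddRequest BuildAddRequest(string cn, string upn, string plainPwd)
    {
        string dn = "CN=" + cn + "," + UsersContainer;
        return new AddRequest(dn,
            new DirectoryAttribute("objectClass", "user"),
            new DirectoryAttribute("userPrincipalName", upn),
            new DirectoryAttribute("unicodePwd", BuildUnicodePwd(plainPwd)),
            // ADAM creates users disabled unless this is set explicitly
            new DirectoryAttribute("msDS-UserAccountDisabled", "FALSE"));
    }

    // Sends one AddRequest per row and returns the number that succeeded. A per-row
    // failure is reported and skipped so a bad record does not abort the whole load.
    public static int LoadUsers(LdapConnection conn, (string Cn, string Upn, string Pwd)[] rows)
    {
        int added = 0;
        foreach (var row in rows)
        {
            try
            {
                conn.SendRequest(BuildAddRequest(row.Cn, row.Upn, row.Pwd));
                added++;
            }
            catch (DirectoryOperationException ex)
            {
                // Typical causes: password policy of the host, the unsecured-connection
                // restriction, or a malformed DN/attribute value.
                Console.Error.WriteLine("{0}: {1} ({2})", row.Cn,
                    ex.Response == null ? "n/a" : ex.Response.ResultCode.ToString(), ex.Message);
            }
        }
        return added;
    }

    static void Main()
    {
        // Constructed sample rows standing in for the SQL Server result set.
        var rows = new[]
        {
            ("jdoe",   "jdoe@example",   "Tr0ub4dor&3"),
            ("asmith", "asmith@example", "correct-horse-battery"),
        };
        // Assumed loader account: an ADAM principal granted create rights on the container.
        using (var conn = Connect("loader@example", "loader-password"))
        {
            int added = LoadUsers(conn, rows);
            Console.WriteLine("{0} of {1} users added", added, rows.Length);
        }
    }
}
```

Two checks worth doing before running this against a real instance: confirm the bind is actually sealed (ADAM will refuse the unicodePwd modification with an unwilling-to-perform style error on a connection it considers unsecured, unless the "allow passwd op on unsecured connection" behaviour has been changed with dsmgmt), and remember that the loader must hold the decrypted password in memory to build the unicodePwd value, so the process doing the bulk load is itself a sensitive component in the DMZ.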
