
Questions about using SCA

A customer has asked a number of questions about SCA that I cannot find the answers to. I've added what I think are the answers, but can someone please have a look over them and let me know? Also, if it is not included now, will it be added in a later release?

1. Secure LDAP?: LDAP authentication to the AD LDS must be done over a secure link to ensure that passwords are not sent over the network in the clear. This is implemented by using SSL certificates. Application teams should verify that the application will query LDAP over SSL (sometimes referred to as LDAPS).

I think the answer is NO, we only use LDAP, not LDAPS, though I did see a mention about port 635 which might be the answer?

2. Multiple Domains for AD? The AD implementation has over 300,000 users in a single forest across four domains. Application teams should verify with the vendors that the application will function across multiple domains (making use of the global catalogue).

I do not think this will be a problem as we look at AD, but do we do it over multiple domains?

3. Data Synchronisation? Some applications synchronise certain items of data from the LDAP database into an internal store. Application teams should ask the vendors if this is the case with their application, and if so provide details to the AD team.

I think the answer is NO

4. Schema Changes? Applications will not be allowed to write information to the HSBC AD, nor make schema extensions, except under extraordinary circumstances. Vendors need to confirm whether their application requires changes in the schema as it may be that a different approach needs to be considered.

I think the answer is NO

5. Userproxy Objectclass in AD LDS? Our objects in AD LDS are of the type userproxy. This is a standard implementation. It means passwords are not stored in AD LDS, but AD LDS knows to check the password on the linked AD account. Applications should be able to support this process of proxy authentication which is, in the main, handled entirely by AD LDS.

I think the answer is YES, as we allow AD, and if this is controlled by it we should not see any problems.

1 Reply

Please consider moving this question as-is (no need to recreate) to the proper forum for maximum visibility.  Questions written to the users' own "Discussions" space don't get the same amount of attention and questions can go unanswered for a long time.

You can do so by selecting "Move" under ACTIONS along the upper-right.  Then search for and select: "Ionix Support Forum" which would be the most relevant for this question.
