tags:

views:

374

answers:

5
+2  Q: 

Is it possible to store database connection string information in Active Directory?

Let's say you have many applications in your environment all of which store their connection strings to SQL Server in a web config. Is it possible to have the application retrieve those connection strings from Active Directory?

We're moving some database servers around and would like a way to have them read from a central location. Active Directory was suggested as one possibility, but we didn't know if it was possible.

This would, in theory, allow us to gradually change our applications to use AD to read the connection strings, then as we move our database servers, make one change in AD to update all the applications.

Is this possible? Maybe you have a better suggestion. Thanks!

+2  A: 

Technically speaking, you can't store the information in LDAP since it is a protocol, not a storage mechanism. However, there is no reason (that I know of) that you couldn't store the information in Active Directory or other directory services type engine, and retrieve them with a query from the application. You would just need to come up with some organizational scheme and I would suggest some common code in a library or something that allows you to access the information.

I'm not saying that storing it in Active Directory is the best option, but I believe you should be able to do it without a problem.

Max Schmeling  2009-10-05 17:42:24
Sorry for the incorrect semantics. By LDAP I did mean Active Directory and I often forget it's a protocol. Thanks :)
Ryan Montgomery  2009-10-05 17:48:53
No problem. I know a lot of people that use them interchangeably, but for some reason it drives me nuts (short trip) lol
Max Schmeling  2009-10-05 17:50:04
Updated to use Active Directory.
Ryan Montgomery  2009-10-05 17:50:47
+1  A: 

We had a design to do that. Our architecture allowed multiple servers, each with multiple databases. We were using Active Directory to manage attributes about the users, including which databases they had access to.

It seemed logical design at the time, since we either had to do that or have a "master" database to direct. Using Active Directory, we no longer had a single point of failure.

Have no idea how it turned out, I left that company.

Cade Roux  2009-10-05 17:42:38
A: 

You could create a non-person user and have the connection string be an attribute in the user, but, that would be misusing the LDAP, IMO.

What may be better is to use dependency injection and just have common information such as a connection string, be in one file and just have it either read in when the application starts, or have it be injected in when recompiling.

For example, you could use Spring or Spring.NET, but there are a myriad of DI frameworks that would work.

UPDATE: You could also just create a database table that has this information, and all the applications could read from the database to get all their configuration information.

An LDAP should be used for directory-related issues, I believe, as well as, now, user-management and account information.

James Black  2009-10-05 17:43:45
We're looking for something that could be updated somewhere outside of the application itself by one of the Network admins actually. We use DI frameworks to inject this information now, but we'd like to grab it from LDAP instead of web.config or a registry key.
Ryan Montgomery  2009-10-05 17:52:52
how do you figure this is a miss use of LDAP database? The entire point of the protocol is to store information that you need to be able to resolve remotely. There is a reason you can create new schema extensions for LDAP (ldif). With that in mind you will probably get better performance out of a local file than a remote LDAP query for a connection string.
Matthew Whited  2009-10-05 17:54:01
With our DI framework (StructureMap) the connection string is injected on application start so the performance hit is negligible. So performance considerations aside, it seems like a decent fit for storing configuration information.
Ryan Montgomery  2009-10-05 17:57:03
@Matthew - The LDAP should be for directory information, I believe. If you need config info somewhere, just use a database. The LDAP was designed for very fast lookups, for directory related issues.
James Black  2009-10-05 18:07:40
A: 

You can store the connectionstrings about anywhere you want. You could even do them as TXT records on your DSN servers. But you would have to build the resolution framework yourself. Also keep in mind that the connection strings make contain secure information. (such as passwords). If you store these in LDAP (I am speaking genericly for any ldap based server) you will want to make sure the attribute is not public. The upside is LDAP proxy accounts (anonymous connections) would not be able to see the information. The downside is you will have to do an LDAP bind before you can get the information back out of the system. As long as you cache a connection string on the client/server that is going to be making the database calls, you shouldn't see any real performace issues. But if you had to query an LDAP server before each database call you might have problems.

a custom object or even an extension attribute for an exsisting object may be best.

Extend AD Schema

Matthew Whited  2009-10-05 17:59:16
Thanks for the info. We try to connect to all our database servers using Trusted connections and have our app pools run as specific AD accounts with limited access to necessary resources. If our app pool account had access to AD, I think it would connect to AD using the app pool identity, which would be perfect.
Ryan Montgomery  2009-10-05 18:05:25
well as long as you are using SSPI then that shouldn't be a problem. I haven't browsed around AD lately but their might even be an object type that would be perfect for this use.
Matthew Whited  2009-10-05 18:25:35
A: 

"The LDAP should be for directory information"

What does that mean? Configuration information is a perfect candidate for being stored in the Dit - it is read intensive, secure, replicated, and easy to access. Most of what is stored in Active Directory is "configuration information".

Adam Tauno Williasm  2009-10-05 19:28:35

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL