The situation is that you have to develop an application against an Active Directory tree and want to use role-based security based on AD user groups. The deployment tree is unavailable, and no trust exists or is allowed between the development tree and deployment tree.

What are the best practices for developing the application and then deploying? The first problem is that the role names are different because of the domain prefix. A lot of these are declarative in nature, say using attributes. The problem then is obviously that in the deployed environment the role strings will be different.

The other problem is being able to debug running as a different account on the development. Logging off and logging in defeats having the debugger attached. How is this solved?

Thanks in advance.

A: 

You might want to have a look at Active Directory Lightweight Directory Services (AD LDS) - formerly known as AD/AM (Active Directory/Application Mode).

It basically allows you to create an AD instance on a dev box and program against it almost as if it were a full-blown AD. However: AD LDS cannot be used to authenticate users - so maybe that won't really be helpful in your scenario then :-(

Marc

marc_s
A: 

You probably shouldn't be using checks against pre-existing security groups in any AD environment.

Your application should have its own set of roles that it uses and knows about.

Upon installation you'd generate the appropriate security groups into Active Directory and add existing groups/users to those groups which you added.

Keeping it agnostic of where the roles come from means you won't have to worry about IT rearranging things in the 'live' AD instance and also gives you the flexibility to completely change the back end if you need/want to (e.g. switch to a SQL Server from AD or mock it during testing).
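
One way to keep application role names independent of the directory, as the second answer suggests (an added example, not code from either answerer): a principal wrapper that resolves application roles through a per-environment mapping and denies anything unmapped. The role names, the `DEVDOM` group names and the `RoleMappedPrincipal` class are hypothetical; `GenericPrincipal` stands in for the `WindowsPrincipal` that would be wrapped in deployment.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Wraps the authenticated principal and answers IsInRole() for
// application role names by consulting a per-environment mapping.
public sealed class RoleMappedPrincipal : IPrincipal
{
    private readonly IPrincipal _inner;
    private readonly IReadOnlyDictionary<string, string[]> _roleToGroups;

    public RoleMappedPrincipal(IPrincipal inner,
                               IReadOnlyDictionary<string, string[]> roleToGroups)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        _roleToGroups = roleToGroups ?? throw new ArgumentNullException(nameof(roleToGroups));
    }

    public IIdentity Identity => _inner.Identity;
    public bool IsInRole(string appRole)
    {
        // Deny by default: an unmapped application role grants nothing.
        if (appRole == null || !_roleToGroups.TryGetValue(appRole, out var groups))
            return false;
        return groups.Any(g => _inner.IsInRole(g));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed mapping; the assumption is that each environment loads its own from config.
        var devMap = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["OrderApprover"] = new[] { @"DEVDOM\App-OrderApprovers" },
            ["Auditor"]       = new[] { @"DEVDOM\App-Auditors" },
        };

        // Constructed stand-in for WindowsPrincipal so this runs without a domain.
        var inner = new GenericPrincipal(new GenericIdentity("alice"),
                                         new[] { @"DEVDOM\App-OrderApprovers" });
        IPrincipal user = new RoleMappedPrincipal(inner, devMap);
        Console.WriteLine(user.IsInRole("OrderApprover")); // mapped, user is in the group
        Console.WriteLine(user.IsInRole("Auditor"));       // mapped, user is not in the group
        Console.WriteLine(user.IsInRole("Unmapped"));      // no mapping entry
    }
}
```

Only the mapping changes between the development and deployment trees; authorization checks in the application reference the application role names alone.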