ADAM - AZMan interop question

Discussion in 'Active Directory' started by Jims, Jul 21, 2004.

  1. Jims

    Jims Guest

    Dmitri, no luck posting this on the security groups. Could you route this
    question to the appropriate people? At TechEd I was referred to someone named
    "McPherson" I think but was unable to track him down.

    Authorization Manager can store application information in ADAM. Can
    AzMan work with ADAM users? For instance, userProxy objects (users) in ADAM,
    and leverage their individual attributes for LDAP filter based AzMan roles?
    We would like to use AzMan to control authorization for .NET web apps for
    users that would be in an ADAM directory.

    Jim S.
    Jims, Jul 21, 2004

  2. At this point, ADAM can only be used as a policy store, not a user store.

    There have been enhancements discussed that might allow this, but at this
    point it is for Windows/AD users only.

    There does seem to be some ability to create custom AzMan contexts based on
    a custom SID that you provide, but you don't get the LDAP group support or
    other group integration with that.

    Joe K.
    Joe Kaplan (MVP - ADSI), Jul 22, 2004

  3. Yes, Dave McPherson is the guy. I'll ask him to reply.

    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    Dmitri Gavrilov [MSFT], Jul 22, 2004
  4. Today, other than what Joe describes, AzMan does not support ADAM
    principals. We do plan to add interfaces to provide some support for ADAM
    principals in Windows Server 2003 SP1. This will allow applications that can
    retrieve a client's ADAM user and group SIDs to add them to an AzMan client
    context object. This will not update the UI to work against an ADAM
    principal store, so a custom UI will be needed.
    Dave McPherson [MSFT], Jul 22, 2004
  5. This is really great. I think this will really help open up AzMan in terms
    of applicability. In my opinion, the API that you program against is where
    the core value is, and getting developers to use that consistently will
    really help improve things. Being able to initialize a custom context with
    a custom user SID AND custom group SIDs will be good.

    It is too bad that the UI won't support ADAM principals directly, as the
    other great benefit of AzMan is the runtime configurability that admins can
    do to change application policy. Not having this is a drag. However, maybe
    the community will fill in and help create an alternate UI or perhaps you
    guys can get that in a future revision.


    Joe K.
    Joe Kaplan (MVP - ADSI), Jul 22, 2004