ADAM - Schema best practices - and AZMAN

Discussion in 'Active Directory' started by Jims, Jul 20, 2004.

  1. Jims

    Jims Guest

    We are currently piloting ADAM and MIIS. We are using MIIS to populate ADAM
    with Active directory users using the ADAM userProxy object class so we can
    take advantage of the bind proxy features of ADAM. This all works fine. We
    need additional attributes available for the userProxy objects such as
    employeeID and UID, pager etc.

    1.) As far as best practices are concerned for ADAM, is it recommended to
    add additional attributes to the userProxy object class (via mmc schema
    snapin) or should we create an auxiliary custom object class and add it to
    the objectclass attribute of the userProxy object class, and will this update
    existing instances? What are the best practices for accomplishing this? In
    Iplanet it was a simple task to add an additional objectclass to another but
    ADAM seems to complain for instance if I try to add the user object class to
    userproxy. Also, the attributes of an auxiliary object class added to
    userproxy for instance do not appear (adsi edit) in preexisting instances of
    the userproxy object (users already created by ADAM).

    2.) ADAM generates a "bad username" error when I try to bind using UID and
    password instead of CN and password. Is there a way for ADAM to allow
    binding with attributes other than CN?

    3.) Authorization manager can store application information in ADAM. Can
    AZman work with ADAM users? For instance; userProxy objects (users) in ADAM
    and leverage their individual attributes for LDAP filter based AZMan roles?

    Thanks,
    Jim
     
    Jims, Jul 20, 2004
    #1
  2. Inline...

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm

    UserProxy is a "sample" class. You should be free to extend it with your own
    attributes.

    You could go with the auxclass approach as well, but as you noticed, ADSIEdit
    is not smart about dynamic auxclasses. But it works better with static
    auxClasses, the ones that you add to the userProxy class definition (as
    opposed to dynamic auxClasses that are added to specific instances of the
    userProxy class).
    You can not bind with UID, but you can bind with userPrincipalName (which,
    unlike in AD, does not have any constraints).

    I've heard that this feature (Azman security principals in ADAM) got
    approved for WS03 SP1. But don't quote me on that, I am not the authority. I
    don't know if they would backport this to downlevel OSs.
     
    Dmitri Gavrilov [MSFT], Jul 21, 2004
    #2
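    The static auxClass route Dmitri describes, written out as an added LDIF example (not from this thread or from Microsoft's ADAM samples): the attribute and class names, the OID arc and the "DC=X" placeholder are assumptions, and the file is meant for ADAM's ldifde with -c substituting the instance's schema naming context.

```ldif
# Added example, not from the thread. Static auxiliary class that extends
# userProxy with one custom attribute. Names and the OID arc are placeholders;
# "DC=X" is rewritten by ldifde -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext.

# 1. The custom attribute (single-valued Unicode string, indexed).
dn: CN=pilotEmployeeID,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: pilotEmployeeID
attributeID: 1.2.840.113556.1.8000.2554.999999.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1

# Refresh the schema cache so the class below can reference the new attribute.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# 2. The auxiliary class (objectClassCategory 3) that carries the attribute.
dn: CN=pilotUserProxyExt,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
lDAPDisplayName: pilotUserProxyExt
governsID: 1.2.840.113556.1.8000.2554.999999.2
objectClassCategory: 3
subClassOf: top
mayContain: pilotEmployeeID

# 3. Attach it statically to the userProxy class definition (not to single
#    instances), so existing userProxy objects may carry pilotEmployeeID too.
dn: CN=userProxy,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: auxiliaryClass
auxiliaryClass: pilotUserProxyExt
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
```

    Import it with the ADAM copy of ldifde, e.g. ldifde -i -f pilot-ext.ldf -s server:389 -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext, then reconnect ADSI Edit to confirm pilotEmployeeID is offered on a pre-existing userProxy object.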
  3. Jims

    Jims Guest

    Thanks Dmitri. Too bad about not binding with UID because this is the last
    hurdle to supplanting an Iplanet directory with ADAM w/out having to change
    a single line of application code - code that binds to iplanet with UID and
    password as is my case. I thought I read in the ADAM reviewers guide that
    any ADAM attribute was bindable - maybe I misread and it meant any ADAM
    object was bindable via the cn and password. Can the ADAM userProxy RDN be
    changed? Not to harp on Iplanet but they (since Netscape directory) have
    always had great documentation that covered a lot of fundamental ldap topics
    as they applied to their directory and the standards. Even though every
    directory claims to comply with ldapvX standards they all have personalities
    of their own that require some initial investment of time (and news group
    posts) to learn. It seems all the ADAM docs I've found cover only a small
    amount of ldap fundamentals as they apply to ADAM and focus more on
    importing canned schema extensions and mostly high level administrative
    practices.
    Jim
     
    Jims, Jul 21, 2004
    #3
  4. Jims

    Jims Guest

    Is there an azman newsgroup?
    Jim


     
    Jims, Jul 21, 2004
    #4
  5. We have recently released a draft of ADAM technical reference. That's a very
    comprehensive doc, get a hold of it.

    If you can make a good business case, we may provide a QFE for ADAM to be
    able to bind with UID. If not, I can try to get this into ADAM SP1/R2, due
    some time next year.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm
     
    Dmitri Gavrilov [MSFT], Jul 21, 2004
    #5
  6. Don't know. Try microsoft.public.security and perhaps
    microsoft.public.server.security. If you don't get it answered there, post
    here, and I will forward it to the right people. Include ADAM into subj, I
    will notice it then.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm
     
    Dmitri Gavrilov [MSFT], Jul 21, 2004
    #6
  7. Would it also be possible for them to just set the UPN to the UID so that it
    looks like they are binding with the UID? Since UPN in ADAM doesn't have
    the validation rules that AD has, perhaps they can get exact matches with no
    problem.

    Joe K.
     
    Joe Kaplan \(MVP - ADSI\), Jul 21, 2004
    #7
  8. Hi Dmitri,

    We are also piloting ADAM, MIIS and AZMan to use it in a huge .NET project.

    We want to store the 'user' data (Default Printer, HomePort, etc) in an
    Application Specific Directory store (ADAM). This because we don't want to
    change our AD worldwide schema. We will use AZMAN to implement role based
    security. The users assigned in ADAM will be AD users.

    MIIS will be a one way (from AD to ADAM) bridge to 'feed' ADAM with new
    users.

    Now my question is: What is the best practice of creating users in the ADAM
    Store? Do we create ProxyUsers or do we just use a 'basic' user object? Of
    course in both cases we do need to extend the schema to allow the storage of
    'custom' properties.

    Kind regards

    Kurt Biesemans

    Cobelfret
     
    Kurt Biesemans, Aug 12, 2004
    #8
  9. If you create a regular ADAM user then you have to populate his password
    with something. MIIS will not do this for you. You don't have this problem
    with userProxy. But then the ldap bind must be simple and thus not secure.

    Do you have full control over the app? If so, I would recommend going with
    the "manual linking" approach. Have MIIS create "userData" objects in ADAM
    and write AD's object guid or sid as a key onto them. UserData would be your
    custom objectClass.

    If you don't need to worry about securing LDAP binds or if you have SSL
    working, then you can use userProxies.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm
     
    Dmitri Gavrilov [MSFT], Aug 12, 2004
    #9
  10. Dmitri,

    Thanx for your reply. Maybe one major thing I forgot to say is that we will
    do Authentication based on our AD. So I don't need the passwords in ADAM.
    The reason why I would like to use MIIS is to populate ADAM with the AD
    users. We don't want to administer AD and ADAM. So the 'main' store for user
    details will be AD. ADAM's schema will be extended with some typical
    Application properties.

    Indeed, we are developing an application from scratch so we have full
    control over the APP.

    Kurt
     
    Kurt Biesemans, Aug 13, 2004
    #10