Bug in ADAM/AzMan integration? Roles placed in AzTaskObjectContain

Discussion in 'Active Directory' started by Patrick Barnes, Dec 30, 2004.

  1. I'm on a project where we are storing Authorization Manager (AzMan) objects
    in an ADAM partition. This appears to be fairly uncharted territory, so
    perhaps no one else has seen this; but I've discovered that when I create a
    role in AzMan.msc and then view it in ADAM ADSI Edit that the role is placed
    in the AzTaskObjectContainer, not the AzRoleObjectContainer as I would
    expect.

    I tried to do an LDIFDE export, change the container for the roles to
    AzRoleObjectContainer and then re-import. The import was successful and the
    roles now reside in the AzRoleObjectContainer. However, when I re-open the
    AzMan store in AzMan.msc, the roles don't appear at all.

    Is Microsoft aware of this problem? Is there a work-around so that I can
    deploy my AzMan store via LDIF? I don't want to use an XML file to create the
    store as this is not best practice and insecure.

    P.S. While I'm on it, I could find no documentation for opening or creating
    an AzMan store in ADAM. Through trial and error my dev partner discovered
    that you have to specify an LDAP connection string as the Store name (after
    selecting the Active Directory option in the Open Authorization Store
    dialog). For example:

    LDAP://localhost:1129/CN=Program Data,DC=contoso,DC=com

    Note that "CN=Program Data," must come before your partition name.

    Cheers,

    Patrick Barnes
     
    Patrick Barnes, Dec 30, 2004
    #1

  2. Lee Flight (Guest)

    Inline below...

    When I tried this I created a new Role definition for an application,
    that definition was created in AzTaskObjectContainer as an instance of the
    msDS-AzTask class.

    I then assigned the role under Role Assignments for the application in the
    AzMan MMC and the role was created in the AzRoleObjectContainer
    as an instance of the msDS-AzRole class.

    That seemed like reasonable behaviour and was the same for stores in both
    AD (W2003) and ADAM.
    Generally you want to create an application partition in ADAM
    e.g. DC=Contoso,DC=com and then create a container
    for your stores say, CN=AzStores and then in the AzMan MMC specify

    msldap://ADAMServer:ADAMport/cn=mystore,cn=AzStores,dc=contoso,dc=com

    i.e. specify a container below the parent and let AzMan create it.


    If you are interested in using ADAM principals in AzMan you might want to
    look at

    http://support.microsoft.com/default.aspx?scid=kb;en-us;883933


    Lee Flight
     
    Lee Flight, Dec 31, 2004
    #2
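    The placement rule Lee describes (role definitions are msDS-AzTask objects under
    CN=AzTaskObjectContainer, role assignments are msDS-AzRole objects under
    CN=AzRoleObjectContainer) is exactly what an LDIF round-trip can silently break:
    the import succeeds but AzMan.msc no longer lists the moved objects. Below is an
    added example, not code from either poster or from Microsoft, that lints an
    ldifde export before re-import. Attribute and class names follow the AD/ADAM
    AzMan schema (msDS-AzTask, msDS-AzRole, msDS-AzTaskIsRoleDefinition); the
    sample LDIF and the store path cn=mystore,cn=AzStores are constructed for the
    example, not taken from a real export.

```python
"""Pre-import lint for an LDIF export of an AzMan store held in ADAM or AD.

Added example for this thread, not code from either poster or from Microsoft.
It encodes the placement described in the reply above: role definitions are
msDS-AzTask objects (msDS-AzTaskIsRoleDefinition TRUE) directly under
CN=AzTaskObjectContainer; role assignments are msDS-AzRole objects directly
under CN=AzRoleObjectContainer. An entry moved to another container imports
cleanly but the AzMan MMC no longer shows it, which is the symptom in post #1.
The sample LDIF at the bottom is constructed for the example, not a real export.
"""
import base64
import re

# objectClass (lowercased) -> RDN of the container it must sit directly under.
EXPECTED_PARENT = {
    "msds-aztask": "cn=aztaskobjectcontainer",
    "msds-azrole": "cn=azroleobjectcontainer",
    "msds-azoperation": "cn=azoperationobjectcontainer",
}

_ATTR_LINE = re.compile(r"^([\w;-]+)(::?)\s?(.*)$")


def parse_ldif(text):
    """Return a list of (dn, attrs); attrs maps lowercased names to value lists.

    Handles RFC 2849 line folding (continuation lines start with one space),
    base64 values ('attr:: ...') and '#' comment lines. Blocks without a dn
    (e.g. the leading 'version: 1') are skipped.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        logical = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and logical:
                logical[-1] += line[1:]  # unfold continuation line
            else:
                logical.append(line)
        dn, attrs = None, {}
        for line in logical:
            m = _ATTR_LINE.match(line)
            if not m:
                continue
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def parent_rdn(dn):
    """RDN of the immediate parent, lowercased; an escaped comma (\\,) inside
    an RDN value does not count as a separator."""
    parts = re.split(r"(?<!\\),", dn)
    return parts[1].strip().lower() if len(parts) > 1 else ""


def check_placement(entries):
    """Return human-readable problems; an empty list means every AzMan object
    sits in the container the MMC expects to find it in."""
    problems = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        flags = {v.lower() for v in attrs.get("msds-aztaskisroledefinition", [])}
        for cls, container in EXPECTED_PARENT.items():
            if cls in classes and parent_rdn(dn) != container:
                kind = "role definition (msDS-AzTask)" if cls == "msds-aztask" and "true" in flags else cls
                problems.append(f"{dn}: {kind} is under {parent_rdn(dn)!r}, expected {container!r}")
    return problems


# Constructed sample mimicking an ldifde export; the Auditor definition has
# been moved into the role container, the mistake described in post #1.
SAMPLE_LDIF = """\
# constructed sample, not a real ADAM export
version: 1

dn: CN=Approver,CN=AzTaskObjectContainer,CN=Expenses,
 CN=mystore,CN=AzStores,DC=contoso,DC=com
objectClass: top
objectClass: msDS-AzTask
cn: Approver
msDS-AzTaskIsRoleDefinition: TRUE
description:: QXBwcm92ZXMgZXhwZW5zZSBjbGFpbXM=

dn: CN=Approver,CN=AzRoleObjectContainer,CN=Expenses,CN=mystore,CN=AzStores,DC=contoso,DC=com
objectClass: top
objectClass: msDS-AzRole
cn: Approver

dn: CN=Auditor,CN=AzRoleObjectContainer,CN=Expenses,CN=mystore,CN=AzStores,DC=contoso,DC=com
objectClass: top
objectClass: msDS-AzTask
cn: Auditor
msDS-AzTaskIsRoleDefinition: TRUE
"""

if __name__ == "__main__":
    for problem in check_placement(parse_ldif(SAMPLE_LDIF)):
        print(problem)
```

    Run it against the real export (`ldifde -f store.ldf -d "cn=mystore,cn=AzStores,dc=contoso,dc=com" -s ADAMServer -t ADAMport` produces the input) before `ldifde -i`; anything it reports is an object that will import but not appear in AzMan.msc.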

  3. Thanks, Lee! I was thrown by Role Definitions vs Role Assignments. It still
    puzzles me why Role Definitions are placed in a "task" container, but I did
    get it all to work now: a full AzMan store deployment using an LDIF file.
     
    Patrick Barnes, Dec 31, 2004
    #3