Dmitri Gavrilov [MSFT]
Newsgroups: microsoft.public.windows.server.active_directory
From: "Dmitri Gavrilov [MSFT]" <dmit...@online.microsoft.com>
Date: Tue, 10 Aug 2004 10:15:26 -0700
Subject: Re: Using ADAM w/AD to support an application.....
ADAM is a good match for your app.

Here's what you can do. You can bind to ADAM as a Windows user; you do this
by using a secure bind type. Make sure the Windows user has sufficient
rights to read ADAM objects. The simplest (but the most coarse) way to do
this is to add Authenticated Users or Domain Users as a member of ADAM's
Readers group.

Now, you can create an object in ADAM to store your user's data. You create
your own class in the schema with all required attributes. Now, you have to
link your AD user to your ADAM "user data" object somehow. One way is to use
some ADAM attribute as a key. For example, you create an octet string
attribute userSid, and put your AD user's sid there. Then, after you bind,
you get user's SID from the token and do a search in ADAM for
(userSid=sidValue). Make sure userSid is an indexed attribute.

UserProxy provides exactly this type of functionality. objectSid that is
written in the proxy object is the key pointing to an AD user. When you do a
proxy bind, you automatically have the "user data" object, it is your proxy.
You are free to extend the proxy class with your own attributes.

The downside of using userProxy is that it only supports simple ldap binds,
which are not secure. The password travels across the wire in clear text.
And this is your user's Windows password! By default, we require that proxy
bind is done on an encrypted connection (SSL or encrypted LDAP).

So, in general, we recommend that you implement your own "linking" and use
secure bind and authenticate as a Windows principal. But I see that it is
way simpler for you to use userProxy, and many people actually use them for
this exact reason.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Mike S." <Mi...@discussions.microsoft.com> wrote in message
news:6977EE69-198B-4E0D-8335-BAC523DD4867@microsoft.com...
> I'm new to ADAM, and looking for info on how to use it in an AD environment
> to support an application.  Currently, the app has a custom XML-based config
> file that must be installed on every server.  Many of the entries also
> involve specific AD user accounts (i.e. defining what a user can/can't do on
> the server).  Instead of having to manually administer separate XML files on
> each app server, I'd like to use ADAM to centrally admin (and be able to
> report on) configs for all servers deploying the app.
>
> The easy part would be to create a separate object for each server.  When
> starting up, the server queries ADAM for config info then starts.  It's the
> user connections AFTER the server starts that I'm having trouble with....
>
> I've seen where ADAM can use a "userproxy" object to authenticate users
> against AD.  What I'd like to do is have users connect to the application
> server, which in turn queries ADAM with the user's Windows credentials.  ADAM
> validates the credentials against AD, and then returns a set of attributes
> from its own directory about the user to the application.
>
> Where can I find more information on how to do this?  White papers,
> how-to's, case studies, shaman voodoo rituals, etc?  The info that comes with
> ADAM is pretty sparse, as are web-searches on MSFT and Google on this issue.
>
> TIA,
> Mike

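The (userSid=sidValue) lookup that Dmitri describes has one detail that trips people up: a SID stored in an octet-string attribute is binary, so the filter value has to be hex-escaped per RFC 4515 rather than pasted in as "S-1-5-...". The following is an added example, not code from the thread or from ADAM; the attribute name userSid and the sample SIDs are assumptions (the SIDs are constructed, not real accounts). The reverse parser lets you check the value read back from a proxy's objectSid against the SID taken from the bound user's token.

```python
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Serialize an SDDL-style SID string into the binary layout stored in an
    octet-string attribute: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then each sub-authority as a
    32-bit little-endian integer."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    sub_auths = [int(p) for p in parts[3:]]
    if revision != 1 or len(sub_auths) > 15 or authority >= 1 << 48:
        raise ValueError(f"SID out of range: {sid!r}")
    return (bytes([revision, len(sub_auths)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sub_auths))


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; use it to read objectSid / userSid values back
    and compare them with the SID from the caller's token."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("malformed binary SID")
    count = raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("binary SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    sub_auths = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", "1", str(authority), *map(str, sub_auths)])


def escape_filter_bytes(raw: bytes) -> str:
    """RFC 4515 escaping: every byte becomes \\XX, so the server's filter parser
    never sees '(', ')', '*', '\\' or NUL as syntax."""
    return "".join(f"\\{b:02x}" for b in raw)


def sid_search_filter(sid: str, attribute: str = "userSid") -> str:
    """Build the (userSid=sidValue) filter from the thread; the attribute name
    is the one Dmitri suggests and is an assumption here."""
    return f"({attribute}={escape_filter_bytes(sid_to_bytes(sid))})"


if __name__ == "__main__":
    sample = "S-1-5-21-1-2-3-500"  # constructed sample, not a real account
    print(sid_search_filter(sample))
```

The same escaping applies when searching AD itself by objectSid, and the filter only performs well if the attribute is indexed, as the post notes.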
