The easy part would be to create a separate object for each server. When
starting up, the server queries ADAM for config info then starts. It's the
user connections AFTER the server starts that I'm having trouble with....
I've seen where ADAM can use a "userproxy" object to authenticate users
against AD. What I'd like to do is have users connect to the application
server, which in turn queries ADAM with the user's Windows credentials. ADAM
validates the credentials against AD, and then returns a set of attributes
from its own directory about the user to the application.
Where can I find more information on how to do this? White papers,
how-to's, case studies, shaman voodoo rituals, etc? The info that comes with
ADAM is pretty sparse, as are web-searches on MSFT and Google on this issue.
TIA,
Mike
Here's what you can do. You can bind to ADAM as a Windows user, you do this
by using a secure bind type. Make sure the windows user has sufficient
rights to read ADAM objects. The simplest (but the most coarse) way to do
this is to add Authenticated Users or Domain Users as a member of ADAM's
Readers group.
Now, you can create an object in ADAM to store your user's data. You create
your own class in the schema with all required attributes. Now, you have to
link your AD user to your ADAM "user data" object somehow. One way is to use
some ADAM attribute as a key. For example, you create an octet string
attribute userSid, and put your AD user's sid there. Then, after you bind,
you get user's SID from the token and do a search in ADAM for
(userSid=sidValue). Make sure userSid is an indexed attribute.
UserProxy provides exactly this type of functionality. objectSid that is
written in the proxy object is the key pointing to an AD user. When you do a
proxy bind, you automatically have the "user data" object, it is your proxy.
You are free to extend the proxy class with your own attributes.
The downside of using userProxy is that it only supports simple ldap binds,
which are not secure. The password travels across the wire in clear text.
And this is your user's Windows password! By default, we require that a proxy
bind be done on an encrypted connection (SSL or encrypted LDAP).
So, in general, we recommend that you implement your own "linking" and use
secure bind and authenticate as a windows principal. But I see that it is
way simpler for you to use userProxy, and many people actually use them for
this exact reason.
--
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
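The "linking" Dmitri describes (bind as the Windows principal, take the SID from the token, then search for (userSid=sidValue)) has two details that trip people up: the SID must be in the same binary layout that an octetString attribute stores, and a binary value must be hex-escaped per RFC 4515 before it is placed in a filter. The following is an added Python example, not code from this thread, from ADAM or from its SDK. The attribute name userSid is taken from the post; the sample SIDs are constructed; obtaining the caller's SID from the logon token is outside the example, so it is passed in as a string.

```python
"""Build the ADAM lookup described in the thread: convert the caller's
Windows SID into the binary form an octetString attribute holds and
produce a safely escaped LDAP search filter for it."""
import struct

SID_REVISION = 1
MAX_SUB_AUTHORITIES = 15


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout: revision (1 byte),
    sub-authority count (1 byte), identifier authority (6 bytes, big-endian),
    then each sub-authority as a 4-byte little-endian integer."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    sub_authorities = [int(p) for p in parts[3:]]
    if revision != SID_REVISION:
        raise ValueError(f"unsupported SID revision {revision}")
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 6 bytes")
    if len(sub_authorities) > MAX_SUB_AUTHORITIES or any(s >= 1 << 32 for s in sub_authorities):
        raise ValueError("too many or too large sub-authorities")
    raw = struct.pack("<BB", revision, len(sub_authorities))
    raw += authority.to_bytes(6, "big")
    raw += struct.pack("<%dI" % len(sub_authorities), *sub_authorities)
    return raw


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID read back from ADAM (for example the objectSid stored
    on a userProxy) into the familiar S-1-5-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def ldap_filter_escape(value: bytes) -> str:
    """RFC 4515 escaping: emit every byte as \\XX. Hex-escaping all bytes is
    always valid and is the only safe way to put a binary value (or untrusted
    input) into a search filter without it being parsed as filter syntax."""
    return "".join("\\%02x" % b for b in value)


def build_user_lookup_filter(sid: str, attribute: str = "userSid") -> str:
    """The search filter from the post: (userSid=<binary SID>), with the SID
    encoded and escaped so the equality match hits the indexed octetString."""
    return "(%s=%s)" % (attribute, ldap_filter_escape(sid_string_to_bytes(sid)))


if __name__ == "__main__":
    # Constructed sample SID; in the real flow it comes from the caller's logon token.
    sample = "S-1-5-21-3623811015-3361044348-30300820-1013"
    print(build_user_lookup_filter(sample))
    print(sid_bytes_to_string(sid_string_to_bytes(sample)))
```

The same escaping function should be used for any value that ends up in a filter, SID or not: building the filter by string concatenation from a raw value is how LDAP filter injection happens, and hex-escaping sidesteps the special characters entirely.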
"Mike S." <Mi...@discussions.microsoft.com> wrote in message
news:6977EE69-198B-4E0D...@microsoft.com...
- You said that using the UserProxy causes the password to be sent via
clear-text. If a user has already logged in to AD, is this true as well?
Maybe I'm not understanding this that well, but I thought if a DC had
authenticated you, you received a token that was then used when connecting to
other resources on the network. If ADAM is used in this instance, does the
bind process require another login? Or can a bind occur with a token
generated during an AD login?
- Is there a "how-to" or "step-by-step" example of how to program this out
there? I'm relearning VB, and would probably understand this better by
seeing a sample project or some code.
Thanks again,
Mike
"Mike S." <Mi...@discussions.microsoft.com> wrote in message
news:82DB98EA-71EE-46B9...@microsoft.com...
> Thanks Dmitri. I appreciate the info. One or two more questions, though
> (and I apologize for sounding like a "noob", but if the shoe fits...... :-)
>
> - You said that using the UserProxy causes the password to be sent via
> clear-text. If a user has already logged in to AD, is this true as well?
> Maybe I'm not understanding this that well, but I thought if a DC had
> authenticated you, you received a token that was then used when connecting
> to other resources on the network. If ADAM is used in this instance, does
> the bind process require another login? Or can a bind occur with a token
> generated during an AD login?
UserProxy is an object in ADAM. When you bind as an object in ADAM, you must
use ldap_simple_bind, which sends the pwd in clear text over the wire. You
can protect it by using an encrypted connection.
When you bind as a Windows user (not as a proxy!), then a secure bind
mechanism is used (ldap_bind). In this case, the password is never sent over
the wire, only some hashes are.
>
> - Is there a "how-to" or "step-by-step" example of how to program this out
> there? I'm relearning VB, and would probably understand this better by
> seeing a sample project or some code.
There's an ADAM SDK on MSDN. There's some sample code in ADAM.CHM that came
with the package. Plus there's an excellent doc called ADAM Technical
Reference, somewhere on the MS site.