Re: DSACLS for ADAM permission & ADSI for ADAM authentication

From: Sasi (anonymous_at_discussions.microsoft.com)
Date: 04/16/04


Date: Fri, 16 Apr 2004 13:01:06 -0700

Hello,

  Thanks for the information, the command worked but it does not seem to have an effect on the permissions. Actually
when I used the command
"dsacls.exe \\localhost:389\ou=company,dc=testdom,dc=com /I:T /G "NT AUTHORITY\SELF":GR".

It says it granted the permission, but when I use the ldp tool to authenticate a user which is under the ou=company it authenticates, but when I search for the attributes it brings nothing. Here is the message

***Searching...
ldap_search_s(ld, "DC=testdom,DC=com", 1, "(samaccountname=user*)", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 0 entries:

  Also I tried the following command to grant an appid "cn=webapp" to be able to read only the givenName, but it is not working the way I understood. Could you please let me know whether the command is correct or not?

dsacls.exe \\localhost:389\ou=users,ou=company,DC=testdom,DC=com /N /G "cn=webapp,ou=apps,dc=testdom,dc=com":RP;givenName;

 It says it successfully granted the special permission Read for the object webapp to the property "givenName", but it seems not to be working: when I tried to authenticate against the LDAP it authenticates and searches all the users with all the attributes. The WEBAPP is also a member of the CN=Readers group.

Thanks,
Sasi
     ----- Dmitri Gavrilov [MSFT] wrote: -----
     
     The simplest way to do this is to add Users group to Readers role. Then each
     user will be able to read anything in this partition.
     
     If you want to only allow reading his own object, then you need to:
     1) grant LIST_CONTENTS on the container to the user (or better to Users
     group)
     2) grant READ_PROPERTY on the user object. You can add an inheritable ACE at
     the container level granting READ_PROPERTY to NT AUTHORITY\SELF.
     
     What you are missing in your dsacls call is server and port. It should be
     something like this:
     
     dsacls.exe \\servername:port\ou=users,ou=app,dc=testdom,dc=com /I:T /G "NT
     AUTHORITY\SELF":GR
     
     --
     Dmitri Gavrilov
     SDE, Active Directory Core
     
     This posting is provided "AS IS" with no warranties, and confers no rights.
     Use of included script samples are subject to the terms specified at
     http://www.microsoft.com/info/cpyright.htm
     
     "Sasi" <anonymous@discussions.microsoft.com> wrote in message
     news:2C5A777A-9691-4F73-B285-F43EBA92B20F@microsoft.com...
     > Hello
     >
     > I was trying to work with AD for authentication and ADAM for application
     > info, I am able to define proxy objects in the ADAM. Now when I create a
     > user of inetOrgPerson in ADAM and when I connect to ADAM using the ldp it
     > authenticates but it does not read its own information. The problem we are
     > having is when we are using VB ADSI it is failing when it tries to authenticate
     > to itself. I supposed the problem is when it binds it tries to read its own
     > information for which it does not have permission and so it fails.
     >
     > Now I am trying to grant self read for all the inetOrgPerson and
     > userProxy objects using DSACLs but it's not working somehow. Here is the
     > command I am using for defining the acls..
     >
     > dsacls.exe ou=users,ou=app,dc=testdom,dc=com /G cn=user
     > test,ou=users,ou=app,dc=testdom,dc=com:GA;;inetOrgPerson
     >
     > Or I tried the below also
     >
     > dsacls.exe ou=users,ou=app,dc=testdom,dc=com /G cn=user
     > test,ou=users,ou=app,dc=testdom,dc=com:GA;;userProxy
     >
     > A lot of times it's saying "Parameter is incorrect" or "No Sid defined for
     > the object" or "No Specified file found on server".
     >
     > Could someone give me a sample of the dsacls cmds for defining read
     > permissions for self to inetOrgPerson / userProxy, or please let me know if
     > there is a way to grant default self read when creating inetOrgPerson or
     > userProxy. Because our application needs the inetOrgPerson or userProxy
     > should be able to read themselves and the application id should be able to
     > read all the users. So we added the appid to the
     > cn=readers,cn=roles,dc=testdom,dc=com group and we haven't defined any group
     > for the inetOrgPerson or userProxy objects.
     >
     > Thanks in Advance,
     > Sasi
     >
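The two grants described in Dmitri's reply (LIST_CONTENTS on the container, an inheritable READ_PROPERTY ACE to NT AUTHORITY\SELF) and the property-specific givenName grant from Sasi's second command, applied through System.DirectoryServices instead of dsacls and then checked by binding as one of the ADAM users. This is an added example, not code posted in the thread. It assumes things the page does not state: the ADAM instance listens on localhost:389, the script runs as a Windows account holding the instance's Administrators role, and the port accepts simple binds (as the ldp test in the thread implies). The function names (Get-Entry, Get-Sid, Get-SchemaIdGuid, New-Ace, Test-SelfRead) are the example's own.

```powershell
# Added example; not code from the thread. Applies LIST_CONTENTS on the container,
# inheritable READ_PROPERTY to SELF, and READ_PROPERTY on givenName only for the
# webapp account, via System.DirectoryServices, then verifies with a user bind.
# Assumed (not stated on the page): ADAM on localhost:389, script runs under an
# account in the instance's Administrators role, simple binds accepted on the port.

Add-Type -AssemblyName System.DirectoryServices

$server    = 'localhost:389'
$partition = 'dc=testdom,dc=com'
$ouDn      = "ou=users,ou=company,$partition"     # container named in the thread

function Get-Entry([string]$dn) {
    [System.DirectoryServices.DirectoryEntry]::new("LDAP://$server/$dn")
}

# An ACE names its principal by SID. ADAM users and roles carry one in objectSid;
# NT AUTHORITY\SELF is the well-known SID S-1-5-10.
function Get-Sid([string]$dn) {
    $bytes = [byte[]](Get-Entry $dn).Properties['objectSid'].Value
    [System.Security.Principal.SecurityIdentifier]::new($bytes, 0)
}

# A property-specific ACE identifies the attribute by its schemaIDGUID; read it
# from this instance's schema instead of hard-coding it.
function Get-SchemaIdGuid([string]$ldapDisplayName) {
    $schemaDn = [string](Get-Entry 'RootDSE').Properties['schemaNamingContext'].Value
    $searcher = [System.DirectoryServices.DirectorySearcher]::new(
        (Get-Entry $schemaDn), "(lDAPDisplayName=$ldapDisplayName)", [string[]]@('schemaIDGUID'))
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "attribute '$ldapDisplayName' is not in the schema" }
    [Guid]::new([byte[]]$hit.Properties['schemaidguid'][0])
}

# Allow ACE; with an objectType GUID it applies to that one attribute only.
function New-Ace($identity, $right, $inh, [Guid]$objectType = [Guid]::Empty) {
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    if ($objectType -eq [Guid]::Empty) {
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($identity, $right, $allow, $inh)
    } else {
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($identity, $right, $allow, $objectType, $inh)
    }
}

$ou      = Get-Entry $ouDn
$acl     = $ou.ObjectSecurity
$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$self  = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-10')
$users = Get-Sid "cn=Users,cn=Roles,$partition"      # ADAM Users role
$app   = Get-Sid "cn=webapp,ou=apps,$partition"

# 1) LIST_CONTENTS (dsacls LC) on the container for the Users role so a bound
#    user may enumerate the OU. Not inherited: it is a right on the container.
$acl.AddAccessRule((New-Ace $users $rights::ListChildren $inherit::None))

# 2) READ_PROPERTY (dsacls RP) to SELF, inherited by every object under the OU.
#    On each user object SELF resolves to that user, so a user reads only itself.
$acl.AddAccessRule((New-Ace $self $rights::ReadProperty $inherit::Descendents))

# 3) READ_PROPERTY on givenName only (dsacls RP;givenName) for the webapp account.
$acl.AddAccessRule((New-Ace $app $rights::ReadProperty $inherit::Descendents (Get-SchemaIdGuid 'givenName')))

$ou.CommitChanges()   # writes nTSecurityDescriptor back to the container

# Verify as a user in the OU: simple bind with the ADAM DN and password, then a
# base-scope read of the user's own entry, which needs both ACEs to be in effect.
function Test-SelfRead([string]$userDn, [string]$password) {
    $me = [System.DirectoryServices.DirectoryEntry]::new(
        "LDAP://$server/$userDn", $userDn, $password,
        [System.DirectoryServices.AuthenticationTypes]::None)
    $s = [System.DirectoryServices.DirectorySearcher]::new($me, '(objectClass=*)', [string[]]@('givenName', 'sn'))
    $s.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $hit = $s.FindOne()
    if (-not $hit -or $hit.Properties['givenname'].Count -eq 0) {
        throw 'bind succeeded but the entry came back empty: LC/RP not effective'
    }
    $hit.Properties['givenname'][0]
}

Test-SelfRead "cn=user test,$ouDn" (Read-Host -Prompt 'password for cn=user test')
```

Two things worth checking against the ldp output above. The ldp search was a subtree search from DC=testdom,DC=com, which only returns the user's object if the bound user also holds LIST_CONTENTS on every container between that base and the object (here dc=testdom,dc=com and ou=company); a base-scope search on the user's own DN, as in Test-SelfRead, needs the grants on the OU only. And an allow ACE can only add rights: since the webapp account is in the Readers role, which per Dmitri's reply can read anything in the partition, a givenName-only ACE does not narrow what it can read; to restrict it, take it out of Readers and leave it with the property-specific grant.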
