Re: ADAM and Authorization and Profile Application Block

From: svesax (sveto.compri_at_gmail.com)
Date: 10/29/04


Date: 29 Oct 2004 07:26:55 -0700

Hi, I have found a compromise to my problem (using Authorization and
Profile Application Block with ADAM).
What I have seen in my little research is also the Authorization
Manager (azMan) present in Win2003.
I liked very much the model of azMan, really complete with roles,
tasks, operations and so on...
The problem now was for me integrating Authorization and Profile
Application Block, azMan and ADAM.
Natively, when you install Authorization and Profile Application
Block, it comes with an azMan provider,
but azMan natively can use only users from AD, not from ADAM.
Then the steps for integration are:
-install Authorization and Profile Application Block
-personalize the provider (azManProvider) for getting the context of users
in the Authorization Store NOT coming from AD, but from ADAM.
 this is possible using InitializeClientContextFromStringSid where you
have to pass a SID rather than a token.
 the example in http://www.ftponline.com/vsm/codepage.asp?loccode=vs0405dd
shows how to do this.
 this is the modified provider:
 
        // Build an AzMan client context for the caller: Windows callers are
        // resolved from their token, ADAM callers from the string SID carried
        // by the custom AdamIdentity.
        private IAzClientContext GetClientContext(IIdentity identity,
            String applicationName, out IAzApplication azApp)
        {
            IAzClientContext clientCtx = null;

            // azManStore is the store location configured for the provider
            // (an msldap:// URL for a store kept in ADAM, or an XML file path).
            AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
            Debug.Assert(store != null, "store should not be null");

            store.Initialize(0, azManStore, null);
            azApp = store.OpenApplication(applicationName, null);
            Debug.Assert(azApp != null, "could not open the application");

            switch (identity.AuthenticationType)
            {
                case "NTLM":
                    WindowsIdentity winIdentity = identity as WindowsIdentity;
                    if (winIdentity == null)
                    {
                        throw new SecurityException(ResourceTable.GetString(ResourceTable.WinIdentity));
                    }
                    // Token is an IntPtr; AzMan expects the handle as a UInt64,
                    // so convert through ToInt64() (a direct cast does not compile).
                    clientCtx = azApp.InitializeClientContextFromToken(
                        (UInt64)winIdentity.Token.ToInt64(), null);
                    break;

                case "ADAM":
                    BancaWoolwich.Profilation.ADAM.AdamIdentity adamIdentity =
                        identity as BancaWoolwich.Profilation.ADAM.AdamIdentity;
                    if (adamIdentity == null)
                    {
                        throw new SecurityException(ResourceTable.GetString(ResourceTable.ADAMIdentity));
                    }
                    // ADAM users are not Windows principals: build the context from
                    // the user's string SID and ask AzMan to skip Windows group lookup.
                    clientCtx = azApp.InitializeClientContextFromStringSid(
                        adamIdentity.AdamUserSID,
                        (int)tagAZ_PROP_CONSTANTS.AZ_CLIENT_CONTEXT_SKIP_GROUP,
                        null);
                    break;

                default:
                    // No mapping into the store for other authentication types: fail closed.
                    throw new SecurityException("unsupported authentication type: "
                        + identity.AuthenticationType);
            }

            Debug.Assert(clientCtx != null, "could not get the context");
            return clientCtx;
        }

 as you note, you have to pass an identity containing the ADAM SID of the
user. This is possible by modifying the Identity class
 adding a property (in my code it is adamIdentity.AdamUserSID)

-Authorization Manager permits you to save the store in XML or Active
Directory. I prefer to save Authorization information (roles,
operations...)
 in ADAM, not in an XML file. To do so, you have to create a store from
the Auth Manager MMC by setting the location of the store
 like this: msldap://localhost:389/CN=AuthorizationStore,DC=MyPartition,DC=MyOrganization,DC=COM.
 To do this, when you install ADAM you have to import the classes User AND
AzMan. Then you can pass this store location to the provider.
 
The result of this is:
-You have your users in ADAM
-You can create and assign operations to roles with the MMC Authorization
Manager (very cool...)
-The definitions of roles, operations... are saved in ADAM
-You have to map users in ADAM to roles in the Authorization Store with an
application (not with the MMC, because the MMC permits mapping only AD users).
The example Sync is contained in
http://www.ftponline.com/vsm/codepage.asp?loccode=vs0405dd
-You have the flexibility of Authorization and Profile Application
Block that permits you to create another provider (I have created one
that reads authorization information from an XML file without using
azMan (for Windows 2000 machines that do not have AdminPak 2003)

Remember Authorization Manager comes with Windows 2003 natively, but
you can install it on XP by downloading the AdminPak for 2003 from the
Microsoft site.
I have not found AdminPak 2003 for Windows 2000; if somebody has it,
please write.
This is all, maybe it was obvious for somebody, but not for me...
bye and enjoy,
sveto
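A worked example of the pieces the message only names, added here and not part of sveto's post or of the Application Block's own code: an AdamIdentity with the AdamUserSID property, a lookup that reads a user's objectSid from ADAM and converts it to the string form InitializeClientContextFromStringSid expects, the user-to-role mapping that has to be done in code because the MMC only maps AD users, and an access check against the store. The ADAM paths, the application name, role name and operation ID passed by the caller are assumptions; the AZROLESLib interop types and System.DirectoryServices are the real ones.

```csharp
using System;
using System.DirectoryServices;
using System.Security;
using System.Security.Principal;
using System.Text;
using AZROLESLib;   // AzMan COM interop (azroles.dll), as used by the provider

// Assumed shape of the custom identity: it only has to report
// AuthenticationType "ADAM" and expose the user's SID as a string.
public sealed class AdamIdentity : IIdentity
{
    private readonly string name;
    private readonly string sid;

    public AdamIdentity(string name, string sid)
    {
        this.name = name;
        this.sid = sid;
    }

    public string Name { get { return name; } }
    public string AuthenticationType { get { return "ADAM"; } }
    public bool IsAuthenticated { get { return true; } }

    // SDDL string form of the ADAM objectSid ("S-1-..."), which is what
    // InitializeClientContextFromStringSid takes instead of a Windows token.
    public string AdamUserSID { get { return sid; } }
}

public static class AdamAzMan
{
    // Assumed locations: the users container of the ADAM partition and the
    // AzMan store created in the same partition (AzMan schema imported).
    private const string UsersPath =
        "LDAP://localhost:389/CN=Users,DC=MyPartition,DC=MyOrganization,DC=COM";
    private const string StorePath =
        "msldap://localhost:389/CN=AuthorizationStore,DC=MyPartition,DC=MyOrganization,DC=COM";

    // Escape a value before placing it in an LDAP filter (RFC 4515), so a
    // caller-supplied user name cannot change the meaning of the query.
    private static string EscapeLdapValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Find the user in ADAM and turn its binary objectSid into a string SID.
    // Binds with the process identity, which ADAM must allow to read the container.
    public static AdamIdentity ResolveUser(string userName)
    {
        using (DirectoryEntry root = new DirectoryEntry(UsersPath, null, null, AuthenticationTypes.Secure))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(cn=" + EscapeLdapValue(userName) + "))";
            searcher.PropertiesToLoad.Add("objectSid");

            SearchResult result = searcher.FindOne();
            if (result == null)
            {
                throw new SecurityException("ADAM user not found: " + userName);
            }
            byte[] rawSid = (byte[])result.Properties["objectSid"][0];
            return new AdamIdentity(userName, new SecurityIdentifier(rawSid, 0).Value);
        }
    }

    private static IAzApplication OpenApplication(string applicationName)
    {
        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, StorePath, null);
        return store.OpenApplication(applicationName, null);
    }

    // The mapping the MMC cannot do for ADAM users: add the SID as a role member.
    public static void AssignRole(AdamIdentity identity, string applicationName, string roleName)
    {
        IAzApplication app = OpenApplication(applicationName);
        IAzRole role = app.OpenRole(roleName, null);
        role.AddMember(identity.AdamUserSID, null);
        role.Submit(0, null);
    }

    // Ask the store whether the ADAM user may perform one application-level operation.
    public static bool IsAllowed(AdamIdentity identity, string applicationName, int operationId)
    {
        IAzApplication app = OpenApplication(applicationName);
        IAzClientContext ctx = app.InitializeClientContextFromStringSid(
            identity.AdamUserSID, (int)tagAZ_PROP_CONSTANTS.AZ_CLIENT_CONTEXT_SKIP_GROUP, null);

        object[] scopes = new object[] { "" };                 // "" = application scope
        object[] operations = new object[] { operationId };
        object[] results = (object[])ctx.AccessCheck(
            "ADAM user " + identity.Name, scopes, operations, null, null, null, null, null);

        return (int)results[0] == 0;   // one result per operation; 0 (NO_ERROR) = granted
    }
}
```

Typical use is `AdamAzMan.AssignRole(AdamAzMan.ResolveUser("alice"), "MyApp", "Manager")` once at provisioning time and `AdamAzMan.IsAllowed(identity, "MyApp", 1)` at request time; AccessCheck returns a result per operation passed, so a denied operation shows up as a non-zero entry rather than an exception, and the caller should treat anything other than 0 as denied.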

"Lee Flight" <lef@le.ac.uk-nospam> wrote in message news:<#GZQ3$etEHA.3984@TK2MSFTNGP09.phx.gbl>...
> Hi
> if you have a serious intent to look at this I would strongly
> recommend that you obtain the AzMan QFE that Eric
> referred to as it will allow you to use ADAM as a user store.
> This added functionality may well change your line of investigation.
>
> Let us know how you get on,
>
> Lee Flight
>
> "svesax" <sveto.compri@gmail.com> wrote in message
> news:78d60168.0410190606.233c5447@posting.google.com...
> >I have seen something on the internet suggested by everybody but like you
> > say there isn't anything really integrated between Authorization and
> > Profile Application Block and ADAM.
> > I really like the azMan model, which permits manipulating roles, tasks and
> > operations together but unfortunately this is not integrated in ADAM.
> > I see you can use azMan with an XML file store, where you configure
> > everything, and then you have to import ADAM users through their SID
> > (very nice sample in
> > http://www.ftponline.com/vsm/codepage.asp?loccode=vs0405dd), but I see
> > something not nice in this:
> > -you have two resources to maintain (ADAM and the XML file store)
> > -this solution does not use the MS application block
> >
> > I think a nice (and maybe quick) solution can be achieved by:
> > -taking the Quick start sample from Authorization and Profile
> > Application Block and adjusting it with the sample above (that has ADAM
> > users through SID). this has the benefit of reusing the azMan component
> > and appBlock.
> > OR
> > -writing another provider in the block that maps directly to ADAM (then
> > using roles in ADAM and operations or tasks as ADAM objects (maybe
> > properties))...
> >
> > Any idea??
> > tx


