Re: Bug in ADAM/AzMan integration? Roles placed in AzTaskObjectCon
From: Patrick Barnes (PatrickBarnes_at_discussions.microsoft.com)
Date: 12/31/04
- Next message: Lee Flight: "Re: MS ADAM/AD: Absolute simplest repl/sync solution for MS ADAM on 2 or more WinXP machines?"
- Previous message: Michael Herman \(Parallelspace\): "Re: MS ADAM/AD: Absolute simplest repl/sync solution for MS ADAM on 2 or more WinXP machines?"
- In reply to: Lee Flight: "Re: Bug in ADAM/AzMan integration? Roles placed in AzTaskObjectContain"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 30 Dec 2004 20:49:01 -0800
Thanks, Lee! I was thrown by Role Definitions vs Role Assignments. It still
puzzles me why Role Definitions are placed in a "task" container, but I did
get it all to work now: a full AzMan store deployment using an LDIF file.
"Lee Flight" wrote:
> Inline below...
>
> "Patrick Barnes" <PatrickBarnes@discussions.microsoft.com> wrote in message
> news:49174C45-A3E1-4302-95B2-581742C1956F@microsoft.com...
> > I'm on a project where we are storing Authorization Manager (AzMan) objects
> > in an ADAM partition. This appears to be fairly uncharted territory, so
> > perhaps no one else has seen this; but I've discovered that when I create a
> > role in AzMan.msc and then view it in ADAM ADSI Edit that the role is placed
> > in the AzTaskObjectContainer, not the AzRoleObjectContainer as I would expect.
>
> When I tried this I created a new Role definition for an application,
> that definition was created in AzTaskObjectContainer as an instance of the
> msDS-AzTask class.
>
> I then assigned the role under Role Assignments for the application in the
> AzMan MMC and the role was created in the AzRoleObjectContainer
> as an instance of the msDS-AzRole class.
>
> That seemed like reasonable behaviour and was the same for stores in both
> AD (W2003) and ADAM.
>
> > P.S. While I'm on it, I could find no documentation for opening or creating
> > an AzMan store in ADAM. Through trial and error my dev partner discovered
> > that you have to specify an LDAP connection string as the Store name (after
> > selecting the Active Directory option in the Open Authorization Store
> > dialog). For example:
> >
> > LDAP://localhost:1129/CN=Program Data,DC=contoso,DC=com
> >
> > Note that "CN=Program Data," must come before your partition name.
>
> Generally you want to create an application partition in ADAM
> e.g. DC=Contoso,DC=com and then create a container
> for your stores say, CN=AzStores and then in the AzMan MMC specify
>
> msldap://ADAMServer:ADAMport/cn=mystore,cn=AzStores,dc=contoso,dc=com
>
> i.e. specify a container below the parent and let AzMan create it.
>
>
> If you are interested in using ADAM principals in AzMan you might want to
> look at
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;883933
>
>
> Lee Flight
>
>
>
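The distinction Lee describes (a Role Definition stored as an msDS-AzTask, a Role Assignment as an msDS-AzRole) and his store URL convention, as an added PowerShell example against the AzRoles COM API; it is not code from the thread. ADAMSERVER, ADAMPORT, the store DN, the application name and the member SID are placeholders, and the parent container CN=AzStores,DC=contoso,DC=com is assumed to exist already so that AzMan can create CN=mystore beneath it.

```powershell
# Added example (not from the thread): create an AzMan store in ADAM and show
# why an MMC "Role Definition" lands in AzTaskObjectContainer.
# Placeholders: ADAMSERVER, ADAMPORT and the DNs below are assumptions. The
# parent container CN=AzStores must already exist (ADSI Edit or an LDIF import);
# AzMan creates the leaf CN=mystore itself, as Lee describes.
$storeUrl = "msldap://ADAMSERVER:ADAMPORT/CN=mystore,CN=AzStores,DC=contoso,DC=com"

$AZ_AZSTORE_FLAG_CREATE = 1   # IAzAuthorizationStore.Initialize: create a new store

$store = New-Object -ComObject "AzRoles.AzAuthorizationStore"
$store.Initialize($AZ_AZSTORE_FLAG_CREATE, $storeUrl, $null)
$store.Submit(0, $null)

$app = $store.CreateApplication("ContosoApp", $null)   # placeholder app name
$app.Submit(0, $null)

# An operation the role will grant; OperationID is the value the application
# passes to AccessCheck.
$op = $app.CreateOperation("ReadReport", $null)
$op.OperationID = 1
$op.Submit(0, $null)

# A "Role Definition" is an AzTask object with IsRoleDefinition = True. That is
# why the MMC-created role appears under AzTaskObjectContainer as msDS-AzTask.
$roleDef = $app.CreateTask("ReportReader", $null)
$roleDef.IsRoleDefinition = $true
$roleDef.AddOperation("ReadReport", $null)
$roleDef.Submit(0, $null)

# A "Role Assignment" is an AzRole object (msDS-AzRole, under
# AzRoleObjectContainer) that references the definition and lists the
# principals granted it. Keep membership to groups, not individual users.
$roleAssign = $app.CreateRole("ReportReader", $null)
$roleAssign.AddTask("ReportReader", $null)
$roleAssign.AddMember("S-1-5-21-PLACEHOLDER-1234", $null)   # placeholder group SID
$roleAssign.Submit(0, $null)

# Read back to confirm which object type each name was stored as.
foreach ($t in $app.Tasks) { "Task {0,-16} IsRoleDefinition={1}" -f $t.Name, $t.IsRoleDefinition }
foreach ($r in $app.Roles) { "Role assignment {0}" -f $r.Name }
```

Run it as an account that has write access to the AzStores container; the read-back loop prints ReportReader once as a task (IsRoleDefinition=True) and once as a role assignment, matching the two containers seen in ADSI Edit.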