Re: Architectural question for product security deployment
- From: evansight <evansight@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 23 Aug 2005 13:53:02 -0700
Hi Al, thanks for your fast reply.
Question on unattended deployment:
In order to bind to ADAM as a separate ADMIN user:
1) I Installed ADAM by first logging in a system admin and creating the
separate admin account on the ADAM serve ( A Win3K server box).
2) I then logged in again as that admin account
3) I then installed ADAM.
At first I tried to install ADAM as the system admin and then bind to the
ADAM server via the admin account. This did not work. I also tried running
the Access scripts to set permissions which also did not work. In any event,
I couldn't determine the right place to set the permission so that it would
be inherited by all other objects within the ADAM store.
Question on Binding to Windows Principal Object
We're able to code LDAP queries that access the user's account and then
instantiate a new Windows Principal Object. However, the desired process is
to enable the workstation to already be aware of the identity of the user in
a workgroup, as opposed to domain, connectivity scenario.
Question on changing another user's password as the ADMIN. Attempts to bind
as the ADMIN and use LDAP queries to change another user's password fail.
However other attributes can be updated. Is this prohibited as a matter of
policy or is there a different set of permissions needed to set passwords for
other users programmatically. The questsions are also the same for
programmatically locking a users account.
Thanks for your help!
--
- evansight
"Al Mulnick" wrote:
> I think you'll need to have some logic to figure out whether it's in domain
> or workgroup setting. That's something I envision as being like a wrapper
> around the setup process. You would make decisions based on that.
>
> Other thoughts inline.
>
> Al
>
>
>
> "evansight" <evansight@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:0E4284D9-FA09-47F4-BA8A-240737ED348C@xxxxxxxxxxxxxxxx
> > I'm fairly new to ADAM, though not to Active Directory. I've downloaded
> > ADAM
> > and have succesfully implemented some test users.
> >
> > I've been asked to deploy a VS .Net windows application software product
> > that potentially would utilize ADAM to manage and authenticate users via
> > role
> > based access. The product currently utilizes SQL Server 2000 for business
> > entitlements and for a transactional as well as analytic data store. I've
> > successfully set up sample users and a complete set of roles to which the
> > users are mapped as members.
> >
> > The existing application is a VS 2003 .Net remoting application that
> > includes a well defined set of layers for client and server processing.
> >
> > Here's our need:
> >
> > The goal is to find a way to deploy an identity management and policy
> > store
> > for a windows application that works in a network workgroup as well as a
> > domain environment, that can be automatically deployed through an
> > installation script, without manual configuration of a windows server.
> >
> > Before I started the project ADAM had been deployed successfully in a
> > workgroup environment. However, after my own redeployment,
> > reconfiguration
> > there are the following issues:
> >
> > 1) It does not appear that the store can be fully deployed without manual
> > configuration of the server environment. This is an issue since the
> > majority
> > of our target install base is not technically savvy and we don't have the
> > resources to send engineers to every site for an install.
> >
>
> When you say it requires manual setup, what exactly are you doing that you
> need manual interference?
>
>
> >
> > 2) It does not appear the Workgroup implementation allows a direct bind to
> > the Windows Principal object in the way that Active Directory does in a
> > domain solution. This seems to be verified by documentation for ADaM,
> > specifically the "Administering users and groups" table that shows that
> > integrated security is not supported in the Workgroup, as opposed to
> > Domain,
> > deployment.
> >
> > 3) Deployment of an ADMIN user who can, via .Net code, reset other user
> > passwords seems to be an issue. Perhaps this is just a permissions issue,
> > but I was pretty careful to set up the correctly delegated permissions of
> > the
> > ADAM ADMIN user account, including importing the fully defined schema for
> > users, e.g. inetorg, etc.
>
> Again, what steps are you taking here. I would expect that the credentials
> used to setup ADAM were sufficient for you to be able to do this. But I'm
> interested in the steps you took to see why it wasn't working for you.
>
>
> >
> > The identity management workflow we are trying to provide is a way for a
> > person in the ADMIN role to create new users through a custom interface,
> > and
> > assign or reassign temporary passwords. Upon subsequent logon, the user
> > set
> > up by the admin would then be prompted to set up a permanent password, as
> > well as create a security reminder (question and answer). While this
> > would
> > seem to be fairly standard workflow, I've not seen any complete scripting
> > examples.
> >
> > In summary, I'm looking for confirmation as to whether the above problems
> > are in fact known issues or ADAM product limitiations or if we're just not
> > following the right process. And if we're not following the right
> > process,
> > what would that be?
> >
> > Thank in advance for your help.
> >
> > --
> > - evansight
>
>
>
.
- Follow-Ups:
- Re: Architectural question for product security deployment
- From: Al Mulnick
- Re: Architectural question for product security deployment
- References:
- Architectural question for product security deployment
- From: evansight
- Re: Architectural question for product security deployment
- From: Al Mulnick
- Architectural question for product security deployment
- Prev by Date: Re: cmd.exe
- Next by Date: Keeping a user account from accessing more than 1 website
- Previous by thread: Re: Architectural question for product security deployment
- Next by thread: Re: Architectural question for product security deployment
- Index(es):
Relevant Pages
|
