Re: ADAM Permission Questions (Hiding the Existence of Objects)
- From: "Lee Flight" <lef@xxxxxxxxxxxxxxx>
- Date: Fri, 19 May 2006 01:52:49 +0100
Hi,
If I understand the first requirement, you want to hide the
attributeSchema object in the schema? Schema has Authenticated
Users Read inherit; I'm not sure how supported hiding schema
objects is...
On hiding objects in a naming context, you can use List Object mode,
as Christoffer points out, which will do what you want, but in addition to a
performance overhead, LO can be a real pain to manage due to the
absence of inheritance and the fine-grained permission management.
Lee Flight
"Jeffrey Harris" <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx> wrote in message
news:A99F9C68-CF09-4A33-BD76-4AC1D9324179@xxxxxxxxxxxxxxxx
I want to restrict access to OUs and attributes in ADAM; specifically, I want to hide them in the directory.

I know how to configure restrictions on attributes in the Application Directory using the searchFlags confidentiality bit, but is there a way to hide an attribute in the schema partition itself? I can restrict access to the attribute configuration in the schema partition by placing access controls on the attribute object itself, but I cannot determine how to actually hide the existence of the attribute itself (in our environment, these are application-specific attributes which only a bind account for the application should be accessing, so we do not want different application bind accounts to be able to see these attributes). If attributes can be hidden this way, will the inability of an account to see an attribute in the schema cause problems accessing user objects in the directory, even if those same accounts are prevented from accessing the values of the attributes by the confidentiality bit?

Similarly, is there a way to hide specific objects in the directory tree under a common leaf object without hiding all of them? If we have:

OU1 ---
    OUa
    OUb
    OUc

Is there a way to hide the existence of OUa and OUb from a specific account or group without hiding the existence of all of them by placing an access control on OU1? We want a specific account to be able to see OU1 and OUc in the directory tree, without seeing OUa and OUb. If we put the access control on OU1, then the account cannot see OUc without changing the base DN to OU=OUc. If we put the access controls on OUa and OUb, then the account can still see that OUa and OUb exist.
Thanks.
--
Jeffrey Harris, MCSE W2K.
Please remove the '1's from the e-mail address before sending.
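The two mechanisms discussed in this thread (the searchFlags confidentiality bit for attribute values, and List Object mode plus per-object List Object ACEs for hiding OUa and OUb while leaving OUc visible) can be applied from PowerShell through System.DirectoryServices. The script below is an added example by the editor, not code posted by either correspondent. Everything concrete in it is assumed: the ADAM instance on localhost:389, the configuration partition GUID, the application partition DC=app,DC=local, the ADAM user CN=AppBind,CN=Roles,DC=app,DC=local, its password, and the attribute name appSecretAttr. The rule it relies on is the one described in the replies: once the third character of dSHeuristics is 1, an account without List Contents on a container can still see a child for which it holds List Object (on the child and on the container). Note that, as Lee points out, the confidentiality bit protects only the attribute's values; the attributeSchema object itself stays readable by Authenticated Users.

```powershell
# Added example (not from the thread). All names below are assumptions.
Add-Type -AssemblyName System.DirectoryServices

$Server   = "localhost:389"
$ConfigNC = "CN=Configuration,CN={91F1E5B4-2F03-4BF9-8E62-5E6C8F8D0C0B}"  # assumed instance GUID
$AppNC    = "DC=app,DC=local"
$BindDn   = "CN=AppBind,CN=Roles,$AppNC"                                # assumed ADAM user

function Get-Entry([string]$Dn) {
    New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Dn")
}

# 1. Confidentiality bit: set bit 7 (0x80) of searchFlags on the attributeSchema object.
#    Hides the attribute's VALUES from accounts without Control Access on the object;
#    the attributeSchema entry itself remains visible in the schema partition.
function Set-ConfidentialAttribute([string]$LdapDisplayName) {
    $schema   = Get-Entry "CN=Schema,$ConfigNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema,
        "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))")
    $attr  = $searcher.FindOne().GetDirectoryEntry()
    $flags = [int]$attr.Properties["searchFlags"].Value      # null becomes 0
    $attr.Properties["searchFlags"].Value = $flags -bor 0x80
    $attr.CommitChanges()
}

# 2. List Object mode: third character of dSHeuristics on the Directory Service object = '1'.
function Enable-ListObjectMode {
    $dsa = Get-Entry "CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNC"
    $h = [string]$dsa.Properties["dSHeuristics"].Value
    if ($h.Length -lt 3) { $h = $h.PadRight(3, '0') }
    $dsa.Properties["dSHeuristics"].Value = $h.Substring(0, 2) + '1' + $h.Substring(3)
    $dsa.CommitChanges()
}

# 3. Per-object ACEs. InheritanceType None is deliberate: List Object has to be granted
#    object by object, which is the management cost Lee describes.
function Add-Ace([System.DirectoryServices.DirectoryEntry]$Entry,
                 [System.Security.Principal.SecurityIdentifier]$Sid,
                 [System.DirectoryServices.ActiveDirectoryRights]$Right,
                 [System.Security.AccessControl.AccessControlType]$Type) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Right, $Type, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $Entry.ObjectSecurity.AddAccessRule($rule)
    $Entry.CommitChanges()
}

# Deny List Contents on the parent (beats the inherited Allow the account gets as a reader),
# then grant List Object on the parent and on each child that should stay visible.
# Children without a List Object ACE (OUa, OUb) are not returned to this account.
function Set-ContainerVisibility([string]$ParentDn, [string[]]$VisibleChildDns) {
    $sidBytes = (Get-Entry $BindDn).Properties["objectSid"].Value   # ADAM users carry an objectSid
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $parent = Get-Entry $ParentDn
    Add-Ace $parent $sid "ListChildren" "Deny"
    Add-Ace $parent $sid "ListObject"   "Allow"
    foreach ($dn in $VisibleChildDns) {
        Add-Ace (Get-Entry $dn) $sid "ListObject" "Allow"
    }
}

# 4. Check as the restricted account: a one-level search under OU1 should list only OUc.
#    Assumes the instance accepts a simple bind on this port; otherwise use LDAPS (636).
function Get-VisibleChildren([string]$ParentDn, [string]$Password) {
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server/$ParentDn", $BindDn, $Password,
        [System.DirectoryServices.AuthenticationTypes]::None)
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, "(objectClass=*)")
    $s.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $s.FindAll() | ForEach-Object { $_.Properties["distinguishedname"][0] }
}

Set-ConfidentialAttribute "appSecretAttr"                               # assumed attribute
Enable-ListObjectMode
Set-ContainerVisibility "OU=OU1,$AppNC" @("OU=OUc,OU=OU1,$AppNC")
Get-VisibleChildren "OU=OU1,$AppNC" "AppBindPassword"                   # assumed password
```

Run it with an account that holds Administrators on the instance; the final search runs as AppBind and is the practical check that OUa and OUb no longer appear under OU1 while OUc does. Two caveats worth keeping in mind: the Deny on List Contents is non-inherited, so any containers below OU1 keep their normal behaviour, and because List Object ACEs do not propagate, every new child of OU1 that should be visible needs its own ACE.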