Re: ADAM : Beginner and need help
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 7 Dec 2006 11:58:49 -0600
AzMan probably isn't a good solution for Java, but the AzMan design might be
something you can reapply and you could possibly have your Java tool query
the AzMan policy store (most likely ADAM here as well) to use the same data
source. It might be a bunch of work, but it would give you something useful that
would work well across platforms. Just a thought...
Regarding your basic suggestion, I think you could do something like that no
problem. You might make this really simple by having a "permission" just be
a group and use a naming convention or a specific attribute value to flag
that particular group as representing a permission. You could also create a
schema extension that subclasses group. There are a bunch of options.
Leveraging the built in attributes for member/memberOf would be useful
though.
ADAM also supports the AD "tokenGroups" attribute which can be used to
generate nested membership info in a single query. You might take a look at
that, as it would allow you to jump straight from the user to permissions
(which is probably what you really want anyway).
Best of luck!
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"John Fly" <JohnFlyTn@xxxxxxx> wrote in message
news:1165500903.479284.85000@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Joe,
Thank you for your helpful reply. I wish I had stated
earlier that I'm going to have to implement this solution for JAVA
projects as well.
I'm going to look at Authorization Manager, thank you for the tip.
If I wanted to just set something very basic up in ADAM though, could I
have a structure like this (and have it make sense):
Users belong to Groups which belong to Permissions...
This would let me tie a user to a group with an easy LDAP query for
memberOf, then check those groups' memberOf attribute for
permissions (which are really just groups themselves).
Does this make any sense?
Joe Kaplan wrote:
You can definitely do this with ADAM if you want. ADAM makes a pretty good
store for users as it has nice support for objects that contain passwords
and a reasonable way to authenticate with that password using an LDAP bind.
ADAM can also support lots of password policy features that Windows supports
like length, history and complexity requirements and provide account lockout
if you want it.
ADAM also has support for groups and you can put whatever type of object you
want in it.
To create some sort of support for an abstract concept like a "permission",
you'd probably want to consider extending the schema to support something
like that. LDAP schema is different from what you are used to with SQL
(assuming you know SQL, which most application designer people do these
days), but it isn't too bad. Everything is just classes and attributes. It
would probably be good to do some reading to find out more about this
though. Extending the ADAM schema takes a bit more effort than changing the
schema of a SQL database and is far more permanent than SQL, so it is a good
idea to do a little more planning.
One thing you might want to consider is looking at Microsoft's application
authorization framework (called Authorization Manager or AzMan). It
actually has very strong support for role based security and has a very
useful programming concept called an "operation", which is a granular unit
that you use to apply security to what your application does. AzMan maps
operations to tasks, tasks to roles and then roles into security principals,
which are users and groups. Those can come from AD or ADAM.
I think you might be happier trying to apply AzMan to your programming
problem than to reinvent the wheel (although maybe not :)).
Best of luck. Start doing some Google searches to learn more.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"John Fly" <JohnFlyTn@xxxxxxx> wrote in message
news:1165432705.333002.192400@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,
I've been playing with ADAM for about 3-4 days now, I'm trying to see
if we can use it for user management for a number of software
applications. I am mostly needing to store (Users, Groups, Permissions)
i.e. A *User* is a member of one or more *Groups*. A *Group* is a set
of one or more *Permissions*. A *Permission* might be "View open orders".
Is this a correct use of ADAM?
if so...
I have been able to setup ADAM on windows server 2003 R2, and have
created an application partition.
Within the partition I have created a few users, and made these users
member of the built-in Roles(Administrators, Users)
ISSUE:
I am not certain how to progress from here. In what way can I
configure ADAM to best express my data in terms of
Users/Groups/Permissions?
Where might I find some tutorials / examples or similar material for
setting up ADAM in such a way?
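The user-to-permissions lookup via tokenGroups that Joe suggests, worked through as an added example (this code is not from the thread or from either poster). It goes a little beyond the thread: tokenGroups hands back binary SIDs, so the example also decodes them and escapes them into a single LDAP filter that resolves all of them to group objects in one search. Assumptions, none of which the thread states: permission groups are flagged by a "perm-" CN prefix (one of the naming-convention options Joe mentions); the directory is reached with the Python ldap3 library; the SID byte strings and the server/DN names are constructed test data.

```python
"""
Added example (not from the thread): go from a user to its effective
"permission" groups through ADAM's tokenGroups attribute.

Assumptions made here, none of them stated in the thread:
  * permission groups follow a naming convention, CN prefix "perm-";
  * the directory is reached with the ldap3 library (pip install ldap3);
  * the SID byte strings and names below are constructed test data.
"""
import struct
from typing import Iterable, Optional, Set

PERMISSION_PREFIX = "perm-"   # assumed naming convention for permission groups


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (what tokenGroups/objectSid hold) into S-1-5-21-... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), sub-authorities (4 bytes each, little-endian).
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used here to build the constructed sample data."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def ldap_escape_bytes(raw: bytes) -> str:
    """RFC 4515 escaping: every byte as \\xx, so a binary SID can sit inside a filter."""
    return "".join("\\%02x" % b for b in raw)


def build_sid_filter(sids: Iterable[bytes]) -> Optional[str]:
    """One OR filter that maps every tokenGroups SID to its group object in a single search.

    Returns None for an empty SID list, because "(|)" is not a valid filter.
    """
    clauses = "".join("(objectSid=%s)" % ldap_escape_bytes(s) for s in sids)
    if not clauses:
        return None
    return "(&(objectClass=group)(|%s))" % clauses


def permissions_from_groups(group_cns: Iterable[str]) -> Set[str]:
    """Apply the assumed naming convention: a group with CN 'perm-X' represents permission X."""
    n = len(PERMISSION_PREFIX)
    return {cn[n:] for cn in group_cns if cn.lower().startswith(PERMISSION_PREFIX)}


def effective_permissions(conn, base_dn: str, user_dn: str) -> Set[str]:
    """Two searches: tokenGroups on the user, then one lookup of all returned SIDs.

    tokenGroups is a constructed attribute and is only returned by a BASE-scope
    search on the user object itself; a subtree search that merely matches the
    user will not include it. conn is an ldap3.Connection (assumed library).
    """
    from ldap3 import BASE, SUBTREE   # assumed: pip install ldap3

    if not conn.search(user_dn, "(objectClass=*)", search_scope=BASE,
                       attributes=["tokenGroups"]):
        return set()
    # raw_values keeps the bytes as received, rather than any formatted string form
    raw_sids = list(conn.entries[0]["tokenGroups"].raw_values)
    flt = build_sid_filter(raw_sids)
    if flt is None:
        return set()
    conn.search(base_dn, flt, search_scope=SUBTREE, attributes=["cn"])
    return permissions_from_groups(str(e["cn"].value) for e in conn.entries)


# Constructed sample: what a tokenGroups read might hand back for one user.
SAMPLE_TOKEN_GROUPS = [
    string_to_sid("S-1-5-21-1004336348-1177238915-682003330-1104"),
    string_to_sid("S-1-5-21-1004336348-1177238915-682003330-1105"),
]

if __name__ == "__main__":
    print([sid_to_string(s) for s in SAMPLE_TOKEN_GROUPS])
    print(build_sid_filter(SAMPLE_TOKEN_GROUPS))
    # Against a live ADAM instance (hypothetical host and DNs):
    # from ldap3 import Server, Connection
    # conn = Connection(Server("adam.example.local", port=389),
    #                   user="CN=svc,OU=Users,O=App", password="...", auto_bind=True)
    # print(effective_permissions(conn, "O=App", "CN=jdoe,OU=Users,O=App"))
```

The same two-search pattern carries over to JNDI: read tokenGroups with SearchControls scope OBJECT_SCOPE on the user entry, then issue one subtree search with the OR filter. Whatever identity binds for these reads needs read access to the group objects' objectSid and cn, and nothing more.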