Re: Group Authentication against ADAM using WSS v3 provider model.
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 15 Jan 2007 12:23:36 -0600
Do you remember what role provider you were using when this was working,
because as far as I know, there is no LDAP-based role provider that ships
out of the box like an ActiveDirectoryRoleProvider. The membership/role
provider framework allows you to mix and match, so you could use AD (or
ADAM) for membership and SQL for roles (for example), but that wouldn't
allow you to take advantage of group membership in ADAM to drive the role
provider unless you had a sync going from ADAM to SQL via a different
channel.
What I can do if you are interested is send you the prototype AD role
provider for you to inspect. You'd then need to figure out how to change
the code that converts SIDs into friendly names to work in a way that would
give you ADAM-based friendly names (which is the crux of that whole
discussion from my previous message). Ch 10 from our book also discusses
some of these details from a different angle as well (see link in sig
below).
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Ratman" <Jake.Attis@xxxxxxxxx> wrote in message
news:1168881282.519631.13810@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I had at one point successfully implemented a role provider, using the
built in one, not a custom one. I was able to resolve the group names,
but not able to log in as a group member. I wonder if what you say is
related. I would like to discuss this further if you have the time.
Also, I seemed to have lost those settings that actually worked.
Thanks.
Joe Kaplan wrote:
You do need a role provider. We wrote one for AD that is a bit
experimental, but is basically functional. We never tested it with ADAM
though. ADAM has some particular issues with it because the naming model
for groups in ADAM is different.
To explain what I mean, in AD, a group could have a SAM name of "mygroup", a
SID of "S-1-5-20-xxxx" and an NT name of "domain\mygroup", as well as a
distinguished name in AD like CN=mgroup,OU=groups,DC=domain,DC=com. You
would generally refer to the group in Windows security as "domain\mygroup".
With ADAM, you don't really have any such thing as an NT account name. The
group just has a SID and a distinguished name that are guaranteed unique.
As such, you need to carefully consider how you want to refer to the ADAM
group by a friendly name. The DN and SID are both unwieldy. However, if
you choose something else, you run the risk of uniqueness being violated and
your security accidentally being subverted. This can be overcome by using an
attribute like "displayName" in ADAM as your friendly name and then being
VERY careful to ensure that you never duplicate a displayName in the ADAM
store (since the store won't enforce this for you).
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Ratman" <Jake.Attis@xxxxxxxxx> wrote in message
news:1168875679.486959.131600@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
All,
I have successfully implemented an ADAM membership provider and can
authenticate using ADAM in a WSS v3 site. I need to be able to
organize my users into groups and add the groups to the securables in
SharePoint as opposed to adding users explicitly. When I do this, I am
not able to log on as a group member. Does anyone know if this
requires me to implement a Roles provider, and if so, has anyone out
there done this before that would be willing to share their experience?
Thanks.
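Joe Kaplan's displayName caution above, as an added illustration that is not code from this thread or from the book's prototype provider: the SID-to-friendly-name step of a role provider that refuses to hand out a role name whose displayName is shared by more than one ADAM group, since the store will not enforce uniqueness itself. The class and method names and the sample groups are constructed; a real provider would fill the group list from a DirectorySearcher over the ADAM partition.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// One group as it might come back from an ADAM search: the SID and DN are
// unique by construction, displayName is not (constructed type, not an ADAM API).
public sealed class AdamGroup
{
    public string Sid { get; }
    public string DistinguishedName { get; }
    public string DisplayName { get; }
    public AdamGroup(string sid, string dn, string displayName)
    { Sid = sid; DistinguishedName = dn; DisplayName = displayName; }
}

public static class AdamRoleResolver
{
    // Maps the group SIDs a user holds onto displayName-based role names.
    // Fails closed: if any displayName the user would receive belongs to more
    // than one group, no roles are returned, because a colliding group could
    // otherwise grant a role the user was never meant to have.
    public static IList<string> GetRolesForSids(
        IEnumerable<AdamGroup> allGroups, IEnumerable<string> userGroupSids)
    {
        var groups = allGroups.ToList();
        var nameCount = groups
            .GroupBy(g => g.DisplayName, StringComparer.OrdinalIgnoreCase)
            .ToDictionary(grp => grp.Key, grp => grp.Count(), StringComparer.OrdinalIgnoreCase);
        var bySid = groups.ToDictionary(g => g.Sid, StringComparer.Ordinal);

        var roles = new List<string>();
        foreach (var sid in userGroupSids)
        {
            if (!bySid.TryGetValue(sid, out var group)) continue; // SID not a group in this store; skip
            if (nameCount[group.DisplayName] > 1)
                throw new InvalidOperationException(
                    $"displayName '{group.DisplayName}' is not unique; refusing to map {group.DistinguishedName}");
            roles.Add(group.DisplayName);
        }
        return roles;
    }

    public static void Main()
    {
        // Constructed sample data (SIDs and DNs are placeholders, not from a real instance).
        var groups = new[] {
            new AdamGroup("S-1-0-0-1101", "CN=Editors,OU=groups,O=app", "Editors"),
            new AdamGroup("S-1-0-0-1102", "CN=Admins,OU=groups,O=app", "Site Admins"),
            new AdamGroup("S-1-0-0-1103", "CN=Admins2,OU=groups,O=app", "Site Admins"), // duplicate displayName
        };
        Console.WriteLine(string.Join(",", GetRolesForSids(groups, new[] { "S-1-0-0-1101" })));
        try { GetRolesForSids(groups, new[] { "S-1-0-0-1102" }); }
        catch (InvalidOperationException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

The same uniqueness check belongs in the provisioning path (refuse to create a group whose displayName already exists), so the lookup above is a last line of defence rather than the only one.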