Re: Group Authentication against ADAM using WSS v3 provider model.



I had at one point successfully implemented a role provider, using the
built in one, not a custom one. I was able to resolve the group names,
but not able to log in as a group member. I wonder if what you say is
related. I would like to discuss this further if you have the time.

Also, I seemed to have lost those settings that actually worked.

Thanks.


Joe Kaplan wrote:
You do need a role provider. We wrote one for AD that is a bit
experimental, but is basically functional. We never tested it with ADAM
though. ADAM has some particular issues with it because the naming model
for groups in ADAM is different.

To explain what I mean, in AD, a group could have a SAM name of "mygroup", a
SID of "S-1-5-20-xxxx" and an NT name of "domain\mygroup", as well as a
distinguished name in AD like CN=mgroup,OU=groups,DC=domain,DC=com. You
would generally refer to the group in Windows security as
"domain\mygroup".

With ADAM, you don't really have any such thing as an NT account name. The
group just has a SID and a distinguished name that are guaranteed unique.
As such, you need to carefully consider how you want to refer to the ADAM
group by a friendly name. The DN and SID are both unwieldy. However, if
you choose something else, you run the risk of uniqueness being violated and
your security accidentally being subverted. This can be overcome by using an
attribute like "displayName" in ADAM as your friendly name and then being
VERY careful to ensure that you never duplicate a displayName in the ADAM
store (since the store won't enforce this for you).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Ratman" <Jake.Attis@xxxxxxxxx> wrote in message
news:1168875679.486959.131600@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
All,

I have successfully implemented an ADAM membership provider and can
authenticate using ADAM in a WSS v3 site. I need to be able to
organize my users into groups and add the groups to the securables in
SharePoint as opposed to adding users explicitly. When I do this, I am
not able to log on as a group member. Does anyone know if this
requires me to implement a Roles provider, and if so, has anyone out
there done this before that would be willing to share their experience?

Thanks.

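A fail-closed role lookup for the displayName ambiguity Joe describes above, written as an added example that is not code from anyone in this thread or from the role provider he mentions; the ADAM host, partition DN and use of displayName as the friendly name are assumptions.

```csharp
using System;
using System.DirectoryServices;

// Assumptions (not from the thread): an ADAM partition at DC=app,DC=local on
// localhost:389, reachable with the process credentials, and groups whose
// displayName is used as the friendly role name.
static class AdamRoles
{
    const string Host = "LDAP://localhost:389/";
    const string Partition = "DC=app,DC=local";

    // Escape a caller-supplied value for use inside an LDAP filter (RFC 4515)
    // so a role name cannot alter the shape of the query. Backslash goes first.
    static string EscapeFilter(string v) =>
        v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
         .Replace(")", "\\29").Replace("\0", "\\00");

    // Resolve a friendly name to exactly one group DN. ADAM does not enforce
    // displayName uniqueness, so zero matches means "no such role" and more
    // than one means the name is ambiguous and must not drive an
    // authorization decision: fail closed in both cases.
    public static string ResolveGroupDn(string roleName)
    {
        string filter = "(&(objectClass=group)(displayName=" + EscapeFilter(roleName) + "))";
        using (var root = new DirectoryEntry(Host + Partition))
        using (var searcher = new DirectorySearcher(root, filter,
                   new[] { "distinguishedName" }, SearchScope.Subtree))
        using (SearchResultCollection hits = searcher.FindAll())
        {
            if (hits.Count == 0)
                throw new InvalidOperationException("No group with displayName '" + roleName + "'.");
            if (hits.Count > 1)
                throw new InvalidOperationException("displayName '" + roleName + "' matches "
                    + hits.Count + " groups; refusing to resolve an ambiguous role.");
            return (string)hits[0].Properties["distinguishedName"][0];
        }
    }

    // Direct membership check on the resolved group (nested groups are not
    // expanded here): is the user's DN listed in the group's member attribute?
    public static bool IsUserInRole(string userDn, string roleName)
    {
        using (var group = new DirectoryEntry(Host + ResolveGroupDn(roleName)))
        {
            foreach (object member in group.Properties["member"])
                if (string.Equals((string)member, userDn, StringComparison.OrdinalIgnoreCase))
                    return true;
            return false;
        }
    }
}
```

The same search, with the displayName clause dropped and results grouped by displayName, doubles as a periodic audit that reports any duplicate friendly names before they reach a role provider.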
