Re: Granting permissions in ADAM
- From: Javier2893 <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 22 Jan 2007 13:17:01 -0800
Hi Lee,
I would like to ask you a question about transforming users into userProxy objects.
I synced my AD with your help, of course, and followed the instructions on Eric's
website.
I modified my XML and re-ran the sync, checked my user properties and, trying to
compare the objectClass settings, I noticed that userProxy is not in my
objectClass values.
I tried to add the value manually and it comes up with the following error:
The specified class is not a subclass.
Here are the exact settings in my XML; of course I changed erictest.local
to my settings:
<?xml version="1.0"?>
<doc>
  <configuration>
    <description>sample Adamsync configuration file</description>
    <security-mode>object</security-mode>
    <source-ad-name>erictest.local</source-ad-name>
    <source-ad-partition>dc=erictest,dc=local</source-ad-partition>
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <target-dn>ou=SyncTargetOU</target-dn>
    <query>
      <base-dn>dc=erictest,dc=local</base-dn>
      <object-filter>(objectCategory=person)</object-filter>
      <attributes>
        <include>objectSID</include>
        <include>sourceObjectGuid</include>
        <include>lastAgedChange</include>
        <exclude></exclude>
      </attributes>
    </query>
    <user-proxy>
      <source-object-class>user</source-object-class>
      <target-object-class>userProxy</target-object-class>
    </user-proxy>
  </configuration>
</doc>
Thanks and I really appreciate any help on this matter.
Javier2893
"Lee Flight" wrote:
Hi.
if WAB does what you want and is supported on your OS then you are OK.
I do not recall any free AB software; I have seen some commercial offerings.
I think it's a case of googling to see what you can find or developing your
own.
Lee Flight
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A07D66E8-E830-4214-953D-349BD8C749CA@xxxxxxxxxxxxxxxx
Hi Lee, hope you had a good time during the holidays.
Thanks for the info about the ADAM account and WAB. Do you know about any
other program that allows users to perform queries on the ADAM instance?
Something free would be great; for now our users have to use WAB, and I don't
think there is an upgrade to Vista any time soon.
Thanks again for your time and cooperation,
Javier
"Lee Flight" wrote:
Hi
with your ADAM account in the Readers role you should be good to go, so I'm
not sure what you are asking. If you want to test it using Windows Address Book
(WAB) you will need to create a directory account in WAB. For the account name
use the distinguishedName of your ADAM reader account, uncheck "Log on using
SPA" on the General tab of the directory service in WAB, and under Advanced
set the Search base to your application naming context.
If it is WAB that you are planning on using then WAB has lots of issues...
no easy way to distribute account information to clients, and WAB no longer
exists in Vista.
Lee Flight
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:968E06DE-C154-4AA0-BCCD-EB60C556012A@xxxxxxxxxxxxxxxx
Hi Lee,
after I removed the ForeignSecurityPrincipals folder I was able to add the
Authenticated Users group to my ADAM Readers, so that solved the problem,
because all I need is for some people to query the Windows Address Book.
Last question,
this is about using one single ADAM user as an option. Let's say I create
an ADAM user and add that one to the Readers group; how should I configure
my settings so I can have the ADAM user be able to query the address book?
Thanks and I really appreciate your time and cooperation,
Javier
"Lee Flight" wrote:
Hi
I got help decoding the DSID error (thanks Dmitri) and that gave me a hint
how to repro your problem.
I believe that the problem is that ADAMSync is syncing the
ForeignSecurityPrincipals container from AD; unfortunately the way that it
does this is not usable in your ADAM instance [1]. This is significant because
the attempt to add Authenticated Users to the Readers role makes use of the
FSP container.
As a workaround I would try removing the
CN=ForeignSecurityPrincipals,DC=SyncTargetDC,DC=com
container from your ADAM application partition and then try adding the
Authenticated Users to the Readers role again. That should create a usable
FSP container for you.
As ever, try this in a test instance,
Lee Flight
[1] the wellKnownObjects attribute on the NC head is not updated to add the
reference to the FSP.
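Added example, not from the post: a Python check for the condition footnote [1] describes. It parses wellKnownObjects values in their DN-Binary syntax, as you would copy them off the NC head with ADSIEdit or ldifde, and reports whether the FSP container is referenced. The GUID constant is the documented well-known FSP container GUID from the Windows SDK; the sample attribute values and the function names are my own.

```python
import re

# Well-known GUID of the ForeignSecurityPrincipals container, as defined in the
# Windows SDK (GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_W); not from the post.
FSP_WKGUID = "22B70C67D56E4EFB91E9300FCA3DC1AA"

# wellKnownObjects values use DN-Binary syntax: B:<hex length>:<hex guid>:<dn>
_DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]+):(.+)$")

def parse_well_known_objects(values):
    """Map each well-known GUID (upper-case hex) to the DN it references.

    Raises ValueError on a value whose declared hex length does not match its
    payload, which is the kind of damage a sync tool could leave behind.
    """
    refs = {}
    for value in values:
        m = _DN_BINARY.match(value)
        if not m:
            raise ValueError(f"not DN-Binary: {value!r}")
        length, hexguid, dn = int(m.group(1)), m.group(2).upper(), m.group(3)
        if length != len(hexguid):
            raise ValueError(f"length {length} != {len(hexguid)} in {value!r}")
        refs[hexguid] = dn
    return refs

def fsp_container_dn(values):
    """Return the DN the NC head points at for the FSP container, or None when
    the reference is missing (the situation described in footnote [1])."""
    return parse_well_known_objects(values).get(FSP_WKGUID)

# Constructed sample: a healthy NC head that references its FSP container.
HEALTHY_NC_HEAD = [
    "B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=SyncTargetDC,DC=com",
    "B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=SyncTargetDC,DC=com",
    "B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=SyncTargetDC,DC=com",
]
# Constructed sample: the FSP container was copied in by a sync but never
# registered on the NC head, so no wellKnownObjects value points at it.
SYNCED_NC_HEAD = [v for v in HEALTHY_NC_HEAD if FSP_WKGUID not in v]

if __name__ == "__main__":
    print("healthy:", fsp_container_dn(HEALTHY_NC_HEAD))
    print("synced: ", fsp_container_dn(SYNCED_NC_HEAD))
```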
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D6ED91FB-09A9-4BB3-BA38-4089B47DC217@xxxxxxxxxxxxxxxx
Hi Lee,
Hope you have the time to check my post from yesterday; I entered the output
of the step you told me to perform.
Thanks,
javier
"Lee Flight" wrote:
Hi
I have not seen this kind of problem before. The "attribute owned by the
system" error -- was it really the member attribute that you were trying to
update (not, say, memberOf)?
Maybe we can get some more information if you try using an ldf file to add
the Authenticated Users group to the Readers role. Create an ldf file
containing
dn: CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
changetype: modify
add: member
member:: PFNJRD1TLTEtNS0xMT4=
-
save as authusers.ldf and import with
ldifde -i -f authusers.ldf -s <adamserver>:<adamport>
What happens? You might want to create yourself a clean ADAM instance for
testing this.
Lee Flight
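Added example, not from the post: Python that builds the same kind of LDIF change record for any role DN and SID, and decodes the base64 member value back so an operator can confirm which principal a record actually grants before importing it. The WELL_KNOWN_SIDS table and the function names are my own; the SID values in it are documented Windows well-known SIDs.

```python
import base64
import re

# Documented Windows well-known SIDs (reference data, not from the post).
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon",
                   "S-1-5-11": "Authenticated Users"}

def member_add_ldif(role_dn: str, sid: str) -> str:
    """LDIF change record adding a Windows principal to an ADAM role by SID.

    ADAM accepts "<SID=S-1-5-11>" as the DN of a Windows principal. '<' is not
    a safe initial character in LDIF (RFC 2849), so the value must be base64
    encoded and written after a '::' separator, as in the post above.
    """
    if not re.fullmatch(r"S-1-\d+(-\d+)+", sid):
        raise ValueError(f"not a SID string: {sid!r}")
    value = base64.b64encode(f"<SID={sid}>".encode("ascii")).decode("ascii")
    return (f"dn: {role_dn}\nchangetype: modify\nadd: member\n"
            f"member:: {value}\n-\n")

def decode_member_values(ldif: str) -> list:
    """Decode every 'member::' line to (value, well-known name or '?'), so an
    operator can see what an opaque base64 member value really grants."""
    found = []
    for line in ldif.splitlines():
        if not line.startswith("member:: "):
            continue
        decoded = base64.b64decode(line[len("member:: "):]).decode("ascii")
        m = re.fullmatch(r"<SID=(S-1-[\d-]+)>", decoded)
        found.append((decoded, WELL_KNOWN_SIDS.get(m.group(1), "?") if m else "?"))
    return found

# The exact record from the post, kept here so the decoder can be checked.
POSTED_LDIF = ("dn: CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com\n"
               "changetype: modify\nadd: member\n"
               "member:: PFNJRD1TLTEtNS0xMT4=\n-\n")

if __name__ == "__main__":
    print(member_add_ldif("CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com", "S-1-5-11"))
    print(decode_member_values(POSTED_LDIF))  # [('<SID=S-1-5-11>', 'Authenticated Users')]
```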
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:51425FB1-24B2-46FC-B9B3-33A08CD7F60E@xxxxxxxxxxxxxxxx
yes, I am using an ADAM admin to do this step.
As a matter of fact it is the only account that can query the address book.
I tried to add another group to the Readers role using ADSIEdit, but it
comes down with the same error:
A directory service error has occurred.
I have another instance that I was able to sync, and then, following the
steps from Eric, I modified my XML file to convert my users into proxy
users; the command completed successfully, and I noticed that my Windows
account has the userProxy title and I was able to add that account in
particular to the Readers role. However, when I try to add any other
account it comes down with the following error:
The attribute cannot be modified because it is owned by the system.
These are two different instances running on two different Windows 2003
standalone servers and part of my domain.
Hope you have seen this before,
Thanks,
Javier
"Lee Flight" wrote:
Hi
it's difficult to know what would cause that. Are you able to add any other
groups successfully? Are you using an ADAM administrator account?
Lee Flight
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9A9158AA-6CA3-4CCE-B3C5-02C60094DD0C@xxxxxxxxxxxxxxxx
Hi Lee,
Did that; using ADSIEdit brought up my settings:
CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
Right click on the Readers and choose the member option, click on Add
Windows Account, type Authenticated Users and choose the computer that has
ADAM installed. It searches and finds the Authenticated Users NT AUTHORITY
container with the SID number and all. When I click on OK to apply the
changes it comes up with "A directory service error has occurred."
Any thoughts on that error?
thanks,
Javier
"Lee Flight" wrote:
Hi
the dsacls command is not required here; it was an example for the
discussion that started this thread. As before, the standard Readers
permissions should be adequate, as the output of dsacls shows below.
To add Authenticated Users to the Readers role you can use ADSIEdit:
bring up the properties of CN=Readers,CN=Roles,c
edit the member attribute, Add Windows Account..., type Authenticated
and then hit Check Names - that should give you Authenticated Users,
then OK...
Lee Flight
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CBD078B1-B390-407B-9AED-3925833FA5A1@xxxxxxxxxxxxxxxx
Hi Lee,
I was able to execute the command; this is my output:
C:\WINDOWS\ADAM>dsacls \\localhost:389\cn=users,cn=roles,dc=synctargetdc,dc=com /G "cn=Readers,CN=Roles,dc=synctargetdc,dc=com":LC
Owner: CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
Group: CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com

Access list:
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
                              SPECIAL ACCESS
                              LIST CONTENTS
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
                              SPECIAL ACCESS   <Inherited from parent>
                              READ PERMISSONS
                              LIST CONTENTS
                              READ PROPERTY
                              LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
                              FULL CONTROL     <Inherited from parent>

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
                              SPECIAL ACCESS   <Inherited from parent>
                              READ PERMISSONS
                              LIST CONTENTS
                              READ PROPERTY
                              LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
                              FULL CONTROL     <Inherited from parent>

The command completed successfully
Then I try to add the authenticated user to the readers