Re: Granting permissions in ADAM
- From: "Lee Flight" <lef@xxxxxxxxxxxxxxx>
- Date: Thu, 15 Feb 2007 22:49:50 -0000
Hi
thanks, that helps. If that tree is being built by a sync (ADAMSync?) then
you do not have much scope for restructuring.
What you can try is:
[1] remove your user from the Readers role
[2] create a new group and add your user to that group
[3] grant that group List Children permission on the root of the tree
[4] grant that group Generic Read permission and set inheritance on the OUs
you want to be searchable
So if your new group is
cn=myreaders,cn=roles,dc=mydom
[3] looks like
dsacls \\localhost:389\dc=mydom /G "cn=myreaders,cn=roles,dc=mydom":LC;;
[4] looks like, for your users OU
dsacls \\localhost:389\ou=users,dc=mydom /G "cn=myreaders,cn=roles,dc=mydom":GR;; /I:T
(that's all one line; ignore line wraps).
Note that the user will still be able to see the names of the other OUs
(it's possible but painful to work around that).
As ever, try this in a test ADAM instance first.
Lee Flight
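Steps [1] to [4] above as one script, followed by a check that binds as the restricted account and counts what it can see. This is an added example, not code from the post or from Microsoft; the ADAM port 389, the reader account's DN (cn=adamreader,cn=users,...), the DN of the second OU (ou=MS Exchange,...) and the use of ADSI (System.DirectoryServices) for the group changes are all assumptions. Run it as an ADAM administrator, against a test instance first, as the post says.

```powershell
# Added example (not from the thread): scope an ADAM reader to two OUs via a
# dedicated group, then verify by binding as that account.
# Assumptions: port 389, the reader DN, the "MS Exchange" OU DN, ADSI for group edits.

$Server      = "localhost:389"                         # ADAM host:port (assumed)
$Partition   = "dc=mydom"                              # application NC from the post
$ReaderDn    = "cn=adamreader,cn=users,$Partition"     # restricted account (assumed DN)
$GroupDn     = "cn=myreaders,cn=roles,$Partition"      # group from the post
$ReadableOus = @("ou=users,$Partition", "ou=MS Exchange,$Partition")  # assumed DNs

$ADS_PROPERTY_APPEND = 3   # IADs::PutEx control codes
$ADS_PROPERTY_DELETE = 4

function Invoke-Dsacls {
    # Run dsacls and fail loudly; it returns non-zero when the DN or ACE string is bad.
    param([string[]]$DsaclsArgs)
    & dsacls @DsaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed ($LASTEXITCODE): $($DsaclsArgs -join ' ')" }
}

# [1] Take the account out of the Readers role (Readers can read the whole NC).
$readers = [ADSI]"LDAP://$Server/cn=Readers,cn=Roles,$Partition"
$readers.PutEx($ADS_PROPERTY_DELETE, "member", @($ReaderDn))
$readers.SetInfo()

# [2] Create the new group under cn=Roles and add the account to it.
$roles = [ADSI]"LDAP://$Server/cn=Roles,$Partition"
$group = $roles.Create("group", "cn=myreaders")
$group.Put("groupType", -2147483644)     # domain-local security group, like the built-in roles
$group.SetInfo()
$group.PutEx($ADS_PROPERTY_APPEND, "member", @($ReaderDn))
$group.SetInfo()

# [3] List Children on the NC head: the account can enumerate top-level OU names
#     (and nothing more), which is enough to reach a search base below the root.
Invoke-Dsacls @("\\$Server\$Partition", "/G", "${GroupDn}:LC;;")

# [4] Generic Read, inherited down the subtree, only on the OUs that should be searchable.
foreach ($ou in $ReadableOus) {
    Invoke-Dsacls @("\\$Server\$ou", "/G", "${GroupDn}:GR;;", "/I:T")
}

# Check: bind as the restricted account. A simple bind sends DN + password in clear
# over port 389, so do this only in the lab or over the instance's SSL port.
function Get-VisibleObjectCount {
    param([string]$BaseDn, [System.Security.SecureString]$Password)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
        [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server/$BaseDn", $ReaderDn, $plain,
        [System.DirectoryServices.AuthenticationTypes]::None)   # None = simple bind
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(objectClass=*)")
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null
    try { return $searcher.FindAll().Count } catch { return -1 }   # -1: bind or search refused
}

$pw = Read-Host -AsSecureString "Password for $ReaderDn"
foreach ($ou in $ReadableOus + @("ou=ServiceAccts,$Partition")) {
    "{0,-40} objects visible: {1}" -f $ou, (Get-VisibleObjectCount $ou $pw)
}
# Expected: the two readable OUs return their objects; ou=ServiceAccts returns 0 or -1,
# since the account can only list that OU's name from the root, not read inside it.
```

The check at the end is the part worth keeping around: after any later ACL change, re-running it as the reader account shows directly whether the scope has widened, which `dsacls` output alone (an ACL dump as the admin) does not.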
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:36C2B504-BA54-4347-9EF2-5C29EE794B13@xxxxxxxxxxxxxxxx
Hi Lee,
Here are my settings now: I created an ADAM user and added him to the Readers
group; however, if I do it this way this user is querying everything. I
would like this user to query only the Users folder and another OU that contains
branch information. I synced all my AD so it looks like this:
Mydomain.com
  Builtin
  Computers
  Disabled Accounts (OU)
  Domain Controllers (OU)
  Domain Admins (OU)
  Foreign Security Principals
  LostAndFound
  Microsoft Exchange System Objects
  MS Exchange (OU) *****
  NTDS Quotas
  Octel
  Program Data
  ServiceAccts (OU)
  System
  Users *****
I want my ADAM reader to be able to query only the MS Exchange OU and the
Users folder. I don't know if you can define those two things in the search
base, or assign permissions to those two things and prevent the ADAM user from
reading the rest of the directories.
Thank you,
Javier
"Lee Flight" wrote:
Hi
you can do most things with permissions; ideally you want to have the
directory tree structured in such a way that you can apply inherited allow
permissions at a point where you know that objects below that point all
want those permissions.
If you give more detail of your structure we might be able to give options.
Lee Flight
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A2DE23C7-1379-490E-B35F-A923340EDCF2@xxxxxxxxxxxxxxxx
Hi Lee,
I would like to ask you a question about hiding OUs or folders in ADAM.
Is there any attribute that you can enable or disable? For example, I do
have an OU called service accounts and do not want it to be queried.
As of today, and with your help, my ADAM is running properly; I was just
wondering about excluding information during the query.
Thanks,
Javier
"Lee Flight" wrote:
Hi
we really need a new thread for this question... anyway,
you say "re-run the sync" - if you have performed a sync before
from AD into your ADAM application naming context then you
will not be able to transform the objectClass subsequently.
Try creating a clean ADAM instance, extending the schema
with the ms-userproxy.ldf, and running your sync into that
new instance, you should get userProxy objects for your
source users.
Note you cannot add structural classes to objectClass, user and
userProxy are different structural classes so you cannot have
both for an object instance.
Lee Flight
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1FECA681-E56A-404B-8948-C0667DE324EC@xxxxxxxxxxxxxxxx
Hi Lee,
I would like to ask you a question about transforming users into
userProxies.
I synced my AD, with your help of course, and followed the instructions on
Eric's website.
I modified my XML and re-ran the sync, checked my user properties and,
trying to compare the objectClass settings, I noticed that userProxy is not
in my objectClass values.
I tried to add the value manually and it comes back with the following
error:
The specified class is not a subclass.
Here are the exact settings of my XML; of course I changed erictest.local
to my settings:
<?xml version="1.0"?>
<doc>
  <configuration>
    <description>sample Adamsync configuration file</description>
    <security-mode>object</security-mode>
    <source-ad-name>erictest.local</source-ad-name>
    <source-ad-partition>dc=erictest,dc=local</source-ad-partition>
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <target-dn>ou=SyncTargetOU</target-dn>
    <query>
      <base-dn>dc=erictest,dc=local</base-dn>
      <object-filter>(objectCategory=person)</object-filter>
      <attributes>
        <include>objectSID</include>
        <include>sourceObjectGuid</include>
        <include>lastAgedChange</include>
        <exclude></exclude>
      </attributes>
    </query>
    <user-proxy>
      <source-object-class>user</source-object-class>
      <target-object-class>userProxy</target-object-class>
    </user-proxy>
  </configuration>
</doc>
Thanks and I really appreciate any help on this matter.
Javier2893
"Lee Flight" wrote:
Hi
if WAB does what you want and is supported on your OS then you are OK.
I do not recall any free AB software; I have seen some commercial offerings.
I think it's a case of googling to see what you can find or developing your
own.
Lee Flight
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:A07D66E8-E830-4214-953D-349BD8C749CA@xxxxxxxxxxxxxxxx
Hi Lee, hope you had a good time during the holidays.
Thanks for the info about the ADAM account and WAB. Do you know about
any other program that allows users to perform queries on the ADAM
instance? Something free will be great; for now our users have to use WAB. I
don't think there is an upgrade to Vista any time soon.
Thanks again for your time and cooperation,
Javier
"Lee Flight" wrote:
Hi
with your ADAM account in the Readers role you should be good to go, so I'm
not sure what you're asking. If you want to test it using Windows Address
Book (WAB) you will need to create a directory account in WAB. For the
account name use the distinguishedName of your ADAM reader account, uncheck
"Log on using SPA" on the General tab of the directory service in WAB and
under Advanced set the Search base to your application naming context.
If it is WAB that you are planning on using then WAB has lots of issues...
no easy way to distribute account information to clients, and WAB no
longer exists in Vista.
Lee Flight
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:968E06DE-C154-4AA0-BCCD-EB60C556012A@xxxxxxxxxxxxxxxx
Hi Lee,
after I removed the ForeignSecurityPrincipals folder I was able to add the
Authenticated Users group to my ADAM Readers, so that solved the problem,
because all I need is for some people to query the Windows address book.
Last question,
this is about using one single ADAM user as an option. Let's say I create
an ADAM user and add that one to the Readers group; how should I configure
my settings so I can have the ADAM user be able to query the address book?
Thanks and I really appreciate your time and cooperation,
Javier
"Lee Flight" wrote:
Hi
I got help decoding the DSID error (thanks Dmitri) and that gave me a hint
how to repro your problem.
I believe that the problem is that ADAMSync is syncing the
ForeignSecurityPrincipals container from AD; unfortunately the way that it
does this is not usable in your ADAM instance[1]. This is significant
because the attempt to add Authenticated Users to the Readers role makes
use of the FSP container.
As a workaround I would try removing the
CN=ForeignSecurityPrincipals,DC=SyncTargetDC,DC=com
container from your ADAM application partition and then
try adding the Authenticated Users to the Readers Role again.
That should create a usable FSP container for you.
As ever, try this in a test instance,
Lee Flight
[1] the wellKnownObjects attribute on the NC head is not updated
to add the reference to the FSP.
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:D6ED91FB-09A9-4BB3-BA38-4089B47DC217@xxxxxxxxxxxxxxxx
Hi Lee,
Hope you have the time to check my post from yesterday; I entered the
output of the step you told me to perform.
Thanks,
Javier
"Lee Flight" wrote:
Hi
I have not seen this kind of problem before. The "attribute owned by the
system" error -- was it really the member attribute that you were trying to
update (not, say, memberOf)?
Maybe we can get some more information if you try using an ldf file to add
the Authenticated Users group to the Readers role. Create an ldf file
containing
dn: CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
changetype: modify
add: member
member:: PFNJRD1TLTEtNS0xMT4=
-
save as authusers.ldf and import with
ldifde -i -f authusers.ldf -s <adamserver>:<adamport>
What happens? You might want to create yourself a clean ADAM instance for
testing this.
Lee Flight
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in
message
news:51425FB1-24B2-46FC-B9B3-33A08CD7F60E@xxxxxxxxxxxxxxxx
yes, I am using an ADAM admin to do this step.
As a matter of fact it is the only account that can query the address book.
I tried to add another group to the Readers role using ADSIEdit but it
comes back with the same error:
A directory service error has occurred. I have another instance that I was
able to sync and then, following the steps from Eric, modified my XML file
to convert my users into proxy users; the command completed successfully,
and I noticed that my Windows account has the userProxy title and I was
able to add that account in particular to the Readers role. However, when I
try to add any other account it comes back with the following error:
The attribute cannot be modified because it is owned by the system.
These are two different instances running on two different Windows 2003
machines.