ADAM only for Roles

  • Question

  • I am following the design pattern for using ADAM for roles in ASP.NET (http://msdn2.microsoft.com/en-us/library/ms998331.aspx).
     
    I have a web application in which all the users for this application are present in AD. But I don't want to create roles for my application inside AD, so I am planning to use ADAM as a role store. I am following the above link to implement ADAM as the role store.
     
    Everything works fine, but I have a few questions.
     
    I imported azman.ldf (which is the schema for AzMan) while creating my ADAM instance. I opened AzMan, created a store in my ADAM instance, then created an application. I created a role named "Reader" and added some Windows users to this role from AzMan. Now, when I open "ADAM ADSI Edit" and connect to my ADAM instance and browse it, I can see the roles that I created in AzMan. But it doesn't show me the users added to the roles.
     
    Now I am confused. When I add a user from AD to a role through AzMan, what is happening in the background? Are the user's attributes available in ADAM?
     
    - If yes, why am I not able to see the user? How can I edit the user's attributes from ADAM? Can I add some extra attributes to the user?
     
    - If the user doesn't exist in ADAM, I wonder how I will do the synchronisation of AD and ADAM. If a user gets deleted from AD, how will my ADAM get to know about it?
    Wednesday, January 16, 2008 8:48 PM

Answers

  •  

    Here is a very high-level starting point (there are a lot of snags along the way).

     

    You need to add the user.ldf to your ADAM store.

    Create a group for users within your ADAM store. If in ASP.NET:

    Create a custom membership provider which authenticates against your ADAM store (you need to either bind with the user's identity or query the group for the user).

    Use the AzMan role provider.

     

    If not in ASP.NET, check out the Enterprise Library.

     

    have fun. 

      

    Friday, February 22, 2008 7:02 PM
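The answer above describes the membership-provider half of the pattern without code. The following is an added example, not code from the thread or from the MSDN article: it validates a user that lives in the ADAM partition by binding to ADAM with that user's own credentials, then checks that the user is a member of an application group in the same partition. A custom MembershipProvider's ValidateUser() would simply delegate to AdamAuth.ValidateUser(); role checks are left to the AzMan role provider as in the pattern. The ADAM host and port, the partition DN, the users OU and the group DN are assumptions, and the process identity is assumed to have read access to the partition for the initial lookup.

```csharp
// Added example (not from the thread): authenticate against an ADAM partition
// and confirm application-group membership, as a custom MembershipProvider's
// ValidateUser() would do. Host, port and DNs below are assumptions.
using System;
using System.DirectoryServices;
using System.Text;

public static class AdamAuth
{
    // Assumed ADAM instance and partition layout. Port 636 with SSL so that the
    // simple bind does not send the password in clear text over the wire.
    const string AdamServer  = "adam01.contoso.com:636";
    const string PartitionDn = "CN=AppRoles,DC=contoso,DC=com";
    const string UsersOu     = "OU=Users," + PartitionDn;
    const string AppGroupDn  = "CN=AppUsers,OU=Groups," + PartitionDn;

    public static bool ValidateUser(string userName, string password)
    {
        // An empty password must be rejected explicitly: many LDAP servers treat
        // a bind with an empty password as an anonymous bind, which would succeed.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        // Step 1: look up the user's DN. This search runs as the process identity
        // (assumed to have read access), because the caller is not yet authenticated.
        string userDn = FindUserDn(userName);
        if (userDn == null)
            return false;

        // Step 2: simple bind over SSL as the user's own DN. ADSI binds lazily, so
        // touching NativeObject forces the bind; bad credentials throw here.
        try
        {
            using (DirectoryEntry userBind = new DirectoryEntry(
                "LDAP://" + AdamServer + "/" + PartitionDn,
                userDn, password, AuthenticationTypes.SecureSocketsLayer))
            {
                object forceBind = userBind.NativeObject;
            }
        }
        catch (DirectoryServicesCOMException)
        {
            return false;
        }

        // Step 3: the user authenticated; now require membership of the app group.
        return IsMemberOf(AppGroupDn, userDn);
    }

    static string FindUserDn(string userName)
    {
        string safeName = EscapeFilterValue(userName);
        using (DirectoryEntry root = new DirectoryEntry(
            "LDAP://" + AdamServer + "/" + UsersOu, null, null,
            AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer))
        using (DirectorySearcher searcher = new DirectorySearcher(root,
            "(&(objectClass=user)(|(userPrincipalName=" + safeName + ")(cn=" + safeName + ")))",
            new[] { "distinguishedName" }, SearchScope.Subtree))
        {
            SearchResult result = searcher.FindOne();
            return result == null ? null : (string)result.Properties["distinguishedName"][0];
        }
    }

    static bool IsMemberOf(string groupDn, string userDn)
    {
        // Base-scope search on the group object itself, matching on the member attribute.
        using (DirectoryEntry group = new DirectoryEntry(
            "LDAP://" + AdamServer + "/" + groupDn, null, null,
            AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer))
        using (DirectorySearcher searcher = new DirectorySearcher(group,
            "(member=" + EscapeFilterValue(userDn) + ")",
            new[] { "distinguishedName" }, SearchScope.Base))
        {
            return searcher.FindOne() != null;
        }
    }

    // RFC 4515 escaping so a login name such as "*)(objectClass=*" cannot
    // rewrite the search filter (LDAP injection).
    static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
}
```

The two points a practitioner is most likely to get wrong are both handled above: an empty password must never reach the bind, and every value spliced into an LDAP filter must be escaped. The AzMan role provider itself is wired up in web.config as System.Web.Security.AuthorizationStoreRoleProvider with an msldap:// connection string pointing at the store in the ADAM partition, exactly as the MSDN pattern describes.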

All replies

  •  

    Hi,

     

    I haven't checked what happens under the hood, but I am just curious why this matters to you, as long as the authorization works. Why is the storage (ADAM) so important? You actually use AzMan; ADAM is just the storage.

     

    Regards,

    Friday, January 18, 2008 2:02 PM
  • That's true, but I have to design a synchronisation mechanism between ADAM and AD.

    ADAM is my role store. The users that I add through AzMan are from AD (the "Add Windows user" option in AzMan).

     

    And I can see that, once I add a Windows user to a role through AzMan, an entry gets added to ForeignSecurityPrincipals in ADAM.

     

    I have to know which attributes of that user are getting stored in ADAM before finalising a synchronisation mechanism.

    Friday, January 18, 2008 8:08 PM
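The observation above (an entry appears under ForeignSecurityPrincipals when an AD user is added to a role) is the key to the synchronisation question. A foreignSecurityPrincipal object carries the SID of the AD principal in its objectSid attribute, not the user's AD attributes, so the only way ADAM can learn that an AD user was deleted is to check whether each stored SID still resolves in AD. The following is an added example, not code from the thread: it enumerates the foreignSecurityPrincipal objects under the AzMan store in ADAM, resolves each SID against AD, and for any SID that no longer resolves lists the AzMan roles that still reference it. The ADAM path, the AD domain, and the use of msDS-MembersForAzRole as the role-membership attribute are assumptions for the example.

```csharp
// Added example (not from the thread): find AzMan role members in ADAM whose
// AD account no longer exists. Paths and attribute names are assumptions.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

public sealed class StaleMember
{
    public string FspDn;            // foreignSecurityPrincipal object in ADAM
    public SecurityIdentifier Sid;  // SID AzMan recorded when the user was added
    public List<string> RoleDns = new List<string>();  // msDS-AzRole objects still listing it
}

public static class AdamFspAudit
{
    // Assumed AzMan store inside the ADAM partition, and the AD domain to check against.
    const string AzManStorePath = "LDAP://adam01.contoso.com:389/CN=AzManStore,DC=contoso,DC=com";
    const string AdDomain       = "contoso.com";

    // Returns every FSP under the store whose SID no longer resolves in AD,
    // together with the roles that still reference it.
    public static List<StaleMember> FindStaleMembers()
    {
        var stale = new List<StaleMember>();
        using (var store = new DirectoryEntry(AzManStorePath))
        using (var fsps = new DirectorySearcher(store,
            "(objectClass=foreignSecurityPrincipal)",
            new[] { "distinguishedName", "objectSid" }, SearchScope.Subtree))
        {
            foreach (SearchResult r in fsps.FindAll())
            {
                string dn = (string)r.Properties["distinguishedName"][0];
                var sid = new SecurityIdentifier((byte[])r.Properties["objectSid"][0], 0);
                if (ExistsInAd(sid))
                    continue;

                var member = new StaleMember { FspDn = dn, Sid = sid };
                // Assumption: AzMan stores role members in msDS-MembersForAzRole
                // as DNs of the FSP objects, so a filter on that attribute finds
                // every role that still points at the orphaned principal.
                using (var roles = new DirectorySearcher(store,
                    "(&(objectClass=msDS-AzRole)(msDS-MembersForAzRole=" + EscapeFilterValue(dn) + "))",
                    new[] { "distinguishedName" }, SearchScope.Subtree))
                {
                    foreach (SearchResult role in roles.FindAll())
                        member.RoleDns.Add((string)role.Properties["distinguishedName"][0]);
                }
                stale.Add(member);
            }
        }
        return stale;
    }

    // ADSI can bind to an object by SID with the <SID=...> moniker. A deleted
    // AD account (past the tombstone, or simply not in the directory) fails to bind.
    static bool ExistsInAd(SecurityIdentifier sid)
    {
        try
        {
            using (var entry = new DirectoryEntry("LDAP://" + AdDomain + "/<SID=" + sid.Value + ">"))
            {
                return entry.Guid != Guid.Empty;   // property access forces the bind
            }
        }
        catch (DirectoryServicesCOMException)
        {
            return false;
        }
    }

    // RFC 4515 escaping: DNs can contain parentheses and backslashes.
    static string EscapeFilterValue(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    public static void Main()
    {
        foreach (StaleMember m in FindStaleMembers())
            Console.WriteLine("{0} ({1}) is gone from AD; still in {2} role(s)",
                m.FspDn, m.Sid, m.RoleDns.Count);
    }
}
```

Running this on a schedule, and removing the reported FSPs from their roles (through the AzMan API rather than by deleting the directory objects), gives the one-way AD to ADAM synchronisation the question asks for. Note that a disabled AD account still resolves, so an account that is disabled rather than deleted is not reported; check userAccountControl on the resolved AD object if that case matters.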
  • May I ask the reason why you want to perform a sync between ADAM and AD? I mean, they recommend using ADAM when you don't have the rights to change AD. But if you can change AD, you can store the AzMan content directly in AD.

     

    Maybe I don't get the whole picture here... do I ?

     

    Friday, January 18, 2008 9:16 PM
  • I guess there is a communication gap between us.

    I have all the user details in AD. I am using ADAM only for storing roles. Using ADAM as a role store is a good solution for applications accessed over an intranet or extranet where the user account store is Microsoft Active Directory and where the application requires application-specific roles that are different from Active Directory groups. I add users from AD to the roles created in ADAM through AzMan. I don't prefer storing my roles in AD (my main app has many small applications within it, so I don't want to create all these roles inside AD). I am following this design pattern: http://msdn2.microsoft.com/en-us/library/ms998331.aspx

     

    Tuesday, January 22, 2008 1:45 PM
  • Oops, I forgot.

     

    Insert Directory Services programming magic here.

    Look for Kaplan and Dunn's web site.

     

    Friday, February 22, 2008 7:08 PM
  • One more thing: theoretically you could add users to the foreignSecurityPrincipal group. However, those users have an AD-generated SID; I've never tried that. Though I intended, at one time, to test that so I could use identities from both the ADAM store and AD together, I never did after I discovered ADFS and federated identities.

     

    Friday, February 22, 2008 7:15 PM