Using ADAM with the authorization manager
Posted by Jag on January 29th, 2004


Hi

Is it possible to use ADAM as an authorization store for authorization
manager? If it is then what is the syntax for the store name in the
open store dialog box. In my case the ADAM is not a Windows Server
2003 domain functional level Active Directory. Any help will be
appreciated.

Regards
Jag

Posted by Dmitri Gavrilov [MSFT] on January 29th, 2004


ADAM can be used as a policy store, but not as a user store (at least not
until the next azman release). The url syntax is
msldap://server:port/CN=partition,CN=distname. Also, make sure you import
ms-AzMan.ldf (either at install time, or later on by running ldifde
manually).

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm



Posted by Jag on January 30th, 2004


Thanks for that Dmitri. I am now using the following url:
msldap://server/CN=CommSEE,CN=jagdeep,DC=testpartition,DC=whatever,DC=com
But I keep getting the message you have insufficient rights to perform
this operation. What am I missing ?

Jag


Posted by Dmitri Gavrilov [MSFT] on February 3rd, 2004


Did you create that partition when you installed ADAM?
Are you using ADAM admin account?

--
Dmitri Gavrilov
SDE, Active Directory Core




Posted by Jag on February 5th, 2004


The partition has been created using a LDF script. The account that I
am using is a part of the Admin group. The DIT for the partition has
the following structure:
CN=Partition (Class container)
O=Organisation1 (Class organisation)
CN=User (Class inetOrgPerson)
The url that I am using is msldap://server/partition (default port).
This returns the error "cannot open authorisation store. The following
problem occurred: The parameter is incorrect."

Is it Ok to use localhost for the server name ?

The ldf file is as under

dn: CN=partition1
changetype: add
objectClass: container
#distinguishedName: CN=partition1
instanceType: 5

dn: o=pfs,CN=partition1
changetype: add
objectClass: top
objectClass: organization
o: pfs
distinguishedName: O=pfs,CN=partition1
instanceType: 4

dn: o=rbs,CN=partition1
changetype: add
objectClass: top
objectClass: organization
o: rbs
distinguishedName: O=rbs,CN=partition1
instanceType: 4

dn: o=ibs,CN=partition1
changetype: add
objectClass: top
objectClass: organization
o: ibs
distinguishedName: O=ibs,CN=partition1
instanceType: 4

dn: CN=User1,o=pfs,CN=partition1
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: inetOrgPerson
cn: User1
distinguishedName: CN=User1,o=pfs,CN=partition1
instanceType: 4
name: User1


DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1



Regards
Jag


Posted by Dmitri Gavrilov [MSFT] on February 5th, 2004


The URL should be "msldap://server/CN=MyNewStoreName,CN=Partition1"
It will create CN=MyNewStoreName under existing object CN=Partition1.

BTW, in your ldif file below, you don't need updateSchemaNow=1 at the
bottom, because you are not touching the schema. Also, you don't need to set
distinguishedName, and you don't need to set instanceType when it's 4
(that's the default). And you don't need to set the rdn (like "o: rbs"),
because it is computed from the dn. And you don't need to set all
objectClasses, only the most specific one.

Lots of suggestions

--
Dmitri Gavrilov
SDE, Active Directory Core



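The whole procedure from the two replies above (import ms-AzMan.ldf into the ADAM schema, create the partition with the trimmed-down LDIF, then create the store at an msldap:// URL), written out as an added PowerShell example. It is not code from this thread or from Microsoft. The server name adam01:389, the partition name CN=partition1, the store name CN=CommSEE, and the location of ADAM's own ldifde.exe and LDF files under %windir%\ADAM are assumptions; it also assumes MS-InetOrgPerson.LDF is already imported (the thread's LDIF uses inetOrgPerson) and that the script runs as a member of the ADAM instance's Administrators role, which is what the "insufficient rights" question earlier in the thread is about.

```powershell
# Added example (not from the thread): set ADAM up as an AzMan policy store.
# Assumptions: ADAM instance reachable as adam01:389, ADAM's ldifde.exe and the
# shipped LDF files under %windir%\ADAM, inetOrgPerson schema already imported,
# caller is in the ADAM Administrators role. Requires PowerShell on Windows.

$Server    = 'adam01:389'
$AdamDir   = Join-Path $env:windir 'ADAM'
$Ldifde    = Join-Path $AdamDir 'ldifde.exe'
$Partition = 'CN=partition1'
$StoreUrl  = "msldap://$Server/CN=CommSEE,$Partition"

# 1. Import the AzMan schema extension. The ADAM LDF files use DC=X as a
#    placeholder; -c rewrites it to this instance's schema naming context.
#    -k ignores "object already exists" so the import can be re-run safely.
& $Ldifde -i -f (Join-Path $AdamDir 'ms-AzMan.ldf') -s $Server -k -j $env:TEMP `
          -c 'CN=Schema,CN=Configuration,DC=X' '#schemaNamingContext'
if ($LASTEXITCODE -ne 0) { throw "ms-AzMan.ldf import failed ($LASTEXITCODE); see ldif.err in $env:TEMP" }

# 2. Create the partition plus a small test tree, trimmed as the reply suggests:
#    instanceType 5 only on the partition head, no distinguishedName, no RDN
#    attribute, only the most specific objectClass, and no schemaUpdateNow.
$PartitionLdif = @"
dn: $Partition
changetype: add
objectClass: container
instanceType: 5

dn: o=pfs,$Partition
changetype: add
objectClass: organization

dn: CN=User1,o=pfs,$Partition
changetype: add
objectClass: inetOrgPerson
"@
$LdfPath = Join-Path $env:TEMP 'partition1.ldf'
Set-Content -Path $LdfPath -Value $PartitionLdif -Encoding ASCII
& $Ldifde -i -f $LdfPath -s $Server -k -j $env:TEMP
if ($LASTEXITCODE -ne 0) { throw "partition import failed ($LASTEXITCODE); see ldif.err in $env:TEMP" }

# 3. Create the store. AzAuthorizationStore.Initialize(flags, url, reserved) with
#    flag 1 (AZ_AZSTORE_FLAG_CREATE) writes a new msDS-AzAdminManager object
#    CN=CommSEE under CN=partition1, so the parent object must already exist and
#    the URL must name a parent (a bare msldap://server/partition is rejected).
$AZ_AZSTORE_FLAG_CREATE = 1
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize($AZ_AZSTORE_FLAG_CREATE, $StoreUrl, $null)
$store.Submit()

# 4. Verify over plain LDAP that the store object landed where the URL says.
$entry   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/CN=CommSEE,$Partition")
$classes = @($entry.Properties['objectClass'])
if ($classes -notcontains 'msDS-AzAdminManager') { throw "store object not found at $StoreUrl" }
"Store created: $StoreUrl (objectClass: $($classes -join ', '))"
```

Step 3 is the one that produces the two errors seen in the thread: a bind as an account outside the ADAM Administrators role fails with "insufficient rights", and a URL whose DN is just the partition (no CN= store name under an existing parent) fails with "The parameter is incorrect". Step 4 is independent of AzMan and only confirms the object and its class, which is useful when the AzMan MMC later refuses to open the store.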
Posted by Jag on February 8th, 2004


Thanks Dmitri. Noted and implemented your suggestions. Works like a charm.

Regards
Jag


Posted by CY on February 20th, 2004


Hi,
Will I be able to setup ADAM as an authorization store if
I use x.500 naming style for my existing ADAM store?
e.g. msldap://server:port/CN=MyNewStoreName,o=company,c=us
It always gives me a parameter incorrect error.




Posted by Dmitri Gavrilov [MSFT] on February 20th, 2004


Ah, hmm. It looks like it wants to create msDS-AzAdminManager object there.
According to the schema, this objectClass can only be created under
domainDns (DC), container (CN) or organizationalUnit (OU) objects. So, you
have two options:

1) create an OU under o=company, and use
msldap://CN=MyNewStoreName,OU=MyNewOU,O=company,c=us

or

2) modify class definition and add organization as a possSuperior to
msDS-AzAdminManager class. That would make it slightly different from the
released version, but I don't expect it will affect the functionality in any
way.

--
Dmitri Gavrilov
SDE, Active Directory Core



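A pre-flight check for the rule in the reply above, as an added PowerShell example that is not part of the thread: before calling Initialize, parse the msldap:// URL and confirm that the store's parent can hold an msDS-AzAdminManager object (domainDNS, container or organizationalUnit, i.e. a DC=, CN= or OU= parent). The RDN attribute is only a proxy for the parent's objectClass, so an optional live check reads the parent's real objectClass and the possSuperiors of the class from the ADAM schema. It also emits the LDIF for option 1 (an OU under o=company). The server name adam01:389 and the DNs are made up; the schema object name CN=ms-DS-Az-Admin-Manager is the standard one for this class.

```powershell
# Added example (not from the thread): validate an AzMan store URL before use.
# Server names and DNs below are made up for illustration.

function Split-Dn {
    param([Parameter(Mandatory)][string]$Dn)
    # Split on commas that are not LDAP-escaped (\,), always returning an array.
    return @([regex]::Split($Dn, '(?<!\\),') | ForEach-Object { $_.Trim() })
}

function Test-AzManStoreUrl {
    param([Parameter(Mandatory)][string]$Url, [switch]$Live)
    $result = [ordered]@{ Url = $Url; Ok = $false; Reason = '' }

    $m = [regex]::Match($Url, '^msldap://([^/]+)/(.+)$', 'IgnoreCase')
    if (-not $m.Success) {
        $result.Reason = 'expected the form msldap://server[:port]/DN'
        return [pscustomobject]$result
    }
    $server = $m.Groups[1].Value
    $rdns   = Split-Dn $m.Groups[2].Value
    if ($rdns.Count -lt 2) {
        $result.Reason = 'store DN has no parent; the store is created as a new CN= child of an existing object'
        return [pscustomobject]$result
    }
    $storeAttr  = ($rdns[0] -split '=', 2)[0].Trim().ToUpperInvariant()
    $parentAttr = ($rdns[1] -split '=', 2)[0].Trim().ToUpperInvariant()
    $parentDn   = $rdns[1..($rdns.Count - 1)] -join ','
    if ($storeAttr -ne 'CN') {
        $result.Reason = "store RDN must be CN=, got $storeAttr="
        return [pscustomobject]$result
    }

    # Static check: RDN attribute of the parent against the allowed superior classes.
    $allowed = @{ 'DC' = 'domainDNS'; 'CN' = 'container'; 'OU' = 'organizationalUnit' }
    if (-not $allowed.ContainsKey($parentAttr)) {
        $result.Reason = "parent $parentDn is $parentAttr=, not DC=/CN=/OU=; create an OU under it and put the store there"
        return [pscustomobject]$result
    }

    if ($Live) {
        # Live check: the parent's objectClass values must intersect the
        # possSuperiors/systemPossSuperiors of ms-DS-Az-Admin-Manager in the schema.
        $parent        = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/$parentDn")
        $parentClasses = @($parent.Properties['objectClass'])
        $root          = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/RootDSE")
        $schemaNc      = $root.Properties['schemaNamingContext'][0]
        $classDef      = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/CN=ms-DS-Az-Admin-Manager,$schemaNc")
        $superiors     = @($classDef.Properties['possSuperiors']) + @($classDef.Properties['systemPossSuperiors'])
        $match = $parentClasses | Where-Object { $superiors -contains $_ }
        if (-not $match) {
            $result.Reason = "parent objectClass ($($parentClasses -join ',')) is not in possSuperiors ($($superiors -join ','))"
            return [pscustomobject]$result
        }
    }

    $result.Ok     = $true
    $result.Reason = "store can be created under $parentDn (a $($allowed[$parentAttr]) is expected there)"
    return [pscustomobject]$result
}

function New-StoreParentOuLdif {
    param([Parameter(Mandatory)][string]$OuName, [Parameter(Mandatory)][string]$ParentDn)
    # Option 1 from the reply: an OU the store can live in. Save the output to a
    # file and import it with: ldifde -i -f <file> -s server:port
    return @"
dn: OU=$OuName,$ParentDn
changetype: add
objectClass: organizationalUnit
"@
}

# The two URLs discussed in the thread (server name assumed).
Test-AzManStoreUrl 'msldap://adam01:389/CN=MyNewStoreName,o=company,c=us'             # parent is O=
Test-AzManStoreUrl 'msldap://adam01:389/CN=MyNewStoreName,OU=MyNewOU,o=company,c=us'  # parent is OU=
New-StoreParentOuLdif -OuName 'MyNewOU' -ParentDn 'o=company,c=us'
```

The static check alone explains the "parameter incorrect" error for the o=company URL, since O= is not among the RDN types of the three allowed superior classes. Use -Live against a real instance when the parent is CN=, because a CN= object can be something other than a container; the live check reads possSuperiors from the schema rather than hard-coding them, so it also stays correct if option 2 (adding organization as a possSuperior) has been applied.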

Posted by CY on February 24th, 2004


Thank you, it's working now.
One more question: will there be any potential issue if I use X.500 naming convention for ADAM while my NT domain uses the Active Directory naming convention? i.e. if I want to use bind redirection or the MIIS integration pack to synchronize my users later..


Posted by Dmitri Gavrilov [MSFT] on February 24th, 2004


The naming schemes are not related, so you are free to use X.500-based names
in ADAM. You should be just fine. Keep in mind -- only your app will be
talking to ADAM. And MIIS, which you configure.

--
Dmitri Gavrilov
SDE, Active Directory Core




