.NET Forum / .NET Framework / .NET SDK / May 2005
ADAM and AzMan (custom principals)

Niels Flensted-Jensen - 17 May 2005 18:15 GMT
On a system with Windows 2003 I was unable to add custom SIDs (e.g. "S-1-9-...") to an AzMan store in ADAM. This works for AzMan stores in AD or in plain XML files. The informative message is "the parameter is incorrect".

This KB article lists a hotfix for something of that type: http://support.microsoft.com/default.aspx?scid=kb;en-us;883933. Only my SID does not refer to an ADAM principal, but to something in a completely different system. And the hotfix won't let itself be applied as I'm at SP1. (But my Microsoft contact says it's not included in the SP!!)

As I said, it works with AD and XML stores, as also described here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/athmanwp.mspx#EBAA

What to do?

Thanks,

Niels

PS. Here's my code sample which fails (and I am referencing the newest version (1.2.0) of the interop assembly):

using System;
using System.Collections;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles;

namespace TestAzmanConsole
{
    /// <summary>
    /// Adds a custom (identifier authority 9) SID to every application group in an AzMan store.
    /// </summary>
    class AzManADAMtest
    {
        /// <summary>
        /// The main entry point for the application.
        /// </summary>
        [STAThread]
        static void Main(string[] args)
        {
            // Custom SID: authority 9, so it is not an AD/ADAM principal.
            string sid = "S-1-9-21-117609710-1644491937-725345543-1507640717";

            AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();

            // won't work with an ADAM store:
            store.Initialize(0, "msldap://localhost:50000/CN=Store,CN=AzManTest,DC=PKA,DC=DK", null);

            // it works with this AD store:
            // store.Initialize(0, "msldap://cn=AzManStore,CN=Program Data,DC=CITEST,DC=cinetworks,DC=net", null);

            IAzApplicationGroups azGroups = store.ApplicationGroups;
            foreach (IAzApplicationGroup azGroup in azGroups)
            {
                // Against the ADAM store this fails with "The parameter is incorrect".
                azGroup.AddMember(sid, null);
                azGroup.Submit(0, null);
            }
        }
    }
}
Lee Flight - 18 May 2005 13:05 GMT
Hi,

Thanks for posting your code, which made this easy to test.

I found the same as you: running with

Microsoft.Interop.Security.AzRoles  [1.2.0.0]
ADAM  [1.0.230.36]

I get a stack trace with

 _message=(0x010823a0) "The parameter is incorrect."

I think this must be an ADAM rather than an AzMan problem, as if I try running the code against the Windows Server 2003 R2 beta 2 release of ADAM, the code works (partial ldif dump follows):

==
Writing out entries.
dn: CN=TestGroup1,CN=AzGroupObjectContainer-mystore,CN=mystore,CN=AzStores,O=myorg,DC=Myroot

changetype: add
objectClass: top
objectClass: group
cn: TestGroup1
member:
Niels Flensted-Jensen - 18 May 2005 14:18 GMT
Hi Lee,

Thanks.

I've gotten as far as narrowing the problem down to ADAM not being able to create foreignSecurityPrincipals with an authority other than 5, that is, not the "S-1-9-xxx" that I wanted for my custom SID.
Someone with Microsoft is checking whether this is solved in R2 (with reference to some bug report), but I guess you already showed that.

I will change my code to produce S-1-5-* SIDs instead, even though it seems a bit hacky (it seems that authority 5 is for AD, NT4 domains and LSA?).

But thanks for figuring it out - even though my client is in no position to
upgrade to a beta of R2.

Niels

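The finding above, that the ADAM store only accepts SIDs with identifier authority 5, can be turned into a pre-flight check so that AddMember is never called with a SID that will come back as "the parameter is incorrect". This is an added example, not code from the thread; it is written in Python so it runs without the AzRoles interop assembly, and the authority-5 rule it enforces is taken from the posts above, not from any ADAM documentation. It also encodes the SID into the binary layout used by the LDAP objectSid attribute, which is useful when inspecting what ADAM actually stored.

```python
import struct

# The only identifier authority the thread found ADAM willing to store
# as a foreignSecurityPrincipal (assumption taken from the posts above).
ADAM_ACCEPTED_AUTHORITY = 5


def parse_sid(sid):
    """Parse a string SID 'S-R-A-s1-s2-...' into (revision, authority, subs).

    Raises ValueError for anything that is not a well-formed SID string."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("SID must start with 'S-'")
    revision = int(parts[1])
    if revision != 1:
        raise ValueError("only SID revision 1 is defined")
    # Authorities above 2**32 are written as 0x... in string form; base 0 handles both.
    authority = int(parts[2], 0)
    if not 0 <= authority < 2 ** 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("bad sub-authority list")
    return revision, authority, subs


def sid_to_bytes(sid):
    """Encode to the objectSid binary layout: revision byte, sub-authority
    count, 48-bit big-endian authority, then little-endian 32-bit subs."""
    revision, authority, subs = parse_sid(sid)
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def adam_member_precheck(sid):
    """Return None if the SID should be accepted by the ADAM store,
    otherwise a human-readable reason, so the caller gets something
    better than 'the parameter is incorrect'."""
    try:
        _, authority, subs = parse_sid(sid)
    except ValueError as e:
        return "malformed SID: %s" % e
    if authority != ADAM_ACCEPTED_AUTHORITY:
        return ("identifier authority %d is not %d; ADAM cannot create a "
                "foreignSecurityPrincipal for it" % (authority, ADAM_ACCEPTED_AUTHORITY))
    if not subs:
        return "SID has no sub-authorities"
    return None
```

Running adam_member_precheck over the S-1-9-21-... SID from the original post returns the authority reason; the same SID rewritten as S-1-5-21-... passes, which is the workaround Niels describes.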

©2008 Advenet LLC   Privacy Policy - Terms of Use