ADAM supports authentication by AD through a proxy object and bind redirection. With this method of authentication, users use their domain credentials to sign on to ADAM with a DN. This method of authentication lets you build directories that support applications for users who have AD accounts and for external users who have ADAM accounts. Duplicating user objects in ADAM for users who have accounts in AD raises management concerns and problems with keeping the objects synchronized. To use the ADAM proxy object, you need to import the MS-UserProxy LDIF file and the ADAM server must be a member server in a domain. Users represented in ADAM by proxy objects must have their objectSID attribute in the UserProxy class set to the value of their SID in AD.
ADAM defines four default roles that ADAM instances use as broad authorization controls. Roles are implemented as group objects in ADAM. The predefined roles are Administrators, Readers, Users, and Instances. For a user to hold a role, the user must be added to the role object's multivalued member attribute through the ADSI Edit snap-in, the ldp.exe tool, or programmatically. Roles are limited in scope to partitions and, along with other objects in the directory, are replicated between instances of ADAM in a configuration set. Administrators have full administrative access to an ADAM instance, Readers can view any object in a partition, and Users have only the permissions afforded to them through ACLs. Instances is a largely undocumented role.
You can view and set permissions to objects and object attributes in an ADAM instance by using the dsacls.exe command-line tool. ADAM supports a wide range of permissions and inheritance of permissions—you can find the full list of permissions and how to specify them by typing
dsacls /?
at a command line to view the online Help. When you set permissions, you can specify users and groups in several formats, including DN and domain\user formats.
Principals in ACLs are identified by their SID. Because users and groups, whether Windows- or ADAM-based, have SIDs, you can add both users and groups to an ACL. ADAM generates and maintains the SID for ADAM users and groups, and the SID is still guaranteed to be unique.
Going Deep
I've barely scratched the surface of ADAM in this article. To learn about additional features, such as application partitions and replication, I recommend you visit the Microsoft Web site at http://www.microsoft.com/windowsserver2003/adam/default.mspx, at which you can download white papers, reviewer guides, and the ADAM Feature Pack.
In an upcoming article, I'll describe how to use the Identity Integration Feature Pack for Microsoft Windows Server Active Directory to populate an ADAM directory with data from another ADAM directory or AD. This approach can be useful for applications and directories hosted in a DMZ. It also provides an alternative to using ADAM replication, proxy objects, or integrated Windows security, all of which might require opening ports in the firewall between the DMZ and the internal network.