ADAM (AD LDS) & AzMan for Membership and Roles


Well, I'm currently developing an application that must use the local Active Directory for membership. Everything is all right with membership. Since I have no domain controllers around and a virtual machine instance is way too much work for my PC, I'm using Active Directory Lightweight Directory Services (AD LDS) to create a directory instance, and I added some users.

The application validates users perfectly.

The problem comes when I want to implement roles. How do you implement roles in this case? I've heard of Authorization Manager (AzMan), but when I started configuring it I can only add my local computer users and not the AD instance ones.

I want to know how to reference the AD users in AzMan so I can use the AzMan role provider, or whether there's another way to implement authorization without having to implement a whole new role provider.

Thanks.


There are 2 answers

Luis Aguilar On BEST ANSWER

I ended up using ADRoleProvider from CodePlex. I made some changes to it because AD LDS user objects don't have the sAMAccountName property and the original source used that one. I just pointed it at the principalUsername property instead.

Alan McBee On

Primarily referencing this article: http://blogs.msdn.com/b/azman/archive/2006/05/06/591230.aspx

The basic limitation is that the AzMan MMC snap-in uses the Windows Object Picker (the thing that lets you select users or groups from AD), and that does not support ADAM (aka AD-LDS).

The basic solution is that you will have to write code that can select objects (users and roles) from AD-LDS and determine the SID for each of them. AzMan uses SIDs for all access control, regardless of where the store is kept (XML files, SQL Server, or AD/AD-LDS/ADAM). So as you create Groups and add members, or assign AD-LDS roles directly to Role Assignments, you have to use the SIDs of the roles (aka "User Security Group class") in AD-LDS rather than their names.
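As an added example (not code from either answer or from the linked article), this C# sketch does what the answer above describes: it looks up an AD LDS user with System.DirectoryServices, converts its objectSid to SDDL form, and adds that SID to an AzMan role through the AzRoles COM interop, bypassing the Object Picker. The LDAP path, store URL, application and role names, and the use of userPrincipalName as the lookup attribute are assumptions for illustration.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles; // COM interop for azroles.dll (AzMan)

static class AdLdsAzMan
{
    // Escape a value for use inside an LDAP filter (RFC 4515) so a caller-supplied
    // name cannot change the shape of the query. Backslash must be handled first.
    static string EscapeLdapFilterValue(string v) =>
        v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
         .Replace(")", "\\29").Replace("\0", "\\00");

    // Find the user in the AD LDS instance and return its objectSid in SDDL form,
    // which is what AzMan stores for role members. Returns null if there is no match.
    // Assumption: the user is identified by userPrincipalName.
    static string GetAdLdsUserSid(string ldapPath, string userPrincipalName)
    {
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(userPrincipalName="
                + EscapeLdapFilterValue(userPrincipalName) + "))";
            searcher.PropertiesToLoad.Add("objectSid");
            SearchResult hit = searcher.FindOne();
            if (hit == null || hit.Properties["objectSid"].Count == 0) return null;
            return new SecurityIdentifier((byte[])hit.Properties["objectSid"][0], 0).Value;
        }
    }

    // Add the SID as a member of an AzMan role. This is the step the MMC snap-in's
    // Object Picker cannot perform for AD LDS principals.
    static void AssignSidToRole(string storeUrl, string appName, string roleName, string sid)
    {
        IAzAuthorizationStore store = new AzAuthorizationStoreClass();
        store.Initialize(0, storeUrl, null);      // flags 0: open an existing store
        IAzApplication app = store.OpenApplication(appName, null);
        IAzRole role = app.OpenRole(roleName, null);
        role.AddMember(sid, null);                 // members are SIDs, not names
        role.Submit(0, null);
    }

    static void Main()
    {
        // Placeholder values: adjust to your AD LDS instance and AzMan store.
        string sid = GetAdLdsUserSid("LDAP://localhost:389/OU=Users,DC=example,DC=local",
                                     "alice@example.local");
        if (sid == null) { Console.WriteLine("user not found"); return; }
        AssignSidToRole("msxml://C:\\AzManStore.xml", "MyApp", "Editors", sid);
        Console.WriteLine("assigned " + sid);
    }
}
```

The same SDDL string can later be fed to IAzApplication.InitializeClientContextFromStringSid at request time, so the application checks access for the AD LDS user without ever needing a Windows account for them.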