It seems like the problem here is that the tool you are using (ldapmodify, which I've 
never heard of actually) seems to want a local DN path to bind against. That is, it 
wants to use a simple bind (or some other bind type that mandates a DN path to bind 
against). The user principal is in AD, not ADAM, therefore to use it you really need 
to secure bind, but your tool won't let you do that. Enter this problem.
 
A few choices:
1) create an ADAM user and use that instead (probably not a good choice)
2) Read up on bind proxy in the ADAM documentation. The scope of this feature is to
allow local-DN based simple binds for users in another auth store. In essence we
redirect the cred check to the NOS and then treat the user like it is local, even if
it is not. This feature is documented in ADAM RTM-shipping documentation as well as
the tech reviewers guide on microsoft.com/adam.
 
~Eric
 

________________________________

From: Harpreet_Kapoor [mailto:[EMAIL PROTECTED]
Sent: Mon 8/16/2004 8:39 AM
To: Mulnick, Al; [EMAIL PROTECTED]
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Problem in importing schema in ADAM



Hi Al,

I am not able to get the FQDN (Fully Qualified Domain Name) of the
Built-in Administrator.
When I added the built-in admin to
cn=administrators,cn=roles,dc=abcd,dc=com it displayed the following dn:
CN=S-1-5-32-544,CN=ForeignSecurityPrincipals,DC=abcd,DC=com.
Even though this looked specific to dc=abcd,dc=com, I tried giving this
as it showed the container as BUILTIN & the Name as administrators.
However, I got the error "invalid credentials".
How do I get to know the FQDN of the built-in administrator?

Thanks,
Harry

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, August 16, 2004 6:45 PM
To: '[EMAIL PROTECTED]'
Cc: Harpreet_Kapoor; '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Problem in importing schema in ADAM

Harry, when you used the built-in admin account, did you use the account
used to install ADAM? That's the one that by default has administrative
rights to the ADAM instance and is able to modify the schema. As Eric
mentioned, to do this with a user in a new naming context, you'll need that
hotfix and instructions (which would be nice to have; is it public or just
via support?)

-Al


[I cc'd you both because I can't tell if an off-line conversation has fixed
this issue]

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harpreet_Kapoor
Sent: Monday, August 16, 2004 3:53 AM
To: Eric Fleischman
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problem in importing schema in ADAM

Hi Eric,

I tried to import the schema using the ldifde command on the machine where
ADAM was installed. For this, I used the following command:

ldifde -i -f<path of the schema file to be imported> -s localhost -t <portno> -z -v

Then, I tried using ldapmodify remotely to import the schema by giving the
following command:

ldapmodify -v -h<ip> -p<port> -f<schema file to be imported> -D<bind-dn> -w<passwd>

It again gave me the error "Invalid credentials". This user, however, has
admin rights over dc=abcd,dc=com.
Someone suggested that I use the built-in administrator account. So, I gave
the built-in admin admin rights over dc=abcd,dc=com & used its DN. This also
fails for the same reason.
What could be wrong?
The computer on which ADAM is installed is in a Workgroup & the computer from
which I am trying ldapmodify is in a domain. Could this have anything to do
with the issue at hand?

~Harry


-----Original Message-----
From: Harpreet_Kapoor
Sent: Monday, August 16, 2004 11:01 AM
To: 'Eric Fleischman'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Problem in importing schema in ADAM

Hi Eric,

I agree that "Schema elements are not specific to a single application
partition".
However, even when we use ldapmodify with AD, I need to do the following:
1) Create an OU=test
2) Right click on Active Dir Schema and select "Operations Master".
There, select the check box (The schema may be modified on this domain
controller).
3) Right click on AD Schema again, select "Permissions". Give full control
to administrators & schema admins.
Now, when I import the schema using ldapmodify, this gets done
successfully.

In case of ADAM,
1) I create a user and give it admin rights over dc=abcd,dc=com.
2) Now, I create an OU=test in dc=abcd,dc=com. Here, I understand that my
admin user has full control over dc=abcd,dc=com.
3) However, when I right click on ADAM schema, operations master is
disabled. Also, the permissions option does not appear.
So, how do I grant my admin user permissions over this? Is this the reason
that I get "Insufficient access" when I import schema using ldapmodify? How
do I overcome this problem?

Thanks,
Harry

-----Original Message-----
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 15, 2004 9:09 PM
To: Harpreet_Kapoor
Subject: RE: [ActiveDir] Problem in importing schema in ADAM

Schema elements are not specific to a single application partition. When you
import a schema element it must be inserted in to
cn=schema,cn=configuration..... They are global for all application
partitions in this ADAM instance, much like the schema is global for all
domains in a forest.

~Eric

________________________________

From: Harpreet_Kapoor [mailto:[EMAIL PROTECTED]
Sent: Sun 8/15/2004 3:43 AM
To: Eric Fleischman
Subject: RE: [ActiveDir] Problem in importing schema in ADAM



Hi Eric,

I have imported the file ms-user.ldf during the installation process.
I have created the user in dc=abcd,dc=com under the ou=People. Now, I wish
to import the schema in an ou=test created under the same dc=abcd,dc=com.

What I meant by saying "there is no provision for creating & adding a user"
was that in mmc (Microsoft Management Console), I selected ADSI Edit & ADAM
Schema. In ADAM Schema, there is no provision to add a user.

~Harry


-----Original Message-----
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 15, 2004 1:29 PM
To: Harpreet_Kapoor; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problem in importing schema in ADAM

To create users you need to import ms-user.ldf, one of the ldif's provided
with the ADAM installer. You can do this during GUI-mode setup or after the
fact (see the header of the file for sample import syntax).
You need to do this w/admin creds to the instance. That would be the admin
creds that you supplied during install, or others you add to the admin
group in the config partition.

I discussed what I did because you explicitly stated:
> When I created a user in ADAM.....
If you created the user in ADAM I would point out that you probably have
imported ms-user.ldf already, knowingly or unknowingly, or created your own
class which is a bindable object.

I can't answer your second question as there is some mixed info here. On one
hand you are saying "there is no provision for creating & adding a user" but
on the other you said "when I created a user in ADAM...". Once that point is
cleared up I can answer your question. That is, are you creating ADAM users
or Windows users? It isn't clear to me from the info provided below.

~Eric


________________________________

From: Harpreet_Kapoor [mailto:[EMAIL PROTECTED]
Sent: Sun 8/15/2004 2:12 AM
To: [EMAIL PROTECTED]
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Problem in importing schema in ADAM



Hi Eric,

In the ADAM schema, there is no provision for creating & adding a user.

Will I be able to import the schema by adding the user & giving it admin
rights in CN=Configuration,CN={guid}? (I got this by right clicking on ADAM
ADSI Edit, selecting "Connect to..." and then selecting the "Well known
naming context". In the combo box, I selected "Configuration".)

I mean, will giving admin rights to the user over cn=config,cn={guid} help
me import schema into the ADAM schema?

There is another issue regarding this. I have created an OU under
dc=abcd,dc=com. My user has admin rights over this NC. Still, I am not able
to import schema into this OU. Is this issue again caused by the same reason
that you stated?

Thanks,
Harry

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, August 14, 2004 10:04 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Problem in importing schema in ADAM

So by definition you created a user that is in an app partition. Adding them
to the admin's role in that app partition does give them admin over the
partition but not over the config/schema.
So what you're thinking is now "oh so I just need to add them to the admin
group in the config." Seemingly easy task, but in ADAM we won't allow
cross-NC membership. That is, a user from NC1 can't be a member of a group
in NC2. In this case that prevents the user from being in the admin group in
the config.

Ah hah, but wait. What if you could create a user in the config? You can.
You need a post-RTM QFE package where we added this ability + need to flip a
setting in the config that will allow for it, but you most certainly can
turn on the ability to create users in the config. Then you can add those
users to the cn=admin,cn=roles,cn=config,cn={<guid>}
group and they can be admin over the config/schema as you seem to desire.

If you need this package ping me offline and I'll send it to you +
instructions. Please include your phone # in that ping as the system
requires I enter that (in case there is some awful problem with the package
found and we want to try and reach you).

~Eric

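Both fixes named in this thread end up as LDIF that ldifde or ldapmodify would load: Eric's bind-proxy option from the top of the thread (a userProxy object in the application partition whose objectSid is the Windows principal's SID, so a simple bind against a local DN gets its password checked by the NOS) and the config-partition fix in the message above (a user that lives in the config partition added to the Administrators role there, since ADAM refuses cross-NC membership). The Python below is an added example, not code from the thread or from Microsoft. The userProxy class and its objectSid attribute come from the ADAM bind-redirection documentation Eric points to and are not on this page; the user names harry-proxy and schemaadmin, the container OU=People and the sample user SID are constructed; {guid} is left as the placeholder the thread uses. The substantive part is the SID packing: objectSid is stored in binary, so a textual SID such as the one Harry saw in the ForeignSecurityPrincipals CN (S-1-5-32-544) has to be converted before it can go into the LDIF.

```python
import base64
import struct

# Values taken from the thread.
APP_PARTITION = "DC=abcd,DC=com"
CONFIG_PARTITION = "CN=Configuration,CN={guid}"  # instance GUID elided, as on the page
FSP_SID = "S-1-5-32-544"                          # the CN of Harry's ForeignSecurityPrincipal

# Constructed sample values (not from the thread): a made-up domain user SID,
# because a userProxy must point at a Windows *user*; BUILTIN\Administrators
# is a group and cannot authenticate a proxy bind.
SAMPLE_USER_SID = "S-1-5-21-1000-2000-3000-1105"
PROXY_CONTAINER = f"OU=People,{APP_PARTITION}"


def sid_to_bytes(sid: str) -> bytes:
    """Pack a textual SID (S-R-A-s1-s2-...) into the binary layout stored in
    objectSid: revision (1 byte), sub-authority count (1 byte), 48-bit
    identifier authority (big-endian), then each sub-authority as a
    little-endian 32-bit integer."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError(f"malformed SID: {sid!r}")
    out = struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, so an objectSid read back from the directory
    can be compared with the textual form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack("BB", raw[:2])
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def ldif_record(dn: str, changetype: str, attrs) -> str:
    """Render one LDIF change record. Binary values use the '::' separator
    with a base64 body, as LDIF requires."""
    lines = [f"dn: {dn}", f"changetype: {changetype}"]
    for name, value in attrs:
        if isinstance(value, bytes):
            lines.append(f"{name}:: {base64.b64encode(value).decode('ascii')}")
        else:
            lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"


def user_proxy_ldif(cn: str, container: str, windows_sid: str) -> str:
    """LDIF that creates a userProxy (the ADAM bind-redirection object; class
    name from the ADAM docs, not from this thread). A simple bind against
    CN=<cn>,<container> is then checked by Windows for the account with
    objectSid == windows_sid."""
    attrs = [("objectClass", "userProxy"), ("objectSid", sid_to_bytes(windows_sid))]
    return ldif_record(f"CN={cn},{container}", "add", attrs)


def add_role_member_ldif(member_dn: str, role_cn: str, partition: str) -> str:
    """LDIF 'modify' that adds member_dn to CN=<role_cn>,CN=Roles,<partition>.
    ADAM rejects cross-NC membership, so member_dn must live in the same
    partition as the role; for the config partition that means a user
    created in the config partition itself."""
    lines = [
        f"dn: CN={role_cn},CN=Roles,{partition}",
        "changetype: modify",
        "add: member",
        f"member: {member_dn}",
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Show that the FSP CN Harry saw is just the textual form of a binary SID.
    print(f"# {FSP_SID} packs to {base64.b64encode(sid_to_bytes(FSP_SID)).decode()}")
    print(user_proxy_ldif("harry-proxy", PROXY_CONTAINER, SAMPLE_USER_SID))
    print(add_role_member_ldif(f"CN=schemaadmin,{CONFIG_PARTITION}", "Administrators", CONFIG_PARTITION))
```

Running it prints both records, which ldapmodify -f or ldifde -i take as-is. Two caveats that are mine rather than the thread's: a proxy bind carries the Windows password inside a simple bind, so it belongs on an SSL-protected port only (ADAM refuses proxy binds in the clear unless that protection is explicitly turned off), and the second record only succeeds if the member DN really exists in the config partition, which per Eric needs the post-RTM QFE that allows creating users there.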

________________________________

From: [EMAIL PROTECTED] on behalf of Harpreet_Kapoor
Sent: Sat 8/14/2004 7:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Problem in importing schema in ADAM



Hi guys,



I am trying to import schema into ADAM. However, I get the message that the
user has insufficient access.

When I created a user in ADAM, I went to CN=Roles.

There I right clicked on CN=Administrator, selected Properties and added
the user dn in the member attribute by selecting <ADD ADAM
ACCOUNT>. Hence, I made this user the administrator. However, while
trying to import the schema, I got the error code 50 or 0x32 which means
Insufficient access rights.

What could be wrong? Do I need to do something else also before importing
the schema?



Thanks,

Harry

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/