ADAM: Active Directory in Application Mode (Active Directory w trybie aplikacyjnym)
Ewa Baćmaga, Integral Technologies, http://www.integral-tech.pl
Agenda
- New AD features in Windows Server 2003
- Introduction to ADAM
- ADAM programming interfaces
- ADAM from the .NET Framework
- DSML
- Benefits of ADAM
Our agenda is closely mapped to the demonstrations that we will be covering. The agenda items include: an introduction to ADAM; security with ADAM; the programmatic interfaces available when using ADAM; using ADAM from the .NET Framework; using DSML to access ADAM; and finally the key benefits of using ADAM.
New AD features in Windows Server 2003
- Enhanced data sharing in a distributed environment
  - Application directory partitions
  - Adaptable data structures
  - Support for dynamic data
  - Schema deactivation
  - Support for the InetOrgPerson class
Enhanced Application Data Sharing across the Distributed Network: Users can use Active Directory to create new objects or to extend existing objects required by their application. For example, a human resource application may add a new attribute called Purchasing-Limit to the user class to store purchasing limit data for the users. Storing this data in the directory service makes it available to the human-resource application and other authorized applications across the distributed systems environment. The following new enhancements in Active Directory will make it easier for applications to share data across the distributed network: Application Directory Partitions: Software application vendors want a directory service dedicated to fulfilling the requirements of their product. Windows Active Directory allows the creation of a directory partition, referred to as an Application Directory Partition, to achieve this goal. This partition can be used by software application vendors to store any type of objects except security principals (users, groups and computers). This partition is not replicated by default, but can be configured to replicate to any set of domain controllers in the forest, not necessarily all in the same domain. This directory partition feature provides the flexibility of hosting dynamic data in Active Directory without significantly impacting network performance. Directory replication scope and topology of the replicas can be selectively configured according to application requirements. Adaptable Data Structures: Software developers want to extend individual instances of a class without replicating the change to all other instances of that object.
Windows Active Directory now supports dynamically associating an auxiliary class, which adds the attributes that are defined by the auxiliary class, with individual object instances. In Windows 2000, an auxiliary class could only be statically associated with a structural class definition in the schema, which meant that all instances of that structural class got the attributes from the auxiliary class added to them.
New AD features in Windows Server 2003
- Increased availability for applications
  - Improved replication management
  - Improved group handling
  - More efficient global catalog synchronization
Increased Network Application Accessibility: Applications written to operate in networks require an easy and simple mechanism for clients to access them in a distributed environment. Active Directory makes this possible by offering the "Service Publication" functionality. Service Publication is the creation, storage, and maintenance of information about a service in Active Directory. Network clients and network administrators can use this information to find, connect to, and manage a service. Service Publication in Active Directory enables clients and administrators to view the distributed network as a collection of services rather than as a collection of individual computers. To publish a service in Active Directory, a directory-enabled application must store, as a minimum requirement, its binding information. Service bindings are the information a client uses to connect, or bind, to an instance of a given service. The information needed to bind to a service includes the service name and its location. For example, a World Wide Web browser binds to a Web server by using a Uniform Resource Locator (URL). Service publication allows network services to change their properties without changing client configuration. Clients can search in Active Directory and bind to application services. New Active Directory features have made service publication more reliable and increased network application accessibility.
New AD features in Windows Server 2003
- Reduced cost of managing applications
  - Simplified management of application distribution
  - Full installation of user-assigned applications at logon
  - More productive administrative interfaces
Reduced Cost of Managing Applications: Independent Software Vendors (ISVs) often use the registry to store configuration information for their applications. It is difficult to create and maintain registry settings, especially when it requires modifying these settings across multiple client and server machines each time a configuration value changes. Using Active Directory to store this information reduces the cost of managing it. The following new features will help independent software vendors to further reduce the cost of ownership of their applications. Simpler Distributed Application Management: Developers need an efficient infrastructure to manage distributed applications. Using Windows Active Directory, the Windows Management Instrumentation (WMI) event infrastructure has been expanded to operate in a distributed environment. The enhancements consist of components that enable configuring subscription, filtering, correlation, aggregation, and transport of WMI events. An ISV can enable health monitoring, event logging, notification, auto recovery, and billing of their application with the addition of a User Interface and the definition of a policy type. Full Install of User Assigned Applications at Logon: The Application Deployment Editor contains a new option that allows a user-assigned application to be installed completely at logon, instead of on demand. More Productive Administrative Interfaces: System administration and maintenance cost organizations resources and time. In Windows Server 2003, administrators can now edit multiple user objects simultaneously, reset ACL permissions to the default, show effective permissions on a security principal, and indicate the parent of an inherited permission.
These operations now require significantly less time from administrators, making them more productive.
Active Directory programming
Introduction to ADAM: new capabilities
- Simple installation and configuration
  - No DCPROMO, a wizard instead
  - The machine is not converted into a DC
  - Restart and reinstall without rebooting the system
- Multiple instances on a single machine
- Each instance has its own schema
- X.500-style naming (O=, C=)
It is quite simple to install and set up ADAM. The setup program (adamsetup.exe) requires you to answer a couple of questions for installation of your ADAM instance. Unlike with Active Directory, ADAM does not require your machine to be a Domain Controller, and you do not need to run DCPROMO. When installing or starting your ADAM instance, you are not required to restart your machine. You can have more than one instance of ADAM on a single machine. You can create a unique schema per instance of ADAM. If you wish, you can use X.500-style naming conventions when specifying your ADAM schema. X.500 is an ISO and ITU standard that defines how global directories should be structured. X.500 directories are hierarchical, with different levels for each category of information, such as country, state, and city. X.500 supports X.400 systems.
Introduction to ADAM: it is simply a new mode!
- The same programming model as AD
- Replication and administration model similar to AD
- The same way of storing data
- Provides the same as AD, except for
  - DNS SRV record support
  - MAPI protocol support
Because ADAM is a new mode for AD, you can use the same programming model that you currently use for Active Directory. ADAM also has replication and an administration model similar to AD (this will be covered in later slides). Storage is the same as AD: the DIT file and LOG file layout is the same. Some important differences between ADAM and AD are that ADAM does not interact with DNS as AD does, and that there is no MAPI support in ADAM (you will not be able to use Exchange with ADAM).
Introduction to ADAM: supported platforms
- Windows Server 2003 Standard, Enterprise and Datacenter
- Windows XP Professional
- Restrictions when running on Windows XP
  - Use only for application development
  - Limit of 10,000 objects
ADAM is supported on Windows Server 2003 and Windows XP. There are some restrictions with Windows XP, however: support on Windows XP is for development purposes only, there is a quota of 10,000 total objects, and there are no password or account policies.
Introduction to ADAM: new concepts
- Instance
  - Identified by name and ports
  - Ports: LDAP and SSL (configurable)
- Event log
  - One per instance
- Configuration set
  - A collection of instances that replicate with each other; they share the configuration and schema partitions
As mentioned earlier, you can have multiple instances of ADAM on a single machine. Each instance of ADAM is uniquely identified on a machine by its name and the ports used for the instance. For each instance, you will have unique files, a unique service, unique registry entries, and unique ports. Two ports are specified per instance, one for LDAP (unsecured port) and one for SSL (secured port). You also have a unique application event log per instance (you specify the log directory during installation). You can configure your ADAM instances to replicate with each other. A collection of instances that replicate with each other is called a configuration set. The members of a configuration set share the configuration and schema partitions.
Introduction to ADAM: architecture
(Diagram) Active Directory: the LSASS process hosts LDAP, MAPI, REPL, KDC, Lanman, the DSA and SAM, with dependencies on DNS and FRS. Active Directory in Application Mode: the ADAM process hosts only LDAP, REPL and the DSA.
- ADAM is simply a new mode of AD
- The programming model and administration tools are identical to AD (no need to acquire new skills)
Active Directory requires several key components in order to run. These include the Security Accounts Manager, File Replication Services, and DNS. ADAM does not have these dependencies. Because of this, you can install ADAM on a server that does not have the components required for AD. This model is more appropriate for applications that only need access to a directory service.
Introduction to ADAM: components
- Key elements
  - Contains the DSA, LDAP and replication layers
  - Hosted by its own process/service
- Configuration
  - Copying the binaries, then installing and starting the service
- Tools
  - The same as for AD
The directory core contains the Directory Services Agent, LDAP, and Replication layers. The directory core runs as its own process and as a separate service. The core binaries are copied to the machine during the install. After the install, you can set the properties for the service using the Service Control Manager. If you are currently using tools to manage AD, you can continue to use these tools to manage ADAM installations. For documentation, there is a programmer's reference in the Platform SDK that is downloadable from www.microsoft.com. The Directory System Agent (DSA) is the process that provides access to the store. The store is the physical store of directory information located on a hard disk. In Active Directory, the DSA is part of the Local Security Authority (LSA) subsystem in Microsoft Windows 2000. Clients access the directory using one of the following mechanisms supported by the DSA: LDAP clients connect to the DSA using the LDAP protocol. LDAP is an acronym for Lightweight Directory Access Protocol. Active Directory supports LDAP 3.0, defined by RFC 2251, and LDAP 2.0, defined by RFC 1777. Microsoft Windows 2000 clients (and Windows 95 and Windows 98 clients) with Active Directory client components installed use LDAP 3.0 to connect to the DSA. MAPI clients such as Microsoft Exchange connect to the DSA using the MAPI remote procedure call interface. Windows clients that use a previous version of Windows NT connect to the DSA using the Security Account Manager (SAM) interface. Active Directory DSAs connect to each other to perform replication using a proprietary remote procedure call interface.
Introduction to ADAM: physical representation
- Service
  - One service per instance
  - Managed through the Service Control Manager
  - Runs as NetworkService or as a designated user
- Files
  - Each instance has its own binaries
  - Instances can be updated independently of each other (service packs, new versions)
Each instance of ADAM runs as a separate service. As with other services, you can manage the service using the Service Control Manager. Services can run under a specific security context; during setup, you can specify the context for the service to run under. Each instance has its own binaries. This is nice, because instances can be upgraded independently of one another, whether it is a new Quick Fix Engineering (QFE) update, a service pack (SP), or a new version. The registry is used by ADAM, although the service's registry key is the only place where data is stored. The parameters and keys are similar to those used by AD.
Introduction to ADAM: default configuration - schema
- Default schema
  - Reduced (~30 objects and <200 attributes)
  - Extensible with the supplied LDIF files
    - for RFC compliance, e.g. InetOrgPerson support
    - for specific applications
- Full schema extensibility
  - Auxiliary classes the same as in AD
  - Deactivation and reactivation of schema elements
The default schema is much smaller than that of AD (~30 objects and <200 attributes). To extend the schema, ADAM comes with several LDIF files. They include LDIF files for RFC compliance, e.g. InetOrgPerson support, and for specific applications. From the abstract of the RFC for InetOrgPerson: While the X.500 standards define many useful attribute types [X520] and object classes [X521], they do not define a person object class that meets the requirements found in today's Internet and Intranet directory service deployments. We define a new object class called inetOrgPerson for use in LDAP and X.500 directory services that extends the X.521 standard organizationalPerson class to meet these needs. For example, an LDIF file will be used in the demonstration to extend support for the InetOrgPerson specification. The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format that may be used for performing batch operations against directories that conform to the LDAP standards. You can extend the schema as you wish. The auxiliary classes are the same as in AD, and you can add other elements as needed by your applications. You can also activate and deactivate your schema elements if you do not wish to delete the elements from the schema.
Introduction to ADAM: default configuration - partitions
- No domain partition
- Configuration and schema partitions present in every installation
- Application partition
  - Created during configuration or later, using tools or programmatically
  - DC or X.500 naming convention
Unlike AD, there is no Domain partition in ADAM. Partitions created in Active Directory allow users in a domain to access COM+ applications throughout the domain; during creation, each specific user or organizational unit (OU) is assigned, or mapped, to a partition set. In all instances of ADAM, there will be both configuration and schema partitions. You can create Application Directory partitions. This can be done at setup time or later, using tools or programmatically. Application Directory partitions are the same as in AD, except that you can use either DC-style naming or X.500-style naming, and you can use any ObjectClass allowed for a partition head. In AD, a single user or OU can access multiple partitions and their applications because there is a one-to-one correlation between a user identity or OU and a partition set. Without a partition set, a user or OU would need multiple user identities to access applications in different partitions. Cross-partition references are not allowed in ADAM.
ADAM programming interfaces: accessing ADAM
- LDAP API
  - Windows clients: wldap32.dll
  - Active Directory accessible from other platforms
  - ADAM fully accessible via LDAP
- ADSI
  - COM, accessible from scripts
  - Uses LDAP to communicate with AD
- .NET Framework: System.DirectoryServices
  - Benefits of managed code, simplicity
- Access through XML/SOAP
  - DSMLv2
There are several ways you can access ADAM, including: LDAP API: Windows clients can use the API exposed in wldap32.dll to access ADAM. Active Directory is accessible from other platforms. All of the features of ADAM can be accessed via the LDAP API. ADSI: ADSI is COM-based, scriptable, and provides a multi-provider architecture. This is a simple model to work with for development (many administrators currently use scripts). LDAP is used by ADSI to talk to AD or other LDAP servers, including ADAM. .NET Framework: System.DirectoryServices provides access to ADAM (this is covered in a later section). You can take advantage of all the benefits of managed code, including a simplified development model. You can use these services from various types of clients, including Web-based and WinForm clients. XML/SOAP Access: DSMLv2 specifies the format of SOAP requests to a directory service. These requests and the corresponding responses can be sent over several different types of transports, including HTTP and HTTPS.
ADAM programming interfaces: accessing ADAM
(Diagram) Non-Windows clients and managed code (System.DirectoryServices) on top; System.DirectoryServices uses ADSI (providers: WinNT, NDS, LDAP); ADSI uses the LDAP API; alternatively SOAP over HTTP carries DSMLv2 to a DSMLv2 server. Targets at the bottom: Active Directory and ADAM.
Here we see the different ways to access ADAM. Note that System.DirectoryServices relies on ADSI and that ADSI relies on the LDAP API. Also note that non-Windows clients can access ADAM using either LDAP or DSML.
Installing ADAM
ADAM from the .NET Framework: System.DirectoryServices
- Part of the .NET Framework
- Assembly: System.DirectoryServices.DLL
- Built on top of ADSI
- Two basic classes provide the core functionality
  - DirectoryEntry
  - DirectorySearcher
- They provide access to LDAP servers, including ADAM and Active Directory
System.DirectoryServices is a part of the .NET Framework. It is available from the System.DirectoryServices.DLL assembly. The assembly uses Active Directory Services Interfaces (ADSI) technology. The two major classes that do the majority of the work are the DirectoryEntry class and the DirectorySearcher class. These classes allow access to LDAP servers, including ADAM and Active Directory. Along with that, they allow access to any ADSI provider (current providers are Internet Information Services (IIS), Lightweight Directory Access Protocol (LDAP), Novell NetWare Directory Service (NDS), and WinNT).
ADAM from the .NET Framework: System.DirectoryServices
- System.DirectoryServices makes heavy use of CLR concepts: collections, custom indexers, dictionaries, arrays
- The result? Behaviour consistent with other .NET technologies
- Benefits provided by the CLR
  - Automatic memory management, simple application deployment, evidence-based security, exception handling
- Simplicity
  - Simpler than ADSI
System.DirectoryServices adopts CLR concepts heavily, including collections, custom indexers, dictionaries, and arrays. The net result of this is behaviour consistent with other .NET technologies. Since this is managed code, you have the benefits of the Common Language Runtime environment, including automatic memory management, easy deployment, a modern, truly object-oriented framework, evidence-based security, and exception handling.
ADAM from the .NET Framework: an object in the directory
- Every object has a name
  - A relative name, e.g. OU=Sales
- Every object has a path
  - Built from the object's name and the names of its ancestors, e.g. OU=Sales, O=Fabrikam
- Every ADAM object also has a GUID
  - It does not change
(Diagram) O=Fabrikam contains OU=Sales, which contains CN=Alice Reed and CN=John Smith.
Directory objects have a Relative Distinguished Name (e.g. OU=Sales) and a Distinguished Name (e.g. OU=Sales, O=Fabrikam). Distinguished Names are based on the object's name and its ancestors. Each ADAM object also has a GUID that does not change.
ADAM from the .NET Framework: DirectoryEntry
- Every object in the directory is represented as a DirectoryEntry
- What can you do with objects?
  - Modify their properties
  - Rename and move them
  - Enumerate their children
  - Create a child
  - Delete a child
  - Obtain their identity
  - Get the parent
Each object in the directory is represented as a DirectoryEntry. The DirectoryEntry class encapsulates a node or object in the Active Directory hierarchy. Use this class for binding to objects, reading properties, and updating attributes. Together with helper classes, DirectoryEntry provides support for life-cycle management and navigation methods, including creating, deleting, renaming, moving a child node, and enumerating children.
ADAM from the .NET Framework: DirectoryEntry example
- The directory path is a string containing the distinguished name
- This creates a directory entry in memory, not in the actual directory (the constructor does not contact the server)
- Path, name, GUID, parent
```csharp
using System;
using System.DirectoryServices;

// path: an ADsPath such as "LDAP://srv01/OU=Sales,O=Fabrikam"
DirectoryEntry entry = new DirectoryEntry(path);   // nothing is sent to the server yet
Console.WriteLine(entry.Path);   // the ADsPath the entry was created with
Console.WriteLine(entry.Name);   // the relative distinguished name, e.g. OU=Sales
Console.WriteLine(entry.Guid);   // the object's GUID; reading it binds to the directory
DirectoryEntry parent = entry.Parent;
```
This code example shows creating a directory entry object and displaying some of the properties of the object, including the path, the name, and the GUID for the entry.
ADAM from the .NET Framework: binding to an object
- The client must specify the ADAM server
  - e.g. "LDAP://srv01", "LDAP://srv02"
- The client may specify a port other than the default
  - e.g. "LDAP://srv01:1026"
- The client can bind to any object in the directory
  - The distinguished name of the object is required
  - Path format: LDAP://serverName[:port]/DistinguishedName
- The client can pass additional information about authentication, encryption, etc.
There are a number of ways to bind to an ADAM instance. In all cases, you must at least specify the ADAM server name (e.g. "LDAP://srv01", "LDAP://srv02"). If the ADAM instance was installed on another port, you can specify that when binding as well (e.g. "LDAP://srv01:1026"). You can also bind to any object in the directory by specifying the object's distinguished name. This type of bind is subject to an access check for the object you are attempting to access. The path format for this is LDAP://serverName[:port]/DistinguishedName. Clients may also pass alternate credentials, the authentication method, encryption, etc.
ADAM from the .NET Framework: binding examples
```csharp
// 1. Bind by path only, using the caller's current security context
new DirectoryEntry("LDAP://srv01/CN=Alice,OU=HR,O=Fabrikam");

// 2. Bind with explicit credentials
new DirectoryEntry("LDAP://srv01/OU=HR,DC=Fabrikam,DC=COM", userName, password);

// 3. Bind with explicit credentials to a non-default port over SSL
new DirectoryEntry("LDAP://srv01:1025/DC=Fabrikam,DC=COM", userName, password,
                   AuthenticationTypes.SecureSocketsLayer);
```
This code example shows creating a directory entry object and specifying a couple of different ways to bind to an LDAP source. The first example initializes a new instance of the DirectoryEntry class that binds this instance to the node in Active Directory located at the specified path. The second example initializes a new instance of the DirectoryEntry class; the Path, Username, and Password properties are set to the specified values. The third example initializes a new instance of the DirectoryEntry class; the Path, Username, Password, and AuthenticationType properties are set to the specified values.
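The following added example (not code from the deck) puts the two previous slides together: it builds the LDAP://serverName[:port]/DistinguishedName path, binds to an ADAM instance as an ADAM user over SSL, and forces the bind immediately so that a wrong port, DN or password surfaces as one error rather than on a later property access. The server name srv01, port 636, the account DN and the password placeholder are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example, not part of the original deck. Server, port and account DN are assumed.
public static class AdamBind
{
    // Builds the ADsPath in the form LDAP://serverName[:port]/DistinguishedName.
    public static string BuildPath(string server, int? port, string distinguishedName)
    {
        string host = port.HasValue ? server + ":" + port.Value : server;
        return "LDAP://" + host + "/" + distinguishedName;
    }

    // Opens an entry for an ADAM object with explicit credentials over SSL.
    // Constructing the DirectoryEntry does not contact the server; RefreshCache()
    // performs the bind now, so failures are reported here with the server's error code.
    public static DirectoryEntry Bind(string path, string userDn, string password)
    {
        DirectoryEntry entry = new DirectoryEntry(
            path, userDn, password,
            AuthenticationTypes.SecureSocketsLayer);   // simple bind, but the channel is encrypted
        try
        {
            entry.RefreshCache();                      // forces the bind and loads the attribute cache
            return entry;
        }
        catch (COMException ex)
        {
            entry.Dispose();
            throw new InvalidOperationException(
                "Bind to " + path + " failed: 0x" + ex.ErrorCode.ToString("X8"), ex);
        }
    }

    public static void Main()
    {
        // Assumed values: an instance on srv01 with SSL on port 636 and an ADAM user in OU=HR.
        string path = BuildPath("srv01", 636, "OU=HR,O=Fabrikam");
        using (DirectoryEntry hr = Bind(path, "CN=Alice,OU=HR,O=Fabrikam", "<password>"))
        {
            Console.WriteLine("{0} {1} {2}", hr.Path, hr.Name, hr.Guid);
        }
    }
}
```

The user name passed for an ADAM-local account is its distinguished name, which the server authenticates with a simple bind; SecureSocketsLayer is what keeps that password off the wire. The ErrorCode in the exception is the HRESULT returned by ADSI, which is the value to look up when a bind is refused.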
ADAM from the .NET Framework: navigation
- Every DirectoryEntry has a collection named Children
- .Find() returns a specified child
- .Parent returns the parent
```csharp
// enumerate all children of the entry
foreach (DirectoryEntry child in entry.Children)
{
    Console.WriteLine(child.Name);
}
// navigate up to the parent
DirectoryEntry parent = entry.Parent;
// look up one child by its relative distinguished name
DirectoryEntry sales = entry.Children.Find("OU=Sales");
```
Navigating around ADAM is simple. Each DirectoryEntry has a collection object named Children (the DirectoryEntries class, which supports the IEnumerable interface). You can use a foreach loop to display all of the children in the collection. This makes it convenient for you to work with Children. To get to a specific child, you can use the Find method to return the child with the specified name. To get its parent, you can use the Parent property to get the entry's parent in the hierarchy.
ADAM from the .NET Framework: life-cycle management
- Creating
  - e.g. child = entry.Children.Add("CN=Joe", "user");
  - CommitChanges() commits the changes
- Deleting
  - e.g. entry.Children.Remove(childEntry);
  - DeleteTree() removes an entire subtree
- Renaming and moving
  - e.g. entry.Rename("CN=John");
  - Moving an object to another path: bind to the object that is to become the new parent, then use MoveTo(), e.g. ent.MoveTo(targetParent);
You can create children using the Add method (e.g. child = entry.Children.Add("CN=Joe", "user");). You then call CommitChanges() to commit the changes to the directory. To delete children you can use the Remove method (e.g. entry.Children.Remove(childEntry);). You can also delete whole subtrees using DeleteTree(). To rename, you can use the Rename method (e.g. entry.Rename("CN=John");). To move an object to a different parent, you need to bind to the new target parent and use the MoveTo method (e.g. ent.MoveTo(targetParent);).
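As an added example (not the deck's code) here is the complete life cycle from this slide run end to end: create a user under OU=Sales, commit it, rename it, move it to OU=HR and finally delete it. The instance address srv01:389 and the two containers are assumptions.

```csharp
using System;
using System.DirectoryServices;

// Added example, not part of the original deck. Server and container names are assumed.
public static class AdamLifecycle
{
    // Creates a user object under the container. The object exists only in memory
    // until CommitChanges(), so mandatory attributes are set before that first commit.
    public static DirectoryEntry CreateUser(DirectoryEntry container, string cn, string sn)
    {
        DirectoryEntry user = container.Children.Add("CN=" + cn, "user");
        user.Properties["sn"].Value = sn;
        user.CommitChanges();
        return user;
    }

    // Rename keeps the object under the same parent; MoveTo re-parents it.
    // Both are executed immediately by the server and need no CommitChanges().
    public static void RenameAndMove(DirectoryEntry user, string newCn, DirectoryEntry newParent)
    {
        user.Rename("CN=" + newCn);
        user.MoveTo(newParent);
    }

    // Deletes one leaf object through its parent's Children collection.
    public static void DeleteUser(DirectoryEntry parent, DirectoryEntry user)
    {
        parent.Children.Remove(user);
    }

    public static void Main()
    {
        string instance = "LDAP://srv01:389/";   // assumed ADAM instance
        using (DirectoryEntry sales = new DirectoryEntry(instance + "OU=Sales,O=Fabrikam"))
        using (DirectoryEntry hr = new DirectoryEntry(instance + "OU=HR,O=Fabrikam"))
        {
            using (DirectoryEntry joe = CreateUser(sales, "Joe", "Smith"))
            {
                Console.WriteLine("created " + joe.Path);
                RenameAndMove(joe, "John", hr);
                Console.WriteLine("now at " + joe.Path);
            }
            // Re-open the object under its new parent before deleting it.
            using (DirectoryEntry john = hr.Children.Find("CN=John"))
            {
                DeleteUser(hr, john);
                Console.WriteLine("deleted CN=John from " + hr.Path);
            }
        }
    }
}
```

Note the asymmetry the slide hints at: Add() needs CommitChanges() to reach the directory, while Rename(), MoveTo() and Remove() take effect as soon as they return.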
ADAM from the .NET Framework: object properties
DirectoryEntry.Properties["name"]
(Diagram) Object: Fred Johnson
  givenName: Fred
  sn: Johnson
  memberOf: Sales, Admin, Consultant, …
To get to an object's properties, you use the Properties property and specify the name of the property you wish to retrieve.
ADAM from the .NET Framework: reading a property value
- Every property value (even a single one) is represented as a collection
- Property values can also be accessed through an array
- For convenience, .Value can be used to read single-valued attributes
```csharp
Console.WriteLine(ent.Properties["sn"].Value);
Console.WriteLine(ent.Properties["sn"][0]);        // the same as .Value for a single-valued attribute
foreach (object val in ent.Properties["memberOf"]) // multi-valued: enumerate the collection
{
    Console.WriteLine(val);
}
Console.WriteLine(ent.Properties["memberOf"][0]);  // or index into it
```
Each property value, regardless of whether it is single- or multi-valued, is represented as a collection. The values can also be accessed as an array. For convenience, .Value returns the value of a single-valued AD attribute.
ADAM from the .NET Framework: setting a property value
- .Add() adds a new value to the existing ones
- .AddRange() adds a range of new values to the existing ones
- .Insert() inserts a value at the position given by an index
- Values are accessed through .Value or through the array
```csharp
ent.Properties["sn"].Value = "Smith";                              // replace a single value
ent.Properties["description"].Add("Fabrikam Corporation");         // append one value
ent.Properties["operator"].AddRange(new string[] { "Mary", "Joe" }); // append several values
ent.Properties["telephoneNumber"].Insert(2, "(425)999-1111");      // insert at index 2
ent.Properties["wwwHome"][0] = "http://www.fabrikam.com";          // overwrite by index
ent.CommitChanges();                                               // write the changes to the directory
```
Use the Add method to append a new value to the existing values. You can use the AddRange method to append multiple values. You can use the Insert method to insert a value at an index position. The Value property can also be used.
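The two slides above show the collection API; the added example below (not from the deck) shows how to use it without tripping over attribute cardinality: .Value returns null, a string or an object[] depending on how many values an attribute holds, so code that reads attributes of varying cardinality should enumerate the collection instead, and code that adds to a multi-valued attribute should check for the value first to avoid the server rejecting a duplicate. The object DN and attribute names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not part of the original deck. Object DN and attribute names are assumed.
public static class AdamProperties
{
    // Returns every value of an attribute as a string, whether the attribute is
    // absent (empty list), single-valued or multi-valued. Binary values (byte[])
    // are rendered as hex so that callers never see "System.Byte[]".
    public static List<string> GetValues(DirectoryEntry entry, string attribute)
    {
        List<string> values = new List<string>();
        foreach (object value in entry.Properties[attribute])
        {
            byte[] raw = value as byte[];
            values.Add(raw != null ? BitConverter.ToString(raw) : value.ToString());
        }
        return values;
    }

    // Adds a value to a multi-valued attribute only if it is not already there.
    public static bool AddIfMissing(DirectoryEntry entry, string attribute, string value)
    {
        if (entry.Properties[attribute].Contains(value))
            return false;
        entry.Properties[attribute].Add(value);
        return true;
    }

    // Replaces whatever the attribute currently holds with a single value.
    // Clear() followed by Add() works for single- and multi-valued attributes alike.
    public static void Replace(DirectoryEntry entry, string attribute, string value)
    {
        entry.Properties[attribute].Clear();
        entry.Properties[attribute].Add(value);
    }

    public static void Main()
    {
        using (DirectoryEntry alice = new DirectoryEntry("LDAP://srv01/CN=Alice,OU=HR,O=Fabrikam"))
        {
            foreach (string group in GetValues(alice, "memberOf"))
                Console.WriteLine("memberOf: " + group);

            AddIfMissing(alice, "description", "Fabrikam Corporation");
            Replace(alice, "telephoneNumber", "(425)999-1111");
            alice.CommitChanges();   // all pending changes go to the server in one modify operation

            foreach (string d in GetValues(alice, "description"))
                Console.WriteLine("description: " + d);
        }
    }
}
```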
ADAM from the .NET Framework: DirectorySearcher
- Searching for objects in the directory
- Executing a query
  - FindAll() processes all objects in the result set
  - FindOne() processes a single object in the result set
- Elements required for a search
  - Search base
  - Scope
  - Query
  - The properties to be returned in the result set
Use the DirectorySearcher class to perform queries against the Active Directory hierarchy. LDAP is the only system-supplied Active Directory Service Interfaces (ADSI) provider that supports searching. A search of the Active Directory hierarchy through DirectorySearcher returns instances of SearchResult, which are contained in an instance of the SearchResultCollection class. To execute a query, use the FindAll method to retrieve all objects in a result set and the FindOne method to retrieve one object. Searching components include the search base, scope, query and the properties to be returned in the result set, and optionally search options such as PageSize, TimeOut and SizeLimit.
ADAM from the .NET Framework: elements required for a search
1. Search base: LDAP://adam01/OU=Sales,O=Fabrikam
2. Search filter: (&(sn=Sm*)(title=Assistant))
3. Scope: Base, OneLevel, Subtree
4. Returned properties: cn, ADsPath, sn, givenName
For the search base, set the SearchRoot property. This sets the node where the search starts. The search filter is set using the Filter property: the search filter string in LDAP format, such as "(objectClass=user)". The default is "(objectClass=*)", which retrieves all objects. The following options are available for scope: Base limits the search to the base object; the result contains at most one object. OneLevel searches one level of the immediate children, excluding the base object. Subtree searches the whole subtree, including all children and the base object itself. The properties returned by default are cn, ADsPath, sn, and givenName.
ADAM from the .NET Framework: search scope
(Diagram, relative to the search base) 1. Base; 2. One Level; 3. Subtree
Here you can see the scope for the base, one level, and subtree scopes.
ADAM from the .NET Framework: query examples
```csharp
DirectoryEntry ent = new DirectoryEntry("LDAP://adam01/O=Fabrikam");

// search base and filter only
DirectorySearcher src = new DirectorySearcher(ent, "(anr=john)");

// ... plus the properties to return
DirectorySearcher src2 = new DirectorySearcher(ent, "(anr=john)",
    new string[] { "sn", "title", "telephoneNumber" });

// ... plus the scope
DirectorySearcher src3 = new DirectorySearcher(ent, "(anr=john)",
    new string[] { "sn", "title", "telephoneNumber" }, SearchScope.OneLevel);
```
This slide shows some of the various options for searching ADAM.
```csharp
// search base with alternate credentials
DirectoryEntry ent = new DirectoryEntry("LDAP://server01/OU=Marketing,DC=Fabrikam,DC=COM",
                                        userName, password);
// filter
DirectorySearcher src = new DirectorySearcher(ent, "(anr=john)");
src.SearchScope = SearchScope.OneLevel;   // scope can also be set as a property
```
ADAM from the .NET Framework: the search result set
- The result set is a collection
- Each item in the collection is analogous to a DirectoryEntry, except that it is read-only (but it can be converted into a DirectoryEntry)

using (SearchResultCollection results = src.FindAll())
{
    foreach (SearchResult res in results)
    {
        Console.WriteLine(res.Properties["name"][0]);
        // you can also obtain the corresponding DirectoryEntry
        DirectoryEntry entry = res.GetDirectoryEntry();
    }
}

Notes: As you would expect, the result set is a collection. Each item is similar to a DirectoryEntry but read-only; call GetDirectoryEntry to get a writable DirectoryEntry for it. SearchResultCollection holds unmanaged ADSI resources that garbage collection does not release, so dispose it after every FindAll (the using block above); otherwise the process leaks memory.
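The filters on the previous slides are string literals. In a real application the value usually comes from a user, and a value that is concatenated into the filter unescaped can rewrite the filter (LDAP filter injection). The following is an added example, not code from the deck: it escapes filter values the way RFC 4515 requires, then runs the search with an explicit AuthenticationTypes and with the result collection disposed. The host adam01, the partition O=Fabrikam and the credential parameters are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example, not from the original deck. Host, partition and credentials are assumed.
public static class SafeSearch
{
    // RFC 4515: the characters that carry meaning inside a filter are replaced by
    // a backslash and their two hex digits. Without this, the input  *)(objectClass=*
    // turns "(&(sn=...)(title=...))" into a filter that matches every object.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Builds the slide's "(&(sn=...)(title=...))" filter from untrusted input.
    public static string BuildFilter(string surname, string title)
    {
        return "(&(sn=" + EscapeFilterValue(surname) + ")(title=" + EscapeFilterValue(title) + "))";
    }

    // Returns the telephoneNumber of every match below OU=Sales. Assumed ADAM instance
    // on adam01:389; the caller supplies a Windows principal's credentials.
    public static IList<string> FindPhoneNumbers(string surname, string title, string user, string password)
    {
        var numbers = new List<string>();
        // Secure = Negotiate bind; Sealing encrypts the session. A simple bind (AuthenticationTypes.None)
        // as an ADAM user would send the password in cleartext unless SecureSocketsLayer is set.
        using (var root = new DirectoryEntry("LDAP://adam01:389/OU=Sales,O=Fabrikam", user, password,
                                             AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (var searcher = new DirectorySearcher(root, BuildFilter(surname, title),
                                                    new string[] { "distinguishedName", "telephoneNumber" },
                                                    SearchScope.Subtree))
        {
            searcher.PageSize = 500; // paged results so the server's size limit does not truncate the set
            using (SearchResultCollection found = searcher.FindAll()) // must be disposed, see the slide above
            {
                foreach (SearchResult r in found)
                {
                    if (r.Properties.Contains("telephoneNumber"))
                        numbers.Add(r.Properties["telephoneNumber"][0].ToString());
                }
            }
        }
        return numbers;
    }

    public static void Main()
    {
        // A hostile surname that would otherwise widen the filter to every object.
        Console.WriteLine(BuildFilter("*)(objectClass=*", "Assistant"));
        // A benign value passes through unchanged.
        Console.WriteLine(BuildFilter("Smith", "Assistant"));
    }
}
```

Main only exercises the escaping, since the search itself needs a running ADAM instance. The escaped hostile value appears inside the sn assertion as literal text, so the server compares it as a string instead of parsing it as filter syntax.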
Using an ADAM instance
DSML: introduction
- Directory Services Markup Language
- Technical committee (Microsoft, Sun, IBM, Novell, Bowstreet, Oracle, Access360, Netscape and others)
- DSMLv1, December 1999: representation of directory objects in XML
- DSMLv2, November 2001: representation of LDAP operations in XML
- Design goals: independence from the transport; full interoperability with LDAP
- DSMLv2 is NOT a superset of DSMLv1
Notes: The Directory Services Markup Language (DSML) provides a means of representing directory structural information and directory operations as an XML document. The intent of DSML is to allow XML-based enterprise applications to use profile and resource information from a directory in their native environment. DSML allows XML and directories to work together and provides a common ground for all XML-based applications to make better use of directories.
DSMLv2 request (example)

<batchRequest xmlns="urn:oasis:names:tc:DSML:2:0:core"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <addRequest dn="cn=John Smith,ou=Sales,dc=Foo,dc=com">
    <attr name="objectClass"><value>contact</value></attr>
    <attr name="sn"><value>Smith</value></attr>
    <attr name="givenName"><value>John</value></attr>
    <attr name="title"><value>Vice President</value></attr>
  </addRequest>
  <modifyRequest dn="ou=Sales,dc=fabrikam,dc=com">
    <modification name="street" operation="replace">
      <value>23315 Main Street</value>
    </modification>
    <modification name="l" operation="replace">
      <value>Seattle</value>
    </modification>
  </modifyRequest>
</batchRequest>

Notes (build): The request is sent as XML. This batch contains the XML required to add a new contact object (John Smith) and the XML required to modify the existing Sales organizational unit.
DSMLv2 over SOAP

<se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/">
  <se:Body xmlns="urn:oasis:names:tc:DSML:2:0:core">
    <batchRequest>
      <searchRequest dn="dc=fabrikam,dc=com" scope="wholeSubtree"
                     derefAliases="neverDerefAliases" sizeLimit="1000">
        <filter>
          <substrings name="anr">
            <final>davej</final>
          </substrings>
        </filter>
        <attributes>
          <attribute name="telephoneNumber" />
        </attributes>
      </searchRequest>
    </batchRequest>
  </se:Body>
</se:Envelope>

Notes (build): The request is sent using SOAP; the DSML batchRequest travels in the body of the SOAP message.
DSMLv2 SOAP response

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <batchResponse xmlns="urn:oasis:names:tc:DSML:2:0:core">
      <searchResponse>
        <searchResultEntry dn="CN=David Johnson,…">
          <attr name="telephoneNumber">
            <value>+1 (243) 8430432</value>
          </attr>
        </searchResultEntry>
        <searchResultDone>
          <resultCode code="0" descr="success"/>
        </searchResultDone>
      </searchResponse>
    </batchResponse>
  </soap:Body>
</soap:Envelope>

Notes (build): The response is returned as a SOAP message. Here you see an example of a search response: each searchResultEntry carries the dn of one matching object, and searchResultDone reports the outcome of the search as an LDAP result code (code 0 means success; any other value means the search failed, and a client must check it rather than assume an empty set of entries means "no matches").
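The request and response on the last three slides are hand-written XML. The example below is added here and is not code from the deck or from DSML Services for Windows: it builds the same searchRequest with XmlWriter, so that a value such as `x</final></substrings><present name="userPassword"/>` is emitted as text instead of becoming new filter elements, and it parses the response with DTD processing and external entity resolution disabled, checking resultCode before trusting the entries. The sample response in Main is constructed for the example; the class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Xml;

// Added example, not code from the deck or from DSML Services for Windows.
public static class DsmlClient
{
    const string DsmlNs = "urn:oasis:names:tc:DSML:2:0:core";
    const string SoapNs = "http://schemas.xmlsoap.org/soap/envelope/";

    // Builds <se:Envelope><se:Body><batchRequest><searchRequest> for a "final substring"
    // match on attrName. Every value passes through XmlWriter and is XML-escaped.
    public static string BuildSearchRequest(string baseDn, string attrName, string finalValue, string returnAttr)
    {
        var sb = new StringBuilder();
        var settings = new XmlWriterSettings { Indent = true, OmitXmlDeclaration = true };
        using (XmlWriter w = XmlWriter.Create(sb, settings))
        {
            w.WriteStartElement("se", "Envelope", SoapNs);
            w.WriteStartElement("se", "Body", SoapNs);
            w.WriteStartElement("batchRequest", DsmlNs);
            w.WriteStartElement("searchRequest", DsmlNs);
            w.WriteAttributeString("dn", baseDn);
            w.WriteAttributeString("scope", "wholeSubtree");
            w.WriteAttributeString("derefAliases", "neverDerefAliases");
            w.WriteAttributeString("sizeLimit", "1000");
            w.WriteStartElement("filter", DsmlNs);
            w.WriteStartElement("substrings", DsmlNs);
            w.WriteAttributeString("name", attrName);
            w.WriteElementString("final", DsmlNs, finalValue);
            w.WriteEndElement();   // substrings
            w.WriteEndElement();   // filter
            w.WriteStartElement("attributes", DsmlNs);
            w.WriteStartElement("attribute", DsmlNs);
            w.WriteAttributeString("name", returnAttr);
            w.WriteEndElement();   // attribute
            w.WriteEndElement();   // attributes
            w.WriteEndElement();   // searchRequest
            w.WriteEndElement();   // batchRequest
            w.WriteEndElement();   // Body
            w.WriteEndElement();   // Envelope
        }
        return sb.ToString();
    }

    // Returns dn -> first value of attrName for every searchResultEntry.
    // Throws when searchResultDone is missing or its resultCode is not 0.
    public static Dictionary<string, string> ParseSearchResponse(string xml, string attrName)
    {
        // The document comes from the network: no DTDs, no external entities.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument { XmlResolver = null };
        using (XmlReader r = XmlReader.Create(new StringReader(xml), settings))
            doc.Load(r);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("soap", SoapNs);
        ns.AddNamespace("d", DsmlNs);
        const string resp = "/soap:Envelope/soap:Body/d:batchResponse/d:searchResponse";

        var rc = doc.SelectSingleNode(resp + "/d:searchResultDone/d:resultCode", ns) as XmlElement;
        if (rc == null) throw new InvalidOperationException("searchResultDone missing from response");
        if (rc.GetAttribute("code") != "0")
            throw new InvalidOperationException("LDAP result " + rc.GetAttribute("code") + ": " + rc.GetAttribute("descr"));

        var entries = new Dictionary<string, string>();
        foreach (XmlElement entry in doc.SelectNodes(resp + "/d:searchResultEntry", ns))
        {
            string value = null;
            foreach (XmlElement attr in entry.SelectNodes("d:attr", ns))
            {
                // compare the attribute name in code rather than splicing it into an XPath string
                if (string.Equals(attr.GetAttribute("name"), attrName, StringComparison.OrdinalIgnoreCase))
                {
                    XmlNode v = attr.SelectSingleNode("d:value", ns);
                    if (v != null) value = v.InnerText;
                    break;
                }
            }
            entries[entry.GetAttribute("dn")] = value;
        }
        return entries;
    }

    public static void Main()
    {
        Console.WriteLine(BuildSearchRequest("dc=fabrikam,dc=com", "anr", "davej", "telephoneNumber"));

        // Constructed sample response with the same shape as the slide; the dn is made up.
        string sample =
            "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body>" +
            "<batchResponse xmlns=\"urn:oasis:names:tc:DSML:2:0:core\"><searchResponse>" +
            "<searchResultEntry dn=\"CN=David Johnson,OU=Sales,DC=fabrikam,DC=com\">" +
            "<attr name=\"telephoneNumber\"><value>+1 (243) 8430432</value></attr></searchResultEntry>" +
            "<searchResultDone><resultCode code=\"0\" descr=\"success\"/></searchResultDone>" +
            "</searchResponse></batchResponse></soap:Body></soap:Envelope>";
        foreach (var kv in ParseSearchResponse(sample, "telephoneNumber"))
            Console.WriteLine(kv.Key + " -> " + kv.Value);
    }
}
```

The request builder emits the default DSML namespace on batchRequest and the se: prefix on the SOAP elements, which is the layout of the slide. Sending the envelope to the listener (an HTTP POST) is left to whatever HTTP client the application already uses.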
DSML: implementation
- DSMLv2 is implemented as a SOAP listener
- Product: DSML Services for Windows
- Runs on Windows 2000 and Windows Server 2003
Notes: DSMLv2 is implemented as a SOAP listener and ships as the product DSML Services for Windows, which runs on Windows 2000 and Windows Server 2003. After installing DSML Services for Windows you configure the installation, specifying the location of the SOAP listener on the local server. Because the listener accepts the same add, modify and search operations as the LDAP port, only over HTTP, it needs the same authentication and transport protection as a direct LDAP connection.
ADAM benefits: replication
- The same as in AD
- The replication schedule can be configured independently of other instances
- The schedule is configured with ADSIEdit
- Repadmin is also available
Notes: The replication model used in ADAM is the same as in Active Directory: "multi-master loose consistency with convergence". In this model the directory can have many replicas, and a replication system propagates changes made at any given replica to all other replicas. The replicas are not guaranteed to be consistent with each other at any particular point in time ("loose consistency"), since changes can be applied to any replica at any time ("multi-master"). If the system is allowed to reach a steady state, in which no new updates occur and all previous updates have been completely replicated, all replicas are guaranteed to converge on the same set of values ("convergence"). The concepts of sites and of the Knowledge Consistency Checker are the same as well. The KCC is the Windows 2000 component that automatically generates and maintains the intra-site and inter-site replication topology; you can disable its automatic generation of intra-site topology, inter-site topology, or both. Schedules can be set independently of other instances, using ADSIEdit, and the Repadmin tool is available. Replicas can host any subset of the application partitions.
ADAM benefits: tools
- Administration model analogous to AD
- Familiar tools perform familiar tasks
- GUI tools: LDP; ADSIEdit (new functionality for managing the replication schedule); Schema Manager (MMC snap-in)
- Command-line tools: Ntdsutil, LDIFDE/CSVDE, Repadmin
Notes: The administration model is similar to Active Directory, so you use familiar tools for familiar tasks. GUI tools: LDP, a graphical tool that performs LDAP operations against the directory; ADSIEdit, with new functionality to manage replication schedules; the Schema Manager snap-in. Command-line tools: Ntdsutil, LDIFDE/CSVDE, Dcdiag, Dsacls and Repadmin. The LDAP Data Interchange Format (LDIF) is an Internet draft standard for a file format used to perform batch operations on directories that conform to the LDAP standards; LDIF can be used to export and import data, allowing batch Add, Modify and Delete operations to be performed against the directory, and the LDIFDE utility included with Windows 2000 supports batch operations based on the LDIF standard. CSVDE exports directory information to a comma-separated value file and imports information from a file in the same format, which effectively creates new accounts. Dsacls views or modifies the access control lists of directory objects.
ADAM benefits: ADAM as an application directory
- A data store dedicated to the application
- Standalone or replicated configuration
- Independence from the domain configuration
- Autonomy and full control
- Flexibility of schema and naming
Notes: Here are some of the benefits of using ADAM as an application directory: you can use ADAM as a dedicated store for application data; it can be standalone or replicated; setting up ADAM is independent of domain setup; you have local control and autonomy over ADAM; and you have schema and naming flexibility.
ADAM benefits: when to use ADAM?
- Database versus directory: highly volatile, transactional data -> database; data stored once and read many times -> directory
- AD versus ADAM: AD for user identity and for security- and authentication-oriented applications
Notes: There are many important factors to consider when evaluating a database against a directory. For data that is highly volatile and transactional, a database is the best choice; for data that is stored once and retrieved many times, a directory is the best choice. When evaluating storing data in Active Directory versus ADAM, use Active Directory for identity management and for security-enabled applications such as Exchange. When evaluating Active Directory application partitions versus ADAM, use AD for globally interesting data and ADAM for local data; AD for central management and ADAM where more autonomy is wanted.
ADAM benefits: what ADAM is not
- It cannot be used by Exchange 2000
- It is not a logon server
- AD/AM does not remove the need for Active Directory!
Notes: ADAM is not usable by Exchange 2000, because Exchange requires security principals and MAPI protocol support; separating application data from infrastructure data is part of the design philosophy going forward, so ADAM is not appropriate there. ADAM is not usable as a Windows logon server: it is not a Kerberos Key Distribution Center (although it can authenticate with Kerberos when it is passed the credentials of an AD-based user). You still need the NOS Active Directory.
Session summary
- Simple installation: install, reinstall, remove
- Platforms: Windows Server 2003 and XP
- Reduced infrastructure costs: the same administration model as AD
- Increased flexibility: install anywhere without affecting the current configuration
- Reliability and scalability
Notes: We have covered the following benefits of working with ADAM: the ease of deployment (including installing, reinstalling and removing) and the fact that it runs on Windows Server 2003 and XP Professional; reduced infrastructure costs through a single directory technology that uses the same administration model as Active Directory; increased security through integration with Windows principals; increased flexibility, because it can be installed anywhere without affecting Active Directory; and the same reliability and scalability as Active Directory.
Thank you for your attention