Application Security, Part 14


I would like to mention to you that a tool I find invaluable for working with both Active Directory and ADAM is the simple Active Directory Service Viewer, ADSVW.EXE, which shipped with the Windows 2000 Resource Kit. When you absolutely, positively need to see what is inside a Microsoft directory service, it’s the tool you need.




There is one more tool for working with ADAM that you need to know about: the ADAM Schema Editor. Like the ADAM ADSI Editor, the Schema Editor is a Management Console snap-in, but no shortcut to it is installed. You will recall me having said earlier that network administrators are highly resistant to changes being made to the schema of an organization’s directory service, and that one of the benefits of ADAM is that it provides a directory service solely for use by one’s application, so the prospect of changes to its schema should not concern administrators.

One makes changes to a directory service’s schema by adding or updating definitions of attributes, and then adding those attributes to classes. When one creates an attribute, one needs to assign it what the user interface describes as a Unique X500 Object ID. Those are commonly referred to as object identifiers or OIDs, and were defined in the X.500 specification as a way of uniquely identifying schema elements; OIDs were carried over into the LDAP specification. They take the form of a string of numbers separated by periods, and are intended to be globally unique. Hence, the initial set of digits in an OID, called the arc, is meant to be unique to the organization defining the attribute or class. There are two ways to obtain an arc for one’s organization. One can apply to the American National Standards Institute at http://web.ansi.org/public/services/reg_org.html: there is a one-time fee and the turnaround can take several weeks. Alternatively, one can apply to IANA, the Internet Assigned Numbers Authority, by filling out the form at http://www.iana.org/cgibin/enterprise.pl. IANA does not charge any fee, and their response time is quite brief.
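As an added illustration of the arc idea (this is example code, not part of the original post or of ADAM), the following helpers check that a candidate attribute OID is well-formed and actually sits under the arc IANA assigned to you, and pick the next free number so two schema changes never collide. IANA's Private Enterprise Numbers live under 1.3.6.1.4.1; the enterprise number 99999 used here is a constructed placeholder, not a real assignment.

```python
import re

# IANA hands out Private Enterprise Numbers under this arc; an assigned
# number N gives the organization the arc 1.3.6.1.4.1.N to extend freely.
IANA_ENTERPRISE_ROOT = "1.3.6.1.4.1"

# Constructed placeholder for the example, not a real IANA assignment.
EXAMPLE_PEN = 99999

_OID_RE = re.compile(r"(?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))+")


def parse_oid(oid: str) -> tuple[int, ...]:
    """Parse dotted-decimal OID text into a tuple of arcs.

    Rejects anything that cannot be a valid OID: non-numeric parts, leading
    zeros, fewer than two arcs, a root arc other than 0/1/2, or a second
    arc above 39 under roots 0 and 1 (the ITU-T X.660 numbering rules).
    """
    if not _OID_RE.fullmatch(oid):
        raise ValueError(f"malformed OID: {oid!r}")
    arcs = tuple(int(part) for part in oid.split("."))
    if arcs[0] > 2:
        raise ValueError(f"root arc must be 0, 1 or 2: {oid!r}")
    if arcs[0] < 2 and arcs[1] > 39:
        raise ValueError(f"second arc must be <= 39 under root {arcs[0]}: {oid!r}")
    return arcs


def enterprise_arc(pen: int) -> str:
    """Arc an organization controls once IANA assigns it enterprise number pen."""
    return f"{IANA_ENTERPRISE_ROOT}.{pen}"


def is_under_arc(oid: str, arc: str) -> bool:
    """True if oid is a strict descendant of arc, i.e. ours to define."""
    child, parent = parse_oid(oid), parse_oid(arc)
    return len(child) > len(parent) and child[: len(parent)] == parent


def next_attribute_oid(arc: str, existing: list[str], sub_arc: int = 1) -> str:
    """Allocate the lowest unused OID directly under arc.sub_arc.

    existing would normally be the attributeID values already present in the
    schema, so a new attribute never reuses a number someone else took.
    """
    base = parse_oid(arc) + (sub_arc,)
    taken = {
        parsed[-1]
        for parsed in map(parse_oid, existing)
        if len(parsed) == len(base) + 1 and parsed[:-1] == base
    }
    n = 1
    while n in taken:
        n += 1
    return ".".join(str(a) for a in base + (n,))
```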




[This posting is provided "AS IS" with no warranties, and confers no rights.]

