Create your LDAP data store with the Active Directory Application Mode (ADAM) directory service

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2016-11-14

There may be circumstances in which the Active Directory directory service is not available (for example, in a Linux-based network) or when an organization chooses not to use its network operating system Active Directory to authenticate Project Server users. In such cases, an external directory service can be used to create the Lightweight Directory Access Protocol (LDAP) data store that users will be authenticated against.

Active Directory Application Mode (ADAM) is a directory service designed to meet the needs of organizations that cannot rely solely on Active Directory to provide directory services for directory-enabled applications, or for organizations that do not have Active Directory available. While Active Directory offers many benefits for managing network infrastructure, organizations often need a more flexible directory service to support directory-enabled applications. ADAM is an LDAP directory service designed specifically for directory-enabled applications, such as Microsoft Office Project Server 2007. ADAM runs as a user service rather than as a system service. You can run ADAM on servers and domain controllers running operating systems in the Windows Server 2003 family (except for Windows Server 2003, Web Edition) and on computers running Windows XP Professional.

ADAM can serve as a directory service for Office Project Server 2007 users in the following scenarios:

  • A company wants to give business partners or contract workers access to a specific set of company resources through Project Web Access (PWA). Company policy prohibits adding them to the company Active Directory structure (which would let them log on to PWA with Windows authentication), because the company does not want these users having unauthorized access to company resources. ADAM can be used to create a separate directory in which these users can be authenticated when logging on to an extranet site through Project Web Access.

  • A company previously used Microsoft Office Project Server 2003 in which intranet and extranet users were authenticated through Project Server authentication. Users were authenticated against a directory that was in the Project Server 2003 database. The company has now upgraded to Office Project Server 2007, in which Project Server authentication is not supported. The company uses ADAM to create a new directory and then adds the migrated Project Server 2003 accounts to it. It then creates respective PWA sites for both intranet and extranet users, both accessing the same content. These users can now access Office Project Server 2007 and are authenticated through the directory created by the ADAM instance.

  • A company chooses to use its network operating system (NOS) Active Directory only for NOS authentication and authorization. It does not want to add the additional overhead of having to maintain it for application authentication. ADAM is used to create a separate directory of users that access Office Project Server 2007.

  • For more information about ADAM, see ADAM Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=92703&clcid=0x409).

Downloading and installing ADAM

You can download ADAM from the Microsoft Download Center. It is also available as part of Microsoft Windows Server 2003 R2 and can be installed through the Optional Component Manager.

The procedure below describes downloading and installing ADAM on your computer. Review the system requirements located on the ADAM download page that is listed below.

Download and install ADAM

  1. In a Web browser, go to the Active Directory Application Mode (ADAM) download page (https://go.microsoft.com/fwlink/?LinkId=92704&clcid=0x409).

  2. Find the file named ADAMSP1_x86_English.exe and click Download.

  3. On the File Download — Security Warning page, click Run.

  4. On the initial Software Update Installation Wizard page, click Next.

  5. On the License Agreement page, select I Agree and click Next.

  6. After the installation is done, click Finish.

Creating a new instance of ADAM

After installing ADAM onto your computer, you can configure a new instance of ADAM to create the directory structure. The following procedure enables you to select the ports through which the directory is accessed, create an application directory partition, and import LDIF files to provide a schema template for your directory.

Create a new ADAM instance

  1. Click Start, click All Programs, and in the ADAM program group click Create an ADAM Instance.

  2. On the Welcome to the Active Directory Application Mode Setup Wizard page, click Next.

  3. On the Setup Options page, select A unique instance. Click Next.

  4. On the Instance Name page, type a unique name for the instance in the Instance name box. Note that the service name will be the name that you typed, with "ADAM_" inserted in front of it. For example, if you typed "Instance1," the service name will be "ADAM_Instance1."

  5. Click Next.

  6. On the Ports page, in the LDAP port number box, enter an available port number (for example, type 50000). In the SSL port number box, enter another available port number (for example, type 50001). Click Next. If you do not enter port numbers, the wizard selects the default ports for LDAP and SSL.

  7. On the Application Directory Partition page, select Yes, create an application directory partition.

  8. When you create a new application directory partition during installation, you must specify a unique distinguished name for the partition. ADAM supports both DNS and X.500 style names for top-level directory partitions, including the distinguished name components in the following table:

    Attribute   Description
    C=          Country/region
    CN=         Common name
    DC=         Domain component
    L=          Location
    O=          Organization
    OU=         Organizational unit

    In the Partition name box, enter the distinguished name that you want for this application directory partition. Separate each component with a comma. For example, OU=Contoso,O=Marketing,C=US.

  9. On the File location page, type a location to store your ADAM data and data recovery files. You can use the default locations that are in the Data file and Data recovery files boxes. Click Next.

  10. On the Service Account Selection page, enter the account under which you want to run this instance of ADAM. You can either use the Network service account for the server or specify a user account to run the service. Click Next.

  11. On the ADAM Administration page, assign the user or groups of users that will have administrative permissions on this instance of ADAM. You can select Currently logged on user to specify this user account, or you can select This account and specify a local or domain user or group. Click Next.

  12. On the Import LDIF files page, specify a selection of LDAP Data Interchange Format (LDIF) files. These files contain several user class schema definitions, along with objects for use with Windows Authorization Manager that can be imported into the schema of the new ADAM instance.

    The following table describes each of the optional LDIF files that you can import:

    MS-Users.LDF
      User classes: Person, Organizational-Person, User
      Import this file if: You want to create user objects in the ADAM directory, but you do not want to create users of the InetOrgPerson class (as defined in RFC 2798).

    MS-InetOrgPerson.LDF
      User classes: Person, Organizational-Person, User, InetOrgPerson
      Import this file if: You want to create user objects in the ADAM directory, and you want to create users of the InetOrgPerson class (as defined in RFC 2798).

    MS-UserProxy.LDF
      User classes: User-Proxy
      Import this file if: You want to create proxy objects in ADAM for use in bind redirection.

    MS-ASMan.LDF
      User classes: Not applicable
      Import this file if: You want to use Authorization Manager with ADAM.

  13. Select Import the selected LDIF files for this instance of ADAM, select the LDIF file from the Available files list, and click Add to move the file to the Selected LDIF files list. If you do not want to use an LDIF file as a template, click Do not import LDIF files for this instance of ADAM. Click Next.

    Note

    You can choose to import LDIF files at a later time using the LDIF Directory Exchange (LDIFDE) command-line tool.

  14. On the Ready to Install page, review your selections, and then click Next to start the installation of the instance.

  15. When installation of the instance is done, click Finish.

Configuring the ADAM instance

You can use the ADAM ADSI Edit tool to configure your instance of ADAM. ADAM ADSI Edit is installed with ADAM and can be opened from the ADAM program group.

Configure an ADAM instance

  1. Click Start, click All Programs, and in the ADAM program group click ADAM ADSI Edit.

  2. In the ADAM ADSI Edit tool, on the Action menu, choose Connect to.

  3. On the Connection Setting page, in the Connection name box, type a unique name.

  4. In the Port box, enter the port number that you specified as the LDAP port when you created your ADAM instance.

  5. In the Connect to the following node section, select Distinguished name (DN) or naming context. In the box, enter the partition name you entered when you created your ADAM instance. For example, OU=Contoso,O=Marketing,C=US.

  6. In the Connect using these credentials section, select The account of the currently logged on user if the current user is the Administrator of the ADAM instance. Select This account if you want to specify a different account. Click OK.

Allowing the farm administrator access to the directory

Verify that the farm administrator's account for Windows SharePoint Services has access to the directory. The following procedure can be used to allow access to the user account by adding it to the Readers role.

Add an account to access the directory

  1. In the ADAM ADSI Edit tool, your ADAM instance should appear in the left pane. Expand the instance name, and then expand the naming context to see the other containers that were created.

  2. In the left pane, click CN=Roles. In the right pane, right-click CN=Readers and click Properties. In the CN=Readers properties page, in the Attribute list, select member, and then click Edit.

  3. On the Multi-valued Distinguished Name with Security Principal Editor page, click Add Windows Account.

  4. On the Select Users, Computers, or Groups page, enter the name of the Windows Account that you want to add, and then click OK.

  5. On the Properties page, click OK.

Adding users to the directory

You can now add users to the directory by using the following procedure. You can also create containers for your users within the directory. For example, you might want to create separate containers for Support users and Marketing users. The following procedure creates a single container for all users.

Add users to the directory

  1. In the left pane, right-click the naming context, click New, and then click Object. On the Create Object page, in the Select a class list, select container. Click Next.

  2. On the Create Object page, in the Value box, enter the unique name for the container to which you will add your users (for example, Users or Support). Click Next, and then click Finish.

  3. In the left pane, right-click the user container object you just created, click New, and then click Object.

  4. On the Create Object page, in the Select a class list, select User. Click Next.

  5. On the page in which you add a user name, in the Value box, type the name of your user. Click Next.

  6. On the page on which you can set attributes for the user, click Finish.

  7. In ADAM ADSI Edit, right-click the new user in the right pane and click Reset Password.

  8. On the Reset Password page, type the new password in the New Password box. Retype the password in the Confirm Password box. Click OK.

    Note

    When you are typing a new password for a user, ADAM will enforce any password policy that exists on the server.

  9. Add additional users to the user container object by repeating steps 3 through 8 as needed.
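The same container and user can be created in one step with an LDIF file imported through LDIFDE, as the note in the instance-creation procedure mentions. This is an added example, not a file that ships with ADAM or Project Server; it assumes the partition OU=Contoso,O=Marketing,C=US from the earlier example, an LDAP port of 50000 on the local computer, and that MS-Users.LDF or MS-InetOrgPerson.LDF was imported so the User class exists. The user name and description are constructed sample values.

```ldif
# Added example (not from the original article): creates the user container
# and one user from the "Add users to the directory" procedure as LDIF,
# for import with the LDIFDE command-line tool instead of ADAM ADSI Edit.
#
# Assumptions: the ADAM instance listens on LDAP port 50000 on this computer,
# the application directory partition is OU=Contoso,O=Marketing,C=US, and
# MS-Users.LDF or MS-InetOrgPerson.LDF was imported so the User class exists.
#
# Import from a command prompt on the ADAM computer (file saved as users.ldf):
#   ldifde -i -f users.ldf -s localhost -t 50000

# Steps 1-2: the container that will hold the users.
dn: CN=Users,OU=Contoso,O=Marketing,C=US
changetype: add
objectClass: container
cn: Users

# Steps 3-6: one user object inside that container (constructed sample).
dn: CN=jsmith,CN=Users,OU=Contoso,O=Marketing,C=US
changetype: add
objectClass: user
cn: jsmith
description: Extranet contract worker (sample value)
# No password is set here. Set it with Reset Password in ADAM ADSI Edit
# (steps 7-8), which also applies any password policy on the server.
```

Repeat the second entry, with a new cn and dn, for each additional user; LDIFDE reports any entry it cannot add along with the LDAP error returned by the instance.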

See Also

Other Resources

What is Active Directory Application Mode? (https://go.microsoft.com/fwlink/?LinkId=92963&clcid=0x409)