What is the approach used by the FSM Adapter to apply policy?
Originally Published: 2008-11-19
Article Number
000066728
Applies To
RSA File Security Manager (FSM)
Microsoft Active Directory
Issue
What is the approach used by the FSM Adapter to apply policy?
How does RSA File Security Manager communicate with Active Directory?
Resolution

Note: FSM communicates with Active Directory over TCP port 389 (LDAP). Port 389 is the plain LDAP port, not LDAPS on 636, so the session is only protected on the wire if the bind negotiates signing/sealing or StartTLS.

The FSM Adapter applies policy as follows:

  • The Adapter Manager sends the user name to the Adapter when adding a user to a role, in the following format:

<HostName or DomainName>\<User Name>

  • The Adapter looks up the user's SID (Security Identifier) with the following Win32 API call:

BOOL WINAPI LookupAccountName(
    __in_opt   LPCTSTR       lpSystemName,
    __in       LPCTSTR       lpAccountName,
    __out_opt  PSID          Sid,
    __inout    LPDWORD       cbSid,
    __out_opt  LPTSTR        ReferencedDomainName,
    __inout    LPDWORD       cchReferencedDomainName,
    __out      PSID_NAME_USE peUse
);

For more information, see: http://msdn.microsoft.com/en-us/library/aa379159(VS.85).aspx

  • The Adapter stores the user's SID in the metadata along with the user name.
  • When a user tries to open a secured file, the FSM Adapter receives the user's SID in the token information.
  • The FSM Adapter searches the metadata for that SID and applies the policy accordingly.
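The steps above, as an added PowerShell example that is not RSA's code: it P/Invokes the same Win32 call, LookupAccountName, using the two-call pattern the API requires (a first call with zero-sized buffers returns the needed sizes), stores the resulting SID rather than the name in a metadata table, and then matches the caller's token SIDs against that table. The account list, the "read" right and the first-match rule are assumptions made for the example; Resolve-AccountSid and Get-PolicyForCaller are names invented here.

```powershell
# Added example (not RSA's code): name -> SID via LookupAccountName, SID-keyed
# policy metadata, and a token-SID match at file-open time.

Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class Advapi32 {
    // Unicode variant (LookupAccountNameW) of the prototype shown above.
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool LookupAccountName(
        string lpSystemName,               // null = local machine, then its domain
        string lpAccountName,              // "<HostName or DomainName>\<User Name>"
        byte[] Sid,
        ref uint cbSid,
        StringBuilder ReferencedDomainName,
        ref uint cchReferencedDomainName,
        out int peUse);                    // SID_NAME_USE: 1 = user, 2 = group, ...
}
'@

function Resolve-AccountSid {
    # Returns the SID string for an account given in the adapter's "<domain>\<name>" format.
    param([Parameter(Mandatory)][string]$Account)

    $cbSid = [uint32]0; $cchDomain = [uint32]0; $use = 0
    # Call 1: zero-sized buffers. The call fails with ERROR_INSUFFICIENT_BUFFER
    # and writes the required sizes into cbSid / cchReferencedDomainName.
    [void][Advapi32]::LookupAccountName($null, $Account, $null, [ref]$cbSid,
                                        $null, [ref]$cchDomain, [ref]$use)
    if ($cbSid -eq 0) {
        # An unknown account (ERROR_NONE_MAPPED, 1332) leaves cbSid at 0.
        throw "No SID mapped for '$Account' (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }

    # Call 2: correctly sized buffers.
    $sid    = New-Object byte[] ([int]$cbSid)
    $domain = New-Object System.Text.StringBuilder ([int]$cchDomain)
    if (-not [Advapi32]::LookupAccountName($null, $Account, $sid, [ref]$cbSid,
                                           $domain, [ref]$cchDomain, [ref]$use)) {
        throw "LookupAccountName('$Account') failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }

    [pscustomobject]@{
        Account = $Account
        Domain  = $domain.ToString()
        Sid     = (New-Object System.Security.Principal.SecurityIdentifier($sid, 0)).Value
        Use     = $use
    }
}

# Steps 3-5: key the metadata by SID, not by name (accounts and rights are assumed here).
$metadata = @{}
foreach ($acct in @("$env:USERDOMAIN\$env:USERNAME", 'BUILTIN\Administrators')) {
    $r = Resolve-AccountSid -Account $acct
    $metadata[$r.Sid] = @{ Account = $r.Account; Rights = 'read'; SidType = $r.Use }
}

function Get-PolicyForCaller {
    # The caller's token carries its user SID plus group SIDs; this example returns the first match.
    param([hashtable]$Metadata)
    $token     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })
    foreach ($s in $tokenSids) {
        if ($Metadata.ContainsKey($s)) {
            return [pscustomobject]@{ MatchedSid = $s; Policy = $Metadata[$s] }
        }
    }
    return $null   # no SID from the token is in the metadata: no policy applies
}

Get-PolicyForCaller -Metadata $metadata
```

Resolve-AccountSid works for local and domain accounts and for groups alike, which is why the page can use one call for all three; the SID_NAME_USE value in peUse is what tells them apart. The .NET wrapper [System.Security.Principal.NTAccount]::new($Account).Translate([System.Security.Principal.SecurityIdentifier]) performs the same lookup with less code, if the raw API call is not needed.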

 

Note:

  • The same approach is followed for local users and domain users when applying policy.
  • For groups, FSM uses the same Win32 API (LookupAccountName) to resolve the group SID.

 

The following Win32 calls are used to retrieve domain users and groups.

LDAP queries via ADO (ActiveX Data Objects) are used to retrieve the users and groups in the domain.

The following Win32 calls are used to log on to the domain, retrieve the users/groups, and then log off:

  • LogonUser                  (Lib - advapi32.dll)
  • ImpersonateLoggedOnUser    (Lib - advapi32.dll)
  • CloseHandle                (Lib - kernel32.dll)
  • RevertToSelf               (Lib - advapi32.dll)

The VB GetObject function is used to retrieve the ADsPath of the domain.

Ex: GetObject("LDAP://corp.emc.com")

Requires: ADSI and the LDAP provider
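The enumeration described above, as an added PowerShell example that is not RSA's code: it binds to the domain's ADsPath through ADSI (System.DirectoryServices) and pulls users and groups with their objectSid, which is the attribute the adapter manager needs to store. Instead of the LogonUser / ImpersonateLoggedOnUser / RevertToSelf sequence, the example passes explicit credentials to the DirectoryEntry bind; the domain name, the credential prompt and the Get-DirectoryPrincipals name are assumptions made here.

```powershell
# Added example (not RSA's code): enumerate domain users and groups over LDAP with ADSI,
# returning SIDs rather than names so that policy entries can be keyed by SID.

$Domain = 'corp.example.com'   # assumed; use your AD DNS name
$cred   = Get-Credential -Message "Account used to enumerate $Domain"

# A serverless "LDAP://<domain>" bind goes to a DC on TCP 389 (the port noted above).
# Secure + Sealing + Signing negotiates Kerberos/NTLM with encryption and integrity,
# so the session is not sent in the clear on 389.
$authTypes = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
             [System.DirectoryServices.AuthenticationTypes]::Sealing -bor
             [System.DirectoryServices.AuthenticationTypes]::Signing
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Domain", $cred.UserName, $cred.GetNetworkCredential().Password, $authTypes)

function Get-DirectoryPrincipals {
    # Emits one object per user or group: sAMAccountName, SID string, distinguishedName.
    param(
        [Parameter(Mandatory)][System.DirectoryServices.DirectoryEntry]$Root,
        [Parameter(Mandatory)][ValidateSet('user','group')][string]$Category
    )
    # objectCategory=person narrows "user" to real user accounts (computers are also objectClass=user).
    $filter = if ($Category -eq 'user') { '(&(objectCategory=person)(objectClass=user))' }
              else                       { '(objectCategory=group)' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $Root, $filter, [string[]]@('sAMAccountName','objectSid','distinguishedName'))
    $searcher.PageSize = 1000   # paged search; AD returns at most 1000 entries per unpaged query

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $sidBytes = [byte[]]$r.Properties['objectsid'][0]
            [pscustomobject]@{
                Name = [string]$r.Properties['samaccountname'][0]
                Sid  = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
                DN   = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally { $results.Dispose() }
}

$users  = @(Get-DirectoryPrincipals -Root $root -Category user)
$groups = @(Get-DirectoryPrincipals -Root $root -Category group)
"{0} users and {1} groups retrieved from {2}" -f $users.Count, $groups.Count, $Domain
$users  | Select-Object -First 5 | Format-Table Name, Sid
```

Because the objectSid attribute comes back with the directory entry, a name-to-SID round trip through LookupAccountName is unnecessary for accounts found this way; the SID string produced here is the same value that LookupAccountName would return for "<Domain>\<sAMAccountName>".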

 


Notes
Once the roles are configured, the adapter does not need a connection to AD: the SIDs it needs are already stored in the metadata, so it can enforce policy even while off the network. The adapter manager does need a connection to AD when roles are configured, because that is when it resolves names to SIDs. Since matching is done by SID, renaming an account does not affect policy, but deleting an account and recreating it with the same name gives it a new SID that will not match the stored one until the role is reconfigured.