Re: adam:set the password for the users in the ldif file
From: Dmitri Gavrilov [MSFT] (dmitrig_at_online.microsoft.com)
Date: 04/09/04
- Next message: Andrew Powell: "Server retirement. AD - 2k server"
- Previous message: Rob: "Re: Changed Domain Controllers, now exchange is down!!"
- In reply to: RMD: "Re: adam:set the password for the users in the ldif file"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 9 Apr 2004 10:23:00 -0700
My bad, apologies. It is not in ADAM.CHM, it's in release notes. Run
start_here.htm, it's in "security considerations" section. What this does is
it sets the 13th bit of dsHeuristics value.

Allowing the setting of passwords over a non-SSL connection

By default, and to help ensure the highest level of password security,
passwords for Active Directory Application Mode users can only be set over
an SSL connection. You can remove this requirement on an ADAM instance using
the dsmgmt administration tool, as described in the following procedure.
Note that disabling the SSL requirement greatly reduces the security of ADAM
user passwords.

To allow or deny password operations over a non-SSL connection

Note: You must be logged on as the ADAM administrator to complete this
procedure.

1. Open an ADAM tools command prompt.
2. At the command prompt, type: dsmgmt
3. At the dsmgmt: prompt, type: ds behavior
4. At the ds behavior: prompt, type: connections
5. At the server connections: prompt, type:
   connect to server computername:portnumber
   where computername:portnumber represents the ADAM instance that you want
   to configure.
6. At the server connections: prompt, type: quit
7. At the ds behavior: prompt, do one of the following:
   a. To allow password settings over a non-SSL connection, type:
      allow passwd op on unsecured connection
   b. To deny password settings over a non-SSL connection, type:
      Deny passwd op on unsecured connection
8. Type quit at the ds behavior: prompt and at the dsmgmt: prompt.
--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"RMD" <rmd@nospam.sorry.com> wrote in message
news:e1E8$akHEHA.3276@TK2MSFTNGP09.phx.gbl...
> I am unable to find the information in ADAM help about disabling the
> encrypted connection requirement.
>
> Can you give me a hint? :-)
>
> RMD
>
>
> "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
> news:uHUDyecHEHA.1048@TK2MSFTNGP12.phx.gbl...
> > Oh, you did post here.
> >
> > First of all, please use ADAM's version of ldifde, and it should print the
> > extended error info.
> > There are several possible problems here:
> >
> > 1) by default, pwd operations can only be done on an encrypted connection.
> > So, you need to connect to the SSL port (-t 636). I am afraid ldifde won't
> > be able to do it if your ssl port is not 636. The requirement of encrypted
> > connection can be disabled -- see ADAM.CHM.
> >
> > 2) unicodePwd values need to be formatted in a special way -- it should be
> a
> > unicode string enclosed in double-quotes. I suggest using userPassword
> > attribute -- there you supply password as clear text. One disadvantage of
> > using userPassword is that AD does not understand if by default
> >
> > 3) maybe the user does not have sufficient permissions to reset password.
> > Only ADAM admins can do this by default.
> >
> > --
> > Dmitri Gavrilov
> > SDE, Active Directory Core
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> > Use of included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> > "RMD" <rmd@nospam.sorry.com> wrote in message
> > news:e4SORcbHEHA.2480@tk2msftngp13.phx.gbl...
> > > Dmitri,
> > >
> > > I'm attempting to set passwords as you describe, but I'm unable to get
> the
> > > changes to be committed. I have the following LDIF file:
> > >
> > > dn: CN=SomeUser,OU=Users,O=MyCompany,C=US
> > > changetype: modify
> > > replace: unicodePwd
> > > unicodePwd:: TQBvAG4AawBlAHkA
> > > -
> > >
> > > I run the following command line:
> > >
> > > C:\Windows\ADAM\LDIFDE.exe -i -f "C:\testPassword.ldif" -c
> > > CN=Schema,CN=Configuration,CN=X #schemaNamingContext -k -s localhost -h
> > >
> > > The output is as follows:
> > >
> > > Connecting to "localhost"
> > > Logging in as current user using SSPI
> > > Importing directory from file "C:\testPassword.ldif"
> > > Loading entries..
> > > 0 entries modified successfully.
> > >
> > > The command has completed successfully
> > >
> > > It should have modified 1 entry. What am I doing wrong?
> > >
> > > Thanks,
> > > RMD
> > >
> > >
> > > "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
> > > news:eSlKMY5CEHA.1588@tk2msftngp13.phx.gbl...
> > > > You only need to base64-encode the value if you use unicodePwd
> > attribute.
> > > > There's a KB on that.
> > > > If you use userPassword, then all you need is a secure channel, SSL
> that
> > > is
> > > > (easier said than done though).
> > > > You can disable secure channel requirement for pwd operations. See
> > > ADAM.CHM
> > > > for details.
> > > >
> > > > --
> > > > Dmitri Gavrilov
> > > > SDE, Active Directory Core
> > > >
> > > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > > > Use of included script samples are subject to the terms specified at
> > > > http://www.microsoft.com/info/cpyright.htm
> > > >
> > > > "Eric Fleischman [MSFT]" <efleis@online.microsoft.com> wrote in
> message
> > > > news:uavJNa2CEHA.3256@TK2MSFTNGP09.phx.gbl...
> > > > > It's been a while, but let's see if I remember this:
> > > > > 1) you need to base64 encode your password
> > > > > 2) You need to load it over a secure channel for ADAM users (unless
> > > you've
> > > > > disabled the requirement to do password mod's over a secure channel)
> > > > >
> > > > > I think if you cover those two bases that'll do it, but let me know
> > (you
> > > > too
> > > > > Dmitri! ;)) if I forgot anything. I don't do this often.
> > > > >
> > > > > ~Eric
> > > > >
> > > > > --
> > > > > Eric Fleischman [MSFT]
> > > > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights
> > > > > Use of included script samples are subject to the terms specified at
> > > > > http://www.microsoft.com/info/cpyright.htm
> > > > >
> > > > >
> > > > > "Eric" <anonymous@discussions.microsoft.com> wrote in message
> > > > > news:de5e01c40b60$37a654b0$a501280a@phx.gbl...
> > > > > > Hi
> > > > > > I have generated an ldif file to be imported to the ADAM
> > > > > > instance but I can't set the password for the users in the
> > > > > > ldif file. Is there any other way to do that?
> > > > > > Here is a sample user from my ldif file:
> > > > > > dn: CN=CAAAAA, OU=orgunit0, O=userstore
> > > > > >
> > > > > > name: CAAAAA
> > > > > >
> > > > > > instanceType: 4
> > > > > >
> > > > > > objectClass: top
> > > > > >
> > > > > > objectClass: person
> > > > > >
> > > > > > objectClass: organizationalPerson
> > > > > >
> > > > > > objectClass: user
> > > > > >
> > > > > > distinguishedName: CN=CAAAAA,OU=orgunit0,O=userstore
> > > > > >
> > > > > > objectCategory: CN=Person,CN=Schema,CN=Configuration,CN=
> > > > > > {235583FA-6DD0-429D-A80B-2F7467A15D96}
> > > > > >
> > > > > > cn: CAAAAA
> > > > > >
> > > > > >
> > > > > >
> > > > > > If I add "userPassword: xyz", it does not load the ldif
> > > > > > file.
> > > > > > I was wondering if you could give me some clue..
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Eric
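Added worked example (not from the thread or from Microsoft): it builds the unicodePwd value the way Dmitri's point (2) requires (password wrapped in double quotes, UTF-16LE, base64 behind LDIF's "::"), lints RMD's posted value to show it lacks the quotes, and checks a dsHeuristics string for the "13th bit" Dmitri mentions. The dsHeuristics values are constructed, and treating position 13 as a single character flag is an assumption based on the post.

```python
import base64


def encode_unicode_pwd(password: str) -> str:
    """Base64 value for an LDIF 'unicodePwd::' line.

    The password must be enclosed in double quotes and encoded as UTF-16LE;
    the '::' separator in LDIF then carries the binary value as base64.
    """
    raw = f'"{password}"'.encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")


def decode_unicode_pwd(b64: str) -> str:
    """Inverse of encode_unicode_pwd: the UTF-16LE text behind a '::' value."""
    return base64.b64decode(b64).decode("utf-16-le")


def unicode_pwd_is_quoted(b64: str) -> bool:
    """Lint an LDIF unicodePwd value: is the decoded text wrapped in quotes?"""
    text = decode_unicode_pwd(b64)
    return len(text) >= 2 and text[0] == '"' and text[-1] == '"'


def ldif_unicode_pwd_modify(dn: str, password: str) -> str:
    """The 'replace: unicodePwd' change record from the thread, built correctly."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(password)}",
        "-",
        "",
    ])


def unsecured_pwd_ops_allowed(ds_heuristics: str) -> bool:
    """Audit check: True when the 13th character of dsHeuristics is '1'.

    Assumption (from the post's "13th bit"): dsHeuristics is a string of
    one-character flags and position 13 is what dsmgmt's
    'allow passwd op on unsecured connection' sets.
    """
    return len(ds_heuristics) >= 13 and ds_heuristics[12] == "1"


if __name__ == "__main__":
    # RMD's value from the thread decodes to Monkey without the quotes,
    # one of the causes Dmitri lists for the "0 entries modified" result.
    rmd_value = "TQBvAG4AawBlAHkA"
    print(decode_unicode_pwd(rmd_value), unicode_pwd_is_quoted(rmd_value))
    print(ldif_unicode_pwd_modify("CN=SomeUser,OU=Users,O=MyCompany,C=US", "Monkey"))
    # Constructed dsHeuristics samples: SSL still required vs. requirement removed.
    print(unsecured_pwd_ops_allowed("0000000001000"), unsecured_pwd_ops_allowed("0000000001001"))
```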