Re: ADAM userProxy and ChangePassword
From: Darwin Ten Haken (darwin.tenhaken_at_iowa.gov-NOSPAM)
Date: 09/29/04
- Next message: Daveyjaro: "Re: Adding NT 4.0 Server as member of Windows 2003 SBS Domain"
- Previous message: Phillip Renouf: "RE: Customer info in Active Directory?"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: ADAM userProxy and ChangePassword"
- Next in thread: Lee Flight: "Re: ADAM userProxy and ChangePassword"
- Reply: Lee Flight: "Re: ADAM userProxy and ChangePassword"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 29 Sep 2004 11:37:03 -0700
In working with my programmer we determined that, upon doing an LDAP simple
bind for a user who was flagged "Must Change Password at Next Logon", he
got the following error message reported back to him:
detailMessage= "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F,
comment: AcceptSecurityContext error, data 773, vece
If we take the data 773 and convert it from hex to decimal we get error
1907, which can then be looked up at the following link:
http://doc.ddart.net/msdn/header/include/winerror.h.html
Error 1907 translates to:
//
// MessageId: ERROR_PASSWORD_MUST_CHANGE
//
// MessageText:
//
// The user must change his password before he logs on the first time.
//
#define ERROR_PASSWORD_MUST_CHANGE 1907L
----------------------------------------
We have also determined that data 532 translates to 1330, which is what we
get when a password expires:
//
// MessageId: ERROR_PASSWORD_EXPIRED
//
// MessageText:
//
// Logon failure: the specified account password has expired.
//
#define ERROR_PASSWORD_EXPIRED 1330L
"Joe Kaplan (MVP - ADSI)" wrote:
> Yes, can you show the code you are using to get the detailed information
> back regarding bind errors with LDAP? I'd like to see how you are getting
> that information.
>
> Thanks!
>
> Joe K.
>
> "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
> news:OjEwaYkpEHA.3868@TK2MSFTNGP15.phx.gbl...
> > I think the issue here is that when you bind to a userProxy in ADAM
> > you are doing a proxy login to AD. It appears to be a technique hard-coded
> > into the ADAM LDAP interface whereby it picks up your ms-BindProxy
> > DN and finds the associated SID and then calls into AD using a SASL bind.
> >
> > For native ADAM users the situation is different as the user account control
> > attributes that govern these behaviours exist on the user object; for user
> > proxies they exist only in AD so cannot be controlled in ADAM. I'm not
> > sure how any detailed error code on the back-end Windows authentication
> > could be translated across transport to provide a message that the LDAP
> > client could understand (it's not a referral, it's a double hop).
> >
> > I'm intrigued by what you say about the detail you can get back from
> > an LDAP bind to AD, I have never checked that although I ran into an
> > issue this week where the Microsoft LDAP client seemed to be dropping
> > information that did come back over the wire against ADAM. I'll do
> > some testing I guess.
> >
> > Lee Flight
> >
> > "Darwin Ten Haken" <darwin.tenhaken@iowa.gov-NOSPAM> wrote in message
> > news:50381FB0-B3FA-4304-8A0C-852A2A249DA4@microsoft.com...
> >> When I connect via LDAP directly to AD, I do get error codes back that
> >> indicate if it is an account lockout, password expiration, password must
> >> change at next logon, etc., but I don't appear to get these error codes
> >> when binding via the ADAM userProxy object. Thus it seems that either ADAM
> >> doesn't support it or I don't have ADAM set up right.
> >>
> >> "Joe Kaplan (MVP - ADSI)" wrote:
> >>
> >>> You are not missing anything. LDAP bind does not reveal any information
> >>> as to the nature of the failure. This is in part for security reasons, but
> >>> is also one of the major drawbacks of using LDAP for authentication
> >>> purposes.
> >>>
> >>> Joe K.
> >>>
> >>> "Darwin Ten Haken" <darwin.tenhaken@iowa.gov-NOSPAM> wrote in message
> >>> news:E270A512-B8E7-49CA-A04D-842D97398BEA@microsoft.com...
> >>> >
> >>> > I have a test ADAM instance running on a Win2k3 server. I have built
> >>> > test userProxy objects that point to AD users. When connecting via LDAP
> >>> > to ADAM the proxy is working if the password provided to ADAM is the AD
> >>> > password. If the AD user account is set to change password at next login,
> >>> > password expired, account locked, account disabled, etc., I simply get a
> >>> > bind failure and don't seem to get any detailed LDAP error back as to
> >>> > why the bind failed. Am I missing something?
> >>> >
> >>> > I have also tried to find a way to issue LDIFDE to change a password
> >>> > of the ADAM user proxy and it fails, but when I point LDIFDE to the AD
> >>> > server it works. Is there a way to change a password via the userProxy
> >>> > object?
> >>> >
> >>> > ADAM appears to be a great way to create a flat name space of
> >>> > proxyusers that point to users in multiple forests, but I am limited in
> >>> > how I can recommend its use if the userProxy object doesn't allow for
> >>> > granular LDAP errors and the ability to react to the errors. (Change
> >>> > passwords and unlock of user accounts being the big ones)
> >>> >
> >>> > --
> >>> > Darwin Ten Haken
> >>> > State of Iowa
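The hex-to-decimal lookup Darwin works out above (data 773 -> 1907 ERROR_PASSWORD_MUST_CHANGE, data 532 -> 1330 ERROR_PASSWORD_EXPIRED), as an added Python example that is not part of this thread: it pulls the `data NNN` field out of an AD bind-failure string, converts it exactly as the post does, and names the winerror.h code. It goes beyond the post's two codes by including the other well-known winerror.h logon codes (taken from winerror.h, not from the post), and it handles the ADAM userProxy case the thread discusses, where the bind comes back as a bare error 49 with no data field at all. The sample messages are constructed for the example; only the first is the one quoted in the post.

```python
import re

# winerror.h values that AD reports in the "data NNN" field of an LDAP bind
# failure. 1907 and 1330 are the two worked out in the post above; the rest
# are other winerror.h logon codes (assumption: taken from winerror.h, not
# from the thread).
WINERROR_NAMES = {
    1317: "ERROR_NO_SUCH_USER",
    1326: "ERROR_LOGON_FAILURE",
    1328: "ERROR_INVALID_LOGON_HOURS",
    1329: "ERROR_INVALID_WORKSTATION",
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1793: "ERROR_ACCOUNT_EXPIRED",
    1907: "ERROR_PASSWORD_MUST_CHANGE",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}

# "data 773" in the AcceptSecurityContext comment; the number is hexadecimal.
DATA_RE = re.compile(r"\bdata\s+([0-9A-Fa-f]+)")
CODE_RE = re.compile(r"error code (\d+)")


def decode_bind_error(detail):
    """Parse an AD LDAP bind failure string.

    Returns a dict with ldap_code (int or None), data_hex (str or None),
    winerror (decimal int or None) and name (winerror.h symbol or "UNKNOWN").
    """
    code_m = CODE_RE.search(detail)
    data_m = DATA_RE.search(detail)
    ldap_code = int(code_m.group(1)) if code_m else None
    if data_m is None:
        # Binds through an ADAM userProxy (and non-AD servers) surface only
        # error 49 with no AcceptSecurityContext data field, so there is
        # nothing to translate.
        return {"ldap_code": ldap_code, "data_hex": None,
                "winerror": None, "name": "UNKNOWN"}
    data_hex = data_m.group(1)
    winerror = int(data_hex, 16)          # e.g. "773" hex -> 1907 decimal
    return {"ldap_code": ldap_code, "data_hex": data_hex,
            "winerror": winerror,
            "name": WINERROR_NAMES.get(winerror, "UNKNOWN")}


def bind_outcome(detail):
    """Collapse a decoded failure into the action an application should take."""
    name = decode_bind_error(detail)["name"]
    if name in ("ERROR_PASSWORD_MUST_CHANGE", "ERROR_PASSWORD_EXPIRED"):
        # The password was right but the account state blocks logon: offer a
        # password change, never treat this as a successful authentication.
        return "password-change-required"
    if name in ("ERROR_ACCOUNT_LOCKED_OUT", "ERROR_ACCOUNT_DISABLED",
                "ERROR_ACCOUNT_EXPIRED", "ERROR_INVALID_LOGON_HOURS",
                "ERROR_INVALID_WORKSTATION"):
        return "account-blocked"
    if name in ("ERROR_LOGON_FAILURE", "ERROR_NO_SUCH_USER"):
        # Report both to the end user with the same message so the response
        # does not reveal which usernames exist; log the detail server-side.
        return "invalid-credentials"
    return "bind-failed-unknown"


# Constructed sample inputs. The first is the message quoted in the post;
# the second is the same shape with the expired-password data value; the
# third mimics the bare error 49 an ADAM userProxy bind returns.
SAMPLE_MUST_CHANGE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, "
                      "comment: AcceptSecurityContext error, data 773, vece")
SAMPLE_EXPIRED = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, "
                  "comment: AcceptSecurityContext error, data 532, vece")
SAMPLE_PROXY = "[LDAP: error code 49 - Invalid Credentials]"

if __name__ == "__main__":
    for msg in (SAMPLE_MUST_CHANGE, SAMPLE_EXPIRED, SAMPLE_PROXY):
        print(decode_bind_error(msg), "->", bind_outcome(msg))
```

The decimal value is the one to look up in winerror.h, as the post does; the application logic keys off the symbolic name rather than the raw number so that the three classes of failure (change the password, account blocked, bad credentials) are handled deliberately instead of all collapsing into "bind failed".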