Re: ADAM - AD_Schema load fails with error



Sorry... missed a word there. I got my code to authenticate against ADAM.
However, it only seems to work when the ADAM server is connected to the
network.

The idea is that we have an application, which will be taken out of the
office. Not an unusual idea presented like that, but we are taking a server
and a team of users out of the office. So a team will have a 2003 server
running an ASP.net application. The team will access this using forms based
security, which will hopefully be able to authenticate them against the ADAM
instance. A requirement is that they access the application using the
credentials that they use when in the office.

So we are looking at populating an ADAM instance while they are still in the
office, then using this for authentication while they are away.

We have discovered that the authentication code does seem to need to be
connected to the network containing the AD, otherwise it fails. Is it
possible to authenticate against ADAM while the ADAM instance is not
connected to the AD network?
--
Regards,
Andrew Stanford


"Lee Flight" wrote:

> Hi
>
> I think the problem with lockoutTime may be a bug. I will chase
> it up. As a workaround add lockoutTime as an <exclude> attribute
> in your XML configuration file and reapply the install.
>
> I'm confused by the statement "got my code to authenticate against"
> as ADAMSync cannot synch. passwords between AD and ADAM.
> If what you are saying is that you used a windows account from the
> domain that the ADAM server is a member of and authenticated OK
> then that's fine.
>
> Thanks
> Lee Flight
>
> "Andrew Stanford" <AndrewStanford@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> message news:EF6C14D3-ED60-41EA-8DE3-7C05E056C8D5@xxxxxxxxxxxxxxxx
> > Hi,
> >
> > Finally... SUCCESS. I have managed to synchronize a Group from AD to my
> > ADAM instance. I even got my code to authenticate against.
> >
> > So, just continuing on with my investigation of this technology... I
> > changed a password in AD then tried to run the adamsync again to get the
> > new password down into ADAM. The following is a dump from the command prompt;
> >
> > C:\WINDOWS\ADAM>adamsync /sync localhost:389 dc=btweb,dc=bakertilly,dc=net,dc=adam /log -
> > Adamsync.exe v1.0 (5.2.3790.1939)
> > Establishing connection to target server localhost:389.
> > Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
> > Saved configuration file.
> > ADAMSync is querying for a writeable replica of btweb.bakertilly.net.
> > Establishing connection to source server btdccy.btweb.bakertilly.net:389.
> > Using file .?dam3A.tmp as a store for deferred dn-references.
> > Populating the schema cache
> > Populating the well known objects cache
> > Starting synchronization run from DC=btweb,DC=bakertilly,DC=net.
> > Starting DirSync Search with object mode security.
> >
> > Processing Entry: Page 1, Frame 1, Entry 0, Count 0, USN 0
> > Processing source entry <guid=832ea0dc80bedc46bc5b759afe29e969>
> > Processing in-scope entry 832ea0dc80bedc46bc5b759afe29e969.
> > Modifying target object CN=Harding-Rolls Simon,OU=BT,OU=ITF,DC=btweb,DC=bakertilly,DC=net.
> > Modifying attributes: dBCSPwd, lockoutTime, lastagedchange,
> > Ldap error occured. ldap_modify_sW: Constraint Violation.
> > Extended Info: 00000057: AtrErr: DSID-030F0BB6, #1:
> > 0: 00000057: DSID-030F0BB6, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90296 (lockoutTime)
> > .
> > Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
> > Saved configuration file.
> >
> > Any ideas on this one.
> > --
> > Regards,
> > Andrew Stanford
> >
> >
> > "Lee Flight" wrote:
> >
> >> Hi
> >>
> >> sorry I had not picked up you want to sync from an Exchange extended
> >> AD schema. Using ADSchemaAnalyzer is the way to go, if you can get
> >> the schema in sync then you do not need to fiddle with exclude attrs.
> >> More below....
> >>
> >> "Andrew Stanford" <AndrewStanford@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> >> message news:23E0B5E2-5B60-42C0-BB79-4CF18219E32E@xxxxxxxxxxxxxxxx
> >>
> >> > I didn't think there would be this many problems with the schema as I
> >> > have loaded MS-AdamSchemaW2K3.LDF & MS-AdamSyncMetadata.LDF into ADAM
> >> >
> >> > I then run the ADSchemaAnalyzer loading the ADAM instance as the "target
> >> > schema" and the AD server as the "Base schema". I then check the "Mark
> >> > non-present elements as included" menu option and then "Create LDIF
> >> > File...".
> >> >
> >> > I load the resulting LDIF file into my ADAM instance. Shouldn't the
> >> > ADAM & AD schemas be the same at this point? Is there an easier way to
> >> > figure out the required "exclude" tags?
> >>
> >> What works for me is:
> >>
> >> Install an ADAM instance and create the naming context that you want in
> >> it, do not apply any LDIFs
> >>
> >> Run ADSchemaAnalyzer load the exchange extended schema from the DC
> >> as the *target*, load the (minimal) ADAM schema as the base. Then check
> >> the "Mark all non-present elements as included" menu option and then
> >> "Create LDIF File...". The resulting LDIF is around 3MB (2091 entries)
> >>
> >> Load the LDIF just created into the ADAM Schema
> >>
> >> Load MS-AdamSyncMetadata.LDF into the ADAM schema
> >>
> >> Create the ADAMSync XML file and assuming that it is only user objects
> >> that you want, use
> >>
> >> <object-filter>(&(objectCategory=Person)(objectClass=User))</object-filter>
> >>
> >> ADAMSync /install and the ADAMSync /sync as usual.
> >>
> >> HTH
> >> Lee Flight
> >>
> >>
>
>
>
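The install-then-sync procedure Lee describes (naming context, analyzer LDIF, MS-AdamSyncMetadata.LDF, then an ADAMSync XML file with a user-only object filter) and his lockoutTime workaround both end up in the configuration file that `adamsync /install` consumes. The file below is an added example and was not posted in this thread. It follows the layout of the MS-AdamSyncConf.xml sample that ships with ADAM; the element names are assumed from that sample, and the source DC, source partition and target DN are the values visible in Andrew's log. The object filter is the one Lee gives, written with `&amp;` because the file is XML and a bare `&` is not well-formed there.

```xml
<?xml version="1.0"?>
<doc>
  <configuration>
    <!-- Added example; element names assumed from the MS-AdamSyncConf.xml sample -->
    <description>Users from AD into ADAM, lockoutTime excluded as a workaround</description>
    <!-- "object" matches the "DirSync Search with object mode security" line in the log -->
    <security-mode>object</security-mode>
    <!-- Source DC and partition as shown in the adamsync log in this thread -->
    <source-ad-name>btdccy.btweb.bakertilly.net</source-ad-name>
    <source-ad-partition>dc=btweb,dc=bakertilly,dc=net</source-ad-partition>
    <!-- Left empty: adamsync then uses the credentials of the account running it -->
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <!-- ADAM naming context that receives the copies (target DN from the log) -->
    <target-dn>dc=btweb,dc=bakertilly,dc=net,dc=adam</target-dn>
    <query>
      <base-dn>dc=btweb,dc=bakertilly,dc=net</base-dn>
      <!-- Lee's user-only filter; the ampersand has to be escaped in XML -->
      <object-filter>(&amp;(objectCategory=Person)(objectClass=User))</object-filter>
      <attributes>
        <!-- Empty include: every attribute not listed under exclude is copied -->
        <include></include>
        <!-- Workaround from the thread: do not copy lockoutTime into ADAM -->
        <exclude>lockoutTime</exclude>
      </attributes>
    </query>
    <schedule>
      <aging>
        <frequency>0</frequency>
        <num-runs>0</num-runs>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <!-- Bookkeeping section that adamsync fills in itself; leave the elements empty -->
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-name></configuration-file-name>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-cleanup></runs-since-last-object-cleanup>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>
```

Apply it with `adamsync /install localhost:389 <file>` and then run `adamsync /sync localhost:389 dc=btweb,dc=bakertilly,dc=net,dc=adam /log -`, the same command shape as in Andrew's log. Two consequences of this file are worth keeping in view: as Lee notes, ADAMSync carries no password data, so the objects that land in ADAM have no credential of their own, and authenticating such a user with the password they use in the office is ADAM's bind-redirection path (a userProxy object forwarding the bind to a domain controller), which by construction needs a reachable DC. Separately, with lockoutTime excluded an account that is locked out in AD is not locked out in the ADAM copy, so any lockout policy the application relies on has to be enforced on the ADAM side.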