Re: Changing ADAM user password



I would go farther than Dmitri and say there are about 4 core
configuration tweaks that need to be done before ADAM is usable. I'm
scripting them right now. If I remember I'll post the LDF back to the
group when I get a chance.

Thanks for your help. The SID addition worked. Also kudos on your
book. It's not often that you come across a definitive work on any
given subject but yours comes as close as any when it comes to
accessing AD and ADAM via SDS.

Mike


Joe Kaplan (MVP - ADSI) wrote:
Indeed. The <SID=xxxx> is a valid DN syntax, so you can use that in place
of standard DNs. When you add a SID from a foreign domain (or Windows, when
using ADAM), the FSP is automagically created by the directory. Handy
feature. :) AD does this too.

I understand what you are saying on FastBind. It does indeed prune the
non-IADs interface methods as it does not bother to get the object's
objectClass and therefore doesn't know to allow IADsUser (where
ChangePassword resides). So, that's not a solution for you.

Anyway, I hope the SID trick works for you. That was originally the default
setting in ADAM, but it was removed to make ADAM "secure by default". I've
heard Dmitri argue that it makes ADAM "not useful by default" as a result.
:) It is typically one of the first things I do when I bring up a new
instance.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<compurhythms@xxxxxxxxx> wrote in message
news:1150754753.833930.89440@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I think I found it. Just add <SID=S-1-5-8> to the members list on the
role, and it looks like the FSP is created for you, correct?


Mike

compurhythms@xxxxxxxxx wrote:
Joe,

FastBind is causing some ADSI methods to be pruned (as described on
pages 89-90 of your book ;), so I can't call Invoke("ChangePassword", ...)
(I get a COM IDispatch error).

I've never added a raw SID to a role before, do I have to add it to the
ForeignSecurityPrincipals in the Configuration NC first? How would I
do that?

Mike

Joe Kaplan (MVP - ADSI) wrote:
I'd suggest either adding the FastBind flag (which might work here; not
sure) or just adding the authenticated users SID (<SID=S-1-5-8>) to the
Readers role. That way, you don't have to add each user individually.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
<compurhythms@xxxxxxxxx> wrote in message
news:1150732879.477067.118130@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sorry, the full path to my user should read:

string ldapPath = "LDAP://localhost:9389/CN=My User,OU=My Unit,DC=MYPARTITION,DC=ADAM";

Also, creating the directory entry should look like:

DirectoryEntry changeEntry = new DirectoryEntry(ldapPath, userID, oldPassword, AuthenticationTypes.None);

compurhythms@xxxxxxxxx wrote:
I've got an existing ADAM user. I'm trying to change its password in
C#. I know the current password is set correctly because I can bind to
the instance via LDP with its credentials. Here is how I am trying to
change the password:

using System;
using System.DirectoryServices; // DirectoryEntry, AuthenticationTypes, PasswordEncodingMethod

string ldapPath = "LDAP://CN=My User,OU=My Unit,DC=MYPARTITION,DC=ADAM";

string userID = "myUser"; // this is the userPrincipalName for my user's ADAM entry

DirectoryEntry changeEntry = new DirectoryEntry(ldapPath, userID, oldPassword, AuthenticationTypes.None);

if (changeEntry != null)
{
    // ** code fails on next line (setting Options forces the bind to happen here)
    changeEntry.Options.PasswordEncoding = PasswordEncodingMethod.PasswordEncodingClear;

    changeEntry.Options.PasswordPort = 9389;

    changeEntry.Invoke("ChangePassword", new Object[] { oldPassword, newPassword });
}

At the code marked "**" above, I get an exception "no such object on
the server".

Now this usually means one of two things:

1. The object really does not exist - It does in my case
2. There is a security issue accessing the entry

So #2 sounds more likely, but I'm providing the user's current
userPrincipalName and password to bind to the entry. Do I have to add
all my ADAM users to the "Readers" role just to allow them to change
passwords on their own object?

Mike

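The two things Joe's replies above boil down to, written out as one working program (an added example; this is not code from the thread, from Joe's book or from Microsoft): first, an administrator adds Authenticated Users to the partition's Readers role with the <SID=S-1-5-8> DN form, letting ADAM create the foreignSecurityPrincipal itself; second, the user binds with an ordinary (non-FastBind) simple bind so that IADsUser, and therefore ChangePassword, is available. The server localhost:9389 and the partition DC=MYPARTITION,DC=ADAM are taken from Mike's post; the Readers role path CN=Readers,CN=Roles,<partition>, the use of a Windows account in the Administrators role for step 1, and the HRESULT 0x8007200D (ERROR_DS_ATTRIBUTE_OR_VALUE_EXISTS) used to tolerate a re-run are assumptions made for this example.

```csharp
// Added example, not part of the original thread. Assumed names are marked below.
using System;
using System.DirectoryServices;

static class AdamPasswordDemo
{
    const string Server = "localhost:9389";                 // from the thread
    const string Partition = "DC=MYPARTITION,DC=ADAM";      // from the thread
    const string AuthenticatedUsersSid = "S-1-5-8";         // well-known SID: Authenticated Users
    const int ErrorAttributeOrValueExists = unchecked((int)0x8007200D); // assumed HRESULT for "already a member"

    // Step 1 (one-time, run as an ADAM administrator): put Authenticated Users into the
    // partition's Readers role via the <SID=...> DN syntax. ADAM creates the FSP under
    // CN=ForeignSecurityPrincipals on its own; nothing has to be pre-created.
    // adminUser is assumed to be a Windows account in the Administrators role, hence Secure (Negotiate).
    public static void GrantReadersToAuthenticatedUsers(string adminUser, string adminPassword)
    {
        string readersPath = "LDAP://" + Server + "/CN=Readers,CN=Roles," + Partition; // assumed role location
        using (var readers = new DirectoryEntry(readersPath, adminUser, adminPassword, AuthenticationTypes.Secure))
        {
            readers.Properties["member"].Add("<SID=" + AuthenticatedUsersSid + ">");
            try
            {
                readers.CommitChanges();
            }
            catch (DirectoryServicesCOMException ex)
            {
                // Re-running the setup is harmless: the SID is already a member.
                if (ex.ErrorCode != ErrorAttributeOrValueExists) throw;
            }
        }
    }

    // Step 2: the user changes their own password. The bind must NOT include
    // AuthenticationTypes.FastBind: FastBind skips reading objectClass, so the
    // IADsUser interface (where ChangePassword lives) is never exposed and Invoke
    // fails with a COM IDispatch error.
    public static void ChangeOwnPassword(string userDn, string userPrincipalName,
                                         string oldPassword, string newPassword,
                                         int passwordPort, bool overSsl)
    {
        string path = "LDAP://" + Server + "/" + userDn;
        AuthenticationTypes auth = overSsl ? AuthenticationTypes.SecureSocketsLayer
                                           : AuthenticationTypes.None; // None = simple bind, credentials in clear

        using (var user = new DirectoryEntry(path, userPrincipalName, oldPassword, auth))
        {
            // Setting Options forces the bind; if the user cannot read its own entry
            // (no Readers membership), this is where "no such object" surfaces.
            user.Options.PasswordEncoding = overSsl ? PasswordEncodingMethod.PasswordEncodingSsl
                                                    : PasswordEncodingMethod.PasswordEncodingClear;
            user.Options.PasswordPort = passwordPort;

            // Explicitly pull objectClass so the ADSI object knows it is a user.
            user.RefreshCache(new[] { "objectClass" });

            user.Invoke("ChangePassword", new object[] { oldPassword, newPassword });
        }
    }

    static void Main(string[] args)
    {
        if (args.Length != 6)
        {
            Console.WriteLine("usage: AdamPasswordDemo <adminUser> <adminPassword> <userDn> <upn> <oldPassword> <newPassword>");
            return;
        }
        GrantReadersToAuthenticatedUsers(args[0], args[1]);

        // Lab setting matching the thread: clear password encoding on the 9389 LDAP port.
        // The instance must allow password operations over an unsecured connection for
        // this to work; outside a lab pass the instance's SSL port and overSsl = true.
        ChangeOwnPassword(args[2], args[3], args[4], args[5], 9389, overSsl: false);
        Console.WriteLine("Password changed for " + args[3]);
    }
}
```

Two caveats worth keeping in mind. PasswordEncodingClear together with AuthenticationTypes.None sends both the bind password and the new password in clear text on the wire, which is acceptable only on the same host in a lab; the SSL branch (PasswordEncodingSsl, the instance's SSL port) is the one to ship. And adding Authenticated Users to Readers grants every successfully bound principal read access to the whole partition, which is exactly the "secure by default" versus "useful by default" trade-off Joe mentions; if that is too broad, the alternative is an explicit ACE on the user containers rather than the role.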