Re: Changing ADAM user password



Please do post it back, it'd be interesting to know.
Things that come to my mind:
1) give auth users read
2) allow pwd operations on non-encrypted channel
3) allow users in config NC
Hmm... What else? Some schema extensions?

--
Dmitri Gavrilov
SDE, DS Admin eXperience

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

<compurhythms@xxxxxxxxx> wrote in message
news:1150816146.499648.110980@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I would go farther than Dmitri and say there are about 4 core configuration tweaks that need to be done before ADAM is usable. I'm scripting them right now. If I remember I'll post the LDF back to the group when I get a chance.

Thanks for your help. The SID addition worked. Also kudos on your book. It's not often that you come across a definitive work on any given subject, but yours comes as close as any when it comes to accessing AD and ADAM via SDS.

Mike


Joe Kaplan (MVP - ADSI) wrote:
Indeed. The <SID=xxxx> is a valid DN syntax, so you can use that in place of standard DNs. When you add a SID from a foreign domain (or Windows, when using ADAM), the FSP is automagically created by the directory. Handy feature. :) AD does this too.

I understand what you are saying on FastBind. It does indeed prune the non-IADs interface methods, as it does not bother to get the object's objectClass and therefore doesn't know to allow IADsUser (where ChangePassword resides). So, that's not a solution for you.

Anyway, I hope the SID trick works for you. That was originally the default setting in ADAM, but it was removed to make ADAM "secure by default". I've heard Dmitri argue that it makes ADAM "not useful by default" as a result. :) It is typically one of the first things I do when I bring up a new instance.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<compurhythms@xxxxxxxxx> wrote in message
news:1150754753.833930.89440@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I think I found it. Just add <SID=S-1-5-8> to the members list on the role, and it looks like the FSP is created for you, correct?


Mike

compurhythms@xxxxxxxxx wrote:
Joe,

FastBind is causing some ADSI methods to be pruned (as described on pages 89-90 of your book ;) So I can't call Invoke("ChangePassword",) (I get a COM IDispatch error).

I've never added a raw SID to a role before. Do I have to add it to the ForeignSecurityPrincipals in the Configuration NC first? How would I do that?

Mike

Joe Kaplan (MVP - ADSI) wrote:
I'd suggest either adding the FastBind flag (which might work here; not sure) or just adding the authenticated users SID (<SID=S-1-5-8>) to the Readers role. That way, you don't have to add each user individually.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<compurhythms@xxxxxxxxx> wrote in message
news:1150732879.477067.118130@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Sorry, the full path to my user should read:

string ldapPath = "LDAP://localhost:9389/CN=My User,OU=My Unit,DC=MYPARTITION,DC=ADAM";

Also, creating the directory entry should look like:

DirectoryEntry changeEntry = new DirectoryEntry(ldapPath, userID, oldPassword, AuthenticationTypes.None);

compurhythms@xxxxxxxxx wrote:
I've got an existing ADAM user. I'm trying to change its password in C#. I know the current password is set correctly because I can bind to the instance via LDP with its credentials. Here is how I am trying to change the password:

string ldapPath = "LDAP://CN=My User,OU=My Unit,DC=MYPARTITION,DC=ADAM";

string userID = "myUser"; // this is the userPrincipalName for my user's ADAM entry

DirectoryEntry changeEntry = new DirectoryEntry(fullDN, userID, oldPassword, AuthenticationTypes.None);

if (changeEntry != null)
{
    // ** code fails on next line
    changeEntry.Options.PasswordEncoding = PasswordEncodingMethod.PasswordEncodingClear;

    changeEntry.Options.PasswordPort = 9389;

    changeEntry.Invoke("ChangePassword", new Object[] { oldPassword, newPassword });
}

At the code marked "**" above, I get an exception "no such object on the server".

Now this usually means one of two things:

1. The object really does not exist - It does in my case
2. There is a security issue accessing the entry

So #2 sounds more likely, but I'm providing the user's current userPrincipalName and password to bind to the entry. Do I have to add all my ADAM users to the "Readers" role just to allow them to change passwords on their own object?

Mike
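The two fixes the thread converges on, as one added C# example (not code posted by Mike, Joe or Dmitri): first, an administrator adds the SID the thread uses (<SID=S-1-5-8>) as a member of the partition's Readers role so that ADAM creates the foreignSecurityPrincipal and every authenticated user can read the directory; second, a user changes its own password through DirectoryEntry.Invoke("ChangePassword") with PasswordEncoding and PasswordPort set, and without FastBind. It goes one step beyond the thread's clear-text setup by also showing the SSL variant. The host, the ports (9389 plain, 9636 for SSL), the partition DN, the Readers role path under CN=Roles and all credentials are hypothetical placeholders for your own instance.

```csharp
// Added example, not code from the thread. Host, ports, DNs and credentials are
// hypothetical placeholders; adjust them to your ADAM instance.
using System;
using System.DirectoryServices;

static class AdamPasswordDemo
{
    const string Host = "localhost";                   // placeholder
    const int LdapPort = 9389;                         // plain LDAP port used in the thread
    const int SslPort = 9636;                          // assumed LDAPS port of the instance
    const string PartitionDn = "DC=MYPARTITION,DC=ADAM";

    // SID the thread adds to the Readers role. ADAM accepts the <SID=...> form as a DN
    // and creates the foreignSecurityPrincipal object for it automatically.
    const string AuthenticatedUsersSid = "<SID=S-1-5-8>";

    // One-time setup, run with an ADAM administrator account. Running it twice raises a
    // COM exception, because the member (stored as the FSP's DN) then already exists.
    public static void GrantReadToAuthenticatedUsers(string adminUser, string adminPassword)
    {
        string readersPath = "LDAP://" + Host + ":" + LdapPort + "/CN=Readers,CN=Roles," + PartitionDn;
        using (DirectoryEntry readers = new DirectoryEntry(readersPath, adminUser, adminPassword,
                                                           AuthenticationTypes.None))
        {
            readers.Properties["member"].Add(AuthenticatedUsersSid);
            readers.CommitChanges();
        }
    }

    // Self-service password change: the user binds with its own userPrincipalName and
    // current password (simple bind, AuthenticationTypes.None). Do not add
    // AuthenticationTypes.FastBind: it skips the objectClass lookup, so IADsUser (where
    // ChangePassword lives) is not exposed and Invoke fails with a COM IDispatch error.
    public static void ChangeOwnPassword(string userDn, string userPrincipalName,
                                         string oldPassword, string newPassword, bool useSsl)
    {
        string userPath = "LDAP://" + Host + ":" + LdapPort + "/" + userDn;
        using (DirectoryEntry user = new DirectoryEntry(userPath, userPrincipalName, oldPassword,
                                                        AuthenticationTypes.None))
        {
            // Setting the first option binds to the object. A "no such object" error here
            // means the bound user cannot read its own entry, i.e. the Readers role step
            // above has not been done for this partition.
            if (useSsl)
            {
                user.Options.PasswordEncoding = PasswordEncodingMethod.PasswordEncodingSsl;
                user.Options.PasswordPort = SslPort;
            }
            else
            {
                // Clear encoding sends the new password unencrypted on the LDAP port and
                // only works if the instance allows password operations on a non-SSL
                // channel (tweak 2 in Dmitri's list). Suitable for a test instance only.
                user.Options.PasswordEncoding = PasswordEncodingMethod.PasswordEncodingClear;
                user.Options.PasswordPort = LdapPort;
            }
            user.Invoke("ChangePassword", new object[] { oldPassword, newPassword });
        }
    }

    // Usage: AdamPasswordDemo <adminUser> <adminPassword> <userDn> <userUPN> <oldPwd> <newPwd>
    static int Main(string[] args)
    {
        if (args.Length != 6)
        {
            Console.Error.WriteLine("usage: AdamPasswordDemo adminUser adminPassword userDn userUPN oldPwd newPwd");
            return 1;
        }
        GrantReadToAuthenticatedUsers(args[0], args[1]);
        ChangeOwnPassword(args[2], args[3], args[4], args[5], useSsl: true);
        Console.WriteLine("Password changed for " + args[3]);
        return 0;
    }
}
```

Run the setup once per partition, then the password change works for any user that can bind; with useSsl set to false the example reproduces Mike's port-9389 configuration, which additionally requires the instance to permit password operations over an unencrypted channel.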




