Re: Changing ADAM user password
- From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 25 Jun 2006 19:35:57 -0500
I think you should keep the policy as is and just use dsHeuristics to change
it globally. I agree that consistency is important.
Thanks for looking into this.
Joe
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:eO2vweCmGHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
It is possible that digest is figuring encryption is not needed when the
traffic is not hitting the wire. We are checking this.
I am wondering... Should we remove the encrypted channel requirement for
pwd operations when the client is on the local box? Strictly speaking, it
is not needed. There's a downside to it though: inconsistency. Devs
testing their programs on local machine are not going to hit this
constraint, and they'll be unpleasantly surprised when their app is
deployed onto a different server and the requirement kicks in. Hmm...
Probably not then.
Ok, let me get some info from digest folks first. It looks like NTLM does
not mind providing an encrypted channel even to local connections.
--
Dmitri Gavrilov
SDE, DS Admin eXperience
This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:u9kks25lGHA.4596@xxxxxxxxxxxxxxxxxxxxxxx
That's even more interesting. I didn't have an easy way to test that and
would not have thought that going "off box" would make a difference, so I
would definitely have missed that. I wonder if there is a bug in there
though, as I'm pretty sure when doing negotiate auth it works fine on box
or off.
Thanks for the extra investigation.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
news:%23Zq05V2lGHA.4808@xxxxxxxxxxxxxxxxxxxxxxx
Hi
I just rechecked this on W2K3SP1 and it DOES work.
However only in a client server setup: In my first test
I connected to the ADAM instance (localhost) and
made the digest bind with LDAP_OPT_ENCRYPT=1,
the attempted change of password fails with the error
I posted.
Running the bind from another W2K3SP1 machine
and attempting the same works!
Apologies for the confusion, I have not yet worked out
why working locally on the instance (as localhost or FQDN)
fails.
Lee Flight
"Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:Otnp$LwlGHA.1972@xxxxxxxxxxxxxxxxxxxxxxx
I'll show this to digest folks. Something is missing indeed. Maybe by
design, maybe not.
--
Dmitri Gavrilov
SDE, DS Admin eXperience
This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:uammLpglGHA.1276@xxxxxxxxxxxxxxxxxxxxxxx
That's too bad. I assume you tried that using a 2003 client as well.
I know this works ok when using negotiate auth, as I've used that
trick often with ldp. There is probably something missing with the
encryption support in digest or something like that.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
news:u8tbqEelGHA.3924@xxxxxxxxxxxxxxxxxxxxxxx
I just tried this using ldp and a Delete/Add on unicodePwd:
--
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity,
DIGEST (16518)); // v.3
{NtAuthIdentity:
User='cn=test1,ou=testou1,o=myorg,dc=myroot';
Pwd=<unavailable>; domain = ''}
Authenticated as:
'CN=test1,OU=testOU1,O=myorg,DC=myroot'.
***Call Modify...
ldap_modify_s(ld, 'CN=test1,OU=testOU1,O=myorg,DC=myroot'
,[2] attrs);
Error: Modify: Operations Error. <1>
Server error: 00002077: SvcErr:
DSID-0338070C, problem 5012 (DIR_ERROR), data 8237
Error 0x2077 Illegal modify operation.
Some aspect of the modification is not permitted.
--
Not sure if there is anything in code that could improve on this but
at first glance it appears that the security of the channel is not being
recognized in this case. Simple bind + SSL worked fine.
Lee Flight
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:%23KRfPgalGHA.4540@xxxxxxxxxxxxxxxxxxxxxxx
I'll give the digest/encryption thing a try as soon as I get a
chance to flip my ADAM back to requiring encrypted password mods.
:)
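Two details in the thread are easy to get wrong when scripting this outside ldp: the exact byte form of the unicodePwd value behind Lee's Delete/Add, and the dsHeuristics edit Joe proposes for relaxing the encrypted-channel requirement globally. The Python below is an added example for this page, not code posted by anyone in the thread. The host, DNs and passwords in it are made up; reset_password() needs the third-party ldap3 module and a live instance and is not exercised offline; the dsHeuristics position used (13, giving "0000000001001") is the one Microsoft documents for ADAM and is assumed here, so confirm it for your build. Bear in mind what that edit does: once set, a client that does a simple bind without SSL puts both the bind password and the new password on the wire in clear, which is exactly the case the default refuses.

```python
"""ADAM / AD LDS password-operation helpers.

Added example for this thread; not code posted by anyone in it.
The only dependency outside the standard library is ldap3, used in
reset_password() alone and imported lazily, so everything else runs offline.
"""
import ssl
from typing import Dict, List, Optional, Tuple

# dsHeuristics position that lets ADAM accept password operations on a
# connection it does not consider encrypted (Microsoft documents the value
# "0000000001001" for this). Assumed here; confirm for your ADAM/AD LDS build.
ADAM_PASSWORD_OPS_OVER_NON_SECURE = 13


def unicode_pwd_value(password: str) -> bytes:
    """Encode a password the way the server requires for unicodePwd.

    The value must be the password enclosed in double quotes, as UTF-16LE
    with no BOM; ldp applies the same transformation behind the scenes.
    """
    return f'"{password}"'.encode("utf-16-le")


def unicode_pwd_mods(new_password: str,
                     old_password: Optional[str] = None
                     ) -> Dict[str, List[Tuple[str, List[bytes]]]]:
    """Build the modify operation for a password change or reset.

    Self-service change (the thread's Delete/Add): delete the old value and
    add the new one in a single modify, which needs the user's old password.
    Administrative reset: a single replace, which needs reset rights instead.
    The operation names are the literal strings behind ldap3's MODIFY_DELETE /
    MODIFY_ADD / MODIFY_REPLACE constants, so the dict can be passed straight
    to Connection.modify().
    """
    if old_password is not None:
        return {"unicodePwd": [("MODIFY_DELETE", [unicode_pwd_value(old_password)]),
                               ("MODIFY_ADD", [unicode_pwd_value(new_password)])]}
    return {"unicodePwd": [("MODIFY_REPLACE", [unicode_pwd_value(new_password)])]}


def set_ds_heuristic(current: str, position: int, value: str = "1") -> str:
    """Return dsHeuristics with the 1-based `position` character set to `value`.

    Every tenth character of dsHeuristics is a check digit that must equal
    the tens digit of its position ('1' at 10, '2' at 20, ...); the server
    ignores the whole attribute if one is wrong. Padding fills them in, and
    a malformed input is rejected rather than silently patched.
    """
    if position < 1 or position % 10 == 0 or len(value) != 1:
        raise ValueError("position must be 1-based and not a check-digit slot; value is one character")
    chars = list(current)
    while len(chars) < position:
        idx = len(chars) + 1
        chars.append(str(idx // 10 % 10) if idx % 10 == 0 else "0")
    for idx in range(10, len(chars) + 1, 10):
        if chars[idx - 1] != str(idx // 10 % 10):
            raise ValueError(f"dsHeuristics check digit at position {idx} is wrong")
    chars[position - 1] = value
    return "".join(chars)


def reset_password(host: str, bind_dn: str, bind_pw: str, target_dn: str,
                   new_password: str, old_password: Optional[str] = None) -> bool:
    """Run the modify over LDAPS with a simple bind, the combination the
    thread reports working on ADAM. Hypothetical arguments; needs ldap3 and
    a reachable server, so it is not run offline.
    """
    from ldap3 import Connection, Server, Tls  # third-party; lazy so the rest stays offline
    # ldap3 does not validate the server certificate unless told to; without
    # validation an on-path attacker sees the bind password and the new one.
    tls = Tls(validate=ssl.CERT_REQUIRED)
    server = Server(host, port=636, use_ssl=True, tls=tls)
    conn = Connection(server, user=bind_dn, password=bind_pw, auto_bind=True)
    try:
        return conn.modify(target_dn, unicode_pwd_mods(new_password, old_password))
    finally:
        conn.unbind()
```

To apply the global relaxation Joe mentions, read the current dsHeuristics from CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={instance GUID}, pass it through set_ds_heuristic(current, ADAM_PASSWORD_OPS_OVER_NON_SECURE) and write the result back; starting from an empty attribute that yields "0000000001001". Prefer fixing the client (SSL, or Negotiate with LDAP_OPT_ENCRYPT) over setting it.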