Re: Oh.... I'm just wondering who's seen this stumper...



Hopefully the encryption is configurable so you can get the actual LDAP
traffic. I don't think the mystery will be revealed until we see the raw
LDAP ops. I'm actually all for encrypting the traffic as a normal thing,
but not while troubleshooting.

And I agree with Al; modifying pwdLastSet is really fishy. You can only set
that to 0 or -1. 0 forces password change at next logon and -1 basically
causes AD to set the value to "now", making it look like the user's password
was just changed.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Joe_SMS" <jw_nagy@xxxxxxxxxxx> wrote in message
news:1154470040.690098.99720@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
It is SASL bind GSS-API encrypted payload packets. The pricks. :) I
put in a request today for turning it off in the test domain for one
user, one test, one time. Just haven't heard the answer yet. Strange,
they have now backed off and say that they can actually modify ALL of
the attributes one at a time, but..... there's always a but....

.... they said that during a full sync after a new user is created, when
it has to update multiple attributes, is when it fails. They think it has
something to do with the fact that they delete the attributes before
they update them; don't ask me why, 'cause I don't know why anyone would
want to delete a NULL. Somehow, they think that when they had 'write
all properties', that gave them the right to delete a NULL-valued
attribute. That's their theory. They actually took ldifde and did a
changetype modify, and when it failed with the operation error, they
said, SEE !!!

....I tried to tell them it's not that you can't, it's that you can't
with ldifde. I sent them VB code to pull my employeeType attribute,
display the value, then delete it, then display NULL, then do an
ADS_PROPERTY_CLEAR on that. I can't wait for this to come down to what
it actually is..... The directory will probably force them to unencrypt
so that I can get the trace.

.....I'm thinkin' the full sync thing is doing something for which they
have no clue, and thus can't tell us. But write all properties did appear
to work, which would explain that; what it doesn't explain is why the
only attributes listed in the failure audit were known attributes that
we had given them permission to write to. What if they were setting
the password at the same time without permissions? I dumped the
metadata from a newly created user. The full sync came 4 minutes after
creation, added all those GAL attributes, but then touched all 4
password attributes plus pwdLastSet and
supplementalCredentials.....all within 2 seconds.. I mean, of the
entire meta-dump of all attributes with values (60?) the ones the sync
updated were either at 4:22:16 or 4:22:17. Awful quick to be doing it
separately.

Thanks, Joe
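Added example, not code from either poster: it reproduces the two things argued over in this thread against a lab account. First, an LDAP modify/delete of an attribute the entry does not currently have fails (the server answers noSuchAttribute, RFC 4511 section 4.6), while modify/replace with no values succeeds whether or not the attribute exists, which is why "deleting a NULL" works with one tool and not another. Second, pwdLastSet accepts only 0 and -1 through LDAP, and -1 is rewritten by the DC to the current time. The server name dc1.lab.example.com and the test user DN are placeholders (assumptions); run it only against a throw-away test user in a test domain.

```powershell
# Added example (not from the thread). Placeholders: change $server and $dn
# to a lab DC and a throw-away test user before running.
$server = 'dc1.lab.example.com'
$dn     = 'CN=Test User,OU=Lab,DC=lab,DC=example,DC=com'

# --- 1. "Deleting a NULL" with ldifde ---------------------------------------
# modify/delete with no values removes the whole attribute, but only if the
# entry has it; otherwise the DC returns noSuchAttribute and ldifde stops with
# an error. modify/replace with no values is the idempotent way to clear an
# attribute: per RFC 4511 section 4.6 it is simply ignored when the attribute
# is absent, so it succeeds either way.
$deleteLdif = @"
dn: $dn
changetype: modify
delete: employeeType
-
"@
$replaceLdif = @"
dn: $dn
changetype: modify
replace: employeeType
-
"@
Set-Content -Path .\delete.ldf  -Value $deleteLdif  -Encoding ASCII
Set-Content -Path .\replace.ldf -Value $replaceLdif -Encoding ASCII

ldifde -i -s $server -f .\delete.ldf    # fails if employeeType is already absent
ldifde -i -s $server -f .\replace.ldf   # succeeds whether or not it was set

# --- 2. The same two operations through ADSI (what the VB script did) -------
# ADS_PROPERTY_OPERATION_ENUM: CLEAR = 1, UPDATE = 2, APPEND = 3, DELETE = 4.
$user = [ADSI]"LDAP://$server/$dn"
"employeeType before: [$($user.employeeType)]"

# Delete a specific value: fails at SetInfo() if that value is not present.
$user.PutEx(4, 'employeeType', @('Contractor'))
try   { $user.SetInfo() }
catch { Write-Warning "ADS_PROPERTY_DELETE of a missing value failed: $($_.Exception.Message)" }

# Clear the attribute: the value argument is ignored, and this succeeds even
# when the attribute is already empty (the "clear a NULL" case).
$user.PutEx(1, 'employeeType', $null)
$user.SetInfo()
$user.RefreshCache(@('employeeType'))
"employeeType after clear: [$($user.employeeType)]"

# --- 3. pwdLastSet only takes 0 or -1 ---------------------------------------
function Get-PwdLastSet([System.DirectoryServices.DirectoryEntry]$entry) {
    # pwdLastSet is a LargeInteger (FILETIME); convert it to a readable time.
    $entry.RefreshCache(@('pwdLastSet'))
    $raw = $entry.ConvertLargeIntegerToInt64($entry.pwdLastSet.Value)
    if ($raw -eq 0) { return 'must change at next logon (0)' }
    return [DateTime]::FromFileTime($raw).ToString('u')
}

"pwdLastSet initially : $(Get-PwdLastSet $user)"

$user.Put('pwdLastSet', 0)     # force a password change at next logon
$user.SetInfo()
"pwdLastSet after 0   : $(Get-PwdLastSet $user)"

$user.Put('pwdLastSet', -1)    # DC replaces -1 with the current time
$user.SetInfo()
"pwdLastSet after -1  : $(Get-PwdLastSet $user)"   # reads as 'now' although no password was changed

# Any other value is rejected by the DC; this SetInfo() throws a constraint error.
try   { $user.Put('pwdLastSet', 12345); $user.SetInfo() }
catch { Write-Warning "writing an arbitrary pwdLastSet failed as expected: $($_.Exception.Message)" }
```

The ldifde half needs write access to employeeType on the test user; the pwdLastSet half needs "Write pwdLastSet" (or write all properties) on it. Step 3 is also the forensic point Joe makes above: a pwdLastSet of "now" with no corresponding password change in the event log is what a -1 write looks like, so a sync account touching pwdLastSet deserves a second look.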




