Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-26 Thread Joe Kaplan
I'd be pretty surprised if you can get ADSI to query Domino via LDAP, as 
ADSI likes to use Windows auth by default and depends on the LDAP directory 
to support the LDAP V3 subschemaSubentry rootDSE attribute to express its 
abstract schema in order for ADSI to map LDAP data types to COM datatypes. 
It might work, but I'd be more surprised if it did than didn't.  A lower 
level LDAP tool like ADFind might make more progress, though.


Having done a lot of Domino programming back in the day, my suggestion 
would be to write a LotusScript program that goes against the NAB and gets 
the addresses that way.  It would probably be less effort in the long run. 
If I was asked to do the exact same thing, that is definitely how I'd do it.


If you do get ADSI/LDAP via VBScript to work against Domino, I'd be curious 
to hear about it.  :)


Joe K.

- Original Message - 
From: Douglas W Stelley

To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 3:13 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



I really don't see that much in the enterprise version of MIIS that'll 
justify the cost. We have some tools/program files that query LDAP for valid 
email addresses (GFI for one). I'd just like to be able to pull all email 
addresses out of Lotus/Domino so I can populate AD correctly. Of course I 
could do it manually. And Domino does support and use LDAP, but I don't have 
enough experience with Domino to build a script.



Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]


Laura A. Robinson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/26/2007 12:51 PM
Please respond to ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?

Laura



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley

Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT


Same topic, but this one is for Notes Admin/Gurus as well.

I populate the mail attribute in AD with the Notes users' primary internet 
address. Does anyone have a script or method that will allow me to publish 
in AD the same info for groups, and the other addresses for users?


Even something that can query Domino for all users and groups and return all 
addresses into a file, I can use that as a basis to update AD with proxy 
info etc.

Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

Brian Cline [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary, and there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute.  You essentially need to get all the data and then
check for the values that are prefixed with lower case smtp.

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP
itself doesn't help much.

Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner

To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else

Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-26 Thread Joe Kaplan
That's basically the same thing I was trying to get at.  I'm aware that you 
can call the Domino object model from COM.  I wrote so much LotusScript back 
in the day that I always tended to think of them as being synonymous.  :)


My overall point was that I didn't think you'd have much success with using 
ADSI and LDAP to query the Domino directory, but I'd love to see someone try 
it and prove me wrong.


I do like your idea of using COM to glue the two things together, either 
through script or some other thing that can do COM like PowerShell, VB6 or 
.NET (or C++ if you like that sort of thing).


Joe K.

- Original Message - 
From: Dave Wade [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 6:30 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



If you want to query Notes and AD in the same script you don't need to use 
LotusScript; you can use VBScript. There is a set of objects that allow 
access to Notes provided you have the Notes client installed. They are 
documented in the Notes help file. Basically they are the same as the 
interfaces LotusScript uses. I seem to recall that LotusScript is virtually 
the same as VBScript/VBA but tweaked enough so that Lotus/IBM does not have to 
pay MS a license for VBA/VBScript.


I used to have some examples to do that and if you need them I could 
probably fish them out...


Dave.



From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Fri 26/01/2007 22:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT



I'd be pretty surprised if you can get ADSI to query Domino via LDAP, as
ADSI likes to use Windows auth by default and depends on the LDAP directory
to support the LDAP V3 subschemaSubentry rootDSE attribute to express its
abstract schema in order for ADSI to map LDAP data types to COM datatypes.
It might work, but I'd be more surprised if it did than didn't.  A lower
level LDAP tool like ADFind might make more progress, though.

Having done a lot of Domino programming back in the day, my suggestion
would be to write a LotusScript program that goes against the NAB and gets
the addresses that way.  It would probably be less effort in the long run.
If I was asked to do the exact same thing, that is definitely how I'd do it.

If you do get ADSI/LDAP via VBScript to work against Domino, I'd be curious
to hear about it.  :)

Joe K.


Re: [ActiveDir] How to find non-primary SMTP addresses?

2007-01-25 Thread Joe Kaplan
In addition to what Ulf said, there also isn't any practical way to query 
for users that have secondary addresses vs. only having a primary and there 
isn't any practical way to just get the secondary addresses out of the 
proxyAddresses attribute.  You essentially need to get all the data and then 
check for the values that are prefixed with lower case smtp.


Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP 
itself doesn't help much.


Joe K.

- Original Message - 
From: Ulf B. Simon-Weidner

To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE - 
you'd either have to use LDIFDE or VBScript or anything else to view all 
values of those attributes.


Greetings - Sincerely,
Ulf B. Simon-Weidner
 Profile & Publications: 
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett

Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every 
Exchange user?  I can't seem to find a way via csvde, but maybe I'm doing 
something wrong.  Thanks again. 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
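The reason LDAP "doesn't help much" here is on the server side: proxyAddresses has a case-insensitive string syntax in AD, so a filter such as (proxyAddresses=smtp:*) matches primaries and secondaries alike, and the SMTP:/smtp: distinction only survives in the values you pull back. The block below is an added example, not code from anyone in this thread. It follows Ulf's route of an LDIFDE export (LDIFDE, unlike CSVDE, emits every value of a multi-valued attribute) and does the classification client-side in Python: it reads the LDIF, separates the single SMTP: primary from the smtp: secondaries, lists the users that have secondaries, and mirrors what the thread says ADUC does when you promote a secondary (swap the prefix case and move mail along with it). The LDIF text is a constructed sample in the shape ldifde produces; the DNs and addresses are invented.

```python
"""Classify Exchange proxyAddresses from an LDIFDE export (added example, not from the thread)."""
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape produced by
#   ldifde -f out.ldf -d "DC=example,DC=com" -r "(proxyAddresses=smtp:*)" -l mail,proxyAddresses
# DNs and addresses are invented; the "::" lines show LDIF's base64 form, which ldifde
# uses for any value it decides not to emit as plain text.
SAMPLE_LDIF = """\
dn: CN=Alice Adams,OU=Users,DC=example,DC=com
changetype: add
mail: alice@example.com
proxyAddresses: SMTP:alice@example.com
proxyAddresses: smtp:aadams@example.com
proxyAddresses: smtp:alice@legacy.example.net
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Adams;g=Alice;

dn: CN=Bob Brown,OU=Users,DC=example,DC=com
changetype: add
mail: bob@example.com
proxyAddresses: SMTP:bob@example.com

dn: CN=Carla Cech,OU=Users,DC=example,DC=com
changetype: add
mail:: Y2FybGFAZXhhbXBsZS5jb20=
proxyAddresses:: U01UUDpjYXJsYUBleGFtcGxlLmNvbQ==
proxyAddresses: smtp:carla.cech@example.com
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr:: base64' values and
    keys attributes by lower-cased name (LDAP attribute names are case-insensitive)."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # a leading space continues the previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:                  # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def classify_smtp(values: List[str]) -> Tuple[Optional[str], List[str]]:
    """Split proxyAddresses into (primary, secondaries). Exchange marks the primary with an
    upper-case 'SMTP:' prefix and secondaries with 'smtp:'; the comparison has to be
    case-sensitive, which is exactly what an AD filter on this attribute cannot be.
    Other address types (X400, X500, SIP, ...) are ignored."""
    primaries: List[str] = []
    secondaries: List[str] = []
    for value in values:
        prefix, sep, address = value.partition(":")
        if not sep or prefix.lower() != "smtp":
            continue
        (primaries if prefix == "SMTP" else secondaries).append(address)
    if len(primaries) > 1:
        raise ValueError("more than one SMTP: primary in %r" % (values,))
    return (primaries[0] if primaries else None), secondaries


def users_with_secondaries(entries: List[Entry]) -> Dict[str, List[str]]:
    """dn -> secondary addresses, only for entries that actually have some."""
    result: Dict[str, List[str]] = {}
    for entry in entries:
        _, secondaries = classify_smtp(entry.get("proxyaddresses", []))
        if secondaries:
            result[entry["dn"][0]] = secondaries
    return result


def promote_to_primary(values: List[str], new_primary: str) -> Tuple[List[str], str]:
    """Return the rewritten proxyAddresses list and the new 'mail' value, doing what the
    thread says ADUC does: the old SMTP: value becomes smtp:, the chosen smtp: value becomes
    SMTP:, and mail follows the primary. Addresses are compared case-insensitively (that is
    how AD stores and compares them) and the stored spelling is kept."""
    _, secondaries = classify_smtp(values)
    if new_primary.lower() not in (s.lower() for s in secondaries):
        raise ValueError("%s is not an existing secondary address" % new_primary)
    rewritten: List[str] = []
    mail = ""
    for value in values:
        prefix, sep, address = value.partition(":")
        if not sep or prefix.lower() != "smtp":
            rewritten.append(value)              # X400 and friends are left untouched
        elif address.lower() == new_primary.lower():
            rewritten.append("SMTP:" + address)
            mail = address
        else:
            rewritten.append("smtp:" + address)
    return rewritten, mail


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for dn, secondaries in users_with_secondaries(parsed).items():
        print(dn)
        for address in secondaries:
            print("    smtp:" + address)
    new_values, new_mail = promote_to_primary(parsed[0]["proxyaddresses"], "aadams@example.com")
    print("\nafter promotion: mail=%s\n  %s" % (new_mail, "\n  ".join(new_values)))
```

If you feed this a real export, run it against the whole domain rather than one OU: a user can hold a secondary address that belongs to a different organisation's domain, and a second object carrying the same address (in any prefix case) is the condition that classify_smtp cannot see on its own, so dedupe the addresses across all entries before writing anything back.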


Re: [ActiveDir] Who Am I request

2007-01-23 Thread Joe Kaplan

Cool, thanks Lee.  It works.  :)

Joe

- Original Message - 
From: Lee Flight [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 5:13 AM
Subject: Re: [ActiveDir] Who Am I request




Using ldp.exe;

rootDSE query for supportedExtension will give you the OID:

4 supportedExtension:
1.3.6.1.4.1.1466.20037 = ( LDAP_SERVER_START_TLS_OID );
1.3.6.1.4.1.1466.101.119.1 = ( LDAP_TTL_REFRESH_OID );
1.2.840.113556.1.4.1781 = ( LDAP_SERVER_FAST_BIND_OID );

1.3.6.1.4.1.4203.1.11.3 = ( LDAP_SERVER_WHO_AM_I_OID );


Then it's (post bind to be useful)

 Browse - Extended Op
  and paste in the OID (1.3.6.1.4.1.4203.1.11.3) with no Data value.




Lee Flight

On Mon, 22 Jan 2007, Joe Kaplan wrote:

Is there support for WhoAmI in ldp.exe?  It sounds useful and I'd like to 
try it.  :)


Joe R.: When will this be added to Adfind (or is it already)?

Joe K.

- Original Message - From: Dmitri Gavrilov 
[EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Monday, January 22, 2007 9:07 AM
Subject: RE: [ActiveDir] Who Am I request


ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support
WhoAmI extended operation per RFC. In addition, they support
rootDSE/tokenGroups attribute, which is exactly what you need to check
self group membership.

If you have pre-LH AD, then what you can do is read tokenGroups off the
user object (which you can find using %USERDOMAIN% and %USERNAME% vars
if you have an interactive session, or by looking up user SID from the
token). Note tokenGroups value can vary slightly depending on which DC
you connect to. If you want deterministic results, read
tokenGroupsGlobalAndUniversal (which excludes domain local groups).


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alexandr Kara
Sent: Monday, January 22, 2007 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who Am I request

Hello everybody,
I am trying to get the CN of a user currently connected to Active Directory
(using a 3rd party library).

I tried the Who am I? extended operation from RFC 4532, but I got an error
120 or 0x78 (I don't know if it is useful).
Do you know of another method to get the CN? I need it to find out if the user
is part of a group.

Thanks a lot,
Alexandr



Lee Flight
__
Lee Flight ([EMAIL PROTECTED]) Tel: +44 (0)116 252 2257
IT Services,
Computer Centre, University of Leicester
Leicester LE1 7RH, United Kingdom



Re: [ActiveDir] Search over SSL hangs

2007-01-23 Thread Joe Kaplan
If this can happen with any LDAP directory and not just AD, then it sounds 
like the issue is with the Oracle SSL stack.


Does the search hang permanently or just take a long time to execute? 
Sometimes an SSL operation is slowed down a lot due to client certificate 
authentication requested by the server or CRL checking.


Does Oracle give you any logs?  What SSL stack do they use?  Can this issue 
be reproduced with any other SSL stacks (Windows using ldp.exe for example)?


Joe K.

- Original Message - 
From: Mauricio de Andrade Ramos [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 4:28 AM
Subject: [ActiveDir] Search over SSL hangs



List,

Surfing Google, I realized that this is something that happens with great
frequency, and not just with the specific directory we are using (Active
Directory). Have you ever experienced performing a search against a
directory through SSL, and the search hangs?

It won't happen using an LDAP browser client (like JXplorer), but it does from a
PL/SQL procedure in Oracle. The curious thing is that when this very same
search is performed through a non-SSL connection (from the database), it
won't hang, just through SSL! I took a look at lots of messages, forums,
Oracle forums, and this issue is reported in environments with other
configurations (other directories, databases, OSes...) but a solution or
workaround, or even a pointer to where the problem is, is never
explained!

Additional info: 2 different certificates were used. Both were given by our
customer and are valid ones (tested by them and by us; we can
connect/authenticate/search through JXplorer and connect/authenticate
through Oracle).

Can you shed some light on this? Thank you all in advance. Mauricio.



Re: [ActiveDir] Who Am I request

2007-01-23 Thread Joe Kaplan
If you did a bind to the directory with that user object, then you should be 
able to do a search to find the user object you used for the bind.  This 
might only be complicated if you authenticated with a foreign domain user, 
but I doubt you are doing that.


The exact nature of the search would depend on the user name format you are 
using in the bind.  If you did a simple bind with the DN, then you already 
have the path to the user object.  :)


Joe K.

- Original Message - 
From: Alexandr Kara [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 11:26 AM
Subject: Re: [ActiveDir] Who Am I request


Hello Dmitri,
thanks for your reply. The server I connect to is pre-LH (Windows 2003 I
think), which doesn't support WhoAmI.
You suggested that I read tokenGroups, but I have no user object to read it
from. All I have is a generic connection to an LDAP server (I need to use the
OpenLDAP library for compatibility).
Can I get the user object by some other means?

Thanks a lot,
Alexandr



Re: [ActiveDir] Search over SSL hangs

2007-01-23 Thread Joe Kaplan
I know nothing about Oracle (never seen it, never touched it), so I can't 
help at all there.  However, I'd suggest going back to the vendor to help 
you troubleshoot this.  The fact that the issue seems to be restricted to 
their LDAP/SSL stack suggests that they should be able to help troubleshoot 
the problem.


Joe K.

- Original Message - 
From: Mauricio de Andrade Ramos [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 11:43 AM
Subject: Re: [ActiveDir] Search over SSL hangs



Joe, List,

Yes! It does sound like it is something with the Oracle SSL engine. I let
the process (search) run for more than 3 hours (so I think it is not
a problem of slow communication/authentication) and it never returned.
When a CTRL+C was issued to abort the procedure (which was running
from sqlplus), the error stack it returned pointed to an Oracle package
(SYS.DBMS_LDAP_API_FFI) at its last (upper) level. The PL/SQL code
follows (SECURITYSOX is our schema user and LDAP is our user
package):

##

SQL>
  1  declare
  2  X number;
  3  begin
  4  X := -1;
  5  X := LDAP.VALIDA_USUARIO_LDAP(2,'ldapuser','ldappass');
  6  dbms_output.put_line(X);
  7* end;

SQL> /
declare
*
ERROR at line 1:
ORA-01013: user requested cancel of current operation
ORA-06512: at "SYS.DBMS_LDAP_API_FFI", line 134
ORA-06512: at "SYS.DBMS_LDAP", line 253
ORA-06512: at "SECURITYSOX.LDAP", line 221
ORA-06512: at "SECURITYSOX.LDAP", line 581
ORA-06512: at "SECURITYSOX.LDAP", line 181
ORA-06512: at line 5

##

Nothing appears in Oracle's alert.log. No traces are generated in the bdump,
cdump or udump directories, as if it had nothing to do with Oracle.

The certificates used were provided by our customer and were tested by
them, and as we can init the session, open SSL support for that
session and even authenticate an LDAP user/pass, the certificates are out
of the possible causes of this issue. Even more so because, as
mentioned, we can perform a search over SSL using JXplorer and it is
almost immediate: no hangs (however small they could be), no delays,
nothing, straight to the result!

I am trying to contact our customer's LDAP admin in order to get
additional info from the server logs. As soon as I get this, I will
update the thread.

Thank you all for your help!



Re: [ActiveDir] Who Am I request

2007-01-23 Thread Joe Kaplan
I think that's fine.  Remember that AD has a global catalog, so you can 
search across the whole forest quite easily.


I'm not actually certain that you can do a simple bind with a user from a 
different domain, but maybe you can.  My multi-domain LDAP knowledge is a 
little weak since I don't actually have to deal with one on a day to day 
basis.  I do know that simple bind is only supposed to support the full 
DN (as per the LDAP spec), the UPN or the NT name.  The 
unqualified user name is only supposed to work with a Windows secure 
(GSS-SPNEGO SASL) bind.  I think it actually does work in some cases, but 
not others, so you should not use it as it is not documented to work 
correctly.


There is also a Windows RPC method called DsCrackNames that will translate 
names between different formats if you have a logon name and want something 
you can use in a DN such as the full DN, GUID or SID.  I doubt that helps if 
you are trying to use OpenLDAP though.  :)


Joe K.

- Original Message - 
From: Alexandr Kara [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 3:12 PM
Subject: Re: [ActiveDir] Who Am I request


Let's say I did a simple bind with user TestUser, but the user record is
actually located at CN=TestUserCN,OU=Users1,DC=company,DC=com and it can
(as far as I know) only be recognized by having sAMAccountName TestUser.
I could probably find the user by searching under DC=company,DC=com with the
filter (sAMAccountName=TestUser), but I think it would impose a substantial
load on the Active Directory server, because not all users are
under OU=Users,DC=company,DC=cz; some are located in other subtrees. Do you
think it would be OK to do that?

Thanks,
Alexandr

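The advice in this thread fits together as one procedure: check rootDSE/supportedExtension for the WhoAmI OID that Lee pulled out of ldp.exe, use the extended operation when the DC offers it, and on a pre-Longhorn DC fall back to Dmitri's route of reading tokenGroups (or tokenGroupsGlobalAndUniversal, for the same answer on every DC) from the bound user's own object, which you first have to locate in the way that matches the name format used in the bind, as Joe describes. The block below is an added example and is not code from anyone in the thread. The helpers above the __main__ section (filter construction with RFC 4515 escaping, SID decoding, authzId parsing) run offline; the live part uses the third-party ldap3 library, not the OpenLDAP library Alexandr is tied to, and its host name, credentials and group SID are placeholders. Two points that are mine rather than the thread's: a simple bind sends the password in the clear unless the session is LDAPS or StartTLS, so the live part insists on LDAPS; and because the bind name ends up inside a search filter, it is escaped rather than pasted in.

```python
"""Identify the bound user and its groups: WhoAmI when the DC offers it, tokenGroups otherwise.
Added example, not code from the thread. ldap3 is a third-party library used only in __main__."""
from typing import Iterable, Tuple

try:
    import ldap3                                   # pip install ldap3; needed only for the live part
except ImportError:                                # the offline helpers below do not need it
    ldap3 = None

WHO_AM_I_OID = "1.3.6.1.4.1.4203.1.11.3"          # RFC 4532, as ldp.exe lists it in the thread


def supports_who_am_i(supported_extensions: Iterable) -> bool:
    """True if rootDSE/supportedExtension advertises the WhoAmI extended operation.
    ldap3 reports OIDs it knows as tuples whose first element is the OID; plain strings also work."""
    oids = {ext[0] if isinstance(ext, (tuple, list)) else str(ext) for ext in supported_extensions}
    return WHO_AM_I_OID in oids


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a bind name cannot change the meaning of the search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def bind_name_to_filter(bind_name: str) -> str:
    """Build the filter that locates the object used in a bind, by name format: DN, UPN
    (user@domain), NT name (DOMAIN\\user) or bare logon name. The last two resolve
    sAMAccountName, which is unique only within one domain; for a user from another domain
    in the forest, run the same filter against the global catalog (port 3268)."""
    name = bind_name.strip()
    if "=" in name:                                # a DN: ask for exactly that object
        return "(distinguishedName=%s)" % escape_filter_value(name)
    if "@" in name:
        return "(&(objectClass=user)(userPrincipalName=%s))" % escape_filter_value(name)
    if "\\" in name:                               # DOMAIN\user: the domain part is not an attribute
        name = name.split("\\", 1)[1]
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(name)


def parse_authzid(authzid: str) -> Tuple[str, str]:
    """Split a WhoAmI authzId ('u:DOMAIN\\user' or 'dn:CN=...') into (kind, value)."""
    kind, sep, value = authzid.partition(":")
    if not sep or kind not in ("u", "dn"):
        raise ValueError("unexpected authzId %r" % authzid)
    return kind, value


def sid_to_string(blob: bytes) -> str:
    """Decode a binary SID (the form tokenGroups returns) into S-1-5-... notation:
    revision byte, sub-authority count byte, 6-byte big-endian identifier authority,
    then count little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = [int.from_bytes(blob[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


if __name__ == "__main__":
    # Placeholders: a real DC, the bind name in whatever format you use, and the SID of the
    # group to test (RID 512 = Domain Admins of the domain whose SID you substitute).
    HOST, BIND_NAME, PASSWORD = "dc01.example.com", "alice@example.com", "change-me"
    GROUP_SID = "S-1-5-21-0-0-0-512"
    if ldap3 is None:
        raise SystemExit("pip install ldap3 to run the live part")
    server = ldap3.Server(HOST, use_ssl=True, get_info=ldap3.DSA)    # LDAPS: a simple bind is cleartext otherwise
    conn = ldap3.Connection(server, user=BIND_NAME, password=PASSWORD, auto_bind=True)

    if supports_who_am_i(server.info.supported_extensions):
        kind, who = parse_authzid(conn.extend.standard.who_am_i())
        print("WhoAmI ->", kind, who)
    else:
        print("no WhoAmI on this DC; locating the bound object by name instead")

    base = server.info.other["defaultNamingContext"][0]
    if not conn.search(base, bind_name_to_filter(BIND_NAME), attributes=["distinguishedName"]):
        raise SystemExit("bound user object not found under " + base)
    user_dn = conn.entries[0].entry_dn
    # tokenGroups* are constructed only for a base-scope read of the object itself;
    # tokenGroupsGlobalAndUniversal leaves out domain-local groups, so every DC agrees on it.
    conn.search(user_dn, "(objectClass=*)", search_scope=ldap3.BASE,
                attributes=["tokenGroupsGlobalAndUniversal"])
    sids = [sid_to_string(raw) for raw in conn.entries[0]["tokenGroupsGlobalAndUniversal"].raw_values]
    print(user_dn, "member of", GROUP_SID, "->", GROUP_SID in sids)
```

tokenGroups is the membership the DC has already expanded, nested groups included, which is why it answers the "is this user in group X" question where a memberOf walk would not; comparing SIDs rather than names also sidesteps renamed groups.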

Re: [ActiveDir] Who Am I request

2007-01-23 Thread Joe Kaplan

Thanks for clearing that up.  I appreciate it.

Joe K.

- Original Message - 
From: Eric Fleischman [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 5:52 PM
Subject: RE: [ActiveDir] Who Am I request


You can do an x-domain simple bind within the forest. You can not do it 
x-forest.







Re: [ActiveDir] DirectoryServices vb.net is broken.

2007-01-02 Thread Joe Kaplan
It doesn't do the change tracking, except with some special case stuff in 
terms of how the new security descriptor stuff works.  However, ADSI itself 
might track that for you.  Basically, CommitChanges calls SetInfo, so if the 
underlying IADs is clever enough to not send an LDAP request if there are no 
mods, then the result is likely no network traffic.  Try it with ethereal 
and see.  :)


If I were to guess, my guess would be that if there are no modification 
operations queued up in the property cache, then no LDAP modification 
operations would be sent.


It is an interesting question and one that I never really thought much about 
before, so don't be disappointed when you don't find it discussed in ch 3 or 
6.  :)


Joe K.

- Original Message - 
From: AD [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 02, 2007 10:30 AM
Subject: RE: [ActiveDir] DirectoryServices vb.net is broken.


Thanks for the explanation Joe. I am currently on chapter three of your 
book. Can't read it fast enough.


Do you know if 'deUser.commitchanges' is smart enough not to send an update 
request to AD if the collection is not dirty?


Thanks

Y




Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-29 Thread Joe Kaplan
That is what I was thinking of.  I couldn't find where I read that and went 
from memory.  Thanks for the clarification.


Joe K.

- Original Message - 
From: steve patrick [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, December 29, 2006 6:07 PM
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation



Hi Ken

Based on your mail you seem to have the following setup:


F1                               F2
|                                |
M1--- ISA--- IIS---AppServer     UserA


UserA logs on to M1 and hits the IIS Server which needs to access 
AppServer with a proper token for UserA


In this scenario - constrained delegation will work ok.

Perhaps Joe was thinking of the docs which state you have to have the IIS 
Server and the AppServer in the same forest and domain?


steve







Re: [ActiveDir] DirectoryServices vb.net is broken.

2006-12-28 Thread Joe Kaplan

They aren't equivalent.  Try using the .Value property instead:

user.Properties("description").Value = txtBxNewDescription.Text

Description is a funny property in AD in that the schema says that it allows 
multiple values, but the DS itself will only allow it to contain a single 
value for backward compatibility with previous DS APIs.  That might be part 
of the problem here.


In any event, it is generally always good practice to use the .Value 
property to set a single value.  There is more info on this in ch 6 of our 
book (www.directoryprogramming.net).


Joe K.

- Original Message - 
From: AD [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, December 28, 2006 10:13 AM
Subject: [ActiveDir] DirectoryServices vb.net is broken.


I have a user with no description attribute.

Anyone know why this works?

User.Invoke("Put", New Object() {"description", txtBxNewDescription.Text})
User.CommitChanges()

but this doesn't

User.Properties("Description").Add(txtBxNewDescription.Text)
User.CommitChanges()

I get the following error message.

ComError {A constraint violation occurred. (Exception from HRESULT: 
0x8007202F)} System.DirectoryServices.DirectoryServicesCOMException


Thanks

Yves St-Cyr


Re: [ActiveDir] DirectoryServices vb.net is broken.

2006-12-28 Thread Joe Kaplan
I'm saying that those two are not equivalent functions under the hood.  Add 
typically does a PutEx with the append flag, while Put just does a put, 
which is essentially an LDAP update operation.  I think you would have the 
same problem if you invoked PutEx and used the Append flag.


.Value uses PutEx, but with the ADSI replace flag, which boils down to an 
LDAP update operation.


Aren't all of the layers fun?  :)

You can dig into the details a little more by using Reflector to reverse 
compile System.DirectoryServices into your language of choice.  That is how 
Ryan and I learned most of what we know.  Figuring out how ADSI calls LDAP 
is pretty hard unless you have access to the Microsoft source code.


Sorry if the example in 3.13 was at all misleading or inconsistent, but I'll 
stand by the more detailed stuff on attribute modification in Ch 6.  Thanks 
for buying it and I hope it helps more than hurts.  There is an inevitable 
amount of hair loss that must occur with any new LDAP programming project, 
but hopefully it won't require prescription drugs or surgery to replace.


Joe K.

- Original Message - 
From: AD [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, December 28, 2006 12:06 PM
Subject: RE: [ActiveDir] DirectoryServices vb.net is broken.


It worked. Thanks a million. Hopefully my hair won't take too long to grow 
back.


I bought your book last week from amazon. I'm currently reading chapter 3. 
Actually took your example code. See 3.13.vb. Isn't that funny?


I thought DirectoryServices was a wrapper to ADSI? Why do you say they are 
not equivalent?


Y





Re: [ActiveDir] DirectoryServices vb.net is broken.

2006-12-28 Thread Joe Kaplan
I'm not sure if it is a bug or not.  Generally,  I always use .Value to set 
a value and only use Add if I'm explicitly trying to add an additional value 
to a multi-valued attribute that already has values.  Same basic approach 
for Remove.  That helps keep me out of trouble.  :)


It is interesting, because there have been MANY problems with the various 
techniques used to modify the property cache in S.DS over the years.  I 
think the current design is the least problematic.  The issue really stems 
from the way S.DS tries to represent the property cache as a stateful 
collection of collections on the DirectoryEntry, but ADSI does this in a 
non-stateful way using Put and PutEx to modify.  The other issue has to do 
with the fact that each ADSI provider does stuff slightly differently under 
the hood when it talks to the actual API doing the work (LDAP for LDAP, Net* 
for WinNT, ABO for IIS provider, etc.).


The alternative is to just switch over to using 
System.DirectoryServices.Protocols.  That basically talks directly to LDAP 
via wldap32.dll (like the www.joeware.net tools do, but going through .NET 
first).  However, you tend to have to write more code to do the same thing 
and learn a lot more about LDAP that you might want to, so it is a two-edged 
sword.  The most difficult things are learning how to use the advanced LDAP 
controls to do things like paged searches and security descriptor 
read/modify operations.  ADSI tries to make that stuff easy for you.


Note also that there is nothing really new and exciting in DS programming in 
.NET 3.0.  The next wave of stuff for DS will be in the next .NET rev that 
ships with the next Visual Studio.  .NET 3.0 is actually the .NET 2.0 
runtime with additional assemblies that support WCF, WPF, WWF and CardSpace. 
Many of the assemblies are unchanged and actually run straight from the .NET 
2.0 install directory.  The good news is that our book is not out of date 
for at least another year.  :)


The next version is supposed to have strongly typed support for users and 
groups, kind of like S.DS.ActiveDirectory adds strongly typed support for 
concepts like Forests, Domains, Trusts, Schema, Replication etc.


There are a few minor tweaks to ADSI in Windows Vista (remember that ADSI 
comes with Windows, so it is on a different release cycle than S.DS, which 
comes with .NET and usually cycles with Visual Studio but sometimes cycles 
with Windows).  However, these are pretty low key.


Joe K.

- Original Message - 
From: AD [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, December 28, 2006 1:40 PM
Subject: RE: [ActiveDir] DirectoryServices vb.net is broken.


One last comment Joe,

Do you think that is a bug with DSS? That now means depending on the 
attribute, you have to use a different method? Kinda makes it complicated, 
don't you think?


Now I have to hard code attribute names in my program.

if attribute=description do this
else
do it this way.

That sucks Microsoft.

Y



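As an added example (mine, not code from the thread or from the book), here is the approach above written out in VB.NET against System.DirectoryServices, covering both the .Value/Add/Remove practice described in this message and the PutEx control codes mentioned two messages up; the LDAP path, the attribute values and the assumption that System.DirectoryServices.dll is referenced are mine.

```vbnet
Imports System
Imports System.DirectoryServices

Module AttributeModification

    ' ADSI PutEx control codes (ADS_PROPERTY_OPERATION_ENUM in iads.h).
    Private Const ADS_PROPERTY_CLEAR As Integer = 1
    Private Const ADS_PROPERTY_UPDATE As Integer = 2   ' LDAP replace
    Private Const ADS_PROPERTY_APPEND As Integer = 3   ' LDAP add (what .Add uses)
    Private Const ADS_PROPERTY_DELETE As Integer = 4   ' LDAP delete (what .Remove uses)

    ' Set or overwrite a single value. .Value goes out as an LDAP replace, so it
    ' is safe for attributes such as description that the DS keeps single-valued
    ' even though the schema marks them multi-valued.
    Sub SetSingleValue(ByVal entry As DirectoryEntry, ByVal attribute As String, ByVal value As String)
        If String.IsNullOrEmpty(value) Then
            entry.Properties(attribute).Clear()   ' AD rejects zero-length strings; clear instead
        Else
            entry.Properties(attribute).Value = value
        End If
    End Sub

    ' Append one value to an attribute that really is multi-valued and may already
    ' hold values. This is the LDAP add that raised the constraint violation on
    ' description in the thread, so never use it for single-valued attributes.
    Sub AppendValue(ByVal entry As DirectoryEntry, ByVal attribute As String, ByVal value As String)
        Dim values As PropertyValueCollection = entry.Properties(attribute)
        If values.Contains(value) Then Exit Sub   ' adding a duplicate value is a constraint violation too
        values.Add(value)
    End Sub

    ' Remove one value from a multi-valued attribute.
    Sub RemoveValue(ByVal entry As DirectoryEntry, ByVal attribute As String, ByVal value As String)
        Dim values As PropertyValueCollection = entry.Properties(attribute)
        If values.Contains(value) Then values.Remove(value)
    End Sub

    ' The same replace issued directly through IADs.PutEx, which is the ADSI
    ' layer S.DS hides behind .Value. Shown only to make the layering visible.
    Sub ReplaceViaPutEx(ByVal entry As DirectoryEntry, ByVal attribute As String, ByVal values() As Object)
        entry.Invoke("PutEx", New Object() {ADS_PROPERTY_UPDATE, attribute, values})
        entry.CommitChanges()
    End Sub

    Sub Main()
        ' Constructed example: the path and the values are placeholders.
        Using user As New DirectoryEntry("LDAP://CN=Test User,OU=Users,DC=example,DC=com")
            SetSingleValue(user, "description", "Set via .Value (LDAP replace)")
            AppendValue(user, "otherTelephone", "+1 555 0100")   ' genuinely multi-valued
            user.CommitChanges()
            ReplaceViaPutEx(user, "description", New Object() {"Set via PutEx (LDAP replace)"})
        End Using
    End Sub

End Module
```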

Re: [ActiveDir] Mapping Groups within AD

2006-12-24 Thread Joe Kaplan
I'm of the opinion that Ryan and I have written a very good book on LDAP 
programming in .NET.  You can find more info here, including free code 
samples and a free sample chapter in PDF, at www.directoryprogramming.net.


Ryan wrote a bunch of pretty useful stuff for expanding group membership in 
ch 11 and has followed up with a few additions on his blog showing other 
techniques.


I can't help with the Visio stuff, but if you can find some samples that 
show how to plug data into the model to produce diagrams, it shouldn't be 
too hard to put it all together.


Best of luck,

Joe K.

- Original Message - 
From: Cothern, Jeffrey D Mr CTR USSOCOM HQ [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Saturday, December 23, 2006 12:12 PM
Subject: [ActiveDir] Mapping Groups within AD


Does anyone know a good location to find visual studio coders that have
worked with both AD and Visio?

I found some resources at Microsoft

Generating Active Directory Diagrams with Visio 2003 and Visual Studio
.NET 2003
http://msdn2.microsoft.com/en-us/library/aa662190(office.11).aspx

The problem being they show you how to search for users in a certain OU
that match a job title and department.  Doesn't quite get what I want.

I need to create a nice Visio drawing that shows the respective groups
and groups that group is a member of and any groups that are a member of
that group. I would really hate to do the 400 or so groups by hand,
especially when it needs updating down the road because of changes.

i.e.

DL-FinanceCompany ALL
    |
    GL-Finance
        |
        GL-Finance Managers


I have looked at NetDOC AD  http://www.dataassist.de/en/index.php?id=84
and while it might do some of it, it doesn't recursively look up the
line to see what the groups might be members of.




Re: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Joe Kaplan
This is definitely something I've written a few times.  I actually don't 
have a stand alone ASP.NET page that does this, as I tend to write ASP.NET 
apps that are a bit more architected and have stuff implemented in 
different layers to help facilitate reuse and testability, so the actual LDAP 
code would be in a different DLL and the page would be a very thin facade.


However, the complete code samples from our book would make a nice foundation 
for building a page to do this.  We also cover the reasons why ADSI 
SetPassword and ChangePassword can be so tricky to deal with in our book in 
ch 10 (which is a free download from www.directoryprogramming.net).  We also 
have a pure LDAP approach in our book that successfully avoids most of 
these problems, but it requires .NET 2.0 (hopefully not a big issue for most 
people these days).


I agree that buying a program to do this seems a little crazy to me, but I'm 
also a good developer, so a lot of things that seem easy to me might not be 
easy to other people.


Joe K.

- Original Message - 
From: joe

To: ActiveDir@mail.activedir.org
Sent: Friday, December 22, 2006 11:34 AM
Subject: RE: [ActiveDir] Delegate Password Resets


Good ol .NET. :)

Honestly you can probably throw a pretty simple ASP.NET app together to do 
this. Doubt there is a reason to buy anything and then when it dorks up you 
can fix on your own. JoeK probably has this code on a web site somewhere.


--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.

Sent: Friday, December 22, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets


We use a product called rDirectory and the Reset Password function has 
suddenly sporadically stopped working throwing what appear to be .net 
errors.





From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN

Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing 
our user accounts to provide a granular delegation of rights so the members 
of this security group can go into ADUC and unlock user accounts or 
reset/change passwords only.  I modified various read/write property rights 
as well as reset password and change password rights.


Besides modifying ACLs, what other methods of delegating password reset 
functions were you referring to?





From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets
I wanted to find out from all of you what ways you have delegated password 
reset functions to your helpdesks.  We have a product that does this but it 
is continually having problems and want to know if there are any other ways.


Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681
cell 917.455.0110
[EMAIL PROTECTED]




Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-19 Thread Joe Kaplan
My understanding is that you can get the actual protocol transition logon to 
work, but you cannot use delegation (which is what you really need) because 
PT is tied to constrained delegation and it only works in a single domain, 
not even in multiple domains in a forest.  Your understanding is basically 
correct.


This is a documented limitation and not something I've played with 
personally, so I'm not sure if there is more to it than that.


I honestly don't know if this can be made to work with unconstrained 
delegation/kerb auth in IIS, as I've never tried that either.  However, 
giving out unconstrained delegation privileges is a bit icky.


This may be one of those situations where it is easier to just pass the 
plaintext credentials around between the tiers using basic auth/SSL and 
such.


Joe

- Original Message - 
From: Ken Schaefer

To: ActiveDir@mail.activedir.org
Sent: Tuesday, December 19, 2006 5:29 PM
Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation


Hi Steve,

Can you elaborate on this? I'm familiar with what S4U2self is for, but not 
sure how to tell whether I would need it or not. Are you saying below that 
protocol transition can be used cross-forest? I thought protocol transition 
was tied to constrained delegation (in a user/computer account's properties, 
on the delegation tab there is an option that says any protocol, but that's 
only available in the section for constrained delegation. If that's the 
case, then how can protocol transition work cross-forest?


Cheers
Ken

--
My Blog: www.adOpenStatic.com/cs/blogs/ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 20 December 2006 12:37 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Cc: Ken Schaefer
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation

If I understand your scenario correctly 

In order for S4U2self ( protocol transition ) to work in this scenario you 
will need a 2 way forest trust.

If you do not need S4U2self you can get by with the one way trust.

steve
-- Original message -- 
From: Ken Schaefer [EMAIL PROTECTED]



Hi all,

I am looking at a slightly tricky situation, at least for me - I'm sure you
guys would find this a walk in the park :-)

I have a situation where there are two forests (2003 Forest Functional
Level). Each contains a single domain. One domain is a resource domain
(DomainB), and the other contains the user accounts (DomainA). There is a
one-way forest trust, such that the resource forest/ domain trust the user
forest (and domain).

The situation I have is as follows:

Client --- ISA Server 2006 --- Web Server --- App Server

The user that is logged on to the client is from DomainA. All the servers
belong to DomainB. The user's credentials need to be passed from the web
server back to the app server. So I could use Basic Authentication all the
way through. Or I can try to use Kerberos  delegation.

Now, ISA Server can use protocol transition, so that Client --- ISA Server
can be something other than Kerberos (e.g. forms authentication), however
Protocol Transition then requires the use of constrained delegation. Am I
right in thinking that constrained delegation is limited to accounts in the
same domain? If so, then the fact that the user is in a different domain to
the ISA Server will cause this to fail.

On the other hand, if I didn't use constrained delegation, just regular
delegation (and no protocol transition), does that work across Forests
though? I have read conflicting reports on this. I'm having some difficulty
getting it working, so either the answer is no, or my skills aren't up to
the task (probably the latter, in combination with the former).

Cheers
Ken

--
My Blog: www.adOpenStatic.com/cs/blogs/ken 




Re: [ActiveDir] Child domain for external SharePoint users

2006-11-30 Thread Joe Kaplan

This is also a good application for federation (ADFS).  It gives you
the flexibility of provisioning your dealer accounts in ADAM instead
of AD (which can give you a lot more flexibility in terms of how to
allocate hardware) and can give you the ability to allow the dealers
to log on with their own accounts if they can create a federation
server on their end to provide access to their own domain resources.
This may or may not be possible/desirable, but in many cases it is
because you don't have to provision and manage their identities.

Unfortunately, this is much more complex to implement though.


From a security perspective, though, Brian is right.  If you just want

to do this with AD and trusts, you should do a separate forest and do
a forest trust.  Otherwise, you aren't buying much in terms of real
security.  You might as well just put the accounts in a separate OU.

Joe K.

On 11/30/06, Group, Russ [EMAIL PROTECTED] wrote:



Hi all

We are in the process of creating a SharePoint site that external users
(dealers) can access to obtain shipping information.  I have the SharePoint
server in my LAN with a reverse proxy appliance in the DMZ that the dealers
will use to access the SharePoint server.

The discussion came up about using a child domain for these dealers to
authenticate to the SharePoint server.  Is this an accepted practice (create
a child domain for the external users)?  How safe is this compared to
creating a separate OU for the dealer in the parent domain?

Thank you

Russ



Re: [ActiveDir] Scaling up with AD or ADAM?

2006-11-24 Thread Joe Kaplan
I personally don't have any experience with ADAM at big scale, but I've 
heard of some really large deployments.  Eric might be able to share some 
stories.  I wouldn't be concerned about the underlying technology, as it is 
all based on the AD core and is quite solid and mature.


I have no experience on IBM TAM, but I'd hope it can integrate with normal 
LDAP stores.  As such, I think it should work.  There probably won't be any 
support in the product for ADAM/AD features like fast concurrent binding 
that might help improve your auth performance, but that might not be a huge 
deal.  I don't think ADFS uses that either.  :)


Joe K.

- Original Message - 
From: [EMAIL PROTECTED] [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, November 23, 2006 10:24 PM
Subject: Re: [ActiveDir] Scaling up with AD or ADAM?



Thanks, Joe.

I'll look up Eric's blog for metrics and such ASAP.  :-)

I was thinking ADAM was the likely choice - just wasn't sure how much
production experience folks had with it (it's still new-ish), or quite
how to size it.

Re federation - that looks like a subsequent phase, and ADFS definitely
came to mind.  This customer has some IBM TAM kicking around, so that's
another choice.  Later, in either case.

Migrating users from the live directory to the archival is no big deal
-- the reason we're engaged is to put our provisioning and password
management technology in.

BTW - anyone here integrated TAM (Tivoli Access Manager -- IBM's WebSSO)
with ADAM?  Any pointers or horror stories we should know about?

Cheers,

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com


Visit M-Tech at the Gartner Identity and Access Management Summit:
  http://www.gartner.com/2_events/conferences/iam1_section.jsp
  November 29 -- December 1; Las Vegas; Booth D.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Visit M-Tech at the FinSec trade show:
  http://www.misti.com/default.asp?Page=65Return=70ProductID=5305
  December 4 -- 5; New York



 The information in this email is confidential and may be legally
 privileged.  It is intended solely for the addressee.  Access to this
 email by anyone else is unauthorized.  If you are not the intended
 recipient, any disclosure, copying, distribution or any action taken or
 omitted to be taken in reliance on it, is prohibited and may be unlawful.



Re: [ActiveDir] Scaling up with AD or ADAM?

2006-11-23 Thread Joe Kaplan
That's a classic scenario for ADAM.  I wouldn't use AD for that as you just 
need bind auth for users of a web app.  AD actually gives you a ton of stuff 
you don't need and some additional complexity.  ADAM scales the same as AD, 
so there is no advantage from a scale point of view to use AD.


I'm not sure how you would achieve the goal of the archival users in a 
separate directory as I don't know how you'll be able to migrate the 
password data in ADAM to another ADAM store.  There might be a way, but I'm 
just not sure.


I'd suggest reading up on Eric Fleischman's blog to find out some 
interesting stuff on ADAM perf and scale.  The bottom line is that as long 
as you have the disk and the CPU to handle the data store, you shouldn't 
have any problem with an ADAM instance that size.  You are many orders of 
magnitude away from the actual limits in the system.


As I am now a huge fan of federation technologies, I feel I would be remiss 
if I didn't suggest the possibility of adding that into the mix with ADFS. 
It can make a nice wrapper around your ADAM instance to serve as an account 
store and having federation capability gives you an easy way to link in 
identities from within the enterprise and also to directly use the 
identities of your business partners without having to maintain them in your 
own store.  The identity lifecycle management costs of 2M+ users is not 
insignificant and users would generally rather not have to get a new account 
in your system to use it if they can avoid it.  Just a thought... :)


Joe K.

- Original Message - 
From: [EMAIL PROTECTED] [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, November 23, 2006 2:54 PM
Subject: [ActiveDir] Scaling up with AD or ADAM?



Hi guys,

We're helping a customer design a large new directory, to use with an 
Extranet environment.  We see this thing scaling up to about 2 million 
active users, and up to about 10 million archival users (who no longer log 
in, but for various business reasons need to be kept around).


The active users are likely to log in every few days, and will be 
distributed around the globe.


Logins will be LDAP binds from web apps -- no file/print/etc. in scope.

Has anyone built an AD environment to this scale?

We're thinking separate directories BTW - a live one for the 2M users,
and an archive one for the 10M historical records.

Would you recommend ADAM?  With how many DCs if so?  (the web apps would
likely be hosted at a single site).

Perhaps full-fledged AD?  How many DCs?

Thanks!

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com




On Thu, 23 Nov 2006, Lee Flight wrote:



Hi

I think the problem is with

But the user installing the ADAM instance is already member
 of administrators.

The ADAM answer file reader does not seem to check that; if it
sees the Administrator parameter in the answer file it assumes that
the user running the install is not an ADAM administrator and as
this is a unique instance installing the LDIFs will not be possible
due to lack of permissions to modify the local schema.
It might be possible to circumvent this using an explicit SourceUsername
and SourcePassword in the answer file, but I think your workaround is 
more secure.


Lee Flight

On Thu, 23 Nov 2006 [EMAIL PROTECTED] wrote:



Hi

I am trying to install ADAM unattended to be used for publishing Oracle 
DB's.


I would like to grant administrators from the local computer as ADAM 
administrator and I would like

to import some of the accompanying LDF files.

; Specifies the Administrators within the AD\AM instance.
Administrator=MYCOMPUTER\Administrators

; The following line specifies the .ldf files to import into the ADAM 
schema.

ImportLDIFFiles=MS-InetOrgPerson.ldf MS-User.ldf

However the install fails when I specify both options. The error 
message is that the user has to
be an administrator to import .ldf files. But the user installing the ADAM 
instance is already 

Re: [ActiveDir] VB2005 copy dir using AD credentials

2006-11-17 Thread Joe Kaplan
I'm not sure why on earth you would ask that question here, but I suppose 
I'm only encouraging you by answering.


Basically, the file system remote stuff doesn't let you easily supply 
alternate credentials.  You need to impersonate the alternate user and 
perform the operation as that user.  It isn't like with ADSI/S.DS where you can just 
supply alternate credentials and it just works.


There is a nice sample in the .NET SDK docs for WindowsImpersonationContext 
that shows how to call the LogonUser API to obtain a logon token with a 
user's credentials and then impersonate that token to perform an operation.


I hope that helps.

Joe K.

- Original Message - 
From: Steven Wood

To: ActiveDir@mail.activedir.org
Sent: Friday, November 17, 2006 11:03 AM
Subject: [ActiveDir] VB2005 copy dir using AD credentials


Hi All,

I'm writing a VB2005 program, the problem I have is that the program will 
copy a directory to a network location but I need to supply AD credentials 
as the user running the program doesn't have permission to the network 
location. Does anyone have any ideas of how I can do this or point me in the 
direction of a blog/site with examples etc?


Many thanks
Steven

My.Computer.FileSystem.CopyDirectory("C:\SpeedyScan\ScanningTemp\", copyPath)


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


Re: [ActiveDir] orgfinder

2006-10-18 Thread Joe Kaplan
SharePoint is typically set to impersonate the logged on user, so you would 
normally be binding to AD as the browser user, not the network service 
(machine) account.  It is possible that they disable impersonation, but that 
is unlikely.


If you are impersonating and are using IWA auth, you need to get Kerberos 
delegation working.  This may be hard in SharePoint as some versions 
actually disable Kerberos auth in the metabase during install.


If the web part actually uses the trusted subsystem design and relies on the 
identity of the worker process to make the changes, then you would need to 
either change the app pool identity to a privileged user or allow the 
machine account to have those privileges.  However, this scenario seems 
unlikely to me.  You need to find out for sure before you can find out how 
to proceed though.


Joe K.

- Original Message - 
From: Ramon Linan

To: ActiveDir@mail.activedir.org
Sent: Wednesday, October 18, 2006 10:27 AM
Subject: [ActiveDir] orgfinder


Hi,

I was working on a webpart for SharePoint to allow users to keep their info 
in AD up to date, and I just found out that there is already a free one.


www.orgfinder.com

They have an asp application and a webpart.

The application is working fine but the webpart is not working.
The app pool identity for the asp application is a user that I have created; 
as I said, this is working great.
But SharePoint is using a different app pool with the identity Network 
Service, and of course that does not have rights to update AD info.


What would be the best way to fix this? Changing the identity in the 
SharePoint app pool requires several steps because it will break the connection 
to the content and configuration DB.


Is there another way? Does anyone know if it is possible to use another app 
pool for just one webpart... I doubt it, but I thought it would be worth asking.



Thanks 




Re: [ActiveDir] WinNT ADSI provider

2006-10-17 Thread Joe Kaplan
One thing to keep in mind is that ADSI is not good for authentication in 
general as it has scalability issues.  If the application must support many 
simultaneous users, it will likely blow up.  I've seen this happen many 
times.  If one must use LDAP auth, it is better to do it directly against 
the LDAP API, as you can manage the connection that way and won't run out of 
wildcard ports.  Unfortunately, VB6 doesn't have a good LDAP API wrapper 
that I know of (except ADSI, which is the problem in this case).


I think the WinNT provider is a bad idea, as it is notorious for having 
problems when using OpenDSObject with credentials in general.  I wouldn't do 
it.


FWIW, System.DirectoryServices in .NET is just an ADSI wrapper and has the 
exact same problem.


If they can't use integrated auth (or Basic/SSL for that matter) and you 
must do forms auth in code, calling the LogonUser API is the best way to go. 
This may be possible in VB6 (haven't tried; cake in C++ or .NET) and will 
work fine as long as the web server is a domain member.


I dislike vendor apps that require logon security but don't provide a nice 
pluggable model to insert different mechanisms into the pipeline.  It is 
such a common thing to have to do, and not having this nicely abstracted so 
they can be flexible in their clients' environments is silly.  Soapbox off. 
:)


Joe K.


- Original Message - 
From: Isenhour, Joseph [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 17, 2006 6:40 PM
Subject: RE: [ActiveDir] WinNT ADSI provider


Oh ya, duh.  Good point.

Do you think that one is better than the other?  I agree they are both
bad options.  The app runs on IIS so using integrated auth would be
so easy; however, it requires more code changes on their end and they
are trying to get this done for regulatory compliance reasons.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 17, 2006 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

You don't have to do an LDAP query first.  You can bind in LDAP with
domain\user, UPN, or DN and just ask for a well known object, say the
domain head or config head, etc.

I still think either one is a poor authentication mechanism though.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Tuesday, October 17, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

Not having to do an LDAP query prior to connecting to the user.  So they
will not have to store a lookup account and baseDN type info.  I think
that adding the LDAP features is pretty simple, but I don't want to make
them do it if it's not necessary.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 17, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinNT ADSI provider

What simplicity will this offer?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, October 17, 2006 4:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WinNT ADSI provider

I have a customer who wants to write their authentication DLL using the
WinNT ADSI provider instead of the LDAP provider for simplicity.  Does
anyone know if there will be any supportability issues with this option
going forward?  Is Longhorn going to support it?

BTW, the app is written in vb6 so System.DirectoryServices is out.

Thanks





Re: [ActiveDir] Attribute for Name Component of userPrincipalName?

2006-10-12 Thread Joe Kaplan
There is an API that converts UPN to DN (DsCrackNames, also wrapped by 
IADsNameTranslate in ADSI).  I'm not sure if that helps or not.  Like Laura 
said, you do need to look something up though.


Joe K.

- Original Message - 
From: Laura A. Robinson [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, October 12, 2006 5:30 PM
Subject: RE: [ActiveDir] Attribute for Name Component of userPrincipalName?



There's a problem with this idea: the UPN (or, more specifically, the
portion before the @) does not necessarily match the CN component of a DN,
so there would be no reliability in your approach.

Why are you unable to retrieve DNs?

Laura


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Michael B Allen
Sent: Thursday, October 12, 2006 6:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Attribute for Name Component of
userPrincipalName?

Does anyone know of an object class that defines an attribute
like userPrincipalName but just the name component and not the realm?

For example, if an object had a userPrincipalName of
'[EMAIL PROTECTED]' the desired attribute would be
guaranteed to be 'Managers'.

I'm caching group objectSids in a temporary in-memory DIT.
The entries need unique DNs but I don't know the real DNs.
All I have is the userPrincipalName so I was thinking I could
just derive a DN from the userPrincipalName like:

  [EMAIL PROTECTED] - FOO=Managers,DC=example,DC=com

Right now it doesn't really matter if this is truly
conformant or not, I'm just thinking about forward compatibility.

Thanks,
Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] Reading Security Descriptors

2006-10-12 Thread Joe Kaplan

Hi Felderi,

First, thanks for buying our book!  I'm not sure if you knew, but we have a 
website for the book, www.directoryprogramming.net, where Ryan and I host a 
support forum for questions just like this.  However, I'm happy to try to 
answer your question here.


Did you check out sample 8.4?  The whole point of that sample was to provide 
a method for converting back and forth between schemaIDGUID for property 
sets and their friendly names (it can also translate control access rights). 
I think that is exactly what you are looking for.


Joe K.

- Original Message - 
From: Santiago, Felderi (F.)

To: ActiveDir@mail.activedir.org
Sent: Thursday, October 12, 2006 5:30 PM
Subject: [ActiveDir] Reading Security Descriptors




Hello,
I am trying to list all the ACEs for a particular object in Active 
Directory.  To help me do this (since I am a bit of a newbie to Directory 
programming), I am reading the book The .NET Developer's Guide to Directory 
Services Programming.
I took the program on page 302 and ran it against the object I want to print 
the ACEs for (I have attached the program).  Running the program gives me a 
result of:

=ACE=
   Identity:  Domain\Computer$
   AccessControlType: Allow
   ActiveDirectoryRights:  WriteProperty
   InheritanceType:   None
   ObjectType:   bh967953-0dd6-11e0-a285-00aa003049e2
   InheritedObjectType:  null
   ObjectFlags:  ObjectAceTypePresent
This is great, but I would like to get the specific property this ACE was 
set for.  For example, if I give an object an Allow Write to displayName with 
ADUC or ADSI, I would like to get a print out of the specific property so 
that I can write a program to set these ACEs on specific properties moving 
forward.
I was looking at the PropertyAccessRule ACE wrapper class and that looks 
like it has what I need, however, I can't seem to find a way to tie this in 
with the program listed on Page 302 of the book (mainly how I can tie this 
with the list of AccessRules I get back from the Security Descriptor)
Any suggestions as to what I could do to list the specific property the ACE 
is being applied to?
Just to be clear, I want to list the specific property of the ACE so I 
can very easily apply them to other objects in the future.  Once I list the 
PropertyAccessRule, I can then use the PropertySetAccessRule to apply the 
AccessRule to future objects.

Any help would be greatly appreciated.
Thanks,
Felderi Santiago







Re: [ActiveDir] Attribute for Name Component of userPrincipalName?

2006-10-12 Thread Joe Kaplan
UPN is arbitrary, so you can't assume the alias part will be the same as 
sAMAccountName (although we do that in our org by convention).  There is no 
such attribute representing what you want.


Joe K.

- Original Message - 
From: Michael B Allen [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Sent: Thursday, October 12, 2006 7:31 PM
Subject: Re: [ActiveDir] Attribute for Name Component of userPrincipalName?




The entries would be under a domain container and therefore they are
unique. The organisation might look like the following:

DC=example,DC=com
   CN=Supplemental,DC=example,DC=com
   FOO=Managers,CN=Supplemental,DC=example,DC=com
   objectClass=group
   objectSid=binarysid
   [EMAIL PROTECTED]

where FOO is some attribute that means "the name component of the UPN". Is
there such an attribute? Is 'uid' guaranteed to be the name component of
a user's UPN?

For now I'm using sAMAccountName
(e.g. sAMAccountName=Managers,CN=Supplemental,DC=example,DC=com) but this
is not optimal since sAMAccountName may not match the name component of
the UPN and it is yearning to be deprecated.

If you want to look up the real DNs, you can obviously do so with the full
UPN. Just do a GC query of [EMAIL PROTECTED]


The whole point is to provide a cache of group sids so any querying
would defeat the purpose.

Mike

PS: Any confusion over this post is no doubt attributed to the fact that
I'm not actually using a real LDAP store for anything described here. I
have written an LDAP C API wrapper that can operate on data structures
in memory. Meaning I have written a very simple LDAP server.

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] OT: WSS and AD. WebPart user information

2006-10-11 Thread Joe Kaplan

The actual code for programming AD in .NET is pretty similar to ADSI
(since it uses ADSI under the hood).  There is a more powerful,
strongly typed search interface called the DirectorySearcher that is
actually much more powerful and easier to use than ADO for searching.
All in all, it really isn't that hard.

The difficult part is the security aspects of connecting to the
directory.  There really aren't any shortcuts here, and most of the
same issues would exist in an ASP page (you actually have fewer
choices in ASP, but the same basic problems).  Once you decide if you
want trusted subsystem or delegated model for authentication, the rest
falls into place.

The other issue is that you'll likely spend more time on the HTML/UI
aspects of the control than you will on the LDAP parts.  That's the
way it always seems to work out.  :)

Joe K.

On 10/11/06, Ramon Linan [EMAIL PROTECTED] wrote:

Frustrating! :) Sounds very hard to do for a .NET newbie like me. I
have worked with Zope and Plone before and everything is much easier...
Unluckily, we can't use Plone or other CMS I am more familiar with, and I
need to create this tool, webpart or whatever so the users can update
their contact info.

I have done a few scripts in asp to display information from AD even to
change information in AD, my problem is how to do that inside
SharePoint, unless I can create an external page to do this and have a
link in the SharePoint site...

Anyway, thanks for the info, I will get your book to see if I can figure
things out.

Thanks




Re: [ActiveDir] OT: WSS and AD. WebPart user information. How to configure IIS so my asp script can change user's attr in AD

2006-10-11 Thread Joe Kaplan
See, I told you the security was the hard part.  :) This is no different in 
.NET.


Like I said, the first thing to decide is whether you want to use trusted 
subsystem or delegation as your security architecture.  That will determine 
the settings to use and any additional configuration.


Remember that in ASP, impersonation is ALWAYS on (you can't disable it like 
you can in .NET), so your code will not execute with the permissions of the 
process account, only the authenticated user.


The authenticated user will either be the anonymous IIS user (if you have 
anonymous checked) or the browser user if you are using IWA or Basic.  By 
default, the anonymous user is a local machine account, so you can't use 
that to access AD.  You'd need to change that to a service account.  That 
would give you a trusted subsystem.


Another way to create a trusted subsystem is to just pass in plaintext 
credentials to ADSI (using OpenDSObject and the equivalent in ADO).  This 
allows you to avoid dealing with this from the Windows security perspective.


If you want to use the authenticated user's credentials and use IWA, you 
must get Kerberos delegation working like Tomasz said.  This is fun.  :)


Joe K.

- Original Message - 
From: Tomasz Onyszko [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, October 11, 2006 4:19 PM
Subject: Re: [ActiveDir] OT: WSS and AD. WebPart user information. How to 
configure IIS so my asp script can change user's attr in AD




Ramon Linan wrote:

I decided to go with asp; I excluded a path from SharePoint and use asp,
that will make things easier at first.

Now the problem that I am having is, how do I configure IIS so the
authenticated users can see/modify some of their attributes in AD?

If I use the default AD IUSR for that server (IUSR_servername, in the
directory security under anonymous access), that user can't change things
in AD, but I can't use an administrator account either for security
reasons... so how should I configure IIS so it lets them query and change
users' attributes in AD?


You have two options:
1. Configure the IIS application pool with an account which will have rights to 
modify attributes in AD


2. Use Kerberos delegation to impersonate user and make changes in 
security context of user who is logged on to web page

http://support.microsoft.com/kb/810572/


ad.1. The problem is that you have to put some control mechanisms in place 
on the web page to protect users from changing other users' details etc., as in 
this model your application pool account is capable of making changes to 
objects and attributes. This is controlled via ACLs on the directory object.


ad.2. In this case you are using the user's context to access the DS and to make 
changes to attributes which the user has the right to access. With Windows 2003 
you can use constrained Kerberos delegation. When you will use delegation, 
just remember that sensitive accounts (like Ent. Admins, Domain Admins) 
should not be allowed to be delegated (this is an option on the AD account).


--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


Re: [ActiveDir] OT: WSS and AD. WebPart user information

2006-10-10 Thread Joe Kaplan
Ryan and I wrote a whole book that is essentially all about how you might 
write such a thing (www.directoryprogramming.net), but we don't have any 
pre-baked web parts in the samples.  All the code is lower level than that.


We also have such a thing that we use internally (actually a server control, 
not a full web part) that uses Ajax and a popup query form to implement an 
AD picker.  Unfortunately, I can't share it outside the company.


The key to something like this is deciding how you want the security model 
to work.  You can basically either use the trusted subsystem design (use a 
service account to query AD) or use the delegated model (flow the 
authenticated user's security context through to AD).  Since SharePoint uses 
impersonation by default, the delegated model is what you'll get unless you 
change something to implement the trusted subsystem model.


Delegation is hard to get working, as it requires implementing Kerberos 
delegation, one of the black arts of Windows AD configuration stuff. 
SharePoint tends to fight delegation as well, as versions before SP2 
actually disable Kerberos authentication in the IIS metabase when it is 
installed.  You have to undo that or get protocol transition working.  It 
can be icky.  :)


Joe K.

- Original Message - 
From: Ramon Linan

To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 10, 2006 2:30 PM
Subject: [ActiveDir] OT: WSS and AD. WebPart user information


Hi everyone,

Does anyone know of a web part for Windows SharePoint Services 2 or 3 to 
grab information from AD users?


I want to create a web part that will allow the user to update their contact 
information and update AD at the same time.



Thanks

Rezuma 




Re: [ActiveDir] OT: TechED 2007 New Orleans Cancelled ???

2006-10-09 Thread Joe Kaplan

It is a shame.  The city really needs the business.  I've been back 3
times now since the storm and things have definitely gotten better,
but it still has a long way to go.

Most of the US has kind of forgotten about it by now, so I'm guessing
that many TechEd visitors would be shocked at how messed up things
still are down there, even almost 2 years later (which is when TechEd
would have been).  Of course, most people won't be down in the 9th
ward or Chalmette during TechEd, so you wouldn't see the worst of it,
but it is still pretty stunning.

The NO airport definitely has a very sleepy feel compared to years
past, and it was never like going through O'Hare in the first place.

Joe K.

On 10/9/06, Brian Puhl [EMAIL PROTECTED] wrote:

I checked with some folks internally, and they confirmed that yes, this is 
unfortunately true.

There are numerous discussions going on, and the recommendation is that you 
should watch http://microsoft.com/teched over the next week or two for updates 
and information.

Brian Puhl
Microsoft IT




Re: [ActiveDir] Using an LDIF to set ACLs

2006-10-06 Thread Joe Kaplan
I'd love to see something like that as a constructed read/write attribute if 
it could ever be made to happen.  You could also blow apart the fields in 
the SD into separate attributes to make the semantics more clear.


Joe

- Original Message - 
From: Dmitri Gavrilov

To: ActiveDir@mail.activedir.org
Sent: Friday, October 06, 2006 6:40 PM
Subject: RE: [ActiveDir] Using an LDIF to set ACLs


Yeah, Joe's correct, dsacls or scripting is your best bet. SDDL+encoding is 
also possible, but it would replace the whole SD value, which is rarely what 
you really want. Usually you just need to add or remove an ACE, right? This 
would require reading the old value, which is not possible with LDIF.


At some point, I looked at trying to expose the SD value as a multi-valued 
string attribute, each value representing an individual ACE (e.g. in SDDL). 
This is approximately what iPlanet and OpenLdap do. Unfortunately, it never 
went further than that. Would have been pretty cool, and very much LDIF'able. 
Alas.





Re: [ActiveDir] Discovering LDAPS availability

2006-10-05 Thread Joe Kaplan
There isn't really a way to do it without attempting to connect.  Also, 
remember that SSL has to be negotiated between the client and server.  The 
server may be perfectly capable of doing SSL, but if the client doesn't 
trust the server's certificate or attempts to contact the server with a name 
that does not match the name of the server in the certificate, the client 
may choose to reject the attempt to connect via SSL, whereas another client 
might not have the same objections.


You have to try it.

Also, the DC doesn't publish anything that you can query, say via RootDSE, 
to state whether it supports LDAPS or not (at least nothing that I've ever 
heard of...).


Joe K.

- Original Message - 
From: David Loder [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, October 05, 2006 2:56 PM
Subject: [ActiveDir] Discovering LDAPS availability



Other than directly testing the 636 port on each DC,
can anyone suggest a method for an unprivileged client
to discover whether or not LDAPS should be available
on a specific DC?



Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-29 Thread Joe Kaplan
Do try to push your vendors in the direction of standards-based federation 
when federation is the solution.  It is really the best way to go for that 
particular class of problems.


The real problem for ADFS in the federation space is that it only supports 
WS-Federation and doesn't support SAML2.  A lot of vendors that are 
interested in federation have already gone down the SAML 2 path, as it has a 
headstart and a good standards story.  It is also non-Microsoft, which makes 
it instantly interesting to a lot of people, like it or not.


One of the things I'm faced with in my own federation deployment is that in 
order to cover some of the vendors we'll likely need to federate with, I'll 
need to integrate a completely different product just to support SAML 2.0 
protocol.  That sucks.  I can understand why MS went in the direction they 
did, but I'd still like to see a SAML 2 compatibility mode or some 
middleware I could stack on ADFS that would allow me to reuse most of my 
current investment.


We actually considered using a different product that supports both WS-Fed 
and SAML 2 (Oracle, RSA and Ping all have this for example).  The problem is 
getting the really tight integration with both .NET claims apps and Windows 
token apps on the inbound scenario side.  That's where the ADFS feature 
set really kicks butt and sort of forces us to use it anyway.  Thus, two 
products.  Sigh.


Joe K.

- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 11:22 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password



Tony,


I have a workshop next week with a vendor to discuss an extranet 
solution. Unfortunately, LDAP auth is not going to be possible, since 
there will be no communication across the firewall.


I am steering them toward an ADFS solution, which I think will fit the 
bill better.  The issue will be, that it will require a 3rd party 
middleware to make work, which I am not sure they will be thrilled about.


Thanks for the thoughts on this.  Glad to know I'm not the only one 
struggling with bad apps! ;)


Jef





Re: [ActiveDir] ADFS and WebSphere (was ADAM bind Redirection with a NULL password)

2006-09-29 Thread Joe Kaplan
I'll start a new thread, since we are off on ADFS now.  I have no experience 
with WebSphere yet in the federation space, so it sounds like you are ahead 
of me.


With our federation work, the primary target for federation is with ASPs 
that host applications in their own facilities.  For these guys, our plans 
have just been to say that we'll integrate with them at the protocol level 
and that they need to get a standards-based federation solution going, 
leaving it up to them how they do this.  Since we are a big company and they 
are trying to sell us a service, this approach seems reasonable.  We have 
been offering to help a few of the smaller vendors we work with do their 
ADFS stuff because we actually have some expertise in house now and some of 
these guys we want to give a jumpstart to, but otherwise we haven't helped 
our partners much with product selection, especially the non-MS shops.


Thanks for reminding me about the Quest and Netegrity bits.  That might be 
useful.  :)


Joe

- Original Message - 
From: Jef Kazimer [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, September 29, 2006 7:09 AM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password



Joe,

I have a large Websphere community, which suffers from the single NC for 
LDAP binds scenario.   Have you had any experience with WS and ADFS?   The 
WS guys seem very tight lipped on knowing how to setup WS to work with it.


I have been looking at Quests and Netegrity for their ADFS modules for 
JAVA systems which I think might fit the bill.


Our entire unix platform group is integrated into AD with Quest's VAS 
product, and surprisingly, they LOVE AD. :)


Thanks for the insight,

Jef





Re: [ActiveDir] ADAM with Domain

2006-09-29 Thread Joe Kaplan

ADAM integrates with the domain in a few ways.

When an ADAM server is a domain member, then ADAM can be used to 
authenticate domain users via LDAP authentication (using secure bind or 
simple bind with bind proxies).


ADAM will also get its password policy from the machine password policy 
applied by the DC if it is a domain member.


The other important consideration with ADAM as a domain member (in my view) 
is that if you will have replicating ADAM instances, it is a bit ugly to get 
the RPC security working for replication if you aren't using domain member 
servers.  You end up having to do a hackish thing of having shadowed 
accounts with the same name and password on each machine to get it to work, 
and that is a management hassle.


The actual ADAM LDAP directory doesn't have anything to do with the AD LDAP 
directory.  The only way to get AD objects into ADAM (or vice versa) is with 
some sort of a sync process.  They do not replicate or share any directory 
data.


You can definitely use the full range of X500 naming styles with ADAM 
instead of just the DNS-based root naming convention that AD requires 
(DC=domain,DC=com and such), so you can likely accomplish your goal.


HTH,

Joe K.

- Original Message - 
From: Matt Brown [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, September 29, 2006 11:25 AM
Subject: [ActiveDir] ADAM with Domain



How does ADAM integrate with a domain? Will they be completely separate
directories or can they somehow be joined together?

I'm wanting to use an X.500 name for the ADAM instance.

Thanks in advance for the help provided,
--
Matt Brown
IT System Specialist
Eastern Washington University






Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Joe Kaplan
It is a good article with good analysis.  I do think it would be a useful 
feature to have a bit to flip for simple bind to be forced to fail with 
blank password, even though this would go against the RFC spec.  I also 
think it is interesting that since ADAM is actually doing some sort of 
secure authentication to AD, this bind attempt does actually up the bad pwd 
count and can result in user lockout.


Another scenario that is interesting with blank passwords is that 
potentially an ADAM or AD user could have an actual blank password.  It then 
becomes very difficult to tell them apart from a bind attempt.  I remember 
Dmitri discussing this on the newsgroups a ways back, although as I recall, 
he seemed to believe this was an inevitable consequence of the spec.


Besides the DCR, I think all you can do is validate on the application side 
(but you already knew that).


Joe K.

- Original Message - 
From: Jef Kazimer [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 7:53 PM
Subject: [ActiveDir] ADAM bind Redirection with a NULL password


Since there has been talk of LDAP Authentication as of late, I figured 
I'd post my issue of poorly developed applications allowing a null 
password to an ADAM instance using Bind Redirection.


http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry

I'd be curious if a bit flip to shut down this possibility could be put in 
control of the directory Admin, instead of relying on the developers.


Thanks,

Jef Kazimer




Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Joe Kaplan
The problem is that this happens a lot.  There are simply tons of 
applications out there that don't use Windows SASL binds.  It would be nice 
if it wasn't this way, but that's the reality of LDAP auth, especially with 
vendors that don't use Microsoft's LDAP libraries.  I've got at least 6 of 
these at work right now.


The other thing that is hard to deal with is scenarios where you have a mix 
of ADAM and AD principals.  Since it isn't easy to tell apart ADAM from AD 
principals except for possibly by naming convention, so it can be hard to 
know whether an app should do a simple or SASL bind for a given user in this 
use case.


So, the advice from MS is good, but not easy to follow.  Also, the feature 
is there to be used.


Another thing is that to use features like Fast Concurrent Bind, you have to 
do simple bind.  It isn't supported with SASL.


BTW, does FCB work with bind proxies?  I've never tried.

Joe K.

- Original Message - 
From: Tony Murray [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 9:27 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password


My impression from reading the on-line documentation is that the use of 
ADAM Proxy Objects and bind redirection is frowned upon anyway.


Proxy users are designed for special circumstances and should only be 
used as a last resort, when Windows principals cannot be used directly.


and

ADAM bind redirection should be used only in special cases where an 
application can perform a simple LDAP bind to ADAM but the application 
still needs to associate the user with a security principal in Active 
Directory.


From 
http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true


Is there no way for the application to use the recommended alternative, 
i.e. where ADAM receives a SASL bind request and forwards the request to 
Active Directory?


Tony

-- Original Message --
From: Jef Kazimer [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 28 Sep 2006 21:17:39 -0500

Eric,

The problem stems from lack of ability to modify the application to correct
the behavior.  If I had the ability to force this, I would simply require
null/blank not to be passed to the ADAM server from the application.

I've been at odds about the DCR myself, for all the reasons you mentioned.
Yet, without the ability to control the applications, the only thing I can
control is the directory itself.  Without a mechanism to disable such
behavior, I am without recourse unfortunately.

So far, I've been able to avoid this problem, because the 2 apps I had this
happen with, the developer was able to modify the authentication dialog.  I
have had other apps with other issuers, where modification was not possible.
These did not suffer this poor design issue, but I wonder if I will get such
an app eventually.  I suppose I am just trying to solve a problem I have
not been forced to solve by this method, which means it can wait.

I could go into how it would be nice to have enterprise application minimum
standards, and application owners involve infrastructure staff BEFORE an app
is purchased, instead of after when it doesn't work, but I won't :)

Jef


- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 8:48 PM
Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password

One solution would be to ACL all objects such that SELF can read them,
then have the app, after it has authenticated as the user, try and read
something on the user itself. This way you know you are in fact that
user (or someone else that has read access, which presumably won't work
as anonymous).

In terms of your DCR...could such a bit be put in? I guess. But DCRs
that are filed with the intentional intent of going against an RFC
typically have a rough time getting through even with a very strong
business impact. And you have a workaround already in the app, and
another solution I mentioned above. Just setting expectations...

~Eric





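The application-side validation that Joe Kaplan says is "all you can do" and the SELF-read check Eric Fleischman suggests, written out as an added example; this is not code from the thread, from ADAM or from any Microsoft library. The directory is a constructed stand-in (FakeAdamServer) that behaves the way the thread describes: a simple bind with a DN and an empty password is an unauthenticated bind per RFC 4513 section 5.1.2, so the server answers success but the session has no identity. The DN, password and attribute names are made up for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class AuthError(Exception):
    """Raised when the application must refuse a login outright."""


@dataclass
class FakeAdamServer:
    """Constructed stand-in for the ADAM instance: a DN -> password table.

    Mirrors the behaviour described in the thread: a simple bind with a DN and
    an *empty* password is an unauthenticated bind (RFC 4513 5.1.2), so the
    server reports success but the session carries no identity.
    """
    users: Dict[str, str]
    bound_as: Optional[str] = None

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            self.bound_as = None      # unauthenticated: "success", but anonymous
            return True
        if self.users.get(dn) == password:
            self.bound_as = dn
            return True
        self.bound_as = None
        return False                  # invalidCredentials

    def read_self_attribute(self, dn: str, attr: str) -> Optional[str]:
        """Objects are ACLed so only SELF can read them (Eric's suggestion).

        Anonymous sessions and other principals get nothing back.
        """
        if self.bound_as is None or self.bound_as.lower() != dn.lower():
            return None
        return f"{attr} of {dn}"


def naive_login(server: FakeAdamServer, dn: str, password: str) -> bool:
    """The pattern the thread complains about: the bind result alone decides."""
    return server.simple_bind(dn, password)


def hardened_login(server: FakeAdamServer, dn: str, password: str) -> bool:
    """Validate on the application side before and after the bind.

    Returns True for a genuine success, False for wrong credentials, and raises
    AuthError when the attempt should never have been made or when the
    directory's answer cannot be trusted.
    """
    # Check 1: never hand the directory an empty or blank password; an empty
    # password is an anonymous bind, not a failed login.
    if not dn.strip() or not password.strip():
        raise AuthError("empty DN or password refused before contacting the directory")
    if not server.simple_bind(dn, password):
        return False
    # Check 2: prove the session really is this user by reading something
    # that only SELF may read.  An unauthenticated session cannot.
    if server.read_self_attribute(dn, "displayName") is None:
        raise AuthError("bind reported success but the session is not the user")
    return True


def session_is_user(server: FakeAdamServer, dn: str) -> bool:
    """The post-bind check on its own, for code paths that cannot gate the password."""
    return server.read_self_attribute(dn, "displayName") is not None


# Constructed directory content for the demonstration (hypothetical DN and password).
DEMO_DN = "CN=jdoe,OU=Users,O=Example"
DEMO_USERS = {DEMO_DN: "correct horse battery"}


def demo() -> dict:
    """Run each scenario against a fresh fake server and collect the outcomes."""
    results = {}
    s = FakeAdamServer(dict(DEMO_USERS))
    results["naive_blank"] = naive_login(s, DEMO_DN, "")          # the bug: True
    results["naive_blank_is_user"] = session_is_user(s, DEMO_DN)  # but not jdoe
    s = FakeAdamServer(dict(DEMO_USERS))
    try:
        hardened_login(s, DEMO_DN, "")
        results["hardened_blank"] = "accepted"
    except AuthError:
        results["hardened_blank"] = "refused"
    s = FakeAdamServer(dict(DEMO_USERS))
    results["hardened_wrong"] = hardened_login(s, DEMO_DN, "nope")
    s = FakeAdamServer(dict(DEMO_USERS))
    results["hardened_right"] = hardened_login(s, DEMO_DN, "correct horse battery")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Check 1 is the cheap fix and should be in every login form that fronts a simple bind; check 2 is the one that still catches the problem when the form is a vendor's and cannot be changed, provided the directory's ACLs really do restrict the read to SELF.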
Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Joe Kaplan
I agree, the documentation is misleading.  They should say that anonymous 
searches aren't allowed.


Joe K.

- Original Message - 
From: Jef Kazimer [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 9:24 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password



Joe,

I forgot to mention on the article (Which I updated):


-
I forgot to mention, I had thought to myself "Did I somehow enable 
anonymous binds and forget?", since part of the design was to not-allow 
anonymous.  I did check the config entry as outlined in the ADAM FAQ:


ADAM does not accept anonymous bind requests by default. To enable 
anonymous LDAP operations in ADAM, you must set the seventh character of 
the dsHeuristics value to 2.


This indeed was set to NOT allow anonymous binds, which based on the 
wording I would assume mean that anonymous binds would be rejected.   In 
actuality, an anonymous bind is a SUCCESS, but you can't enumerate the 
directory structure from that point on.  Perhaps the wording should be 
changed to reflect this?








Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Joe Kaplan
Yep, that's definitely true, although domain membership is also required to 
do bind proxy auth as well.  In a lot of these scenarios, the firewall is 
configured so that only LDAP ports are open to ADAM from the application, 
but the ADAM server has the necessary firewall ports open for domain 
membership.  In some cases, ADAM can actually go inside the DMZ, with just 
the app server in the DMZ.  There are lots of options.  :)


There are so many useful scenarios for Microsoft app servers that 
essentially require Internet facing web servers to be domain members 
(SharePoint, etc.) that I'm guessing people are used to opening domain 
membership ports through the DMZ firewall anyway.


I'm embarrassed to admit that we have numerous holes in our firewalls 
allowing third parties to hit our DCs directly via LDAP for auth (SSL LDAP, 
yes, but still LDAP).  Sure, the firewall rules only allow traffic from 
specific IP addresses, but it is still way icky.  One of the reasons I'm so 
interested in ADFS is to help stomp out these monstrosities as soon as 
possible, but it will take a long time before all the vendors support 
federation, all the scenarios are covered and we actually have the IT 
budgeting priorities in place to make the necessary changes on our end.


Joe K.

- Original Message - 
From: Tony Murray [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 10:57 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password


Yes, I can see that Windows SASL binds might not be universally available 
;-)


Thinking about it, another problem with the SASL binds is that presumably 
the ADAM instance must be running on a server that is a member of the 
authenticating AD domain (or at least one that has a trust back to the 
authenticating domain).  This would limit its usefulness in extranet 
scenarios because of the ports that would have to be opened between ADAM 
and AD (assuming they are on opposite sides of a firewall).


Tony

Re: [ActiveDir] Struggling to find AD authentication code

2006-09-26 Thread Joe Kaplan

Thanks for the plug on the book.  Ch 12 is all about programmatic
authentication.  We cover the DirectoryEntry approach suggested by
Darren as well as the LogonUser approach suggested by Brian.  The code
samples (in C# and VB.NET) are available for free from
www.directoryprogramming.net.

Note that there are good and bad points to all of these approaches
that are worth understanding before picking one over the other.

Joe K.

On 9/26/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:


You actually shouldn't have to use Interop or PInvoke like that to
authenticate to AD using VB.Net. I do it all the time in WinForms using the
DirectoryEntry class, which allows you to pass creds to your AD connection.
You just need to front those creds with a simple form and away you go. Just
check out the VS docs on DirectoryEntry. Also, if you plan to do a lot of
.Net programming against AD, I would highly suggest this book:
http://www.amazon.com/Developers-Directory-Programming-Microsoft-Development/dp/0321350170/sr=8-1/qid=1159285094/ref=pd_bbs_1/102-7103604-3390566?ie=UTF8s=books

Darren

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Steven Wood
Sent: Tuesday, September 26, 2006 7:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Struggling to find AD authentication code




Thanks for that. Great blog by the way.





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Brian Desmond
Sent: 26 September 2006 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Struggling to find AD authentication code



Look at the example for calling the LogonUser() API on my website – scroll
down a bit www.briandesmond.com.




Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Steven Wood
Sent: Tuesday, September 26, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Struggling to find AD authentication code



Hi,



Can anyone point me in the direction of some VB.Net examples of
authenticating users against AD using a Windows form and not asp.net? All
the examples I can find are forms based authentication for asp.net. I've
loaded the template 'Login Form' included with VB 2005 unfortunately there
appears to be no sample code of AD authentication that I can see.



Any help very much appreciated.



Regards



Steven









---
This email is from Oldham Sixth Form College, but expresses the views
of the sender and not necessarily the views of the college. The email
and any files transmitted with it are confidential to the intended
recipient at the e-mail address to which it has been addressed. It may
not be disclosed or used by any other than that addressee, nor may it
be copied in any way. If received in error, please notify
[EMAIL PROTECTED] quoting the name of the sender.

This message has been scanned for viruses by F-Secure Anti-Virus.

Please note that we cannot accept any responsibility for any
transmitted viruses. It is, therefore, your responsibility to scan
attachments (if any).




Re: [ActiveDir]SUBDOMAIN AND LDAP

2006-09-24 Thread Joe Kaplan
I think the bottom line of my argument boils down to simple bind without 
SSL is evil, but simple bind with SSL is acceptable.  Secure bind is 
generally acceptable, with or without SSL.


As such, I'd love to see an AD and ADAM option that would allow the DS to 
reject simple bind operations on non-SSL ports.  I think this would go a 
long way towards helping enforce my mantra and would likely only have a 
negative impact on non-MS apps using simple bind.  The vast majority of code 
from the MS world uses secure bind by default and actually requires the 
developer to go out of their way to get a simple bind.  For example, the 
basic vbscript:


Set obj = GetObject("LDAP://DC=domain,DC=com")

results in a secure bind with GSS-SPNEGO (hopefully negotiating to Kerberos 
:)).  The same goes in .NET:


DirectoryEntry entry = new DirectoryEntry("LDAP://DC=domain,DC=com");

To get a simple bind, you must use OpenDSObject in script and pass in the 
appropriate flags to NOT have Secure bind set, or set the appropriate 
AuthenticationTypes.  In general, ADSI does the right thing.


Another thing that would be helpful would be an unencrypted simple bind 
audit event that could be configured, so that you could find the IP address 
of any client issuing these operations and track them down.


I think one of the reasons why simple bind is used by many vendors is that 
it is the only common denominator between other directories and a lot of 
LDAP protocol libraries don't support Microsoft auth mechanisms.  However, 
the good news is that just about every LDAP library does have some sort of 
support for SSL.  Now, if it was only easy to force all DCs and ADAM 
instances to have valid server certs, we'd be in business.  :)


Regarding the evolution of authentication protocols with some of the stuff 
in WS-*, I have to say that I like the vision.  WS-Trust is the plumbing 
under not only ADFS, but also CardSpace and the security framework for 
Windows Communication Foundation (WCF).  The vision is pretty appealing, 
because the notion of how a user can be authenticated (via a security token 
service) is more abstract and based on open and fairly simple web protocols 
(HTTP, XML, PKI).  The notion of a security token is now more abstract and 
flexible than a Windows token too, in that a token describing an 
authenticated user now just contains claims, not just SIDs.  Claims can be 
anything (including their group SIDs), so this makes it easier to provide 
all the information an app needs to authorize a user without having to 
resort to post authentication lookups to go back and get their first name or 
their email address.  It also allows you to address privacy concerns, in 
that each app can be configured to just get the info it needs and none that 
it doesn't.  Users can be given the right to control what information is 
provided about them (which is very explicit in CardSpace, but is more of a 
corporate policy thing with ADFS).


All in all, I'm digging the vision.  I do think it has a long way to go 
before it can become ubiquitous, but I do think it is a better model than 
what we have now and the implementation is really simple and open enough 
that everyone can play.  Some would argue, probably rightly, that MS and IBM 
have the keys to the kingdom and the stack is pretty complex with all the 
layers of XML protocols.  However, Kim Cameron has successfully demonstrated 
CardSpace login to his blog running on the LAMP stack, so I'm convinced that 
it is pretty doable.


When will we see the Security Token Service and WS-Trust displace the KDC 
and SSPI in Windows?  I think that will be a while.  :)


And I love ADFS.  It rocks.  Bring on the Active Requester Profile (and a 
better GUI)!


Joe K.

- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Sunday, September 24, 2006 10:10 AM
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP


Yeah I understand, lots of vendors use LDAP for auth, but it doesn't make it
good/right. Just like lots of vendors requiring admin access or always
passing NULL for LPSECURITY_ATTRIBUTES when working with securable objects.

ADAM is another story, if you need to use ADAM principals you are stuck with
using LDAP for the auth. I still don't like it though. :)

Of course you are correct on the using SSL can help beef up the security but
that seems to be done in the minority of the cases. Far too many times that
I have looked at LDAP traces I see passwords and IDs just flowing across the
wire like there was no tomorrow. The thing is most of the users I expect
have no clue that they are being exposed in such a way because they trust
that the Administrators and vendors actually know what they are doing.
Course this is the case with many web based apps as well, but folks have
started to learn to mistrust these automatically as time goes by. The little
key on the browser helps a little but it tells you nothing about the
backend and how insecure it 

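Joe Kaplan's rule above (simple bind only under SSL, secure bind fine either way) and the audit event he wishes for, as an added example that is not code from the thread or from any directory product. The bind-policy functions are a client-side stand-in for what ADSI's AuthenticationTypes flags decide; the audit lines are constructed in a made-up format (no real product emits these lines), the IP addresses and host names are invented, and the parser only illustrates how such a report would be produced once a bind-audit event existed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Mechanisms that count as a "secure bind" in the thread's sense: the password
# never crosses the wire in the clear, so they are acceptable with or without SSL.
SASL_MECHANISMS = {"GSS-SPNEGO", "GSSAPI", "DIGEST-MD5"}


@dataclass(frozen=True)
class BindAttempt:
    client_ip: str
    mechanism: str   # "simple", "GSS-SPNEGO", ... or "anonymous"
    port: int
    tls: bool        # LDAPS, or StartTLS completed before the bind


def bind_is_acceptable(attempt: BindAttempt) -> bool:
    """Joe's rule: SASL bind is fine either way; simple bind only under SSL/TLS."""
    mech = attempt.mechanism.upper()
    if mech in SASL_MECHANISMS:
        return True
    if mech == "SIMPLE":
        return attempt.tls
    return False   # anonymous or unknown mechanism: never acceptable for auth


def choose_bind(url: str, simple_bind_required: bool) -> str:
    """Client-side policy: return the mechanism to use for an LDAP URL.

    Secure (SASL) bind is the default, as ADSI does; a simple bind is permitted
    only when the URL is ldaps://, otherwise refuse rather than leak a password.
    """
    scheme = urlsplit(url).scheme.lower()
    if not simple_bind_required:
        return "GSS-SPNEGO"
    if scheme == "ldaps":
        return "simple"
    raise ValueError(f"refusing simple bind over cleartext connection: {url}")


# Constructed audit records in an invented line format: one line per bind
# request, as a bind-audit event could record it.
SAMPLE_AUDIT_LINES = """\
2006-09-24T10:49:02 client=10.1.2.3:51000 port=389 mech=simple tls=no
2006-09-24T10:49:05 client=10.1.2.3:51001 port=389 mech=simple tls=no
2006-09-24T10:49:09 client=10.1.7.9:40211 port=636 mech=simple tls=yes
2006-09-24T10:49:12 client=10.1.4.4:33120 port=389 mech=GSS-SPNEGO tls=no
2006-09-24T10:49:20 client=10.1.9.1:48000 port=389 mech=anonymous tls=no
2006-09-24T10:49:31 client=10.1.2.3:51002 port=389 mech=simple tls=yes
"""

LINE_RE = re.compile(
    r"client=(?P<ip>[\d.]+):\d+\s+port=(?P<port>\d+)\s+mech=(?P<mech>\S+)\s+tls=(?P<tls>yes|no)"
)


def parse_audit(text: str) -> List[BindAttempt]:
    """Turn the constructed audit lines into BindAttempt records; other lines are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        attempts.append(BindAttempt(m["ip"], m["mech"], int(m["port"]), m["tls"] == "yes"))
    return attempts


def cleartext_simple_bind_clients(attempts: List[BindAttempt]) -> Dict[str, int]:
    """The report Joe asks for: which client IPs send passwords in the clear, and how often."""
    counts = Counter(
        a.client_ip for a in attempts if a.mechanism.upper() == "SIMPLE" and not a.tls
    )
    return dict(counts)


if __name__ == "__main__":
    attempts = parse_audit(SAMPLE_AUDIT_LINES)
    for ip, n in cleartext_simple_bind_clients(attempts).items():
        print(f"{ip}: {n} unencrypted simple bind(s)")
    print(choose_bind("ldaps://adam.example.test:636", True))
```

Note the third and sixth sample lines: a simple bind on port 389 after StartTLS, or on the LDAPS port, passes the policy, so the report keys on the TLS state of the session rather than on the port number alone.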
Re: [ActiveDir]SUBDOMAIN AND LDAP

2006-09-24 Thread Joe Kaplan
That's very cool, Eric.  I had no idea that setting existed in ADAM.  Any 
chance of sneaking that into the AD stack?


I agree that it only solves half the problem, but at least by preventing 
this from working at all, it keeps people from setting up apps that will do 
unsecure simple binds thousands of times per day for years.  There is only 
so much you can do.


I also agree that SSL just isn't that easy and can't be, just because of the 
way it works.  That doesn't stop me from wishing it was.  :) One thing I 
like about ADFS is that you have to use SSL to play, so you can't even get 
yourself in trouble.


I'll definitely file a bug on the audit thing.  I think that would be nice, 
even with ADAM in the mode to reject insecure simple binds, because you 
could find out which clients are attempting it.


Joe K.

- Original Message - 
From: Eric Fleischman [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Sunday, September 24, 2006 11:48 AM
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP



I'd love to see an AD and ADAM option that would allow the DS to
reject simple bind operations on non-SSL ports


We agree. That's why we built it in to the product. :) Well, in to ADAM
that is.
See object CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,CN={GUID}. Check out the attribute
msds-other-settings, value named RequireSecureSimpleBind=0. Change that
0 to a 1, then you have enabled the protection.

I would point out, this does not prevent a client from *presenting* a
password via simple bind w/o connection security, only from the
operation succeeding. So you could still present a password (thereby
showing it to an attacker), it's just that it won't work. This is
training with the stick, not the carrot.
It's akin to saying, "I can protect your SSN from working when you scream
it to me in a room full of people (ie, require you write it on a piece
of paper and pass it over), but I can't stop you from screaming, only
punish you when you make this bad choice."


Another thing that would be helpful would be an unencrypted simple

bind

audit event that could be configured, so that you could find the IP
address  of any client issuing these operations and track them down.


This is a good idea. Can you file a bug for this? I have thought of
doing this before but never thought anyone would appreciate things like
this. :)



Now, if it was only easy to force all DCs and ADAM
instances to have valid server certs, we'd be in business.  :)


I think it goes w/o saying, but this is impossible. The definition of
"valid" is in the eye of the beholder. For example, to some a
self-signed cert, trusted by no one, is invalid for the DS. However, to
the person that explicitly trusted that cert on their LDAP clients, it's
perfectly fine. That's just one example, the same could be said for
nearly every wonky cert config you think of, especially when you
consider ADAM in the mix.

~Eric





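A posture check over the two settings this thread names, written as an added example that is not code from the thread, from ADAM or from Microsoft: the seventh character of dsHeuristics from the ADAM FAQ quote earlier in the thread, and the RequireSecureSimpleBind value in msDS-Other-Settings on CN=Directory Service that Eric describes. Fetching and writing the attributes (ldp, ADSI Edit or an LDAP library) is outside the snippet; the functions take the attribute values as strings, and the sample values are constructed. Note the thread's own caveat: dsHeuristics governs anonymous LDAP operations, not whether an anonymous bind itself is answered with success.

```python
from typing import Iterable, List, Optional


def anonymous_ldap_ops_enabled(ds_heuristics: Optional[str]) -> bool:
    """True when the seventh character of dsHeuristics is '2' (ADAM FAQ quoted
    in the thread).  An absent or short value means the default: not enabled."""
    if not ds_heuristics or len(ds_heuristics) < 7:
        return False
    return ds_heuristics[6] == "2"


def parse_other_settings(values: Iterable[str]) -> dict:
    """msDS-Other-Settings is multi-valued; each value has the form 'Name=Value'."""
    parsed = {}
    for raw in values:
        name, sep, value = raw.partition("=")
        if sep:
            parsed[name.strip()] = value.strip()
    return parsed


def require_secure_simple_bind_enabled(values: Iterable[str]) -> bool:
    """Eric's protection is on when RequireSecureSimpleBind=1; a missing entry counts as 0."""
    return parse_other_settings(values).get("RequireSecureSimpleBind", "0") == "1"


def with_secure_simple_bind_required(values: Iterable[str]) -> List[str]:
    """The value list as it should be written back: the existing
    RequireSecureSimpleBind entry replaced by '=1', or one appended."""
    out, seen = [], False
    for raw in values:
        name, sep, _ = raw.partition("=")
        if sep and name.strip() == "RequireSecureSimpleBind":
            out.append("RequireSecureSimpleBind=1")
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append("RequireSecureSimpleBind=1")
    return out


def assess(ds_heuristics: Optional[str], other_settings: Iterable[str]) -> List[str]:
    """Human-readable findings; an empty list means both settings are as the thread recommends."""
    findings = []
    if anonymous_ldap_ops_enabled(ds_heuristics):
        findings.append("anonymous LDAP operations enabled (dsHeuristics char 7 = 2)")
    if not require_secure_simple_bind_enabled(other_settings):
        findings.append("cleartext simple binds accepted (RequireSecureSimpleBind != 1)")
    return findings


# Constructed sample values, as they might be read from CN=Directory Service.
SAMPLE_DS_HEURISTICS = "0000002"
SAMPLE_OTHER_SETTINGS = [
    "DynamicObjectDefaultTTL=86400",
    "DynamicObjectMinTTL=900",
    "RequireSecureSimpleBind=0",
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_DS_HEURISTICS, SAMPLE_OTHER_SETTINGS):
        print("finding:", finding)
    print("write back:", with_secure_simple_bind_required(SAMPLE_OTHER_SETTINGS))
```

As Eric points out, RequireSecureSimpleBind=1 only makes the cleartext simple bind fail; the client has still sent the password, so the setting is a backstop for the client-side policy and audit, not a replacement for them.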

Re: [ActiveDir] ADFS and certs (was: SUBDOMAIN AND LDAP)

2006-09-24 Thread Joe Kaplan
I agree that there is a certain amount of pain with certs and ADFS, although 
I don't think it is really that hard, especially if you go the commercial 
route.  The thing I like about it is that since it requires you to get this 
working to use it, it is secure by default.  You have little ability to 
hoist yourself by your own petards, so to speak.  :)


There are really two parts to the ADFS cert story, the SSL/HTTP part and the 
token signing cert part.  The SSL/HTTP part is a little more straightforward 
and is the kind of thing that lots of organizations do successfully already 
on their public websites now.  You really only tend to get yourself in 
trouble if you want to self issue certs and do things like issue from your 
own root or publish your CRL in a non-public place.


The token signing cert part of ADFS is much more black magic and needs more 
guidance.  Even with certs that work perfectly fine for SSL, we had trouble 
using them for token signing due to the additional CRL checking that ADFS 
does and had to disable that in policy.  I think similar things happened to 
you guys with one of your partner's token signing certs in your own internal 
implementation.  CRL is an important idea whose implementation is basically 
broken in the general case, as there is no reasonable way to always get the 
CRL programmatically.  Windows could do a lot better with tool support for 
troubleshooting this and better error messages though (kind of like Kerberos 
delegation; too hard as it stands!).


I'm sure my experiences are influenced by the fact that I already know a 
fair amount about certs and SSL, having spent a full year of my life 
implementing an automated certificate provisioning system for end user 
signing and encryption certs that ties into our overall identity management 
process.  I can totally see how there is a bunch of mumbo jumbo to overcome 
for those not really familiar with PKI.  At least in this case, though, the 
mumbo jumbo (PKI) is pretty much the same on Linux or Sun as it is on 
Windows.  It doesn't really hurt the adoption of protocol itself across 
platforms.


I also think the ADFS step by step guide leads people down a dark path, in 
that all the demos are set up with selfssl and self-issued certs, which are 
ok for demos, but not cool for production (IMO).  The path to get from the 
demo set up in step by step to your actual scenario is not always easy to 
do.  I think our internal proof of concept was more successful because we 
tried to build our POC the way we thought we'd actually use the product 
internally, rather than using the Adatum/Trey Research scenarios.


As with most new things that take some thought to implement, the skills and 
experiences needed to crank out good implementations quickly will lag the 
product for a while.  I'm sure the first year or two (or maybe more!) of AD 
installs were slow and a little crappy too.  I still like the product 
though.  :)  I think the places where it is sound, it is very sound.  It has 
a good base to build on.


Joe K.

- Original Message - 
From: Eric Fleischman [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Sunday, September 24, 2006 1:25 PM
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP


Yes, we should file a bug for AD. I'll take this offline with you.

On the SSL front, it's interesting that you see this as a strength of
ADFS. I would argue the opposite. Cert infrastructures are non-trivial
to configure or maintain, I always saw it as a downside to ADFS that it
requires one to get a PhD in certology and make this work not only for
you but across organizations, assuming you use it in this way.
Of course, the real solution to all of this is making a cert
infrastructure as easy to run as, say, the key infrastructure that makes
Kerberos just work for you.

~Eric




Re: [ActiveDir] ADFS and certs

2006-09-24 Thread Joe Kaplan
Yeah, the real step by step guide isn't so bad per se.  What it tries to do 
is give you a simple path to having an easy demo set up of ADFS going so you 
can kick the tires.  For that, it is ok.  Where it doesn't cross the gap 
very well is in providing guidance on how to apply the lessons learned to 
real scenarios.


Because ADFS relies on certificates for both SSL/HTTP and the signing of 
security tokens, you need certificates to use it.  In order to get through 
the step by step guide successfully, they chose to use the self-issued 
model, as it is really the only simple way to get SSL certs without spending 
money or setting up a CA.  However, it does leave you with self-signed 
certs, which is not where you want to end up.


I think that either the step by step guide needs to provide more guidance 
and explanation of the steps and how to apply them, or the other 
documentation for ADFS needs to fill this gap.  As it stands now, there is 
still no good guidance on how to procure your certificates and what the 
various trade-offs are for the possible ways to go about this.  People who 
already know PKI will be able to fill in the details, but many people will 
be left scratching their heads.


Perhaps Tomasz and I should blog about this more for now.  :)

Joe K.

- Original Message - 
From: Tomasz Onyszko [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Sunday, September 24, 2006 3:16 PM
Subject: Re: [ActiveDir] ADFS and certs



Rick Kingslan wrote:

Joe, Tomasz -

Yep, you're right that it may tend to show a bad precedent for people to 
follow.  I haven't taken a look at these particular labs (and having just 
come back from a long hiatus, I didn't see the referenced lab) but is the 
guidance there as to what Best or Preferred Practices SHOULD BE?


You can check this lab here:
http://www.microsoft.com/downloads/details.aspx?familyid=062F7382-A82F-4428-9BBD-A103B9F27654&displaylang=en

No, you will not find any guidance on best practices there, and maybe 
this is not the best place, but I'm not aware of any other ADFS related 
doc which deals in detail with best practices and description of usage 
for certificates in ADFS deployment.


If not - I find that the bigger problem than the fact that self-certs are 
being used at all.



--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx 




Re: [ActiveDir]SUBDOMAIN AND LDAP

2006-09-22 Thread Joe Kaplan
You might have them try to work with the GC.  You should be able to 
authenticate and find users from any domain via the GC.


I think Joe Richards might also suggest that the vendor learn what they are 
doing and either integrate with AD the right way or don't claim they can. 
I'll bet they need to talk to a specific domain controller too.  I won't put 
words in Joe's mouth though.  :)


Joe

- Original Message - 
From: Ramon Linan

To: ActiveDir@mail.activedir.org
Sent: Friday, September 22, 2006 3:41 PM
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP


The application designer is telling me it can only be configured for one 
source of authentication, so if they use the domain level authentication, will 
that allow authenticating users in the subdomain?


I.e.
domain.com
child.domain.com

If I point the application to use domain.com as authentication source will 
that also authenticate users from the child domain?


Thanks




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick

Sent: Friday, September 22, 2006 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP


sub-domain query base: dc=subdomain,dc=domain,dc=com
domain query base: dc=domain,dc=com

When the search is initiated, it will start looking at the query base and, 
if so configured, everything below it (subtree search).


In your case, that won't likely happen depending on how you configured it. 
If you instead change your query base to dc=domain,dc=com (assuming you have 
a contiguous namespace) then you may get different results.


Testing.  You can use ldp, adfind, or any other ldap client if your app 
doesn't have that functionality built in.


Since you're security conscious, be mindful of the cert and the ports you're 
using during your testing :)


Permissions?  That depends on your configuration and your versions.  Windows 
2000 is pretty much open for searches while 2003 requires authenticated 
users by default.


Al


On 9/22/06, Ramon Linan [EMAIL PROTECTED] wrote:
Hi,

I have an application that uses LDAP to authenticate (authenticates
against AD).

In my AD I have a domain and subdomain or child domain.

I assume that both domain and subdomain use the same LDAP, right?

Also, if the application is using a user from the subdomain to query the
LDAP, what kind of access will that user have to have to authenticate
users at the main domain level?

Basically, the application is authenticating the users from the
subdomain fine but can't find the users from the main domain...


Thanks for any advice.


Rezuma




Re: [ActiveDir]SUBDOMAIN AND LDAP

2006-09-22 Thread Joe Kaplan
Although I do tend to agree that LDAP does not define a good authentication 
protocol at all, it is definitely the case that LDAP is used as an 
authentication mechanism all over the place.  I also don't think there is 
really anything wrong with using it for that per se, as long as it is used 
correctly.


Specifically, it is the LDAP bind operation that is typically used for 
authentication.  The only real problem with using LDAP bind to authenticate 
a user is that the only binding mechanism defined directly by the LDAP V3 
spec is the simple bind.  Simple bind is not secure by itself because it 
passes the user's plaintext credentials over the wire.  That is ultra bad, 
as any snooper can easily recover the user's password.  However, when LDAP 
simple bind is combined with channel level encryption such as SSL, it really 
isn't that bad.  :)  Sure, I'd rather use Kerberos, but that isn't always an 
option.


I've heard a few security experts suggest that you are actually safer using 
HTTP basic authentication with SSL over using NTLM auth over HTTP with no 
SSL.  NTLM is actually that easy to hack.  And NTLM actually IS an 
authentication protocol (albeit a dated, deprecated protocol that we still 
can't seem to get rid of in Windows over 6 years after it fell out of favor 
over Kerberos).


When using ADAM as an identity store, the primary means you have available 
to you to authenticate your ADAM users is LDAP simple bind (although digest 
auth is available if the client knows how to speak it; most don't).  If you 
want to use the fast concurrent bind feature of ADAM or AD, simple bind is 
the only supported authentication mechanism.


The real key is to ensure that simple bind is always combined with SSL (or 
some other transport layer security like IPSEC).  I'd actually love to see 
an option in AD and ADAM that would only allow simple bind on a secure 
channel.  I think that would be a good product feature, although it would 
probably have to be off by default.


I don't expect to see lots of third party apps moving away from LDAP bind as 
an authentication mechanism until something else more universal rises up to 
replace it.  I'm hoping that's WS-Federation/WS-Trust, but somehow I doubt 
we'll see that very soon.  :)


Joe K.

- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, September 22, 2006 8:07 PM
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP



The first thing I would say and I am shocked Al didn't say is


LDAP IS NOT AN AUTHENTICATION PROTOCOL

For the managers and vendors let me repeat ;o)

LDAP
IS
NOT
AN
AUTHENTICATION
PROTOCOL



LDAP has to authenticate as a part of giving secure access to data but that
doesn't make it an authentication protocol. A file server has to
authenticate you in some way shape or form for you to safely access files
too; I don't see people stumbling over themselves to use that as an
authentication protocol. The only reason this comes in from the *NIX world
like this is because Kerberos can be a serious pain in the ass there. Tough,
use a real authentication protocol.

If the vendor is using it to authenticate and that is all they are doing my
comment to them is get off your ass and use a real auth protocol and with
Windows the proper auth protocol is Kerberos. Most Windows folks don't even
have a clue to the technical depth and complexity of Kerberos because
Microsoft did such a bang up job of burying the details for most things
Windows. So if someone doesn't use it, that is their issue, not Microsoft's.




Following up of course with the things JoeK said which I fully concur with.


If using LDAP to authenticate though, where in the tree you poke doesn't
matter, as long as the user is a member of that forest, if you specify their
ID and their password, it will authenticate them by passing the traffic to
whatever DC is required. However, the app should be smart enough to ask the
proper DC out of the box.

And when you specify the ID, specify either UPN or Domain\UserID, do not use
DN. Why? Because DN's change and if you allow the apps to say, you have to
stick with a certain DN then you have lost a bunch of flexibility of AD.

Finally, if they don't do basic things like this right, I wonder what your
chances are that they do harder things like attribute ranging and paging
right.

AD is an extremely robust directory service and has tons of failover and
location services built into it. It has been out for 6 years in production
now, much longer in beta phases, etc and if apps still don't know what they
are doing with it I would greatly question the programmers and the vendor.
It is outright stupid to make your robust directory lower itself to the
standards of a poorly written app. If the app requires any of the following:


1. Fixed DNs
2. All users under a single base
3. someone to change the ranging values
4. someone to change the paging values
5. a fixed hostname
6. 
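The exposure Joe Kaplan describes above (a simple bind puts the password on the wire in the clear unless the channel protects it) and the audit/reject behaviour he wishes AD and ADAM had, as an added example that is not code from the list or from any Microsoft product: a small BER decoder for RFC 4511 BindRequests plus a hypothetical policy hook. The bind messages, names and client addresses are constructed here; `audit_bind` is not a real server setting.

```python
# RFC 4511 tags used by a BindRequest (protocol constants, not a product API)
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # AuthenticationChoice.simple: [0] OCTET STRING (cleartext password)
AUTH_SASL = 0xA3      # AuthenticationChoice.sasl: [3] SaslCredentials SEQUENCE


def _int(n):
    """BER INTEGER contents for a non-negative n (a leading 0x00 keeps the sign bit clear)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def _tlv(tag, payload):
    """BER encode one tag/length/value triple (definite-length form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + payload


def _read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                              # long form: low bits = length of the length
        width = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    return tag, buf[pos:pos + n], pos + n


def build_bind(message_id, name, password=None, sasl_mechanism=None):
    """Constructed sample data: encode an LDAPv3 BindRequest, simple or SASL."""
    if sasl_mechanism is not None:
        auth = _tlv(AUTH_SASL, _tlv(OCTET_STRING, sasl_mechanism.encode()))
    else:
        auth = _tlv(AUTH_SIMPLE, (password or "").encode())
    op = _tlv(BIND_REQUEST, _tlv(INTEGER, _int(3)) + _tlv(OCTET_STRING, name.encode()) + auth)
    return _tlv(SEQUENCE, _tlv(INTEGER, _int(message_id)) + op)


def parse_bind(msg):
    """Classify a BindRequest: who the client claims to be and how it proves it.
    The password itself is never returned, only its length."""
    tag, body, _ = _read_tlv(msg)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, _message_id, pos = _read_tlv(body)
    tag, op, _ = _read_tlv(body, pos)
    if tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, _version, pos = _read_tlv(op)
    _, name, pos = _read_tlv(op, pos)          # DN, UPN or DOMAIN\user, exactly as the client sent it
    tag, auth, _ = _read_tlv(op, pos)
    info = {"name": name.decode(), "mechanism": None, "secret_len": 0}
    if tag == AUTH_SIMPLE:
        # RFC 4513: an empty password is an anonymous bind; otherwise the
        # credentials travel in the clear unless SSL/IPsec protects the channel
        info["method"] = "simple" if auth else "anonymous"
        info["secret_len"] = len(auth)
    elif tag == AUTH_SASL:
        _, mech, _ = _read_tlv(auth)
        info["method"], info["mechanism"] = "sasl", mech.decode()
    else:
        info["method"] = "unknown"
    return info


def audit_bind(msg, transport_encrypted, client):
    """Hypothetical policy hook (not a real AD/ADAM setting): reject a simple
    bind that carries a password over an unprotected channel and emit an
    audit line either way, so the offending clients can be found."""
    info = parse_bind(msg)
    unsafe = info["method"] == "simple" and not transport_encrypted
    mech = f"/{info['mechanism']}" if info["mechanism"] else ""
    line = (f"{'REJECT' if unsafe else 'ALLOW'} client={client} name={info['name']!r} "
            f"method={info['method']}{mech} encrypted={transport_encrypted}")
    return (not unsafe), line


if __name__ == "__main__":
    samples = [  # constructed messages; the 10.0.0.x clients are made up
        (build_bind(1, "user@domain.com", "hunter2"), False, "10.0.0.5"),
        (build_bind(2, "user@domain.com", "hunter2"), True, "10.0.0.5"),
        (build_bind(3, "", sasl_mechanism="GSSAPI"), False, "10.0.0.6"),
        (build_bind(4, "", ""), False, "10.0.0.7"),
    ]
    for msg, encrypted, client in samples:
        print(audit_bind(msg, encrypted, client)[1])
```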

Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-20 Thread Joe Kaplan

The only clean way to authenticate external users to SharePoint is
with a solution like ADFS and federated identity.  SharePoint doesn't
use LDAP internally for auth and you can't really make it.

Federation does give you the ability to have your external users use
their own organization's accounts to access your resources (SharePoint
in this case).

ADFS is non-trivial to set up, but it is the way that these things
will be done in the future.

Joe K.

On 9/19/06, Ramon Linan [EMAIL PROTECTED] wrote:


HI,

I have a SharePoint site for a client, it is driving me crazy because the
sales people are telling me that the users for this site can't have their
password expiring. The client is a government agency, so I don't want to be
responsible for any information being stolen.

How big of a security risk is not having passwords expire? It seems to me
like security 101, but the sales guy is saying that banks don't ask you to
change your password every X days, good point.


Something I was thinking is having SharePoint authenticating with their LDAP
server, is this possible to do? can anybody point to a url on how to do
this?

thanks

Rezuma



Re: [ActiveDir] Active Directory Cookbooks...

2006-09-16 Thread Joe Kaplan
I hope you aren't frustrated by the book being written in C# rather than 
VB.NET.  That rule was imposed by my coauthor and the publisher.  All of the 
code samples are re-written in VB.NET and posted on the website, so 
hopefully that works for you.


For the most part, the actual VB and C# code aren't very different 
(sometimes you just put a ; at the end of the line :)), so hopefully 
you'll be able to follow along with the gist of the C# in the book.


Someday I'd like to seriously tackle the .NET/scripting angle of DS 
programming by tackling all this stuff from the PowerShell perspective.  I 
think there's a huge audience for that in the future.  It will be 
interesting to see how that works out as well, since the scripting world is 
usually covered by other people (Joe, Robbie, Laura, etc.), but most of them 
haven't done .NET yet.  The theme of my talk at DEC was suggesting that all 
of the DS programmers will eventually end up in the .NET world, as that's 
where all of Microsoft's programming model investment is going.  Joe 
Richards will almost certainly be the last to go (unless he discovers how 
cool PowerShell really is and becomes addicted).


Joe K.

- Original Message - 
From: Richard Kline [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Saturday, September 16, 2006 8:03 AM
Subject: RE: [ActiveDir] Active Directory Cookbooks...


Please ignore this post:  I just read Joe's other note about
http://directoryprogramming.net/default.aspx

Sorry!   So much to read so little time...

Thanks!

-Original Message-
From: Richard Kline
Sent: Saturday, September 16, 2006 9:00 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Active Directory Cookbooks...

Altering the subject a mite:
I've not yet purchased these books and so am not completely familiar
with the content...

Does anyone have a recommendation for AD programming using .NET?
VB is my personal poison of choice.

VBS would probably suffice for my anticipated needs but I do wish to get
more fully familiar with the .NET workings

Thank you.

Richard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 15, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbooks...

If you mean you purchased Active Directory Second Edition... Ebay it and
just start reading the Third Edition, I made considerable changes
through it and not just for new stuff. The security and schema chapters
and most all of the scripts got massive work done to them to correct
issues, etc.

Now if you mean you bought the AD Cookbook Second Edition, I would
actually recommend reading Active Directory Third Edition first, then
reading the cookbook as it will make more sense. Alternately, don't read
the cookbook and just treat it as a cookbook where when you need to do
something, you look up the recipe.

 joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 14, 2006 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Cookbooks...

I have just purchased the 2nd one and will be on to the 3rd one as soon
as I have finished that...

Cheers,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 15/09/2006 03:14 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Active Directory Cookbooks...



Actually I did the Active Directory Third Edition. The Active Directory
Cookbook is in the Second Edition now and that was done by Laura Hunter.
My book you can find in my signature, the Cookbook you can find at


Re: [ActiveDir] Active Directory Cookbooks...

2006-09-16 Thread Joe Kaplan
Someday you need to take a spin through System.DirectoryServices.Protocols 
(.NET 2.0) in C# and see if you like it.  It is a direct interop layer over 
wldap32, exposing the entire feature surface.  It does impose an OO model on 
top of the API, but it is done in a very LDAP-centric way, using the 
connection as the core object and the metaphor of sending and receiving 
messages against that connection.  Everything translates directly to what is 
actually going on.  It is kind of the opposite of ADSI, in which the 
directory objects are the primary metaphor and all of the implementation 
details are buried in the abstraction.  I can totally see why you wouldn't 
want to release a tool based on it, as you take hard dependencies on .NET 
2.0 to use it, but one advantage is that you get free optimized X64 support 
with the same binaries.  :)  For your own stuff that never sees the light of 
day, it might be something you enjoy.


I totally hear you with PowerShell.  My take on it is that the actual core 
of PowerShell is revolutionary and an extremely powerful and well-designed 
thing.  It is also exceptionally harder to learn, so I think that is its 
greatest weakness.


The actual providers that plug into the core are going to be hit and miss 
most likely.  The Exchange stuff is certainly implemented as an extension 
and is not part of the core, so any suckiness in the Exchange programming 
model for PowerShell has to fall on the Exchange team and not reflect on 
PowerShell as a whole.  The Exchange team seems to have a glorious history 
of providing us with terrible APIs (CDOEXM, WebDav, etc.), so I'm not at all 
surprised to hear that their PowerShell implementation will miss the mark.


My solution to this is to always try to avoid having to program Exchange.  I 
didn't even mention it in my book.  :)


Joe K.

- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Saturday, September 16, 2006 11:33 AM
Subject: RE: [ActiveDir] Active Directory Cookbooks...



LOL.

I really actually like LDAP and Win32 API type coding. I do understand
though the draw for some folks for .NET. Just not for me, especially as I
play more and more in the FreeBSD space. ;)

ASP.NET I expect will be the first thing I go into when/if I make a step in
that direction. Something that is completely server side controlled.

I was into MONAD when it was first announced and very early in the
design/development/beta but they kept cutting back what they initially said
they were going to do with it and I ended up losing interest. I have fear in
how fat things are going to get with it. Certainly I am not thrilled with
the stuff being done in Exchange with it that I have seen/heard about. For
example, if I want a list of mailbox sizes of all mailboxes in an org you
need to pull back to the client running the script EVERYTHING about EVERY
mailbox. That may work in a small org but is not optimal in a large size
distributed environment. When I pointed that out I was simply told that is
the MONAD way... That isn't really encouraging for someone who normally
works on environments greater than 100k seats.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Saturday, September 16, 2006 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Cookbooks...

I hope you aren't frustrated by the book being written in C# rather than
VB.NET.  That rule was imposed by my coauthor and the publisher.  All of the
code samples are re-written in VB.NET and posted on the website, so
hopefully that works for you.

For the most part, the actual VB and C# code aren't very different
(sometimes you just put a ; at the end of the line :)), so hopefully
you'll be able to follow along with the gist of the C# in the book.

Someday I'd like to seriously tackle the .NET/scripting angle of DS
programming by tackling all this stuff from the PowerShell perspective.  I
think there's a huge audience for that in the future.  It will be
interesting to see how that works out as well, since the scripting world is
usually covered by other people (Joe, Robbie, Laura, etc.), but most of them
haven't done .NET yet.  The theme of my talk at DEC was suggesting that all
of the DS programmers will eventually end up in the .NET world, as that's
where all of Microsoft's programming model investment is going.  Joe
Richards will almost certainly be the last to go (unless he discovers how
cool PowerShell really is and becomes addicted).

Joe K.

- Original Message - 
From: Richard Kline [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Saturday, September 16, 2006 8:03 AM
Subject: RE: [ActiveDir] Active Directory Cookbooks...


Please ignore this post:  I just read Joe's other note about
http://directoryprogramming.net/default.aspx

Sorry!   So much

Re: [ActiveDir] ADSI programming

2006-09-15 Thread Joe Kaplan
Well, you don't need a .NET implementation of Python (which is what 
IronPython is) to use Python with ADSI.  Python already has COM support.  If 
one was interested in Python running on the CLR, then that would be the 
thing to check out, but I'm guessing the guy just wants to write some ADSI 
scripts, so the normal resources are appropriate (scripting center, AD 3rd 
edition, AD cookbook 2nd edition, etc.).


If he was actually interested in programming LDAP in .NET, I'd also 
recommend my book (www.directoryprogramming.net), but his scripting 
background suggests that he isn't going there (to me).  There is no mention 
of Python (or any language other than VB.NET, C++ or C# for that matter) in 
it.  :)


Joe K.

- Original Message - 
From: Matheesha Weerasinghe

To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 2:08 PM
Subject: Re: [ActiveDir] ADSI programming


I wonder whether ironpython http://www.ironpython.com/ is worth looking into 
in that case. I am no programmer but I have a hunch it might be to your 
liking.


Cheers

M@


On 9/15/06, Ramon Linan [EMAIL PROTECTED] wrote:
Hi,

I want to start programming in AD.

I have experience programming with Python, PHP and VBA.

Any suggestion on which language is more convenient to program with
ADSI?

I was going to use Python because it can be used on Windows, Mac or
Linux/Unix.


Thanks

Rezuma


Re: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Joe Kaplan
In addition to what everyone else has said, if there is an issue with SSL in 
Windows, you almost always get an error from schannel in the System event 
log on the machine that rejected the connection that explains exactly what 
the problem is (if you can figure out what it is telling you).


For example, if the problem is really an issue with the cert name not 
matching the URL host name, schannel will give you an error 0x80090322, 
which translates to "the target principal name is incorrect".  The details 
of the error will contain the certificate, which looks like a bunch of 
binary crap (it is), but probably contains readable strings containing the 
cert name.  You can usually deduce from there.


Another thing that is often helpful with SSL issues, especially if HTTPS is 
involved, is just to point IE at the same site.  If IE gives you a warning, 
the warning details will tell you exactly what the problem is in a 
friendlier way.  Warning in IE typically translates to failure when SSL 
is done programmatically, as most code errs on the side of caution and 
simply fails if everything isn't ok.  Also, the APIs that allow you to 
ignore the warnings are often not exposed anyway.  For example, ADSI and 
.NET S.DS don't allow you to ignore SSL/LDAP problems, but LDAP API and 
System.DirectoryServices.Protocols (.NET 2.0) do.  The LDAP error in this 
case is just "server not operational", which isn't too helpful.


Sometimes the IE trick doesn't work because IE and the code having the 
problem are executing in different security contexts/user profiles, so they 
have different configurations for certificate stores and private keys, but 
that should not be the issue with client code running in Outlook.


Ironically, I know that error code by heart (at least for this week) because 
I had that exact problem with an LDAP app earlier this week.  Apparently, 
someone had created a hosts file entry on one of two servers in a load 
balanced cluster that had the wrong IP address for one of our DCs. 
Nevermind that DNS resolved the name just fine, suggesting that the host 
file was not needed (beyond being a really bad idea in general).  Luckily, 
I've had so much fun with SSL on Windows over the years that I know most of 
the rules by heart now.  What took me an hour to troubleshoot had a medium 
sized team stymied for a few weeks.  :)  It is in this spirit that I try to 
provide as much detail here as I can.


Some other common SSL problems are cert expired, cert not yet valid and cert 
cannot be trusted.  Another can of worms is introduced if CRLs are checked 
(which we just discussed a little while ago).  A huge can of worms opens up 
when client certificates are involved.


Joe K.

- Original Message - 
From: Akomolafe, Deji

To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 8:18 PM
Subject: RE: [ActiveDir] RPC Over HTTPS Problem


In addition to what Robert is saying, take a look at 
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/0849cb53-f1f9-419b-bb74-82bc010e247f.mspx?mfr=true


There are many things that can be responsible for this failure, and you need 
to selectively eliminate each.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday? -anon




From: Robert Rutherford
Sent: Fri 9/15/2006 5:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RPC Over HTTPS Problem


Hi Ravi,

The certificate does need to match the name of the site... i.e.
mail.comp.com. If it doesn't then it won't work. There are numerous
reasons why it fails but that is the first.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331
F:+44 (0) 8456 440 332
M:+44 (0) 7974 249 494
E:[EMAIL PROTECTED]
W:www.quostar.com




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 16 September 2006 01:36
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] RPC Over HTTPS Problem

Hi Bob,

Can you please explain how it should be, because I think I have
something wrong here related to the certificate.

Thanks
Ravi Dogra


On 9/16/06, Robert Rutherford [EMAIL PROTECTED] wrote:

The usual issue with that is that the URL you are connecting to matches the
name on the cert.

This must match on internal and external, i.e. you must use split brain or
you must config your firewall to accept that connection on the WAN
interface.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331
F:+44 (0) 8456 440 332
M:+44 (0) 7974 249 494
E:[EMAIL PROTECTED]
W:www.quostar.com




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On 
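The checks behind the failures Joe lists above (cert name not matching the host name, cert expired, cert not yet valid), as an added example that is not code from the list, from schannel or from IE: a Python name-and-validity check over a certificate in the dict shape that `ssl.SSLSocket.getpeercert()` returns, reporting the reason the way IE's warning would. The certificate, host names and dates are constructed for the example.

```python
import ssl
import time

# Constructed sample in the shape ssl.getpeercert() returns; the names and
# dates are made up (mail.comp.com is the host name used in the thread).
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.comp.com"),),),
    "subjectAltName": (("DNS", "mail.comp.com"), ("DNS", "*.comp.com")),
    "notBefore": "Sep  1 00:00:00 2006 GMT",
    "notAfter": "Sep  1 00:00:00 2007 GMT",
}
# A moment inside the sample validity window, for the stand-alone run below.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 12:00:00 2007 GMT")


def _dns_names(cert):
    """Names the cert is valid for: SAN dNSName entries when present,
    otherwise the subject CN (the legacy fallback clients still apply)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a wildcard is only
    accepted as the whole leftmost label, matching exactly one label
    (so *.comp.com covers owa.comp.com but not a.b.comp.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def diagnose_cert(cert, hostname, now=None):
    """Return the reasons the certificate would be rejected for `hostname`
    at epoch time `now`; an empty list means the cert passes these checks.
    Trust-chain and CRL checks are a separate matter and not covered here."""
    now = time.time() if now is None else now
    problems = []
    names = _dns_names(cert)
    if not any(_name_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: cert is for {', '.join(names) or '(no name)'}, not {hostname}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


if __name__ == "__main__":
    for host in ("mail.comp.com", "owa.comp.com", "a.b.comp.com"):
        print(host, diagnose_cert(SAMPLE_CERT, host, SAMPLE_NOW) or "ok")
    print("two years later:", diagnose_cert(SAMPLE_CERT, "mail.comp.com", SAMPLE_NOW + 2 * 365 * 86400))
```

On a live connection Python's ssl module performs the same name check itself when `check_hostname` is set; this version only makes the reason visible, as IE's warning dialog does.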

Re: [ActiveDir] Handling different schemas - managing & maintaining updates

2006-09-13 Thread Joe Kaplan
I like this advice as well.  In terms of some of the nuts and bolts of how 
one might do this, as a software guy, I'm a huge proponent of source code 
control/configuration management systems and simple, text-based file formats 
for the stuff you stick in your source repository.  As such,  I believe LDIF 
files are the one true way to maintain your custom schema stuff.


The ADSchemaAnalyzer (usually associated with ADAM) is probably a useful 
tool for doing a lot of the compare and extract work here.


Joe K.

- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 13, 2006 8:37 AM
Subject: RE: [ActiveDir] Handling different schemas - managing & maintaining updates



Without wishing to appear facetious :) - I would suggest if the company 
follows ITIL practices then they already have a change mgmt and config mgmt 
process and/or system which helps achieve your goal.


As far as best practices are concerned, I would aim for a 'core' schema 
config which is present in all instances of ADAM or AD schemas but manage 
differences via the ITIL framework (mentioned above).


neil





Re: [ActiveDir] Secure LDAP queries from the outside -- problem solved

2006-08-23 Thread Joe Kaplan
It actually depends on the policy defined for the SSL stack.  In Windows, 
this is typically configured globally for all SSL, although I'm not sure 
where.  It definitely used to be the case in Windows that CRLs were never 
checked, but I have seen some other SSL stuff with HTTP actually checking 
the CRL on 2K3 servers.


It is also possible in SSPI with Schannel to ignore specific conditions, so 
this could be something that is ignored in the default LDAP SSL routine in 
Windows, but I doubt it.  The callback function for server certificate 
verification will give you the error code if there is a problem and the 
client can then deal with it as it sees fit.


CRLs can definitely be trouble though.  They are by far the most vexing 
thing to troubleshoot in SSL, and PKI in general.


Joe

- Original Message - 
From: Thommes, Michael M. [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 23, 2006 8:37 PM
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved



Hi joe,
   The CRL location is *not* available from the outside.  And since neither 
adfind, ldp or Outlook Express seemed to care, I am guessing that not many 
(any?) tools require it.  Kinda makes ya wonder why you would have it if 
it's not used.  Sorta like not using the book of bad credit card numbers 
when someone handed you a credit card!  (maybe some of you are old enough to 
remember this safeguard before there were computers everywhere!  LOL!).


Mike Thommes



From: [EMAIL PROTECTED] on behalf of joe
Sent: Wed 8/23/2006 7:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved



Cool, is the CRL available from the outside at all? I am really curious if 
that is truly needed from the client when using LDAPS, it doesn't seem to be 
needed but my testing has been far from perfect in that regard.


 joe

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm






From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.

Sent: Wednesday, August 23, 2006 8:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved




Thanks to all who responded!  The problem was solved by installing our local 
root CA cert on the outside computer since we are rolling our own and 
not using one of the well known CAs (Trusted Root Certification 
Authorities).




Mike Thommes





From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.

Sent: Tuesday, August 22, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside



Hi Robert,

   Yes, the command is *exactly* the same.  We are thinking that our CRL 
location is not available outside of the firewall.  We generate our own 
certificates; we don't use a well known provider.




Mike Thommes





From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert

Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside



Hey Mike,



When you say "It works fine behind our firewall", are you meaning that the 
*exact same* command line works and you get the object returned?




I tried using adfind to connect to my test DC using port 636 and got the 
exact same error...but I don't have a cert installed on my DC so I'd expect 
mine not to work.


Robert Williams



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.

Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside



Hi,

  We are trying to set up secure LDAP queries from the outside to AD for 
pulling email addresses but are running into an issue.  Port 636 has been 
opened up to our DCs but we get a 0x51 error like the one shown below in 
this example of using adfind:




adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up *  -default -nodn -f 
sn=thommes extensionAttribute2




AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005



LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down

Terminating program.



(extensionAttribute2 is used for email address)



Portqry shows that the DC is listening on port 636.  Using ldp, the bind 
operation seems to want to default to port 389 (which is not open).




It works fine behind our firewall.  Is there some other port that needs to 
be open (besides 389)?  Or maybe some security feature (we are running 
w2k3/sp1 on our DCs) that is getting in the way?  Any help is appreciated!




TIA,

Mike Thommes






Re: [ActiveDir] UAC Question

2006-08-21 Thread Joe Kaplan
That's a good explanation.  I don't see how you can lock them out 
programmatically though.  The mechanism just isn't designed to do that. 
You'd have to force bad auth attempts on them constantly.


If you can't disable the AD account, what if you expired it?  That would 
prevent login too, right?  You could just set the expiration date back to an 
unexpired value when you need to.


Just a thought...

Joe K.
- Original Message - 
From: David Aragon

To: ActiveDir@mail.activedir.org
Sent: Monday, August 21, 2006 3:14 PM
Subject: RE: [ActiveDir] UAC Question


I think I need to expand the picture here to provide more clarity.  At the 
top of our tree we have openLDAP which we refer to as the Enterprise and 
which is the authoritative source for all credentials.  That feeds several 
sub-systems, including Active Directory, email, SMB, etc.  We have 
internally developed connectors to provide each sub-system the appropriate 
user information including passwords (when required by that sub-system). 
This has afforded us a working single sign-on for multiple platforms 
(Windows, MAC, Linux).  Users can go to any computer, any platform, and 
their credentials are valid (though there might be local restrictions). 
Users go to a single point to change their password and that change is then 
appropriately encrypted and transmitted to each sub-system in a form that is 
best for that sub-system.  This all works quite well, however, because of 
this we cannot change the user's password in AD without causing a break 
between the Enterprise and AD user objects.  Forcing a change in the 
password of a user object at the Enterprise level would cut the user off 
from their email, personal network shares, etc.


A couple of years ago the telephony group paid a LOT of money for this 
software (let me repeat here that I was not involved until recently).  A few 
months after the purchase, the company was bought by a larger company who 
apparently didn't bother keeping any of the original developers, 
programmers, etc. though they continue to support the software.  We have 
been told on numerous occasions, however, that because we have an 
unconventional setup, we are virtually on our own and no one wants to cough 
up another big chunk of money to replace the software.  The software 
requires a voice mailbox be tied to an Active Directory user account, but 
once created, the only check that is made is if the AD user account is 
enabled or disabled.


I recently complained that we were leaving a possible security hole by not 
doing something with these accounts and, as typically happens, I was tasked 
with coming up with an appropriate solution.  At the time, it seemed the 
easiest path to follow would be to set the account lockout which would 
prevent the user from logging into the vast majority of systems, but still 
allow them the ability to get their email (from off campus), vm (from off 
campus or on campus), etc.  This is still the path I'm pursuing.


David Aragon





From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido

Sent: Monday, August 21, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] UAC Question


Adding a dummy workstation will hinder the user from logging on interactively - 
this could be all you want to achieve. But it won't hinder network logons - 
this may be undesired.


Another thought - if the users aren't really using their AD account, couldn't 
you just change the PW to some complex dummy pwd? This would ensure that the 
user wouldn't be able to use the account for any AD authentication - until 
they come back from their sabbatical and the helpdesk resets the pwd for 
them.


Also, I'd check with the application vendor, if you can't configure it to 
use an attribute other than the disabled flag to see if the account should 
be voicemail enabled or not.  This would give you much more granular control 
over the matter - you could disable the AD account (which it seems is really 
what you want to do) while still leaving the voicemail intact.



/Guido

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick

Sent: Monday, August 21, 2006 6:57 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] UAC Question

Why are the last two groups treated differently than the others?

You may want to consider a different approach, such as changing to the 
workstations that they can logon to or expiring the account.



On 8/21/06, David Aragon [EMAIL PROTECTED] wrote:
Al,

Thank you for your response, I will try to elaborate, but first, let me 
start by saying that I was not invited to participate in this application's 
selection, testing, or acceptance.  One day it just showed up.


That said ...

The software we use for VOIP uses its own db for storing messages.  It was 
supposed to be AD aware.  It's not.  It is (barely) LDAP aware.  I've found 
that when a user checks their voice mail (after they enter in their pass 
code) the 

Re: [ActiveDir] Single Space in LDAP query dropped: Why?

2006-08-18 Thread Joe Kaplan
I'm pretty sure that's part of the RFC spec.  A space at the beginning or 
end of a query value will be ignored.  Your space in this example would be 
both.  Did you try escaping it to see if that works?


Joe Kaplan
- Original Message - 
From: Jef Kazimer

To: ActiveDir@mail.activedir.org
Sent: Friday, August 18, 2006 12:15 AM
Subject: [ActiveDir] Single Space in LDAP query dropped: Why?


I had posted this today, and I was curious if anyone knew why an LDAP filter 
drops the query when searching for a single space value?  Though I was using 
Joe's ADfind, I did have the same results in ADSIedit, and thought someone 
better than I may know why.  It's not really a problem, just a curiosity.


Thanks,

Jef


http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!642.entry

LDAP queries are spaced out...
I was looking at a metaverse object in MIIS today and noticed some admin had set 
the mail attribute to a single SPACE ( ) character.  The Metaverse is stored 
in a SQL server, so naturally the query structure is different than any 
constraints of LDAP.
I wanted to discover how many other user objects had the same issue, so I 
decided to pull out ADfind and issue this command:

ADFIND -H MYSERVER -DEFAULT -F (&(objectCategory=person)(mail= )) -C
0 found
OK, so I thought it was my lack of quoting and tried:
ADFIND -H MYSERVER -DEFAULT -F (&(objectCategory=person)(mail=' ')) -C
0 found
Since it's command line I was sure that the quoting would encapsulate it 
correctly, so I figure it is being stripped out by the LDAP query (I made 
this same query in ADSIedit and LDP with no luck), so perhaps there is an 
escape character for such a thing.   I have done many queries with filters 
like description=The Man, and the space was interpreted correctly.  Yet it 
seems a single space, by itself, is not passed to the query correctly.
So I check out the uber friendly RFCs and find escape characters for types 
such as * and NUL, but really no mention of a single space as anything 
special.  I checked the LDAP V3 RFC as well for any real mention of when 
a single space is dropped from the query, finding nothing related.
Fortunately, using the escaped sequence in the query (mail=\20) to 
represent a space worked just fine and returned the object I was looking 
for.

ADFIND -H MYSERVER -DEFAULT -F (&(objectCategory=person)(mail=\20)) -C
48 found
So LDAP filters can contain spaces as the value being queried for, but 
cannot be a single space without using an escape sequence to represent the 
value.
I suppose it's kind of silly, but I had never really looked for such an 
occurrence before, so it was an interesting learning experience. 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Single Space in LDAP query dropped: Why?

2006-08-18 Thread Joe Kaplan
That's a much more thorough explanation than mine.  :)  I was too lazy to 
even dust off the RFC URL.


Joe K.
- Original Message - 
From: joe

To: ActiveDir@mail.activedir.org
Sent: Friday, August 18, 2006 7:40 AM
Subject: RE: [ActiveDir] Single Space in LDAP query dropped: Why?


Yeah this is a fun one.

It isn't whether there is just a space, it is whether there is a leading space. A 
leading space must be escaped; otherwise it (and any other leading spaces) will 
be trimmed.


There are also various oddities around trailing spaces depending on the 
attribute type where there are times it and actually all whitespace should 
be trimmed (IMO) but isn't. I have brought this up to MSFT in the past and 
the responses seemed a little inconsistent but they currently seem to feel 
everything is as it should be. There were some changes I have seen from 2K 
to K3. I want to say the Boolean types are some of the more frustrating 
pieces. You consider that you can only have either TRUE or FALSE, the 
software should be smart enough to trim the spaces but possibly that would 
be inconsistent with other directory implementations but then, that happens 
for quite a few things so why not there too?


The actual LDAP client-side API does the cleanup; if you look at the trace 
you will see the filter has been cleaned up, so the server never even sees 
the actual query that was submitted. If there is nothing but a space, the 
local client will kick back the filter and indicate a filter error. If there 
was something more than the space it will be submitted without the space.


 joe

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm









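Jef's two filters and joe's explanation of the leading-space trim, as an added Python example that is not from the thread and not AdFind's code: it escapes filter assertion values per RFC 2254 (now RFC 4515), treats leading and trailing spaces as the special case, and builds the (mail=\20) filter from the raw value. Function names are this example's own.

```python
# Added example: RFC 2254 (now RFC 4515) filter-value escaping, written to show why
# (mail= ) finds nothing while (mail=\20) finds the single-space values.
# Not AdFind's code; function names are this example's own.

# Characters that must be escaped wherever they appear inside an assertion value.
_ALWAYS_ESCAPE = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def _escape_char(ch: str) -> str:
    """Escape one character; controls and non-ASCII become \\XX per UTF-8 byte."""
    if ch in _ALWAYS_ESCAPE:
        return _ALWAYS_ESCAPE[ch]
    if ord(ch) < 0x20 or ord(ch) > 0x7E:
        return "".join(f"\\{b:02x}" for b in ch.encode("utf-8"))
    return ch


def escape_filter_value(value: str) -> str:
    """Escape a filter assertion value.

    Interior spaces ("The Man") are legal as they are.  Leading and trailing
    spaces are written as \\20 because the client-side LDAP API trims them
    before the filter reaches the server (joe's point above): (mail= ) is
    rejected or sent without the space, (mail=\\20) arrives intact.
    """
    core = value.strip(" ")
    if core == "":                       # nothing but spaces: escape every one
        lead, trail = len(value), 0
    else:
        lead = len(value) - len(value.lstrip(" "))
        trail = len(value) - len(value.rstrip(" "))
    body = "".join(_escape_char(ch) for ch in core)
    return r"\20" * lead + body + r"\20" * trail


def unescape_filter_value(escaped: str) -> str:
    """Inverse of escape_filter_value: decode every \\XX hex escape byte-wise."""
    buf = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] == "\\":
            buf += bytes.fromhex(escaped[i + 1:i + 3])
            i += 3
        else:
            buf += escaped[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")


def equality(attr: str, value: str) -> str:
    """(attr=value) with the value escaped."""
    return f"({attr}={escape_filter_value(value)})"


def and_filter(*items: str) -> str:
    """Join filter items under the & operator."""
    return "(&" + "".join(items) + ")"


def single_space_mail_filter() -> str:
    """The filter Jef needed, built from the raw value instead of hand-escaped."""
    return and_filter(equality("objectCategory", "person"), equality("mail", " "))


if __name__ == "__main__":
    print(single_space_mail_filter())  # (&(objectCategory=person)(mail=\20))
```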


Re: [ActiveDir] Single Space in LDAP query dropped: Why?

2006-08-18 Thread Joe Kaplan

Me too.  I was that lazy. :)

Joe Kaplan
- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, August 18, 2006 5:46 PM
Subject: RE: [ActiveDir] Single Space in LDAP query dropped: Why?



I have it bookmarked. :)

LDAP V3 - http://www.faqs.org/rfcs/rfc2251.html
LDAP Attribute Syntax - http://www.faqs.org/rfcs/rfc2252.html
LDAP DN representation - http://www.faqs.org/rfcs/rfc2253.html
LDAP Search Filters - http://www.faqs.org/rfcs/rfc2254.html
LDAP URL Format - http://www.faqs.org/rfcs/rfc2255.html
LDAP V3 X500 User Schema - http://www.faqs.org/rfcs/rfc2256.html





Re: [ActiveDir] use of < > in DN and CN

2006-08-15 Thread Joe Kaplan
The < and > characters are used in a DN to implement platform-specific DN 
syntaxes.  Microsoft uses them for implementing the GUID and SID DN 
syntaxes, which look like this:


<GUID=f2c76527-dbb5-4826-94e4-488743d82b69>
<SID=S-1-427139602-4143570898-3002774972-1124764024-1874728375-2129772970>

These can be used interchangeably in LDAP with the normal DN, as they are 
just different versions of the same thing.


It may be possible to escape these characters by using the hex value, but I 
think you would be best off if you didn't include them at all.  You will 
just be opening yourself up to a world of programming misery when you have 
to deal with the objects you have created.  Run away!  :)


Joe K.
- Original Message - 
From: Fowler, Otto (GE Indust, GE Fanuc)

To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 15, 2006 1:15 PM
Subject: [ActiveDir] use of < > in DN and CN


Is the use of < and > restricted/illegal in AD?
Even escaped there are attribute errors with ldifde.

Thanks 


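The RFC 2253 escaping Joe alludes to, as an added Python example that is neither ldifde's nor AD's code: it escapes the < and > characters (and the other RFC 2253 specials) inside an RDN value, splits such a DN back apart, and recognises the bracketed <GUID=...> and <SID=...> forms Joe describes. Function names are this example's own.

```python
# Added example: RFC 2253 escaping for the '<' and '>' question, plus recognition
# of the <GUID=...>/<SID=...> forms Joe describes.  Not ldifde's or AD's code;
# function names are this example's own.
import re

# RFC 2253 section 2.4: characters that need a backslash anywhere in a value.
_DN_SPECIAL = set(',+"\\<>;')
# AD accepts these bracketed forms wherever a DN is expected.
_BIND_FORM = re.compile(r"^<(GUID|SID)=([^>]+)>$", re.IGNORECASE)


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value for embedding in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:              # leading '#' would read as a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):      # outer spaces would otherwise be trimmed
            out.append("\\ ")
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:  # control/non-ASCII: \XX per UTF-8 byte
            out.append("".join(f"\\{b:02X}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def unescape_dn_value(escaped: str) -> str:
    """Inverse of escape_dn_value."""
    buf = bytearray()
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch == "\\":
            nxt = escaped[i + 1]
            if nxt in _DN_SPECIAL or nxt in " #":
                buf += nxt.encode("utf-8")
                i += 2
            else:                               # \XX hex byte
                buf += bytes.fromhex(escaped[i + 1:i + 3])
                i += 3
        else:
            buf += ch.encode("utf-8")
            i += 1
    return buf.decode("utf-8")


def build_dn(rdns) -> str:
    """rdns: (attribute, value) pairs, leaf first, e.g. [("CN", ...), ("DC", ...)]."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


def split_dn(dn: str):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.
    Multi-valued RDNs joined with '+' are not split further."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\":                       # keep the escape pair together
            cur.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur))
    out = []
    for p in parts:
        attr, _, val = p.partition("=")
        out.append((attr, unescape_dn_value(val)))
    return out


def classify(name: str) -> str:
    """'guid' or 'sid' for the bracketed forms, otherwise 'dn'."""
    m = _BIND_FORM.match(name)
    return m.group(1).lower() if m else "dn"
```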


Re: [ActiveDir] MS Schema GUIDS different from my Forest to MSDN

2006-08-15 Thread Joe Kaplan
objectGUID and schemaIDGUID are not the same thing.  objectGUID will always 
be randomly generated when an object is created and will differ between 
different forests for schema.  schemaIDGUID can and usually is (at least for 
schema from MS) set when the object is created, so those tend to be the same 
between all installations*.


Did you look at the schemaIDGUID attribute to compare there?

Joe K.

* If schemaIDGUID isn't specified at create time, AD and ADAM will happily 
create a random one for you.  It is generally considered to be a best 
practice to specify the schemaIDGUID though so that it can be published as a 
static value.  Letting the directory create it for you is generally 
considered hackish.
- Original Message - 
From: Bernier, Brandon (.)

To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 15, 2006 4:26 PM
Subject: [ActiveDir] MS Schema GUIDS different from my Forest to MSDN




Answer to my question below: I'm missing an ACE for ms-DS-Az-Admin-Manager. 
but what's interesting is that I'm using the Schema GUID from MSDN and for 
some reason that different from what I have in production (verified using 
ADFind to dump all the Classes ObjectGUID in the Schema). I asked someone 
who implemented the Schema here why and they said they ran across the same 
issue and it was told it wasn't a big deal...I disagree, since if that was 
the case my code would be working and this note wouldn't exist. Anyone seen 
this before?

-Brandon



_
From:   Bernier, Brandon (.)
Sent:   Tuesday, August 15, 2006 1:24 PM
To: 'ActiveDir@mail.activedir.org'
Subject:ADSIEdit unable to enumerate list of objects that a group 
can create



OK..I'm probably doing something silly here but I need more insight on how 
ADSIEdit enumerates what object types you can create..
The scenario is I have 1 OU and in that OU I have a Group that I've ACL'd to 
create/delete ms-DS-Az-Admin-Manager objects and mod some attributes on it 
in that OU . So I bind up as a User in this Group using ADSIEdit and try to 
create a instance of this object, well that list is empty..so I can't create 
jack. What am I missing? I'll write a quick little VBScript to test that 
out, but in the meantime what gives? Thanks!

-Brandon




Re: [ActiveDir] Replication from ASP

2006-08-04 Thread Joe Kaplan
FWIW, Bryan and I have been discussing this offline and it looks like he's 
using ASP.NET 2.0, not ASP.  In .NET 2.0, replication operations are exposed 
on the DomainController class in the 
System.DirectoryServices.ActiveDirectory namespace.  No need for goofy 
shelling out to repadmin.  The .NET wrappers consume the replication RPC 
APIs directly.


Joe K.
- Original Message - 
From: Lucas, Bryan

To: ActiveDir@mail.activedir.org
Sent: Monday, July 31, 2006 4:12 PM
Subject: [ActiveDir] Replication from ASP


Does anyone know how I force replication through ASP 2.0?

My DC's are all local (no WANs) and 2003 SP1.

I have a web page that does account creation and then points the user to a 
portal which attempts to authenticate against AD.  The portal software 
(Peoplesoft) can only attempt against a single DC, so if that user didn't 
create his account there it doesn't work right away.


Bryan Lucas
Server Administrator
Texas Christian University




Re: [ActiveDir] Potentially useful tool and sample posted on my blog

2006-08-03 Thread Joe Kaplan

Haven't tried it--I don't have any other LDAP servers around that
support SSL to play with.  :)

I know for sure that the part about enumerating the domain controllers
won't work.  You'd need to supply the list of server names a different
way.  However, the actual bind/SSL stuff should work fine.  I think
my code assumes LDAP V3, but that's a pretty good assumption in most
cases (and easy to change in the code too).

Feel free to pass it along.  The source is easy to modify.

Joe


On 8/3/06, Brian Desmond [EMAIL PROTECTED] wrote:

Have you tested against other LDAP systems (like SunONE)? Have a client who 
encountered this little issue.

Thanks,

Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday, August 03, 2006 8:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Potentially useful tool and sample posted on my blog


Hi all,

My blog (http://www.joekaplan.net/) has a new article 
(http://www.joekaplan.net/Example1ForSDSPSSLCertificates.aspx) posted that may 
be of potential interest to some of you.  I mention this here for three reasons:

1) I just started blogging, and some of you who are blog fans may find that 
interesting in and of itself.  I'm mainly writing about the stuff I'm good at, 
namely .NET directory services programming, Windows security and (now) ADFS.

2) The article in question is part of a series that explains the differences of the two 
LDAP stacks in .NET (the ADSI one and the new LDAP API-based one) and shows 
examples of stuff that actually requires the lower level protocol, since they have a lot 
of overlap in functionality and it isn't always easy to know when you need the big guns!  
This topic is marginally relevant to scripters too since they are basically limited to 
what ADSI gives them, unless they are wrapping joeware tools.  :)

3) The article actually provides a working sample of something that might help 
some of you get real work done and isn't easy to do otherwise.

For those not at all interested in the first 2 points, here's the skinny.  The 
tool is a simple command line app that allows you to enumerate the domain 
controllers in a domain (specified on the command line) and make an SSL LDAP 
connection to each one.  It then grabs the server's certificate and prepares a 
list of their expiration dates.  When it is done, it dumps out the certificates 
in order of expiration.

This sort of thing is most helpful to those of you who use SSL LDAP and have 
third-party (non MS CA) certificates that require manual renewal and such (such 
as our organization).  This may help prevent unpleasant application 
outages due to forgetting to renew a certificate in a timely fashion (not that 
such a thing has ever happened in our organization...cough...).  The tool is 
also multithreaded, so that it attempts to connect to many domain controllers 
simultaneously, making it vastly faster than something that processed the list 
serially.

It is not a particularly robust tool with nice error messages and hand-holding.  It is not 
joeware quality, and is more of a scripting sample that demonstrates a 
technique.  However, it may still be useful as is.  It does require .NET 2.0 (as that was what this 
was about in the first place).  You can run it on any machine you want.  I'm pretty sure it doesn't 
even need to be domain joined.  Source and binary in the download.

Let me know what you think.

Joe K.


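The scan Joe's tool performs, as an added Python example rather than Joe's .NET code: connect to each host over TLS in parallel, verify the chain against the internal root CA (the fix from the "Secure LDAP queries from the outside" thread above), and rank the server certificates by expiry. It assumes the caller supplies the DC host list and a cafile path; DC enumeration is left out, as Joe notes that part of his tool is AD-specific. Function and class names are this example's own.

```python
# Added example, in Python rather than Joe's .NET: connect to each DC over TLS
# in parallel, verify the chain against the internal root CA (the fix from the
# "Secure LDAP queries from the outside" thread), and rank leaf certificates by
# expiry.  The caller supplies the DC host list; names here are this example's own.
import socket
import ssl
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class CertInfo:
    host: str
    not_after: Optional[datetime]        # None when the handshake failed
    error: Optional[str] = None


def fetch_cert_info(host: str, port: int = 636, cafile: Optional[str] = None,
                    timeout: float = 5.0) -> CertInfo:
    """TLS-connect to host:port, verify the chain and read the leaf's notAfter.

    cafile is the PEM of the internal root CA.  Without it an internally issued
    certificate fails verification; an LDAP client surfaces that as a bind
    failure (the 0x51 "Server Down" in Mike's thread), not as a certificate error.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # None = system trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()      # populated only after verification
        seconds = ssl.cert_time_to_seconds(cert["notAfter"])
        return CertInfo(host, datetime.fromtimestamp(seconds, tz=timezone.utc))
    except (OSError, KeyError) as exc:        # ssl.SSLError is an OSError subclass
        return CertInfo(host, None, f"{type(exc).__name__}: {exc}")


def rank_by_expiry(infos, now: Optional[datetime] = None):
    """Soonest-expiring first, failed connections last; returns (info, days_left) pairs."""
    now = now or datetime.now(timezone.utc)
    good = sorted((i for i in infos if i.not_after is not None), key=lambda i: i.not_after)
    failed = [i for i in infos if i.not_after is None]
    return [(i, (i.not_after - now).days) for i in good] + [(i, None) for i in failed]


def expiring_within(ranked, days: int):
    """Hosts whose certificate expires within `days` (or already has)."""
    return [i.host for i, left in ranked if left is not None and left <= days]


def scan(hosts, port: int = 636, cafile: Optional[str] = None, workers: int = 16):
    """Joe's multithreaded pass: all hosts at once, then one ranked list."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        infos = list(pool.map(lambda h: fetch_cert_info(h, port, cafile), hosts))
    return rank_by_expiry(infos)


if __name__ == "__main__":
    import sys
    for info, left in scan(sys.argv[1:]):
        print(info.host, info.not_after, left, info.error)
```

Failed connections (untrusted CA, closed port, timeout) are kept in the list with their error text rather than dropped, so a DC that cannot be checked is visible instead of silently missing.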


Re: [ActiveDir] Potentially useful tool and sample posted on my blog

2006-08-03 Thread Joe Kaplan
There's actually other stuff you can do with MOM.  I'm not sure exactly how 
our MOM AD guy does it, but he has MOM set up to alert him when the local 
cert on the DC is getting close to expiration.  If you are curious, I'll ask 
him.


This tool is more useful for getting a snapshot of the whole domain quickly 
from one place.  Both are useful.  It is also nice for us because we don't 
run MOM in the dev forest, but the certs still expire there too and wreak 
havoc on the dev and staging apps.


I'd love to see what you do with it in any case.

Joe K.
- Original Message - 
From: Brian Desmond [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 11:02 PM
Subject: RE: [ActiveDir] Potentially useful tool and sample posted on my 
blog



I might improve it a bit to work with other sources and run on a timer
with email or perhaps integrate with MOM.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132




Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-02 Thread Joe Kaplan
We actually use a script at work after having tried a few products and 
having terrible performance problems.  If you are interested, I'll ping one 
of the exchange guys and see if he can provide a little direction.


Once you actually get it working from a plumbing standpoint, the script 
itself is actually a bit trickier to implement than the trivial sample MS 
shows.  You have to decide if you are going to put HTML into HTML body 
parts, text into text body parts, both into messages that have both, and 
what to do about signed messages, as the disclaimer will change the data and 
invalidate the digital signature.  You also need to be careful you don't 
screw up the encoding of messages in non-ASCII or ISO-8859-1 character sets. 
You can also decide if you want to add the disclaimer to messages that 
already contain it (sometimes mail routing may cause a message to hit the 
sink more than once) or not, and if you care about that, how do you decide 
if the disclaimer is in there?  :)


Ours still has some issues with a few of these points, but some of the 
problems were too tough to deal with for the people who were trying to solve 
them, so they just slid.


Joe K.
- Original Message - 
From: Bart Van den Wyngaert [EMAIL PROTECTED]

To: ActiveDir ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 3:41 PM
Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box



Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
I'm using the EventSink with a .vbs to add the disclaimer. The box is
configured with a default SMTP server and a SMTP connector which
forwards all external email to the SMTP of the ISP.

Anybody who has done the trick already? If so, can you please tell me
the little secret for this? *g*

Many thanks to all,
Bart
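Joe's list of pitfalls, as an added Python example that is neither the script his organisation runs nor Microsoft's event-sink sample: it stamps text and HTML body parts separately, leaves signed mail alone, keeps each part's own charset, and uses a sentinel sentence to avoid stamping a message a second time. The disclaimer wording and the two sample messages are constructed.

```python
# Added example for the pitfalls Joe lists: text vs HTML body parts, signed mail,
# non-ASCII charsets and a message hitting the sink twice.  Not the script his
# organisation runs nor Microsoft's sample; disclaimer text and messages are constructed.
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# The first sentence doubles as the "is it already in there?" marker.  A body marker
# survives hops that strip custom headers, which an X- header would not.
SENTINEL = "This e-mail and any attachments are intended solely for the addressee."
DISCLAIMER_TEXT = SENTINEL + "\nIf received in error, notify the sender and delete it."
DISCLAIMER_HTML = ('<p class="disclaimer">' + SENTINEL +
                   "<br>If received in error, notify the sender and delete it.</p>")
# Any of these means a signature covers the body; editing it would invalidate the signature.
SIGNED_TYPES = {"multipart/signed", "application/pkcs7-mime", "application/x-pkcs7-mime"}
BODY_CLOSE = re.compile(r"</body>", re.IGNORECASE)


def _stamp(body: str, subtype: str) -> str:
    if subtype == "html":
        m = BODY_CLOSE.search(body)
        if m:                                 # keep the block inside <body> so it renders
            return body[:m.start()] + DISCLAIMER_HTML + "\n" + body[m.start():]
        return body.rstrip("\r\n") + "\n" + DISCLAIMER_HTML + "\n"
    return body.rstrip("\r\n") + "\n\n" + DISCLAIMER_TEXT + "\n"


def add_disclaimer(msg: EmailMessage) -> str:
    """Stamp msg in place; returns 'signed', 'added', 'present' or 'no-body'."""
    if any(p.get_content_type() in SIGNED_TYPES for p in msg.walk()):
        return "signed"
    added = present = 0
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() == "attachment":
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if SENTINEL in body:                  # same message routed through the sink again
            present += 1
            continue
        subtype = ctype.split("/", 1)[1]
        new_body = _stamp(body, subtype)
        # Keep the part's own charset; switch to UTF-8 only if it cannot hold the disclaimer.
        charset = part.get_content_charset() or "us-ascii"
        try:
            new_body.encode(charset)
        except (UnicodeEncodeError, LookupError):
            charset = "utf-8"
        part.set_content(new_body, subtype=subtype, charset=charset)
        added += 1
    if added:
        return "added"
    return "present" if present else "no-body"


def load(raw: str) -> EmailMessage:
    return message_from_string(raw, policy=default)


# Constructed sample: multipart/alternative with Latin-1 bodies in quoted-printable.
SAMPLE = """\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Bonjour, caf=E9 demain?
--b1
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html><body><p>Bonjour, caf=E9 demain?</p></body></html>
--b1--
"""

# Constructed sample: S/MIME detached signature, which must be left untouched.
SIGNED_SAMPLE = """\
Subject: signed sample
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="s1"

--s1
Content-Type: text/plain

Signed body.
--s1
Content-Type: application/pkcs7-signature; name="smime.p7s"

AAAA
--s1--
"""
```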


Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-02 Thread Joe Kaplan
Sure, I saw the message and remembered that we were still using a disclaimer 
script for this, so I thought I'd offer some help, but a word of caution 
about the fact that the script can get tricky.


With only that many users, many of those problems might never show up.  We 
have a few more users than that (ok, 4 orders of magnitude!), so we see a 
lot of weird stuff that is hard to even imagine when you are testing the 
code.  :)


The product is probably a better choice, especially if it is cheap.

We really did try to buy a product to do this as we wanted more features and 
fewer problems (or someone else to blame them on), but only the script had 
reasonable performance.  Everything else brought our gateways to their knees 
and had to be disabled.  I was shocked by this actually.  :)


Joe K.
- Original Message - 
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 9:24 PM
Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box


This is an SBS box. we may have performance problems.. but it's 
certainly not caused by a SMTP sink event on that Exchange server  ;-) 
Remember at the most we're only hosting 75 users/devices on that server 
with a max of 75 gigs (remember no snickering from the Enterprise folks) 
of Store.


(and reading his message.. see why I went with Policypatrol?




--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I 
will hunt you down...

http://blogs.technet.com/sbs



Re: [ActiveDir] Managing Third-Party Users

2006-07-25 Thread Joe Kaplan
Laura, I'm with you on voting for some sort of SAML protocol support.  I'm 
pretty sure that there will be a boom in WS-Federation usage in the field 
now that ADFS is out, simply due to the fact that AD has significant market 
share, ADFS is really cheap compared to most offerings, and it is pretty 
easy to get up and running with no code.


Still, there will be plenty of SAML protocol implementations out there, and 
being able to interop with them would be nice.  At this point, we are 
looking at implementing a whole other separate product just to get this as 
we are sure we'll need it for some scenarios.


I'd even be happy with some sort of middleware or add-on module or 
something, but I'd really like to manage just one trust policy and deploy 
one infrastructure.


Joe
- Original Message - 
From: Laura A. Robinson [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 25, 2006 2:48 PM
Subject: RE: [ActiveDir] Managing Third-Party Users


ADFS, at this time, is able to consume SAML 1.1 tokens. It does not,
however, fully support either the SAML 1.1 or 2.0 specifications. ADFS does
not currently construct SAML 1.1 or 2.0 tokens, does not support the rest of
the SAML specifications and does not support consumption of SAML 2.0 tokens.

Having said that, I have been having many discussions with the ADFS product
group on this one for some time and would welcome any input from this list's
participants regarding their thoughts on the subject of whether or not SAML
support is important in ADFS. If you would prefer to e-mail me your thoughts
off-list, please feel free to do so. This is going to wreck my stealth-mode
perusal of this list, but you can send your thoughts to
[EMAIL PROTECTED] and I will collect the feedback and pass it on to Don
Schmidt, with whom I've had a running dialog on this subject for some months
now.

With all that said, any opinions I express are mine and mine alone, do not
reflect the opinions of my employer, etc., yada, yada, yada. :-)

Thanks,

Laura


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, July 25, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Managing Third-Party Users

As far as I know, it's partners accessing our resources.
Regarding ADFS, I thought it supported SAML 1.1?

:m:dsm:cci:mvp | marcusoh.blogspot.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Monday, July 24, 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Managing Third-Party Users

There are a bunch of products in this space.  The two primary
protocols to be concerned about are SAML and WS-Federation.
ADFS is WS-Federation only.
Some other products are SAML only and some support both.

A lot of what you want to do depends on your scenarios.  Do you just want to
let your users access partner applications or do you plan to let your partners
access your applications?  Maybe you need to do both?

Joe K.
- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, July 24, 2006 3:50 PM
Subject: RE: [ActiveDir] Managing Third-Party Users


Thanks for your take on it, Joe.  I'm finding the same thing when it comes
to the ideology.  It's not baked in very well yet... so trying to make a
judgment on strategy is a bit difficult.  :)  I think I'll start looking
down what Microsoft offers... problem is I'm not even sure what the
competitors are ...

:m:dsm:cci:mvp | marcusoh.blogspot.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Saturday, July 22, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Managing Third-Party Users

Federation is the way of the future in these scenarios.  I'm spending about
50% of my time at work these days helping to build out our federation
infrastructure and imagine that we'll be using it extensively.  We are
already doing some type of federation thing with over 30 vendor-hosted apps
internally (benefits, travel, surveys, etc.).  However, none of these
implementations are currently using any of the standard federation protocols
(SAML, WS-Fed) and suffer from expensive implementations, no reusability
between implementations and dubious security.

We are also looking at hosting some services internally for clients and
partners and using federation as a way to allow them to authenticate with
their own credentials.

The big challenges right now are that with both SAML and WS-Fed as the
dominant protocols out there (and WS-Fed much further behind in terms of
adoption rates, but gaining due to the popularity of AD and the low cost of
ADFS compared to many solutions), it is hard to say you only want to do
ADFS/WS-Fed.  Our approach is to try to support both for the outbound
scenario, where our users are accessing a partner resource, although we are
still trying

Re: [ActiveDir] Managing Third-Party Users

2006-07-22 Thread Joe Kaplan
Federation is the way of the future in these scenarios.  I'm spending about 
50% of my time at work these days helping to build out our federation 
infrastructure and imagine that we'll be using it extensively.  We are 
already doing some type of federation thing with over 30 vendor-hosted apps 
internally (benefits, travel, surveys, etc.).  However, none of these 
implementations are currently using any of the standard federation protocols 
(SAML, WS-Fed) and suffer from expensive implementations, no reusability 
between implementations and dubious security.


We are also looking at hosting some services internally for clients and 
partners and using federation as a way to allow them to authenticate with 
their own credentials.


The big challenges right now are that with both SAML and WS-Fed as the 
dominant protocols out there (and WS-Fed much further behind in terms of 
adoption rates, but gaining due to the popularity of AD and the low cost of 
ADFS compared to many solutions), it is hard to say you only want to do 
ADFS/WS-Fed.  Our approach is to try to support both for the outbound 
scenario, where our users are accessing a partner resource, although we are 
still trying to pick a SAML 2 product yet.  We'll probably be more picky 
about WS-Fed for the opposite scenario as our guys like to use Windows 
token-based websites (like SharePoint) for custom dev and only ADFS has a 
really flexible solution for supporting this.


The big challenges are that right now, things are still pretty early 
adopter, so it is hard to find a lot of partners that are ready to go with 
their infrastructure.  There isn't much expertise out there with these 
products yet either, so people are stumbling quite a bit.  In our inbound 
scenario, we are looking at needing to set up an alternate account store to 
host the accounts of partners who aren't federation-capable yet, so that's 
a drag.  I'm not sure the team building that app has realized yet that the 
cost and complexity of the identity and access management work for that 
account store will likely outstrip the cost of dev and maintenance on the 
app itself by an order of magnitude.  They aren't IAM people, so they are 
just realizing that users of the store will need features like password 
change, password reset and password expiration notifications.  BTW, we are 
using ADAM for the account store and setting it up as a separate federation 
account partner.


Another thing worth noting is that we already have a well-established 
process for provisioning accounts for external users and contractors in the 
corp forest and we'll continue to use that in scenarios where it is 
appropriate.  However, we'll try to do as little as possible of that sort of 
thing when simple access to a few web apps is all that's needed.


All in all though, I'm pretty excited about the technology, especially ADFS. 
It combines my three favorite tech things, IAM, web programming and .NET, 
so what's not to love?  :)



Joe K.
- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 12:05 PM
Subject: [ActiveDir] Managing Third-Party Users


My trusted directory resource,

I don't remember if this came up on a previous post, but don't recall seeing 
the topic.  As things become more and more integrated w/ some form of ldap 
authentication against a common directory, the necessity for managing 
outside vendors, contractors, etc is becoming a larger and larger task.  If 
you're in a situation where the vendor has a large population of users that 
require access, with incredible churn, this becomes a big issue.


I'm curious what, if anything, anyone else is doing to use some sort of 
federated system so that user management is left at the hands of the 
third-party companies.  I'm curious also if anyone is aware of any 
consulting groups that have done this sort of thing w/ an agnostic approach 
that can fit most environments.  I'd love to get an idea of where the 
industry is heading with this sort of thing.  I'm sure the topic probably 
came up at DEC which I didn't have the luxury of attending.


Thanks all!

marcus c. oh | cox communications, inc. | 404.847.6117 | 
marcusoh.blogspot.com





Re: [ActiveDir] OT: Command line for exchange

2006-07-16 Thread Joe Kaplan
I'll be really interested to know if the underlying protocol for talking to 
Exchange remotely is any different than webdav in the next release.  I admit 
to not having looked at the Power Shell stuff for Exchange yet, so I have no 
idea.  I kind of hate programming Exchange, so I tend to avoid it.


If there is a different protocol, then there might be hope that non-Power 
Shell programmers will have a way in as well.  There may also be an 
underlying provider that provides access to more features than the default 
wrappers in PS.  There is a chance that would be managed code though, so I'm 
sure that would be a big frown for you.  :)  I do think we'll see more and 
more of that kind of thing though (APIs written in managed code with no 
straight C bindings).


As far as PS itself is concerned, I'm pretty excited about it.  It is a very 
cool shell with a lot of interesting features.  It is also pretty intensely 
geeky, so I think the learning curve is going to be pretty steep for a lot 
of people.


Joe K.
- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Sunday, July 16, 2006 8:44 AM
Subject: RE: [ActiveDir] OT: Command line for exchange



Yeah that doc is supposed to be about what they are doing with MONAD for
Exchange. I, for one, based on some EHLO blog posts am concerned about its
functionality and how it will work in large environments. I will try to
download and read that doc to see if it has any meat in it but most Exchange
docs tend to shy away from implementation details and you have to actually
get the tools out and do things with it and watch closely what it does.

My main concern so far based on what the Exchange team indicated was that
this command line stuff is going to be just as fat as the GUI stuff in terms
of traffic which will actually be felt in a worse way because with the GUI
you tend to pick and choose what you want and command line you are usually
trying to hit mass quantities. It sounds like if you say wanted one little
piece of info for every mailbox, say mailbox last logon date or something
you would have to pull back ALL info for the mailbox and then just display
the little bit of info you want. That will be fine in small LAN environments
with small numbers of users (say thousands or less) but in large
environments with tens or hundreds of thousands of users or millions of
users or working across slow WAN links that is going to be lacking
considerably. If you thought WMI slow... Just wait!

I hope it doesn't turn out that way but I don't have a lot of faith in
MSFT's large scale management strategies and tools for the most part.
Especially in the Exchange realm. I haven't seen a larger company yet (read
company > 100k users) that could actually use the MSFT Exchange management
tools to do the needed work and even smaller companies tend to run pretty
inefficiently using the tools.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm






Re: [ActiveDir] OT: Command line for exchange

2006-07-16 Thread Joe Kaplan
The plot thickens.  I'd assume that PS and ASP.NET are using the same 
network layer to do the actual heavy lifting, so the question is then, what 
is that based on?  :)


Joe K.
- Original Message - 
From: Brian Desmond [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Sunday, July 16, 2006 3:12 PM
Subject: RE: [ActiveDir] OT: Command line for exchange


I've heard there's ASP.Net webservices that expose a lot of this stuff.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





Re: [ActiveDir] ADAM pwdLastSet

2006-07-14 Thread Joe Kaplan
Are you sure you want to do this?  My experience with setting 
pwdLastSet to 0 in AD is that doing that will break the ability to do an 
LDAP bind for the user, so they can't do an LDAP change password operation. 
This would be a problem for ADAM users if the same behavior applies, as LDAP 
is the only way to do a change password operation.  In AD, when you are set 
to 0, the only way to change the password at next login is through a Windows 
login.


I'd be interested to know if this really gets you the results you want.  I 
may go test this... :)


That said, I'm not sure what you did wrong from a delegation standpoint, but 
I always recommend using the allowedAttributesEffective constructed 
attribute to find out what attributes the currently bound user actually has 
rights to modify.  This is an essential troubleshooting step.  Also, the ACL 
editor in ADAM SP1 LDP is really nice and may help you see what you did 
wrong.


Joe K.
- Original Message - 
From: Bernier, Brandon (.)

To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 9:30 AM
Subject: [ActiveDir] ADAM pwdLastSet




We need to delegate an ADAM Group the ability to change any other ADAM User's 
pwdLastSet to 0 under a certain OU. This way we can force ADAM Users to 
change their password if they meet specific criteria.
So we add an ACE to the parent OU where the ADAM Users live for WPRP on 
pwdLastSet for Adam Users. However it keeps giving us Insufficient Access 
Rights. MSDN says the value is set by the system and we know that, but it 
will allow ADAM Administrators to change this value to 0. So what am I 
missing here?

btw- this is ADAM RTM.
-Brandon 




Re: [ActiveDir] ADSIEdit, Exchange and Assistants

2006-07-14 Thread Joe Kaplan
This is an interesting question.  I'm going to posit a guess that the 
assistant field comes from a standard schema definition and is included in 
AD as a result of that.


The DN field has many advantages, in that it is rename/move-safe, etc.  One 
other interesting point about this attribute is that it is not linked, which 
means that you can't look at the backlink to see who supports who and such. 
The majority of DN attributes in AD are linked, but this one is not.


I'm guessing the GAL doesn't use it because the GAL logic was either too 
slow/too lazy to do the appropriate attribute scope query to resolve the DN 
into a friendly name before publishing (no one wants to actually see the DN 
in the GAL!).  This may also just be a throwback from previous versions of 
AD which didn't support ASQ, making this operation a little less elegant. 
In any event, it would definitely make the GAL building logic slower as an 
additional query would be required.


You could always automate this yourself by populating the assistant field 
through some sort of provisioning process and then writing the free text 
attributes based on data from the referenced object.  You could then 
implement some sort of change polling/sync process that would look for 
changes to objects for the attributes you use for the free text value and 
then set the value in the referencing object whenever the source value 
changes.  That would be slick.  :)  Unfortunately, this is less easy to do 
than it might be due to the lack of the backlink.


Joe K.
- Original Message - 
From: AdamT [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 9:12 AM
Subject: Re: [ActiveDir] ADSIEdit, Exchange and Assistants



Just looking further in to this, it seems telephoneAssistant and
secretary are the fields that appear in outlook - both of which are
free text input.

It begs the question of what the DN field of 'assistant' actually
does.  Surely if it is expecting a distinguished name, it must be used
for something, somewhere?

Anyone know what?





Re: [ActiveDir] ADAM pwdLastSet

2006-07-14 Thread Joe Kaplan
This is sort of a hard problem.  If our investigations regarding the 
behavior of pwdLastSet are true in ADAM, then you don't really have a 
reasonable way of forcing a password change or expiring it outside of the 
defined policy.  I still haven't had a chance to test it today.  :)


What you might consider is doing something application level, where you 
implement some sort of self service password reset feature.  For example, 
you might do an administrative reset of the password and then send the user 
an email with a link that takes them to a website that allows them to log 
in and essentially do a password reset behind the scenes using a privileged 
service account.  The link might contain a signed, encrypted query string 
that contains the user UPN and a timestamp that can be used for expiring the 
request.  If you've got a 2nd viable login method such as a certificate or 
securID token or (far worse) verification questions, that would be less 
subject to theft than a simple URL.


Since you'll almost certainly be using a web-based tool for password change 
operations anyway, this might be reasonable.


I'm curious what other people think about this.  I haven't even thought 
about this aspect of ADAM identity life cycle really.


Joe K.
- Original Message - 
From: Bernier, Brandon (.) [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 12:09 PM
Subject: RE: [ActiveDir] ADAM pwdLastSet


I don't want to do this. One of the directories we are moving in is
coming from iPlanet and you can do whatever you want there. That team
has asked us to look into ramifications using pwdLastSet and from
testing and your input, it's a bad idea. Basically we just need to
expire someone's password, but need them to be able to bind back in and
change their password. I also wanted to test using
msDS-UserPasswordExpired but that cannot be changed either. Any other
ideas to delegate expiring a Users password in this case? Thanks for the
help!

-Brandon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Friday, July 14, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADAM pwdLastSet

Are you sure you want to do this?  My experience with
setting pwdLastSet to 0 in AD is that doing that will break the ability
to do an LDAP bind for the user, so they can't do an LDAP change
password operation.
This would be a problem for ADAM users if the same behavior applies as
LDAP is the only way to do a change password operation.  In AD, when you
are set to 0, the only way to change the password at next login is
through a Windows login.

I'd be interested to know if this really gets you the results you want.
I may go test this... :)

That said, I'm not sure what you did wrong from a delegation standpoint,
but I always recommend using the allowedAttributesEffective constructed
attribute to find out what attributes the currently bound user actually
has rights to modify.  This is an essential troubleshooting step.  Also,
the ACL editor in ADAM SP1 LDP is really nice and may help you see what
you did wrong.

Joe K.
- Original Message -
From: Bernier, Brandon (.)
To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 9:30 AM
Subject: [ActiveDir] ADAM pwdLastSet




We need to delegate an ADAM Group the ability to change any other ADAM
User's pwdLastSet to 0 under a certain OU. This way we can force ADAM Users to
change their password if they meet specific criteria.
So we add an ACE to the parent OU where the ADAM Users live for WPRP on
pwdLastSet for Adam Users. However it keeps giving us Insufficient Access
Rights. MSDN says the value is set by the system and we know that, but it
will allow ADAM Administrators to change this value to 0. So what am I
missing here?
btw- this is ADAM RTM.
-Brandon

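Joe's suggestion above is a reset link carrying a signed query string with the user's UPN and a timestamp that expires the request. The following is an added example (not code from the thread) of the signing and expiry half of that design: the link value is base64url(payload).base64url(HMAC-SHA256 tag), the MAC is verified in constant time before the payload is parsed, and an expired or tampered token is rejected. The UPN, key and times are constructed demo values; the service key is assumed to live in the reset site's configuration, never in the link. It signs but does not encrypt, so the UPN is readable in the URL; if the UPN must also be hidden, an authenticated-encryption construction such as Fernet from the `cryptography` package (whose decrypt accepts a `ttl`) covers both requirements at once.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    """URL-safe base64 without padding, so the token survives a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_reset_token(upn: str, key: bytes, ttl_seconds: int,
                      now: Optional[int] = None) -> str:
    """Build the query-string value: base64url(payload) '.' base64url(HMAC-SHA256).

    The payload carries the user's UPN plus issue/expiry times; the nonce lets
    the reset site record spent tokens so a link cannot be replayed after use.
    """
    issued = int(time.time()) if now is None else now
    claims = {"upn": upn, "iat": issued, "exp": issued + ttl_seconds,
              "nonce": _b64url(os.urandom(8))}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(tag)}"


def verify_reset_token(token: str, key: bytes,
                       now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the MAC verifies and the token is unexpired, else None.

    The MAC is checked before the JSON is parsed, so untrusted bytes are never
    interpreted unless they were produced under our key.
    """
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        tag = _b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:                               # includes UnicodeDecodeError
        return None
    current = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int) or current >= exp:
        return None
    if not isinstance(claims.get("upn"), str):
        return None
    return claims


# Constructed demo key: in a real deployment this comes from the reset
# service's protected configuration.
DEMO_KEY = os.urandom(32)

if __name__ == "__main__":
    token = issue_reset_token("alice@example.com", DEMO_KEY, ttl_seconds=900)
    print("https://reset.example.invalid/reset?t=" + token)
    print(verify_reset_token(token, DEMO_KEY))
```

The verifier returns the whole claim set rather than just the UPN so the web application can store the nonce once the reset completes and refuse the same link a second time; without that, the timestamp alone only bounds how long a leaked link stays usable.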


Re: [ActiveDir] LDAP Directory Server Path

2006-06-08 Thread Joe Kaplan
It is hard to provide any additional information that would be useful 
without some specifics about the actual problems they are facing/what isn't 
working/what code they are trying.  From a firewall perspective, at a bare 
minimum you need LDAP ports open to your DC, depending on whether you want 
LDAP or GC and SSL or not.  You'll want DNS.  You'll probably want Kerberos 
and RPC to support secure bind.  I'd also recommend staying away from 
Win2K/IIS 5 as a web server if you can avoid it as IIS6 is way better, but 
that might not be an option.


I also answer a lot of dev-oriented questions on the ADSI microsoft 
newsgroup.


Once again, I bet everything your guys need to know is in my book too.  :)

Joe Kaplan
- Original Message - 
From: HBooGz

To: ActiveDir@mail.activedir.org
Sent: Thursday, June 08, 2006 11:01 AM
Subject: Re: [ActiveDir] LDAP Directory Server Path


Thanks Joe and Al.

In all honesty, I'm far from a programmer and I wouldn't go so far as to say 
I'm an Active Directory expert like most on this list.


I'm going to pass your information to my developers who are working on a web 
app in .Net with the hopes of authenticating users against our AD. I've read 
some articles that indicate to create a username ( w/ domain admin rights ) 
and put that into the code to use for the authentication. Although I'm not a 
developer I just don't feel good about this approach.


Before, I mentioned DMZ. My environment is relatively small and the web 
applications are sitting on a Windows 2000 server in a single hop DMZ 
environment.


Any more information that could help me or the developers, who are at a 
stand-still, would be appreciated.


Thanks,






On 6/7/06, Joe Kaplan [EMAIL PROTECTED] wrote:
Just to elaborate a little on what Al said, when using an ADSI-based model
like S.DS, the adspath contains the provider, optional server info and a
distinguished name of an object to search.  When you don't specify a server
part in the path (a serverless bind), LDAP infers a domain from the current
security context and then uses the locator to find a DC in that domain.  You
have to be careful with serverless binds though, especially in web apps, as
the security context may be local machine instead of domain, so it may not
be possible to infer a domain.  In some cases, it may be necessary to supply
a domain name or even the DNS name of a specific DC.  Using your previous
example, you may need to specify the harry.org part of the path.  A lot of
it depends on the environment.

I also recommend using a tool like ldp.exe or adfind to help with LDAP
programming.  These tools are very useful for executing ad hoc LDAP ops and
modeling queries.

In general, you want to be careful with using ADSI or S.DS for
authentication in an app.  It doesn't scale well for this type of thing.  If
you must use LDAP-based auth (which is generally best avoided; use Windows
auth instead), using something like the ActiveDirectoryMembershipProvider or
calling System.DirectoryServices.Protocols directly will get you better
scalability (if that's important).

We actually did write a whole book about this stuff and it doesn't suck, so I
won't hesitate to recommend it for these types of questions.
www.directoryprogramming.net.

Joe K.
- Original Message -
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Wednesday, June 07, 2006 3:09 PM
Subject: Re: [ActiveDir] LDAP Directory Server Path


Totally different questions.
The ldap path is what is needed to connect to the directory via .net (there
are many examples in the language dialect your development staff are
planning to use; Joe Kaplan is a good person to search for as he does this
frequently and I believe has even taken the time to write a book about it).

Accessing it from a 'DMZ' depending on what that means to you is a
different animal altogether and has a lot more to do with architecture,
routing, physical connections, and name resolution.  Architecture is a huge
part of that equation. There's nowhere near enough information in your
posts, nor would I think it appropriate that you share that amount of
information with outsiders, to even begin to answer that question in a
usable manner.

To see/use that syntax, minus the protocol portion, have a look at tools
like LDP.EXE.  Also search the Microsoft site for things like .net examples
and ldap syntax and .net examples. You'll see what I mean.

Al






--
HBooGz:\ 




Re: [ActiveDir] LDAP Directory Server Path

2006-06-07 Thread Joe Kaplan
Just to elaborate a little on what Al said, when using an ADSI-based model 
like S.DS, the adspath contains the provider, optional server info and a 
distinguished name of an object to search.  When you don't specify a server 
part in the path (a serverless bind), LDAP infers a domain from the current 
security context and then uses the locator to find a DC in that domain.  You 
have to be careful with serverless binds though, especially in web apps, as 
the security context may be local machine instead of domain, so it may not 
be possible to infer a domain.  In some cases, it may be necessary to supply 
a domain name or even the DNS name of a specific DC.  Using your previous 
example, you may need to specify the harry.org part of the path.  A lot of 
it depends on the environment.


I also recommend using a tool like ldp.exe or adfind to help with LDAP 
programming.  These tools are very useful for executing ad hoc LDAP ops and 
modeling queries.


In general, you want to be careful with using ADSI or S.DS for 
authentication in an app.  It doesn't scale well for this type of thing.  If 
you must use LDAP-based auth (which is generally best avoided; use Windows 
auth instead), using something like the ActiveDirectoryMembershipProvider or 
calling System.DirectoryServices.Protocols directly will get you better 
scalability (if that's important).


We actually did write a whole book about this stuff and it doesn't suck, so I 
won't hesitate to recommend it for these types of questions. 
www.directoryprogramming.net.


Joe K.
- Original Message - 
From: Al Mulnick

To: ActiveDir@mail.activedir.org
Sent: Wednesday, June 07, 2006 3:09 PM
Subject: Re: [ActiveDir] LDAP Directory Server Path


Totally different questions.
The ldap path is what is needed to connect to the directory via .net (there 
are many examples in the language dialect your development staff are 
planning to use; Joe Kaplan is a good person to search for as he does this 
frequently and I believe has even taken the time to write a book about it).


Accessing it from a 'DMZ' depending on what that means to you is a 
different animal altogether and has a lot more to do with architecture, 
routing, physical connections, and name resolution.  Architecture is a huge 
part of that equation. There's nowhere near enough information in your 
posts, nor would I think it appropriate that you share that amount of 
information with outsiders, to even begin to answer that question in a 
usable manner.


To see/use that syntax, minus the protocol portion, have a look at tools 
like LDP.EXE.  Also search the Microsoft site for things like .net examples 
and ldap syntax and .net examples. You'll see what I mean.


Al




Re: [ActiveDir] Speaking of SamAccountName...

2006-06-06 Thread Joe Kaplan
If they are using LDAP bind for authentication, 
then it depends on what type of bind they are doing.  For LDAP simple bind 
(hopefully combined with SSL or it is not secure!), AD supports:

distinguishedName
userPrincipalName
NT account name (domain\user, with user being the sAMAccountName and domain 
being the NetBIOS domain name)


For secure bind using SASL with SPNEGO (Windows auth LDAP bind), AD 
supports:

userPrincipalName
NT account name (domain\user, with user being the sAMAccountName and domain 
being the NetBIOS domain name)

sAMAccountName

For that reason, I generally recommend that people use UPN or NT name as a 
bind user name because it works with both.  DN is also unwieldy and reveals 
a lot of the structure of the directory that apps don't necessarily need to 
know.


HTH,

Joe K.
- Original Message - 
From: RM

To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 06, 2006 12:12 AM
Subject: [ActiveDir] Speaking of SamAccountName...


Guys, I have a dumb question..  A 3rd party app that uses LDAP for 
authentication...  What attribute should be utilized for username? 
SamAccountName is the pre-Windows 2000 name.  DistinguishedName is the long 
form OU/CN gobbledygook.  So what is the name of the attribute for the 
actual user logon name?

Thx,
RM 




Re: [ActiveDir] Speaking of SamAccountName...

2006-06-06 Thread Joe Kaplan
I'm with you on discouraging using DN as a binding user name for AD.  However, 
this is very common practice in other directories and DN is the only 
attribute that the LDAP spec defines as needing to be supported for simple 
bind.  A lot of apps that support multiple directories will insist you do it 
this way.


That isn't to say that this will apply to the app the OP is using, but I 
thought this was worth sharing.  :)


Joe K.
- Original Message - 
From: Al Mulnick

To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 06, 2006 8:53 PM
Subject: Re: [ActiveDir] Speaking of SamAccountName...


Just to throw in $0.02 (USD):
DN would be a bad idea with Active Directory outside of the information it 
gives away.  Active Directory is designed to allow for the movement and 
changing of accounts. Using the DN would break that as far as the user is 
concerned.  Since you can have multiple UPNs and at least one samaccount 
name, you should choose between them. One thought might help: if your cn and 
samaccountname match, it's easier to choose.  If your upn lhs matches the cn 
which matches the samaccountname, then it might be even easier to prevent 
identity crises.


FWIW.

And hey, that's good information to have Joe. cheers :)



Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

2006-06-05 Thread Joe Kaplan
The schema defines rangeUpper for sAMAccountName at 64.  Where are you 
getting a field size of 20?


All I can say is that they do seem to work fine in our environment and the 
DS does not reject them, although I am pretty sure the DS rejects requests 
to create users with sAMAccountName > 20 char.  I am unaware of any APIs 
that aren't working as a result of what we are doing, but it is certainly 
possible that there are some.  What should I check?


I'm almost curious enough to go back and dig into this a bit more, as I 
remember testing this years ago and coming to the conclusion that we could 
do this safely, but I don't remember everything I did.  :)


Joe K.
- Original Message - 
From: Al Mulnick

To: ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 9:55 AM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?



I wonder if they do work? Or if some of them don't because only the first 20 
chars are being looked at/returned by the APIs that consume them?


Interesting. That variable is a 20 char variable so I don't see why a 
loophole of 64 is allowed? Any thoughts?






Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

2006-06-05 Thread Joe Kaplan
Sure enough, rangeUpper is 256.  I'm not sure where I got that 64 thing, but 
I'm guessing it was from memory and that was not up to the task again.


Anyone else?  Is it safe or not for groups to have a sAMAccountName > 20 
characters but <= 64?  I'm going to assume that users definitely need to be 
<= 20.


Joe K.
- Original Message - 
From: Al Mulnick

To: ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 5:46 PM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?



Interesting.  The online version I see says rangeupper is 256.  Not sure how 
important that is, but...

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_samaccountname.asp

Given the purpose of samaccountname I have a hard time believing something 
doesn't rely on that being 20 chars. Not to say that they haven't been since 
fixed, but that's too tempting for most folks not to just say, well, to be 
usable it's limited to 20 chars and since Microsoft has that number 
published everywhere, we'll just assume it's 20 chars all the time... or 
something like that.




Al


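An added example (not code from this thread) that turns the length questions above into an audit you can run over exported sAMAccountName values: the 20-character user limit and the 256 rangeUpper are the numbers from the thread, and the "first 20 characters" prefix check is Al's concern about consumers that only honour 20 characters. The sample entries are constructed, except for the long group name Freddy quoted.

```python
# Added example, not code from the thread: audit sAMAccountName values for the
# length concerns discussed above. Limits taken from the thread: the DS rejects
# user sAMAccountName values longer than 20 characters, the schema rangeUpper
# is 256, and a consumer that only honours 20 characters would see collisions.
from collections import defaultdict

USER_MAX = 20             # users: the DS rejects anything longer (per the thread)
SCHEMA_RANGE_UPPER = 256  # rangeUpper on the sAMAccountName attribute schema
LEGACY_WIDTH = 20         # width an API that only honours 20 characters would see


def check_samaccountname(object_class, name):
    """Return a list of findings for one object; an empty list means no concern."""
    findings = []
    if not name:
        findings.append("empty sAMAccountName")
        return findings
    if len(name) > SCHEMA_RANGE_UPPER:
        findings.append("longer than schema rangeUpper (%d)" % SCHEMA_RANGE_UPPER)
    if object_class == "user" and len(name) > USER_MAX:
        findings.append("user name longer than %d; the DS will reject it" % USER_MAX)
    elif object_class == "group" and len(name) > LEGACY_WIDTH:
        findings.append("group name longer than %d; 20-char consumers may truncate it"
                        % LEGACY_WIDTH)
    return findings


def truncation_collisions(entries):
    """Find distinct names that become identical once cut to LEGACY_WIDTH.

    entries: iterable of (object_class, sAMAccountName). The DS matches
    sAMAccountName case-insensitively, so the comparison folds case.
    Returns {prefix: [names, ...]} only for prefixes shared by 2+ objects.
    """
    by_prefix = defaultdict(list)
    for _cls, name in entries:
        by_prefix[name[:LEGACY_WIDTH].lower()].append(name)
    return {p: names for p, names in by_prefix.items() if len(names) > 1}


# Constructed sample data: the first group is the one quoted in the thread,
# the second is made up to show a 20-character prefix collision with it.
SAMPLE = [
    ("group", "AKL.AST.Assistance Management.Assistant GM- Assistance Services"),
    ("group", "AKL.AST.Assistance Management.Assistant GM- Medical Services"),
    ("group", "Domain Admins"),
    ("user", "jkaplan"),
]


def audit(entries=SAMPLE):
    """Run both checks; returns (per-object findings, collision map)."""
    per_object = {name: check_samaccountname(cls, name) for cls, name in entries}
    return per_object, truncation_collisions(entries)


if __name__ == "__main__":
    findings, collisions = audit()
    for name, issues in findings.items():
        print("%-65s %s" % (name, "; ".join(issues) or "ok"))
    for prefix, names in collisions.items():
        print("prefix %r shared by: %s" % (prefix, ", ".join(names)))
```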


Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

2006-06-04 Thread Joe Kaplan
My understanding is that the DS enforces a limit of 64 char for 
sAMAccountName for groups, but 20 for users.  I know we have thousands of 
groups with sAMAccountName longer than 20.  They still work and the DS 
doesn't balk.  :)


These are all created programmatically through tools though and are not 
created or modified with ADUC.  There might be some behavior difference 
there.


Joe K.
- Original Message - 
From: Al Mulnick

To: ActiveDir@mail.activedir.org
Sent: Sunday, June 04, 2006 11:58 AM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?



That's on the target? Or that's in the source?



On 6/4/06, Freddy HARTONO [EMAIL PROTECTED] wrote:
Hi Al

I have one of this group with way more than 20char

 samaccountname
 AKL.AST.Assistance Management.Assistant GM- Assistance Services

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785




Re: [ActiveDir] tokenGroups field

2006-05-31 Thread Joe Kaplan
I was going to say the same thing.  Also, if you are using .NET 2.0, the new 
S.DS.ActiveDirectory namespace has tons of cool ways to enumerate domains in 
a forest, DCs in a domain (and by site), etc.  The domain enumeration code 
uses very similar LDAP searches under the hood.  The DC enumeration stuff 
uses the locator service (DsGetDcName, etc.).


Joe Kaplan
- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, May 31, 2006 6:06 PM
Subject: RE: [ActiveDir] tokenGroups field



Does this rate as cooler?


(&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))


In adfind, you would do something like

adfind -config -rb cn=partitions -bit -f "(&(objectcategory=crossRef)(systemflags:AND:=2))" -flagdc ncname systemflags




F:\DEV\cpp\MemberOf>adfind -config -rb cn=partitions -bit -f "(&(objectcategory=crossRef)(systemflags:AND:=2))" -flagdc ncname systemflags


AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Transformed Filter:
(&(objectcategory=crossRef)(systemflags:1.2.840.113556.1.4.803:=2))
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: cn=partitions,CN=Configuration,DC=joe,DC=com

dn:CN=JOE,CN=Partitions,CN=Configuration,DC=joe,DC=com

nCName: DC=joe,DC=com
systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]


dn:CN=CHILD1,CN=Partitions,CN=Configuration,DC=joe,DC=com

nCName: DC=child1,DC=joe,DC=com
systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)]



2 Objects returned




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, May 31, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks Joe,

That's a little bit further than I want to go ;-)

I wrote a GetMemberShip( DirectoryEntry ) method that finds all the
domains in the forest and then connects to a GC in each and grabs
tokenGroups for each and combines them into one string[]

That seems to work fine ( until the day when we have a large number of
domains :-o ).

Speaking of enumerating the domains in the forest, I'm enumerating the
domains by connecting to:
CN=Partitions,CN=Configuration,DC=forestroot,DC=net

Then I throw away the schema, config, and DNS partitions.  That seems to
work fine until the day we start using application partitions in which
case I will have no way of distinguishing a security enabled partition
from the application partition.

Is there a cooler way to enumerate the domain partitions in a forest?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

The membership of groups is handled in a special way.

Although the member attribute is marked for PAS inclusion only UG membership
is replicated outside of a domain to all GCs.

If you aren't worried about token creation for Windows security and instead
just want to have full membership of a user in a single query you have two
options that I can think of

1. Consolidate the group membership into another store, say ADAM or SQL
Server.

2. Create another linked attribute pair that you apply to users and groups
like member/memberof that is set for PAS inclusion. When you set the member
attribute you set the additional attribute which will replicate to all GCs
because the directory doesn't have any special rules for your custom
attribute. If you go that far, I would also set that new attribute to be
saved on tombstone as well. :)





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Tuesday, May 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks, that's pretty much what I figured.

So this is of low importance, but why wouldn't any GC in the forest be
able to provide me with the local groups for all of the domains?  Why do
I have to hit a GC in every domain?  As I understand it the GC
replicates the data from each domain that is marked for the partial
attribute set.

Like I said, really low importance, I'm just curious.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Your token only contains groups that are valid locally. So if you log onto a
workstation that is part of a forest, your token on the workstation will
contain Universal groups of the forest, global groups from the local domain,
domain local groups from the local domain (assuming native mode) and local
groups from the local machine. Take a look at whoami /groups or sectok to
see your interactive token.

Now if you connect to a remote machine, you will get the groups that
have
value there on your token on that remote machine. This is easiest to see
with ADAM, connect to an ADAM instance and pull

Re: [ActiveDir] tokenGroups field

2006-05-30 Thread Joe Kaplan

Exactly right.

This actually brings up an interesting dilemma for web applications, as if 
you were just using Windows auth in IIS, the only DLGs you would get would 
be for the groups in the server's domain.


If you are trying to build groups via LDAP, do you really want all of the 
groups from ALL of the domains, or just the current one?  It is sort of a 
philosophical question.  :)


From a web application's perspective, you may also choose to include 
non-security groups in your list, in which case you can't use tokenGroups at 
all, but need to do some sort of recursive memberOf thing.  The SSO vendor 
we work with does this (which is way slow compared to tokenGroups, but has 
the benefit of being more cross-platform).


Joe K.
- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, May 30, 2006 6:40 PM
Subject: RE: [ActiveDir] tokenGroups field


Your token only contains groups that are valid locally. So if you log onto a
workstation that is part of a forest, your token on the workstation will
contain Universal groups of the forest, global groups from the local domain,
domain local groups from the local domain (assuming native mode) and local
groups from the local machine. Take a look at whoami /groups or sectok to
see your interactive token.

Now if you connect to a remote machine, you will get the groups that have
value there on your token on that remote machine. This is easiest to see
with ADAM, connect to an ADAM instance and pull the rootdse attribute
tokengroups and look at what is returned...

adfind -h adammachine:port -rootdse -resolvesids tokengroups








Re: [ActiveDir] tokenGroups field

2006-05-28 Thread Joe Kaplan
I've been checked out of the group here for a few weeks and just poked back 
in.  I think Dmitri summed things up quite well.  I'll just add that ADSI 
and S.DS don't do anything interesting here.  The net result is the same 
base LDAP query you'd do in any other language.


DLGs from multiple domains are not easy to get and there seems to be no 
really easy way to do it.  The UGs and GGs from the user's home domain 
should always be there with tokenGroups though.


We kind of glossed this over in our book, although our tokenGroups samples 
are pretty good otherwise.  Ryan showed three different methods for 
converting the SIDs back into friendly names, which could help a lot of 
people.


Joe K.

- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, May 26, 2006 8:32 PM
Subject: RE: [ActiveDir] tokenGroups field



Something could be happening under the covers for you by NET or ADSI. JoeK
could probably help there. However hitting a GC in each domain should do it.
The main thing it is going to get you if it wasn't clear in the response to
Deji is the domain local groups in the foreign domains. Obviously the user
couldn't be in GGs in other domains and UGs would be handled by hitting the
default DC for the user assuming you aren't in mixed mode.

You may want to use adfind to look at the results from each of the domains.

With the new -resolvesids switch the tokenGroups attribute gets a nice
resolved output which is nice



 joe







Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

2006-05-03 Thread Joe Kaplan
That is the type of thing that would be pretty reasonable to build by 
writing a provider for MSH (Monad) that exposes an LDAP store like AD or 
ADAM as a drive.  I think a few people have taken a swing at this already, 
but I'm not sure if anything is shipping yet.


Having this integrated into MSH is going to enable a huge number of 
scenarios.


Joe K.

- Original Message - 
From: Matheesha Weerasinghe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, May 03, 2006 12:26 PM
Subject: Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. 
WAS: Internet Authentication Concepts: Pointers?




personally, I'd like a command line tool that's interactive like
ntdsutil or nslookup. I'd be able to use this to browse the ADAM
instance from a command line. Have a prompt which allows me to
navigate the hierarchy. Execute commands such as create/delete
objecttype etc...

M@

On 4/28/06, Stewart, Fitz [EMAIL PROTECTED] wrote:




Heck, just give a user the ability to create and otherwise manage 
objects –

users, groups, the basics.  Name, etc.  Nothing fancy, just not the
command-line-ishness of ADSIEDIT.






-fitz


703-866-7473
 703-626-5741 (cell)


 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
joe
 Sent: Friday, April 28, 2006 3:46 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires..
WAS: Internet Authentication Concepts: Pointers?



I have some curiosity in this realm...



What would everyone consider good things and requirements for an ADAM
management tool. Even assuming, cough, GUI.



  joe




--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm







 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jef Kazimer
 Sent: Friday, April 28, 2006 10:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

Since it is LDAP I did look at some friendlier admin tools, but none
really hit the mark for me.   I believed that group looked at Softerra's
tool,  and there is the web based PHP LDAP manager, and also the C# LDAP
manager tool.  You can Live search the names or I can post the links here 
if

you want.



In the end I wrote my own as a .NET web app since I found them lacking.
Yet as I said if I want to go global,  I don't know if I want to position
what I wrote without some major changes. :)



J





 


Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
 Date: Fri, 28 Apr 2006 09:44:55 -0400
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org


That's a very good point.  Does anyone know of any 3rd parties which 
improve

the ADAM administrative UI experience?







J. Fitzgerald (Fitz) Stewart

Systems Architect

IRM/OPS/ENM

Worldwide Information Network Systems

USAID/DoS IT Infrastructure Collaboration Program

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

703-866-7473

703-626-5741 (cell)
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jef Kazimer
 Sent: Friday, April 28, 2006 9:27 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?



Mylo,



Thanks for the information!



I have setup ADAM utilizing a custom web UI utilizing AZman for a small
project before, but I have concerns about scalability.  The issues are not
with the ADAM instance at all, but the UI that is needed to manage ADAM.
ADSIedit is great for someone who understands the directory, but it's not
that user friendly for web application owners, helpdesk, etc.  This was for
a simple application of about 500 users, and it met their needs but I don't
see this as a scalable solution from a global perspective.



This will be a backend data store that contains the user identity, but 
the

applications that utilize it will be of different flavors from DMZ hosted
web apps, to externally hosted apps.   The flavors of web apps will range
from websphere, ColdFusion,  .NET and I suspect some PHP apps.



With AD,  I guess I was thinking it has a well known support interface
(though I am sure I would need to customize anyway...so I'm not sure that
value is really there).   So I was expecting to maybe find 3rd parties 
that
do sit in front of this to manage the IDs stored. Though this could be AD 
or
ADAM with ADAM being the most cost effective.   This looks like 
siteMinder
might be a good solution to manage all of these environments but I will 
need

to look into that.





 I suppose I am getting ahead of myself, because I do not know the
requirements as of yet, and I'm making assumptions that could be totally 
off
the mark here.   I guess it's a new environment and wanted to get some 
info

ahead of before it was needed. :)



Thanks again!



Jef
 

Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

2006-04-28 Thread Joe Kaplan
The difficulty with building a tool like this is that it is a huge leap to 
go from a low level editing tool like ADSI Edit to a high level, task-based 
UI like ADUC.  The problem is that it is nearly impossible to infer the 
semantic meaning of attributes in the directory in a generic way such that 
you can have objects with arbitrary schema.  It is already hard enough just 
to come up with reasonable text and graphical views of all the random binary 
data that a directory can store.  For example, your directory might store 
GUIDs, X509Certificates and JPEGs, but the schema only knows it is binary 
data.  Unless you have a hard-coded list somewhere, it is hard to do 
anything with it besides showing you the raw bytes (which is almost never 
interesting to most people).


As such, you kind of need to either come up with a UI that just provides 
some compelling task-based features for a very narrow schema that ships with 
the product and/or provide a really well-conceived extensibility mechanism 
that allows easy declarative construction of useful UI features with minimal 
coding (or you'll scare away the non-coders).  Doing something like that 
successfully is a pretty huge undertaking, no matter what presentation 
framework you choose (web, CLI, Windows, etc.).


Personally, I think the answer for this type of tool lies with the whole 
managed code/Monad-based MMC thing that is coming.  It will significantly 
lower the bar to getting custom extensions into the UI and hopefully create 
a new eco-system of useful tools that vary from universally needed to 
extremely domain-specific.


That said, there are probably some tools that we really need for ADAM that 
would be hard for most of us besides Joe to write.  I'm not entirely sure 
what the sweet spot is though.


Joe K.
- Original Message - 
From: Jef Kazimer

To: ActiveDir@mail.activedir.org
Sent: Friday, April 28, 2006 4:26 PM
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. 
WAS: Internet Authentication Concepts: Pointers?



Ok

So are you thinking winForm GUI?  Web? MMC?  Console? I know you like 
command line, but as I hear there are some great tools already in 
existence. :)


ADSIedit is great for MOST things, but I would fear giving it to a helpdesk 
guy, or an application admin who has no idea what LDAP really is.  They just 
want an Identity store.


Soo

Something that abstracts the user from LDAP (OUs, DNs, etc... scary stuff!) 
but shows them as a simple TreeView of the directory


Management templates that glean data from the defined Schema and are 
customizable.   Since ADAM can have a very custom Schema, the tool would 
need to be flexible to accommodate that.  IE select the Dog object, and be 
able to modify the Neutered boolean attribute.


These templates should be customizable in a simple fashion that does not 
require extensive development knowledge :)


Build in basic routines for common functions like password reset, etc.

I guess a more customizable ADUC for ADAM :)


Maybe the name should be theWelch since Jerry said ME!?












From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. 
WAS: Internet Authentication Concepts: Pointers?

Date: Fri, 28 Apr 2006 16:38:16 -0400


I am not quite sure what question that response was intended to answer

Was that, you would like a good ADAM management tool? If so, describe that 
tool. If Murray isn't happy, we can take it offlist. I can do this through 
personal email or spin up a forum on my website for it. I am very interested 
in hearing what people think is needed. I was told the perfect name for the 
tool over a year ago, I just haven't written the tool to go with the name 
yet. At some point I will have to do something with it. :)



--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch

Sent: Friday, April 28, 2006 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. 
WAS: Internet Authentication Concepts: Pointers?



ME !

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-5 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net )
IP Phone (VOIP):   Jerry_Welch   ( www.voipstunt.com )
VOIP to Landline:   callto:+1-703-827-0919





From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of joe

Sent: Friday, April 28, 2006 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. 
WAS: Internet Authentication Concepts: Pointers?



I have some curiosity in this realm...

What would everyone consider good things and requirements for an ADAM 
management tool. Even assuming, cough, GUI.


 joe

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm







From: [EMAIL