The difficulty with building a tool like this is that it is a huge leap to
go from a low level editing tool like ADSI Edit to a high level, task-based
UI like ADUC. The problem is that it is nearly impossible to infer the
semantic meaning of attributes in the directory in a generic way such
That is the type of thing that would be pretty reasonable to build by
writing a provider for MSH (Monad) that exposes an LDAP store like AD or
ADAM as a drive. I think a few people have taken a swing at this already,
but I'm not sure if anything is shipping yet.
Having this integrated into
I've been checked out of the group here for a few weeks and just poked back
in. I think Dmitri summed things up quite well. I'll just add that ADSI
and S.DS don't do anything interesting here. The net result is the same
base LDAP query you'd do in any other language.
DLGs from multiple
Exactly right.
This actually brings up an interesting dilemma for web applications, as if
you were just using Windows auth in IIS, the only DLGs you would get would
be for the groups in the server's domain.
If you are trying to build groups via LDAP, do you really want all of the
groups
enumeration stuff
uses the locator service (DsGetDcName, etc.).
Joe Kaplan
- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Wednesday, May 31, 2006 6:06 PM
Subject: RE: [ActiveDir] tokenGroups field
Does this rate as cooler?
((objectCategory
My understanding is that the DS enforces a limit of 64 char for
sAMAccountName for groups, but 20 for users. I know we have thousands of
groups with sAMAccountName longer than 20. They still work and the DS
doesn't balk. :)
These are all created programmatically through tools though and
The schema defines rangeUpper for sAMAccountName at 64. Where are you
getting a field size of 20?
All I can say is that they do seem to work fine in our environment and the
DS does not reject them, although I am pretty sure the DS rejects requests
to create users with sAMAccountName > 20
Sure enough, rangeUpper is 256. I'm not sure where I got that 64 thing, but
I'm guessing it was from memory and that was not up to the task again.
Anyone else? Is it safe or not for groups to have a sAMAccountName > 20
characters but <= 64? I'm going to assume that users definitely need to be
Speaking of SamAccountName...If they are using LDAP bind for authentication,
then it depends on what type of bind they are doing. For LDAP simple bind
(hopefully combined with SSL or it is not secure!), AD supports:
distinguishedName
userPrincipalName
NT account name (domain\user with user
I'm with you on discouraging using DN as a binding user name for AD. However,
this is very common practice in other directories and DN is the only
attribute that the LDAP spec defines as needing to be supported for simple
bind. A lot of apps that support multiple directories will insist you do
to the directory via .net (there
are many examples in the language dialect your development staff are
planning to use; Joe Kaplan is a good person to search for as he does this
frequently and I believe has even taken the time to write a book about it.
Accessing it from a 'DMZ' depending on what
questions on the ADSI microsoft
newsgroup.
Once again, I bet everything you guys need to know is in my book too. :)
Joe Kaplan
- Original Message -
From: HBooGz
To: ActiveDir@mail.activedir.org
Sent: Thursday, June 08, 2006 11:01 AM
Subject: Re: [ActiveDir] LDAP Directory Server Path
ADAM pwdLastSet
Are you sure you want to do this? My experience with setting
pwdLastSet to 0 in AD is that doing that will break the ability to do an
LDAP bind for the user, so they can't do an LDAP change password operation.
This would be a problem for ADAM users if the same behavior applies
This is an interesting question. I'm going to posit a guess that the
assistant field comes from a standard schema definition and is included in
AD as a result of that.
The DN field has many advantages, in that it is rename/move-safe, etc. One
other interesting point about this attribute is
On Behalf Of Joe Kaplan
Sent: Friday, July 14, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADAM pwdLastSet
I'll be really interested to know if the underlying protocol for talking to
Exchange remotely is any different than webdav in the next release. I admit
to not having looked at the Power Shell stuff for Exchange yet, so I have no
idea. I kind of hate programming Exchange, so I tend to avoid
The plot thickens. I'd assume that PS and ASP.NET are using the same
network layer to do the actual heavy lifting, so the question is then, what
is that based on? :)
Joe K.
- Original Message -
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Sunday,
Federation is the way of the future in these scenarios. I'm spending about
50% of my time at work these days helping to build out our federation
infrastructure and imagine that we'll be using it extensively. We are
already doing some type of federation thing with over 30 vendor-hosted apps
-Original Message-
From: [list] On Behalf Of Joe Kaplan
Sent: Monday, July 24, 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Managing Third-Party Users
There are a bunch of products in this space. The two primary
We actually use a script at work after having tried a few products and
having terrible performance problems. If you are interested, I'll ping one
of the exchange guys and see if he can provide a little direction.
Once you actually get it working from a plumbing standpoint, the script
itself
;-)
Remember at the most we're only hosting 75 users/devices on that server
with a max of 75 gigs (remember no snickering from the Enterprise folks)
of Store.
(and reading his message.. see why I went with Policypatrol?
SunONE)? Have a client who
encountered this little issue.
Thanks,
Brian Desmond
From: [list] On Behalf Of Joe Kaplan
Sent: Thursday, August 03, 2006 8:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir
There's actually other stuff you can do with MOM. I'm not sure exactly how
our MOM AD guy does it, but he has MOM set up to alert him when the local
cert on the DC is getting close to expiration. If you are curious, I'll ask
him.
This tool is more useful for getting a snapshot of the whole
FWIW, Bryan and I have been discussing this offline and it looks like he's
use ASP.NET 2.0, not ASP. In .NET 2.0, replication operations are exposed
on the DomainController class in the
System.DirectoryServices.ActiveDirectory namespace. No need for goofy
shelling out to repadmin. The .NET
The < and > characters are used in a DN to implement platform-specific DN
syntaxes. Microsoft uses them for implementing the GUID and SID DN
syntaxes, which look like this:
<GUID=f2c76527-dbb5-4826-94e4-488743d82b69>
<SID=S-1-427139602-4143570898-3002774972-1124764024-1874728375-2129772970>
These can be
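As an added example (not code from the thread or from Joe's book), the Python below turns the binary objectSid and objectGUID values an LDAP search actually returns into the string forms these two DN syntaxes expect. The SID S-1-5-21-1-2-3-1001 and the raw GUID bytes are constructed for the example; the GUID string itself is the one quoted in the post above. The non-obvious part is the byte order: objectGUID is stored Windows mixed-endian, so the string form comes from uuid.UUID(bytes_le=...), not from uuid.UUID(bytes=...).

```python
import struct
import uuid


def sid_to_string(raw: bytes) -> str:
    """Render a binary objectSid (the form LDAP returns) as S-R-I-S...

    Layout: revision (1 byte), sub-authority count (1 byte),
    48-bit identifier authority (big-endian), then N little-endian
    32-bit sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string, with range checks so garbage cannot be packed."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not an S-... SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not (0 <= revision <= 255 and authority < 1 << 48 and len(subs) <= 15):
        raise ValueError("SID field out of range")
    if any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError("sub-authority out of range")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def guid_to_string(raw: bytes) -> str:
    """objectGUID is stored in Windows mixed-endian order: the first three
    fields are little-endian, so uuid.UUID(bytes_le=...) gives the string
    that ADSI and ldp.exe display and that <GUID=...> expects."""
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def sid_path(raw_sid: bytes) -> str:
    """Build the <SID=...> DN form from a binary objectSid."""
    return "<SID=%s>" % sid_to_string(raw_sid)


def guid_path(raw_guid: bytes) -> str:
    """Build the <GUID=...> DN form from a binary objectGUID."""
    return "<GUID=%s>" % guid_to_string(raw_guid)


if __name__ == "__main__":
    # Constructed sample values; not taken from a real directory.
    sample_sid = string_to_sid("S-1-5-21-1-2-3-1001")
    sample_guid = bytes.fromhex("2765c7f2b5db264894e4488743d82b69")
    print(sid_path(sample_sid))    # <SID=S-1-5-21-1-2-3-1001>
    print(guid_path(sample_guid))  # <GUID=f2c76527-dbb5-4826-94e4-488743d82b69>
```

Both paths are rename- and move-safe for the same reason the post gives for DN-valued attributes: neither changes when the object is moved, and the SID survives a cross-domain move via sIDHistory lookups only if you search for it, which this form does not do.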
MS Schema GUIDS different from my Forest to MSDNobjectGUID and schemaIDGUID
are not the same thing. objectGUID will always be randomly generated when
an object is created and will differ between different forests for schema.
schemaIDGUID can and usually is (at least for schema from MS) set
I'm pretty sure that's part of the RFC spec. A space at the beginning or
end of a query value will be ignored. Your space in this example would be
both. Did you try escaping it to see if that works?
Joe Kaplan
- Original Message -
From: Jef Kazimer
To: ActiveDir@mail.activedir.org
That's a much more thorough explanation than mine. :) I was too lazy to
even dust off the RFC URL.
Joe K.
- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Friday, August 18, 2006 7:40 AM
Subject: RE: [ActiveDir] Single Space in LDAP query dropped: Why?
Yeah
Me too. I was that lazy. :)
Joe Kaplan
- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Friday, August 18, 2006 5:46 PM
Subject: RE: [ActiveDir] Single Space in LDAP query dropped: Why?
I have it bookmarked. :)
LDAP V3 - http://www.faqs.org
That's a good explanation. I don't see how you can lock them out
programmatically though. The mechanism just isn't designed to do that.
You'd have to force bad auth attempts on them constantly.
If you can't disable the AD account, what if you expired it? That would
prevent login too,
It actually depends on the policy defined for the SSL stack. In Windows,
this is typically configured globally for all SSL, although I'm not sure
where. It definitely used to be the case in Windows that CRLs were never
checked, but I have seen some other SSL stuff with HTTP actually
I like this advice as well. In terms of some of the nuts and bolts of how
one might do this, as a software guy, I'm a huge proponent of source code
control/configuration management systems and simple, text-based file formats
for the stuff you stick in your source repository. As such, I
Well, you don't need a .NET implementation of Python (which is what
IronPython is) to use Python with ADSI. Python already has COM support. If
one was interested in Python running on the CLR, then that would be the
thing to check out, but I'm guessing the guy just wants to write some ADSI
In addition to what everyone else has said, if there is an issue with SSL in
Windows, you almost always get an error from schannel in the System event
log on the machine that rejected the connection that explains exactly what
the problem is (if you can figure out what it is telling you).
For
I hope you aren't frustrated by the book being written in C# rather than
VB.NET. That rule was imposed by my coauthor and the publisher. All of the
code samples are re-written in VB.NET and posted on the website, so
hopefully that works for you.
For the most part, the actual VB and C# code
From: [list] On Behalf Of Joe Kaplan
Sent: Saturday, September 16, 2006 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Cookbooks...
The only clean way to authenticate external users to SharePoint is
with a solution like ADFS and federated identity. SharePoint doesn't
use LDAP internally for auth and you can't really make it.
Federation does give you the ability to have your external users use
their own organization's
You might have them try to work with the GC. You should be able to
authenticate and find users from any domain via the GC.
I think Joe Richards might also suggest that the vendor learn what they are
doing and either integrate with AD the right way or don't claim they can.
I'll bet they need
Although I do tend to agree that LDAP does not define a good authentication
protocol at all, it is definitely the case that LDAP is used as an
authentication mechanism all over the place. I also don't think there is
really anything wrong with using it for that per se, as long as it is used
I think the bottom line of my argument boils down to simple bind without
SSL is evil, but simple bind with SSL is acceptable. Secure bind is
generally acceptable, with or without SSL.
As such, I'd love to see an AD and ADAM option that would allow the DS to
reject simple bind operations on
That's very cool, Eric. I had no idea that setting existed in ADAM. Any
chance of sneaking that into the AD stack?
I agree that it only solves half the problem, but at least by preventing
this from working at all, it keeps people from setting up apps that will do
insecure simple binds
From: [list] On Behalf Of Joe Kaplan
Sent: Sunday, September 24, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP
Yeah, the real step by step guide isn't so bad per se. What it tries to do
is give you a simple path to having an easy demo set up of ADFS going so you
can kick the tires. For that, it is ok. Where it doesn't cross the gap
very well is in providing guidance on how to apply the lessons
Thanks for the plug on the book. Ch 12 is all about programmatic
authentication. We cover the DirectoryEntry approach suggested by
Darren as well as the LogonUser approach suggested by Brian. The code
samples (in C# and VB.NET) are available for free from
www.directoryprogramming.net.
Note
It is a good article with good analysis. I do think it would be a useful
feature to have a bit to flip for simple bind to be forced to fail with
blank password, even though this would go against the RFC spec. I also
think it is interesting that since ADAM is actually doing some sort of
The problem is that this happens a lot. There are simply tons of
applications out there that don't use Windows SASL binds. It would be nice
if it wasn't this way, but that's the reality of LDAP auth, especially with
vendors that don't use Microsoft's LDAP libraries. I've got at least 6 of
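The blank-password problem discussed above comes straight from RFC 4513 section 5.1.2: a simple bind that carries a DN but an empty password is an "unauthenticated" bind, and a server that follows the RFC answers it with success and an anonymous authorization state. An application that equates "bind succeeded" with "password verified" has therefore just accepted any DN with no password at all. The Python below is an added example, not code from the thread or from any vendor product: it builds the BER-encoded BindRequest from RFC 4511 so you can see exactly what goes on the wire, classifies a captured request as anonymous, unauthenticated, authenticated or SASL, and shows the client-side guard an application must apply before it sends the request. DN and password values are constructed; no directory is contacted.

```python
def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(n: int) -> bytes:
    """INTEGER, minimal two's complement (enough for message IDs and version)."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    bind = _tlv(0x60,                                    # [APPLICATION 0] BindRequest
                _ber_int(3)                              # version
                + _tlv(0x04, dn.encode("utf-8"))         # name (LDAPDN)
                + _tlv(0x80, password.encode("utf-8")))  # authentication: simple [0]
    return _tlv(0x30, _ber_int(message_id) + bind)       # LDAPMessage SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def classify_bind(msg: bytes) -> str:
    """Classify a BindRequest per RFC 4513 section 5.1: anonymous,
    unauthenticated (name but no password), authenticated, or sasl."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(body, 0)                 # messageID
    tag, bind, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = _read_tlv(bind, 0)                 # version
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, cred, _ = _read_tlv(bind, pos)
    if auth_tag == 0xA3:                           # sasl [3]
        return "sasl"
    if auth_tag != 0x80:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % auth_tag)
    if not name and not cred:
        return "anonymous"
    if name and not cred:
        return "unauthenticated"
    if name and cred:
        return "authenticated"
    return "invalid"                               # password without a name


def credentials_acceptable(dn: str, password: str) -> bool:
    """The guard an application must apply before a simple bind: never send a
    request the server will treat as anonymous or unauthenticated."""
    return bool(dn.strip()) and bool(password)


if __name__ == "__main__":
    # Constructed values; nothing is sent anywhere.
    req = encode_simple_bind(1, "CN=jdoe,OU=Users,DC=example,DC=com", "")
    print(req.hex())
    print(classify_bind(req))  # unauthenticated: an RFC-conformant server answers success
    print(credentials_acceptable("CN=jdoe,OU=Users,DC=example,DC=com", ""))  # False
```

The guard is deliberately on the client: whatever the directory does with unauthenticated binds, an application that is using the bind as a password check must refuse to send an empty password in the first place, and should treat a successful bind as proof of nothing more than what it sent.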
I agree, the documentation is misleading. They should say that anonymous
searches aren't allowed.
Joe K.
- Original Message -
From: Jef Kazimer
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 9:24 PM
Subject: Re: [ActiveDir] ADAM bind
to the
authenticating domain). This would limit its usefulness in extranet
scenarios because of the ports that would have to be opened between ADAM
and AD (assuming they are on opposite sides of a firewall).
Tony
-- Original Message --
From: Joe Kaplan
Do try to push your vendors in the direction of standards-based federation
when federation is the solution. It is really the best way to go for that
particular class of problems.
The real problem for ADFS in the federation space is that it only supports
WS-Federation and doesn't support
I'll start a new thread, since we are off on ADFS now. I have no experience
with WebSphere yet in the federation space, so it sounds like you are ahead
of me.
With our federation work, the primary target for federation is with ASPs
that host applications in their own facilities. For these
ADAM integrates with the domain in a few ways.
When an ADAM server is a domain member, then ADAM can be used to
authenticate domain users via LDAP authentication (using secure bind or
simple bind with bind proxies).
ADAM will also get its password policy from the machine password policy
There isn't really a way to do it without attempting to connect. Also,
remember that SSL has to be negotiated between the client and server. The
server may be perfectly capable of doing SSL, but if the client doesn't
trust the server's certificate or attempts to contact the server with a name
I'd love to see something like that as a constructed read/write attribute if
it could ever be made to happen. You could also blow apart the fields in
the SD into separate attributes to make the semantics more clear.
Joe
- Original Message -
From: Dmitri Gavrilov
To:
It is a shame. The city really needs the business. I've been back 3
times now since the storm and things have definitely gotten better,
but it still has a long way to go.
Most of the US has kind of forgotten about it by now, so I'm guessing
that many TechEd visitors would be shocked at how
Ryan and I wrote a whole book that is essentially all about how you might
write such a thing (www.directoryprogramming.net), but we don't have any
pre-baked web parts in the samples. All the code is lower level than that.
We also have such a thing that we use internally (actually a server
The actual code for programming AD in .NET is pretty similar to ADSI
(since it uses ADSI under the hood). There is a more powerful,
strongly typed search interface called the DirectorySearcher that is
actually much more powerful and easier to use than ADO for searching.
All in all, it really
See, I told you the security was the hard part. :) This is no different in
.NET.
Like I said, the first thing to decide is whether you want to use trusted
subsystem or delegation as your security architecture. That will determine
the settings to use and any additional configuration.
There is an API that converts UPN to DN (DsCrackNames, also wrapped by
IADsNameTranslate in ADSI). I'm not sure if that helps or not. Like Laura
said, you do need to look something up though.
Joe K.
- Original Message -
From: Laura A. Robinson
To:
Reading Security Descriptors
Hi Felderi,
First, thanks for buying our book! I'm not sure if you knew, but we have a
website for the book, www.directoryprogramming.net, where Ryan and I host a
support forum for questions just like this. However, I'm happy to try to
answer your question here.
UPN is arbitrary, so you can't assume the alias part will be the same as
sAMAccountName (although we do that in our org by convention). There is no
such attribute representing what you want.
Joe K.
- Original Message -
From: Michael B Allen
To:
One thing to keep in mind is that ADSI is not good for authentication in
general as it has scalability issues. If the application must support many
simultaneous users, it will likely blow up. I've seen this happen many
times. If one must use LDAP auth, it is better to do it directly against
SharePoint is typically set to impersonate the logged on user, so you would
normally be binding to AD as the browser user, not the network service
(machine) account. It is possible that they disable impersonation, but that
is unlikely.
If you are impersonating and are using IWA auth, you
I'm not sure why on earth you would ask that question here, but I suppose
I'm only encouraging you by answering.
Basically, the file system remote stuff doesn't let you easily supply
alternate credentials. You need to impersonate the alternate user and
perform the operation that. It isn't
That's a classic scenario for ADAM. I wouldn't use AD for that as you just
need bind auth for users of a web app. AD actually gives you a ton of stuff
you don't need and some additional complexity. ADAM scales the same as AD,
so there is no advantage from a scale point of view to use AD.
On Thu, 23 Nov 2006, Joe
This is also a good application for federation (ADFS). It gives you
the flexibility of provisioning your dealer accounts in ADAM instead
of AD (which can give you a lot more flexibility in terms of how to
allocate hardware) and can give you the ability to allow the dealers
to log on with their
My understanding is that you can get the actual protocol transition logon to
work, but you cannot use delegation (which is what you really need) because
PT is tied to constrained delegation and it only works in a single domain,
not even in multiple domains in a forest. Your understanding is
This is definitely something I've written a few times. I actually don't
have a stand alone ASP.NET page that does this, as I tend to write ASP.NET
apps that are a bit more architected and have stuff implemented in
different layers to help facilitate reuse and testability, so the actual LDAP
I'm of the opinion that Ryan and I have written a very good book on LDAP
programming in .NET. You can find more info here, including free code
samples and a free sample chapter in PDF, at www.directoryprogramming.net.
Ryan wrote a bunch of pretty useful stuff for expanding group membership in
They aren't equivalent. Try using the .Value property instead:
user.Properties("description").Value =
Description is a funny property in AD in that the schema says that it allows
multiple values, but the DS itself will only allow it to contain a single
value for backward compatibility
I'm saying that those two are not equivalent functions under the hood. Add
typically does a PutEx with the append flag, while Put just does a put,
which is essentially an LDAP update operation. I think you would have the
same problem if you invoked PutEx and used the Append flag.
From: [list] on behalf of Joe Kaplan
Sent: Thu 28/12/2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DirectoryServices vb.net is broken.
That is what I was thinking of. I couldn't find where I read that and went
from memory. Thanks for the clarification.
Joe K.
- Original Message -
From: steve patrick
To: ActiveDir@mail.activedir.org
Sent: Friday, December 29, 2006 6:07 PM
Subject: Re: [ActiveDir]
It doesn't do the change tracking, except with some special case stuff in
terms of how the new security descriptor stuff works. However, ADSI itself
might track that for you. Basically, CommitChanges calls SetInfo, so if the
underlying IADs is clever enough to not send an LDAP request if
- Extended Op
and paste in the OID (1.3.6.1.4.1.4203.1.11.3) with no Data value.
Lee Flight
On Mon, 22 Jan 2007, Joe Kaplan wrote:
Is there support for WhoAmI in ldp.exe? It sounds useful and I'd like to
try it. :)
Joe R.: When will this be added to Adfind (or is it already)?
Joe K
If this can happen with any LDAP directory and not just AD, then it sounds
like the issue is with the Oracle SSL stack.
Does the search hang permanently or just take a long time to execute?
Sometimes an SSL operation is slowed down a lot due to client certificate
authentication requested by
If you did a bind to the directory with that user object, then you should be
able to do a search to find the user object you used for the bind. This
might only be complicated if you authenticated with a foreign domain user,
but I doubt you are doing that.
The exact nature of the search would
direct to the result!
I am trying to contact our customer's LDAP admin in order to get
additional info from the server logs. As soon as I can get this, I will
update the thread.
Thank you all for your help!
On Tue, 2007-01-23 at 10:51 -0600, Joe Kaplan wrote:
If this can happen with any LDAP
(sAMAccountName=TestUser), but I think it would impose a
substantial
load on the Active Directory server, because not all users are
under OU=Users,DC=company,DC=cz, some are located in other subtrees. Do you
think it would be OK to do that?
Thanks,
Alexandr
On Tuesday 23 January 2007 19:02 Joe Kaplan wrote:
Thanks for clearing that up. I appreciate it.
Joe K.
- Original Message -
From: Eric Fleischman
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 5:52 PM
Subject: RE: [ActiveDir] Who Am I request
You can do an x-domain simple bind within the forest.
In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary and there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute. You essentially need to get all the data and
Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
-----Original Message-----
From: [list] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses
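Joe's answer above boils down to: fetch proxyAddresses for every candidate and sort the primary from the secondaries on the client, because an LDAP filter cannot tell SMTP: from smtp: (the attribute is matched case-insensitively, so (proxyAddresses=smtp:*) hits every mail-enabled object). As an added example, not code from the thread, here is that client-side step in Python run over a few constructed search results.

```python
def parse_proxy_addresses(values):
    """Split a proxyAddresses multi-value into the primary SMTP address
    (prefix exactly 'SMTP:'), secondary SMTP addresses (any other casing,
    conventionally 'smtp:') and non-SMTP entries such as X400: or x500:."""
    result = {"primary": None, "secondary": [], "other": []}
    for value in values:
        prefix, sep, address = value.partition(":")
        if not sep or prefix.upper() != "SMTP":
            result["other"].append(value)
        elif prefix == "SMTP":
            if result["primary"] is not None:
                # Exchange allows exactly one primary; two is a data error worth surfacing.
                raise ValueError("more than one primary SMTP address: %r" % (values,))
            result["primary"] = address
        else:
            result["secondary"].append(address)
    return result


def users_with_secondary_addresses(entries):
    """Client-side filter over (dn, attrs) pairs as a search would return them.
    The server can only narrow to (proxyAddresses=smtp:*); this finishes the job
    and returns (dn, primary, [secondaries]) for each object that has extras."""
    found = []
    for dn, attrs in entries:
        parsed = parse_proxy_addresses(attrs.get("proxyAddresses", []))
        if parsed["secondary"]:
            found.append((dn, parsed["primary"], parsed["secondary"]))
    return found


# Constructed sample search results; these are not from a real directory.
SAMPLE_ENTRIES = [
    ("CN=jdoe,OU=Users,DC=example,DC=com",
     {"proxyAddresses": ["SMTP:jdoe@example.com",
                         "smtp:john.doe@example.com",
                         "smtp:jdoe@old.example.com",
                         "X400:c=US;a= ;p=Example;o=Exchange;s=Doe;g=John;"]}),
    ("CN=asmith,OU=Users,DC=example,DC=com",
     {"proxyAddresses": ["SMTP:asmith@example.com"]}),
    ("CN=svc-backup,OU=Service,DC=example,DC=com",
     {}),
]

if __name__ == "__main__":
    for dn, primary, secondaries in users_with_secondary_addresses(SAMPLE_ENTRIES):
        print(dn, primary, secondaries)
```

Ask the server for only proxyAddresses (plus whatever you need to identify the object) in the attribute list and page the results; the cost Joe warns about is in pulling the attribute for every mail-enabled object, not in the few lines of sorting done here.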