***Calling Add...
ldap_add_s(ld,
"CN=bgps_svc,OU=ApplicationUsers,O=Bioinformatics,OU=GNF,DC=BIOGPS", [2]
attrs)
Error: Add: Unwilling To Perform. <53>
Server error: 000020E7: SvcErr: DSID-03152AA9, problem 5003
(WILL_NOT_PERFORM), data 8471
Error 0x20E7 The modification was not permitted for security reasons.
I have been looking on the internet for an answer with no luck; can anyone
help?
Thanks a lot.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:6D58172C-D809-4E2E...@microsoft.com...
And yes, I am using ldp. The way I format the value is by getting the SID
for the user with a utility script, then I copy and paste the value into ldp.
if you are using a string SID (S-1-5-21-xxx-yyy-zzz) in ldp.exe then you need
to specify it as
\SID:S-1-5-21-xxx-yyy-zzz
for the Value of objectSID.
Or you can use an ldf file
dn: CN=bgps_svc,OU=ApplicationUsers,O=Bioinformatics,OU=GNF,DC=BIOGPS
changetype: add
objectClass: userProxy
objectSID: S-1-5-21-xxx-yyy-zzz
and import with
ldifde -i -f file.ldf -s ADAMserver:ADAMport
etc.
Lee Flight
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:BEDE6D81-1242-4C6B...@microsoft.com...
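As an added example (not code from this thread, nor from ADAM, ldp or ldifde), the encoding behind the objectSID value discussed above: the string SID is converted to the binary layout that objectSid actually stores, written into a userProxy LDIF record in base64 (`objectSid::`) form, and decoded back, so an exported proxy object can be checked against the AD account's SID it is supposed to link to. The DN and SID used here are constructed sample values.

```python
import base64
import struct

# Added example: encode/decode objectSid for an ADAM userProxy LDIF record.
# The DN and SID values in the tests are constructed, not real directory data.

def sid_to_bytes(sid: str) -> bytes:
    """Encode a string SID (S-R-A-s1-s2-...) into the binary SID layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a string SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subauths) > 15:
        raise ValueError(f"SID field out of range: {sid!r}")
    if any(not 0 <= s <= 0xFFFFFFFF for s in subauths):
        raise ValueError(f"sub-authority out of range: {sid!r}")
    # revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    # identifier authority, then each sub-authority as 32-bit little-endian
    head = bytes([revision, len(subauths)]) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subauths)

def bytes_to_sid(data: bytes) -> str:
    """Decode a binary SID back to S-... form, checking the declared length."""
    if len(data) < 8 or len(data) != 8 + 4 * data[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(data[2:8], "big")
    subauths = struct.unpack("<%dI" % data[1], data[8:])
    return "-".join(["S", str(data[0]), str(authority), *map(str, subauths)])

def userproxy_ldif(dn: str, sid: str) -> str:
    """LDIF 'add' record for a userProxy with a base64 ('::') objectSid."""
    b64 = base64.b64encode(sid_to_bytes(sid)).decode("ascii")
    return "\n".join([f"dn: {dn}", "changetype: add",
                      "objectClass: userProxy", f"objectSid:: {b64}", ""])

def ldif_objectsid(ldif: str) -> str:
    """Return the string SID from a record's base64 objectSid line."""
    for line in ldif.splitlines():
        if line.lower().startswith("objectsid:: "):
            return bytes_to_sid(base64.b64decode(line.split(":: ", 1)[1]))
    raise ValueError("no base64 objectSid in record")
```

The record can be imported with the ldifde command line shown in the reply above; comparing `ldif_objectsid()` on an ldifde export with the SID of the intended AD account is a quick way to confirm a proxy object is linked to the right principal.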
Camilo
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_simple_bind_s(ld,
'CN=bgps_svc,OU=ApplicationUsers,O=Bioinformatics,OU=GNF,DC=BIOGPS',
<unavailable>); // v.3
Error <52>: ldap_simple_bind_s() failed: Unavailable
Server error: 8009030C: LdapErr: DSID-0C090441, comment:
AcceptSecurityContext error, data 52e, vece
Error 0x8009030C The logon attempt failed
I set the LDAP_OPT_ENCRYPT to 1 beforehand, but it seems to force it back
to 0 right before it attempts to authenticate the user.
The LDAP_OPT_ENCRYPT is a feature that only works with SSPI authentication
(Negotiate, Digest), not simple bind. The documentation that you are
referring to is misleading in this regard and doesn't bother to mention the
first part either. That is kind of disappointing.
Joe K.
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:4F308A70-DD31-4CB0...@microsoft.com...
0 = ldap_get_option(ld, 0x95, 1)
0 = ldap_get_option(ld, 0x96, 0)
0 = ldap_set_option(ld, 0x96, 1)
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity:
User='CN=bgps_svc,OU=ApplicationUsers,O=Bioinformatics,OU=GNF,DC=BIOGPS';
Pwd= <unavailable>; domain = ''.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090441, comment:
AcceptSecurityContext error, data 52e, vece
Error 0x8009030C The logon attempt failed
Also, the EnableSecureProxyBind needs to be DISABLED unless you have
configured ADAM with an SSL certificate and are binding to the directory in
LDP with SSL.
Joe K.
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:E68B024A-AEE2-4538...@microsoft.com...
A few other things to verify:
- You are definitely doing an LDAP simple bind
- The ADAM server is a member of the domain that the user you created the
bindProxy for is also a member of
- The username you are using in your bind operation is the full
distinguished name of the bindProxy object, not the user in AD
Typically, you should also be able to use ldp to do pass through auth with
LDAP secure bind for the same user in AD, so you might verify that that
works. Try doing a secure bind to ADAM using the AD username (domain\user)
and password for the AD user in question.
Joe K.
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:C748C7C5-5404-4123...@microsoft.com...
"Joe Kaplan" wrote:
> I don't think my book would help you that much. It is really designed for
> .NET programmers building applications that use AD and ADAM via LDAP. I
For now while you are trying to get this bindProxy stuff sorted out, I'd
stick with testing with ldp.exe. In general, it is the most useful tool for
programmers building apps against AD and ADAM. I think of it like query
analyzer from SQL Server 2000; extremely useful for testing out your query
syntax.
Joe K.
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:DC590BE9-FD8D-475D...@microsoft.com...
New and modifiable applications
For applications that are currently in development, and for applications
that can be updated, it is recommended that you write your applications to
authenticate directly against Active Directory, using Windows security
principals. This type of design provides the highest degree of security,
because passwords flow directly from the client to Active Directory, rather
than through ADAM. ADAM can then be used simply as an application-specific
data store. Proxy objects in ADAM can hold application data that is specific
to each Windows security principal, and an attribute on the ADAM proxy object
can be used to uniquely link each proxy object to a particular Windows
security principal. A unique identifier on a Windows security principal, such
as a security ID (SID) or a globally unique identifier (GUID), can be used
for this linking. If your application is unable to authenticate against
Active Directory, and you need to synchronize directory contents between ADAM
and Active Directory, you can use a synchronization service, such as
Microsoft Identity Integration Server (MIIS). However, this option introduces
a delay between the originating update and the synchronization of the update.
Joe K.
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:AEB7DE4C-C31C-4CE5...@microsoft.com...