ADAM Error: Add: Unwilling To Perform. <53>
orozcoc
***Calling Add...
ldap_add_s(ld,
"CN=bgps_svc,OU=ApplicationUsers,O=Bioinformatics,OU=GNF,DC=BIOGPS", [2]
attrs)
Error: Add: Unwilling To Perform. <53>
Server error: 000020E7: SvcErr: DSID-03152AA9, problem 5003
(WILL_NOT_PERFORM), data 8471
Error 0x20E7 The modification was not permitted for security reasons.
I have been looking on the internet for an answer with no luck, can any one
help?
Thanks a lot.
Joe Kaplan
SID of the user you are trying to proxy? That is a required attribute on
bindProxy objects.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:6D58172C-D809-4E2E...@microsoft.com...
orozcoc
Joe Kaplan
do this? How did you format the value?
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:F8DAF4FF-37E6-4743...@microsoft.com...
orozcoc
And yes, I am using ldp. The way I format the value is by getting the SID
for the user with an utility script, then I copy and paste the value into ldp.
orozcoc
ApplicationUsers, I see that in the allowedAttributes there is no reference
to objectSID while in the allowedChildClasses the userProxy is present, could
this be a problem?
Lee Flight
if you are using a string SID (S-1-5-21-xxx-yyy-zzz) in ldp.exe the you need
to specify it as
\SID:S-1-5-21-xxx-yyy-zzz
for the Value of objectSID.
Or you can use an ldf file
dn: CN=bgps_svc,OU=ApplicationUsers,O=Bioinformatics,OU=GNF,DC=BIOGPS
changetype: add
objectClass: userProxy
objectSID: S-1-5-21-xxx-yyy-zzz
and import with
ldifde -i -f file.ldf -s ADAMserver:ADAMport
etc.
Lee Flight
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:BEDE6D81-1242-4C6B...@microsoft.com...
orozcoc
aware of the formatting needed in ldp, the article doesn't specify that.
Camilo
orozcoc
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_simple_bind_s(ld,
'CN=bgps_svc,OU=ApplicationUsers,O=Bioinformatics,OU=GNF,DC=BIOGPS',
<unavailable>); // v.3
Error <52>: ldap_simple_bind_s() failed: Unavailable
Server error: 8009030C: LdapErr: DSID-0C090441, comment:
AcceptSecurityContext error, data 52e, vece
Error 0x8009030C The logon attempt failed
I set the LDAP_OPT_ENCRYPT to 1 before hand, but it seems to force it back
to 0 right before it attempts to authenticate the user.
Joe Kaplan
that by changing the the RequireSecureProxyBind value to 0 on the
msds-OtherSettings object on the CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,CN={GUID} object.
The LDAP_OPT_ENCRYPT is a feature that only works with SSPI authentication
(Negotiate, Digest), not simple bind. The documentation that you are
referring to is misleading in this regard and doesn't bother to mention the
first part either. That is kind of disappointing.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:4F308A70-DD31-4CB0...@microsoft.com...
orozcoc
error, on this output I am pasting here you can see my attempt to change the
values as the article says:
0 = ldap_get_option(ld, 0x95, 1)
0 = ldap_get_option(ld, 0x96, 0)
0 = ldap_set_option(ld, 0x96, 1)
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity:
User='CN=bgps_svc,OU=ApplicationUsers,O=Bioinformatics,OU=GNF,DC=BIOGPS';
Pwd= <unavailable>; domain = ''.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090441, comment:
AcceptSecurityContext error, data 52e, vece
Error 0x8009030C The logon attempt failed
Joe Kaplan
not secure/SASL bind (ldap_bind_s).
Also, the EnableSecureProxyBind needs to be DISABLED unless you have
configured ADAM with an SSL certificate and are binding to the directory in
LDP with SSL.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:E68B024A-AEE2-4538...@microsoft.com...
orozcoc
Joe Kaplan
RequireSecureProxyBind=0, then SSL is not required. That's why I was trying
to tell you to change it to 0.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:92CE164E-1A13-4CD2...@microsoft.com...
orozcoc
all of these methods explained and implemented as examples in your book about
active directory?
Joe Kaplan
.NET programmers building applications that use AD and ADAM via LDAP. I
don't think we cover these details of ADAM though.
A few other things to verify:
- You are definitely doing an LDAP simple bind
- The ADAM server is a member of the domain that the user you created the
bindProxy for is also a member of
- The username you are using in your bind operation is the full
distinguished name of the bindProxy object, not the user in AD
Typically, you should also be able to use ldp to do pass through auth with
LDAP secure bind for the same user in AD, so you might verify that that
works. Try doing a secure bind to ADAM using the AD username (domain\user)
and password for the AD user in question.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:C748C7C5-5404-4123...@microsoft.com...
orozcoc
"Joe Kaplan" wrote:
> I don't think my book would help you that much. It is really designed for
> ..NET programmers building applications that use AD and ADAM via LDAP. I
Joe Kaplan
doesn't contain enough details about bindProxy authentication to help you
out of this particular jam, but it does have enough details about other
stuff (including how to make sure you are doing a simple bind vs. secure
bind) that I think it will be worth having.
For now while you are trying to get this bindProxy stuff sorted out, I'd
stick with testing with ldp.exe. In general, it is the most useful tool for
programmers building apps against AD and ADAM. I think of it like query
analyzer from SQL Server 2000; extremely useful for testing out your query
syntax.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:DC590BE9-FD8D-475D...@microsoft.com...
orozcoc
New and modifiable applications
For applications that are currently in development, and for applications
that can be updated, it is recommended that you write your applications to
authenticate directly against Active Directory, using Windows security
principals. This type of design provides the highest degree of security,
because passwords flow directly from the client to Active Directory, rather
than through ADAM. ADAM can then be used simply as an application-specific
data store. Proxy objects in ADAM can hold application data that is specific
to each Windows security principal, and an attribute on the ADAM proxy object
can be used to uniquely link each proxy object to a particular Windows
security principal. A unique identifier on a Windows security principal, such
as a security ID (SID) or a globally unique identifier (GUID), can be used
for this linking. If your application is unable to authenticate against
Active Directory, and you need to synchronize directory contents between ADAM
and Active Directory, you can use a synchronization service, such as
Microsoft Identity Integration Server (MIIS). However, this option introduces
a delay between the originating update and the synchronization of the update.
Joe Kaplan
depends a lot on your application. They are often used for integrating
applications that only support LDAP simple bind or for applications that
require some sort of flat directory structure instead of a multi-domain
forest. I think there are some legitimate uses of them even for new .NET
web apps, but they are best avoided if there is an alternative as they
generally require some sort of sync process which essentially causes ongoing
operational maintenance.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"orozcoc" <oro...@discussions.microsoft.com> wrote in message
news:AEB7DE4C-C31C-4CE5...@microsoft.com...