
ADAM - AD_Schema load fails with error


Andrew Stanford

Jul 8, 2005, 8:02:01 AM
I have installed a new ADAM instance and I am attempting to run the
following command:
ldifde -i -f ad_schema.ldf -s itfswd7:389 -k -j . -c "CN=Schema,CN=Configuration,DC=X" #SchemaNamingContext

The schema instance is installed on Windows XP pro, the AD server is Server
2003. Also, I tried the above command with the -b switch specifying my user
account. My account is a Domain Admin.

I get the following error:
Add error on line 12289: Referral
The server side error is: 0x202b A referral was return from the server.
The extended server error is:
0000202B: RefErr: DSIS-03100738, data 0, 1 access points
ref 1: 'x'

754 entries modified successfully.
An error has occurred in the program.

-----------------------------------------------------------------
Inspecting the ldif.log file shows that the last entry successfully modified
was 754. The log entry for 755 says:
755: cn=DNS-Host-Name-Attributes,cn=Extended-Rights, cn=Configuration,dc=X
Entry DN: cn=DNS-Host-Name-Attributes,cn=Extended-Rights,
cn=Configuration,dc=X

...the rest of the entry is the same as the error information displayed at
the command prompt.

Any help on this matter would be great.

Thanks in advance,
Andrew

Lee Flight

Jul 8, 2005, 10:01:26 AM
Hi

that looks like the ad_schema.ldf that comes with ADAMSync,
that being the case it's

-c "cn=Configuration,dc=X" #configurationNamingContext

that you need in your ldifde command line.

Lee Flight

"Andrew Stanford" <AndrewS...@discussions.microsoft.com> wrote in
message news:4E65725B-EBD4-4B3C...@microsoft.com...

Andrew Stanford

Jul 8, 2005, 11:50:01 AM
Thanks Lee... yes I am using the ad_schema.ldf that comes with adamsync and
the file seemed to load just fine, as did the required schema_metadata.ldf

Moving on to the next step: I tried to run the following command:
adamsync /install itfswd7:389 bttest.xml /log -

Gives me the message:
Establishing connection to target server itfswd7:389.
Updating configuration file on bttest.xml.
Reading Configuration File from bttest.xml
Please enter password:
Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,dc=btweb,dc=ADAM
Unable to read attribute objectclass on DC=btweb,DC=bakertilly,DC=net,dc=btweb,dc=ADAM.

Here are the contents of BTTest.xml:
<?xml version="1.0" ?>
<doc>
<configuration>
<config-name>ADAMApplication</config-name>
<security-mode>object</security-mode>
<source-ad-name>btdcprimary.btweb.bakertilly.net</source-ad-name>
<source-ad-partition>DC=btweb,DC=bakertilly,DC=net</source-ad-partition>
<source-ad-account>axs2</source-ad-account>
<target-rdn>dc=btweb,dc=ADAM</target-rdn>
<account-domain>btweb</account-domain>
<query>
<base-dn>DC=btweb,DC=bakertilly,DC=net</base-dn>
<object-filter>(objectClass=*)</object-filter>
</query>
</configuration>
</doc>

So the DC server is called btdcprimary on the domain btweb.bakertilly.net
The adam instance is called adam1 and the partition is dc=btweb,dc=ADAM


Thanks,
Andrew

Lee Flight

Jul 8, 2005, 12:41:57 PM
Hi

the ADAM partition name must match the AD partition name
to within a trailing suffix in the current beta of ADAMSync (not
the improved Windows Server R2 version, also in public beta).

So if your AD partition is

DC=btweb,DC=bakertilly,DC=net

then your ADAM partition must be

DC=btweb,DC=bakertilly,DC=net[,<target-rdn>]

where [] indicates an optional component so if you want the
ADAM partition to be

DC=btweb,DC=bakertilly,DC=net,DC=ADAM

you would need to create the partition

DC=btweb,DC=bakertilly,DC=net,DC=ADAM

and specify

<target-rdn>dc=ADAM</target-rdn>

in your config.xml. You could also just create an ADAM
partition

DC=btweb,DC=bakertilly,DC=net

and not specify a target-rdn

<target-rdn></target-rdn>


Lee Flight


"Andrew Stanford" <AndrewS...@discussions.microsoft.com> wrote in
message news:F825ABC0-1C88-45F9...@microsoft.com...

Andrew Stanford

Jul 11, 2005, 8:16:04 AM
Hi,

Thanks for your help so far. There seems to be a fair amount of important
information missing from the documentation.

I uninstalled the ADAM instance I had and installed a new one with the
partition:
dc=btweb,dc=bakertilly,dc=net,dc=adam

I edited the config file as described and managed to load it using adamsync
/install.

I have tried to run the following command and get the error shown below. It
also pops up the dialog saying that "adamsync.exe has encountered a problem,
do you want to send an error report to Microsoft etc...":
adamsync /sync itfswd7:389 AdamApplication /log -


Establishing connection to target server itfswd7:389.

Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=ADAM
Saved configuration file.
Error fetching message from resource fileError occured fetching internationalized message number 13. Error code: 317


Any thoughts on this error? I also tried the above with a partition called
dc=btweb,dc=bakertilly,dc=net dropping the contents of the <target-rdn> tag
as suggested. I got a similar message, the only difference being the message
number. This time it seemed to be trying to read message number 87 (instead
of 13 in the previous test).

I wonder if I should be using the newer version that comes with R2. I
wasn't aware of it but have downloaded it now. Will the procedures for
install and sync be similar to what I have just been through? Is there a
document that describes the improvements to this new release?

Thanks,
Andrew Stanford

Lee Flight

Jul 11, 2005, 8:41:35 AM
Hi

inline below...

"Andrew Stanford" <AndrewS...@discussions.microsoft.com> wrote in
message news:B26D98C5-2D13-47A3...@microsoft.com...

I have not seen either of those errors; I think they have come up before
once or twice on the NGs, and I have never managed a repro. It may be
that you need to uninstall ADAM and retry.

> I wonder if I should be using the newer version that comes with R2. I
> wasn't aware of it but have downloaded it now. Will the procedures for
> install and sync be similar to what I have just been through? Is there a
> document that describes the improvements to this new release?

If you can try the R2 release then that is the way to go; unfortunately
there is a woeful lack of documentation on this release at present. In
fact the R2 ADAMsync has less documentation than the beta you have
been using, however my experience is that the code is improved.

The /install and /sync steps are much the same for the R2 release,
there are some minor changes to the config.xml. The only advertised
feature that has been added is the ability to sync user objects in AD
to bindProxy objects in ADAM. If you have problems with it please
post back (stating that you are using the R2 release) and we will try
and help.

Lee Flight


Lee Flight

Jul 13, 2005, 4:29:27 PM
Hi

sounds like you are making good progress, more below...

"Andrew Stanford" <AndrewS...@discussions.microsoft.com> wrote in
message news:0E33E1C7-9B67-4051...@microsoft.com...

> Assuming that the sync goes OK (it takes about 20 minutes to fail), we are
> wondering if we can confiure it to only include a subset of users from the
> DC? i.e. only the users that are likely to use the application. What would
> you recommend?
>
> An idea that has been put forward was to create a new group and put
> required
> users into that. I am guessing that I could maybe filter the sync down to
> just users by adjusting the config file so the object-filter tag says
> (objectClass=Users), but am not sure how to limit the users that arrive in
> ADAM from there.

Yes, using an AD group is a useful idea. So if you have an AD group
called AppUsers with distinguishedName

CN=AppUsers,OU=Groups,DC=a,DC=b

and add the AD users that you want to sync to ADAM to that group then
you would need an LDAP filter something like (ignore any line wraps):

(&(objectCategory=person)(objectClass=User)(memberOf=CN=AppUsers,OU=Groups,DC=a,DC=b))

which as an element in your config.xml would look like (ignore any line
wraps):

(&amp;(objectCategory=person)(objectClass=User)(memberOf=CN=AppUsers,OU=Groups,DC=a,DC=b))

that should sync just the members of the group (it would not sync their
group membership). If the users in question are already members of a
large number of groups then things will start to slow up.

A potential downside is that if a user is ever in the group when the /sync
runs then they will be sync'ed to ADAM but if they are removed from the AD
group I suspect they will remain in ADAM.

Lee Flight
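Lee's group-membership filter above, and the users-only filter he gives later in the thread, as an added C# example (not code from the original posts): the group DN is escaped for use inside an LDAP filter (RFC 4515) and the finished filter is then escaped for the config.xml element, which is where the &amp; in the element comes from. The group DN with parentheses is a constructed sample, not one from the thread.

```csharp
// Added example, not from the thread: build the ADAMSync <object-filter> element
// from a group DN. Two escaping layers are involved: RFC 4515 escaping of the DN
// inside the LDAP filter, then XML escaping of the whole filter for config.xml.
using System;
using System.Security;
using System.Text;

static class AdamSyncFilter
{
    // RFC 4515: '*', '(', ')', '\' and NUL inside an attribute value must be written
    // as \2a, \28, \29, \5c and \00. Without this a group name such as
    // "App Users (Remote)" produces an unbalanced filter, and a name chosen by
    // someone else could change which objects the filter matches.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\\': sb.Append(@"\5c"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Lee's filter: user objects that are direct members of one AD group.
    // Only direct membership is matched, and group membership itself is not synced.
    public static string MembersOfGroupFilter(string groupDn)
    {
        return "(&(objectCategory=person)(objectClass=User)(memberOf="
               + EscapeFilterValue(groupDn) + "))";
    }

    // The element text for config.xml. The filter is XML character data, so '&'
    // must appear as &amp; ('<' and '>' would be escaped the same way).
    public static string ObjectFilterElement(string ldapFilter)
    {
        return "<object-filter>" + SecurityElement.Escape(ldapFilter) + "</object-filter>";
    }

    static void Main()
    {
        // Constructed sample DN (not from the thread), with parentheses on purpose.
        string groupDn = "CN=App Users (Remote),OU=Groups,DC=a,DC=b";

        string filter = MembersOfGroupFilter(groupDn);
        Console.WriteLine("LDAP filter : " + filter);
        Console.WriteLine("config.xml  : " + ObjectFilterElement(filter));

        // The users-only filter from later in the thread, escaped the same way.
        Console.WriteLine("config.xml  : "
            + ObjectFilterElement("(&(objectCategory=Person)(objectClass=User))"));
    }
}
```

Paste the element printed on the config.xml lines into the <query> section of the configuration file in place of the existing <object-filter>; the LDAP filter line is what ADAMSync sends to the DC after the XML has been parsed.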


Andrew Stanford

Jul 13, 2005, 11:50:04 AM
Hi,

Thanks again for your help.

I ended up switching to the 2003 R2 version. It was a bit of messing around
as it seemed that it wouldn't install on anything except the trial version of
2003. Bit of a pain... never mind.

I tweaked the config file and after a few attempts managed to get it to
install.

I then had a couple of issues doing the sync. It would run for ages, then
error. I found the answer in your post to Tom C (adamsync /sync error). I
have hit a couple of other attributes that also need to be excluded, but feel
that I am on the right track.

Assuming that the sync goes OK (it takes about 20 minutes to fail), we are
wondering if we can configure it to only include a subset of users from the
DC? i.e. only the users that are likely to use the application. What would
you recommend?

An idea that has been put forward was to create a new group and put required
users into that. I am guessing that I could maybe filter the sync down to
just users by adjusting the config file so the object-filter tag says
(objectClass=Users), but am not sure how to limit the users that arrive in
ADAM from there.


Regards,
Andrew Stanford

Andrew Stanford

Jul 14, 2005, 12:13:03 PM
Hi,


The sync process is failing. It seems to take about 20 minutes and it
populates ADAM with lots of OU's and some CN's, I seem to be missing the most
important part... the actual Users.

At the end of each sync run I get an error similar to this:
Updating the configuration file DirSync cookie with a new value.
Unable to find object (ldapDisplayName=msExchADCGlobalNames) in the target schema.
Equivalent object in the source schema is <GUID=f62ad3546aacb340a3bacef25e2da01d>.
Unable to find object (ldapDisplayName=replicatedObjectVersion) in the target schema.
Equivalent object in the source schema is <GUID=96d4a1fcfb82bc40928dbe464e331d02>.
Unable to find object (ldapDisplayName=replicationSignature) in the target schema.
Equivalent object in the source schema is <GUID=2c605edf31c88a4a9416f99f3cf2c9dc>.
Ldap error occured. ldap_add_sW: No Such Attribute.
Extended Info: .


Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=ADAM
Saved configuration file.

I then add more "exclude" tags to the config file and try again. So far the
excludes I have added are:
<exclude>showinaddressbook</exclude>
<exclude>publicdelegates</exclude>
<exclude>msExchHideFromAddressLists</exclude>
<exclude>homeMTA</exclude>
<exclude>deliveryMechanism</exclude>
<exclude>homeMDB</exclude>
<exclude>mailNickname</exclude>
<exclude>msExchHomeServerName</exclude>
<exclude>msExchALObjectVersion</exclude>
<exclude>msExchHideFromAddressList</exclude>
<exclude>msExchMasterAccountSid</exclude>
<exclude>msExchUserAccountControl</exclude>
<exclude>msExchMailboxSecurityDescriptor</exclude>
<exclude>msExchMailboxGuid</exclude>
<exclude>dLMemDefault</exclude>
<exclude>msExchPoliciesIncluded</exclude>
<exclude>telephoneAssistant</exclude>
<exclude>replicatedObjectVersion</exclude>
<exclude>replicationSignature</exclude>
<exclude>msExchADCGlobalNames</exclude>

I didn't think there would be this many problems with the schema as I have
loaded MS-AdamSchemaW2K3.LDF & MS-AdamSyncMetadata.LDF into ADAM.

I then run the ADSchemaAnalyzer loading the ADAM instance as the "target
schema" and the AD server as the "Base schema". I then check the "Mark
non-present elements as included" menu option and then "Create LDIF File...".

I load the resulting LDIF file into my ADAM instance. Shouldn't the ADAM &
AD schemas be the same at this point? Is there an easier way to figure out
the required "exclude" tags?

--
Regards,
Andrew Stanford


Andrew Stanford

Jul 14, 2005, 12:27:03 PM
Further to my previous post... My most recent sync has just finished, but I
am not sure what to do now as the error message seems to have changed and
there doesn't seem to be any clear direction as to what attribute or class I
should be excluding now. See the error message below:
Processing Entry: Page 34, Frame 1, Entry 53, Count 1, USN 0
Processing source entry <guid=b6170c0f999c414b8467410dab6a5491>
Processing in-scope entry b6170c0f999c414b8467410dab6a5491.
(sourceobjectguid=?b6?17?0c?0f?99?9c?41?4b?84?67?41?0d?ab?6a?54?91) exists in target. Converting object creation to object modification.
Renaming target object CN=G_LL_PARTNER,OU=Liverpool,DC=btweb,DC=bakertilly,DC=net,DC=adam to CN=G_LL_PARTNER,<GUID=60c303d5840d344c83273b981d810351>.
Deferring synchronization of attribute member to end of run. Deleting attribute.

Modifying attributes: description, groupType, lastagedchange,
Previous entry took 0 seconds (362, 10) to process

Processing Entry: Page 34, Frame 1, Entry 54, Count 1, USN 0
Processing source entry <guid=a2ce363ab7cfba4db26be703b7b1363c>
Processing in-scope entry a2ce363ab7cfba4db26be703b7b1363c.
(sourceobjectguid=?a2?ce?36?3a?b7?cf?ba?4d?b2?6b?e7?03?b7?b1?36?3c) exists in target. Converting object creation to object modification.
Renaming target object CN=Page Amy-1,OU=BT,OU=ITF,DC=btweb,DC=bakertilly,DC=net,DC=adam to CN=Page Amy-1,<GUID=26db62db0d01a54087b0d85a06960249>.
Modifying attributes: sn, l, st, title, description, postalCode, physicalDeliveryOfficeName, telephoneNumber, facsimileTelephoneNumber, givenName, initials, displayName, otherTelephone, info, securityProtocol, deletedItemFlags, co, department, company, proxyAddresses, streetAddress, mDBStorageQuota, mDBOverQuotaLimit, otherHomePhone, autoReplyMessage, garbageCollPeriod, mDBUseDefaults, mAPIRecipient, extensionAttribute1, extensionAttribute2, extensionAttribute3, extensionAttribute4, extensionAttribute5, extensionAttribute6, extensionAttribute7, extensionAttribute8, extensionAttribute9, extensionAttribute10, msExchAssistantName, homeDirectory, homeDrive, dBCSPwd, scriptPath, userWorkstations, userParameters, profilePath, comment, legacyExchangeDN, userPrincipalName, textEncodedORAddress, mail, homePhone, mobile, pager, unmergedAtts, msExchPreviousAccountSid, mDBOverHardQuotaLimit, msExchPoliciesExcluded, lastagedchange,
Ldap error occured. ldap_modify_sW: No Such Attribute.
Extended Info: 00000057: LdapErr: DSID-0C090A8A, comment: Error in attribute conversion operation, data 0, vece.
Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
Saved configuration file.


Thanks in advance for your help.
--
Regards,
Andrew Stanford

Lee Flight

Jul 14, 2005, 5:44:28 PM
Hi

sorry, I had not picked up that you want to sync from an Exchange extended
AD schema. Using ADSchemaAnalyzer is the way to go; if you can get
the schema in sync then you do not need to fiddle with exclude attrs.
More below....

"Andrew Stanford" <AndrewS...@discussions.microsoft.com> wrote in
message news:23E0B5E2-5B60-42C0...@microsoft.com...

> I didn't think there would be this many problems with the schema as I have
> loaded MS-AdamSchemaW2K3.LDF & MS-AdamSyncMetadata.LDF into ADAM
>
> I then run the ADSchemaAnalyzer loading the ADAM instance as the "target
> schema" and the AD server as the "Base schema". I then check the "Mark
> non-present elements as included" menu option and then "Create LDIF
> File...".
>
> I load the resulting LDIF file into my ADAM instance. Shouldn't the ADAM &
> AD schemas be the same at this point? Is there an easier way to figure out
> the required "exclude" tags?

What works for me is:

Install an ADAM instance and create the naming context that you want in it,
do not apply any LDIFs

Run ADSchemaAnalyzer, load the Exchange extended schema from the DC
as the *target*, load the (minimal) ADAM schema as the base. Then check
the "Mark all non-present elements as included" menu option and then
"Create LDIF File...". The resulting LDIF is around 3MB (2091 entries).

Load the LDIF just created into the ADAM Schema

Load MS-AdamSyncMetadata.LDF into the ADAM schema

Create the ADAMSync XML file and, assuming that it is only user objects that
you want, use

<object-filter>(&amp;(objectCategory=Person)(objectClass=User))</object-filter>

ADAMSync /install and then ADAMSync /sync as usual.

HTH
Lee Flight

Andrew Stanford

Jul 18, 2005, 7:06:02 AM
Hi,

Finally... SUCCESS. I have managed to synchronize a Group from AD to my ADAM
instance. I even got my code to authenticate against.

So, just continuing on with my investigation of this technology... I changed
a password in AD then tried to run the adamsync again to get the new password
down into ADAM. The following is a dump from the command prompt:

C:\WINDOWS\ADAM>adamsync /sync localhost:389 dc=btweb,dc=bakertilly,dc=net,dc=adam /log -
Adamsync.exe v1.0 (5.2.3790.1939)
Establishing connection to target server localhost:389.
Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
Saved configuration file.
ADAMSync is querying for a writeable replica of btweb.bakertilly.net.
Establishing connection to source server btdccy.btweb.bakertilly.net:389.
Using file .?dam3A.tmp as a store for deferred dn-references.
Populating the schema cache
Populating the well known objects cache
Starting synchronization run from DC=btweb,DC=bakertilly,DC=net.
Starting DirSync Search with object mode security.

Processing Entry: Page 1, Frame 1, Entry 0, Count 0, USN 0
Processing source entry <guid=832ea0dc80bedc46bc5b759afe29e969>
Processing in-scope entry 832ea0dc80bedc46bc5b759afe29e969.
Modifying target object CN=Harding-Rolls Simon,OU=BT,OU=ITF,DC=btweb,DC=bakertilly,DC=net.
Modifying attributes: dBCSPwd, lockoutTime, lastagedchange,
Ldap error occured. ldap_modify_sW: Constraint Violation.
Extended Info: 00000057: AtrErr: DSID-030F0BB6, #1:
0: 00000057: DSID-030F0BB6, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90296 (lockoutTime)
.
Saving Configuration File on DC=btweb,DC=bakertilly,DC=net,DC=adam
Saved configuration file.

Any ideas on this one?
--
Regards,
Andrew Stanford


Andrew Stanford

Jul 18, 2005, 8:29:04 AM
Further to my post... I tried adamsync with the /fs switch and that worked OK,
but wasn't exactly what I wanted as it took ages to resync every user again.
I had a look at the other switches. Ran with the /MAI switch, changed the
password in AD again, ran adamsync /sync again and it worked OK this time.

Is this approach OK? I was sure what it meant by marking the ADAM instance
as authoritative, but it sounds like we are giving the ADAM instance more
privileges maybe.

Can you just clarify/confirm that I am on the right track here.
--
Regards,
Andrew Stanford

Lee Flight

Jul 18, 2005, 9:47:12 AM
Hi

I think the problem with lockoutTime may be a bug. I will chase
it up. As a workaround add lockoutTime as an <exclude> attribute
in your XML configuration file and reapply the install.

I'm confused by the statement "got my code to authenticate against"
as ADAMSync cannot synch. passwords between AD and ADAM.
If what you are saying is that you used a windows account from the
domain that the ADAM server is a member of and authenticated OK
then that's fine.

Thanks
Lee Flight

"Andrew Stanford" <AndrewS...@discussions.microsoft.com> wrote in
message news:EF6C14D3-ED60-41EA...@microsoft.com...

Lee Flight

Jul 18, 2005, 10:45:33 AM
Hi

[See my previous reply]

I suspect that the reason /fs worked was because the problem attribute
lockoutTime has been reset in the AD it originated from (by, say,
a successful logon after the lockout duration).

Ditto for /MAI which I believe just marks the ADAM instance in a
config set as authoritative but I'm not sure as I have never used it.

I will file a bug against the lockoutTime attribute issue to try and
get it excluded, in the meantime use an <exclude>.

HTH
Lee Flight


"Andrew Stanford" <AndrewS...@discussions.microsoft.com> wrote in
message news:44B60E0D-243B-4DBB...@microsoft.com...

Andrew Stanford

Jul 19, 2005, 5:10:03 AM
Sorry... missed a word there. I got my code to authenticate against ADAM.
However, it only seems to work when the ADAM server is connected to the
network.

The idea is that we have an application, which will be taken out of the
office. Not an unusual idea presented like that, but we are taking a server
and a team of users out of the office. So a team will have a 2003 server
running an ASP.net application. The team will access this using forms based
security, which will hopefully be able to authenticate them against the ADAM
instance. A requirement is that they access the application using the
credentials that they use when in the office.

So we are looking at populating an ADAM instance while they are still in the
office, then using this for authentication while they are away.

We have discovered that the authentication code does seem to need to be
connected to the network containing the AD, otherwise it fails. Is it
possible to authenticate against ADAM while the ADAM instance is not
connected to the AD network?

Lee Flight

Jul 19, 2005, 6:23:31 AM
Hi

Take a look at the ADAM Technical Reference

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/7cfc8997-bab2-4770-aff2-be424fd03cda.mspx

and search for the section on

Authentication in ADAM

to see the options for authentication. When you authenticate using a
domain account to an ADAM instance on an AD domain member
server ADAM punts the authentication request to AD; ADAM is
not a "caching" DC. As you will see from the link above options
for local authentication are using Windows accounts in the server
SAM or creating native ADAM users, for the latter if you need
password synchronization with the domain accounts you will need
a password synchronization tool which is likely to be more heavyweight
than you would want to consider.

Maybe before exploring any more it might be a good idea to write up
your requirement, much as your 2nd and 3rd paragraph below, and post it to the
adsi.general newsgroup as, although forms auth against an instance will
work, there are other considerations, outside my expertise (e.g. the lack
of impersonation for ADAM principals), that might dictate your way
forward.

HTH
Lee Flight

"Andrew Stanford" <AndrewS...@discussions.microsoft.com> wrote in
message news:847F21FA-A526-4B1B...@microsoft.com...

Andrew Stanford

Jul 19, 2005, 9:54:03 AM
Hi,


Thanks for the link. It does clarify things. What I get is that any accounts
brought into ADAM using ADAMSYNC are flagged inside the ADAM instance
somewhere as Windows Principals. So if I want to do local authentication I
need ADAM native accounts.

You mentioned password synchronization... we have been also looking at
Identity Integration Server as an alternative to ADAMSYNC to populate ADAM. I
see that this isn't going to help us as the accounts are likely to be flagged
as Windows Principals, but I guess what you might be saying is that it may be
possible for us to populate ADAM with just the usernames from AD using ADSI,
then use MIIS to sync the passwords.

I will check out the ADSI.General newsgroup.

Lee Flight

Jul 19, 2005, 11:58:34 AM
Hi

inline below...

"Andrew Stanford" <AndrewS...@discussions.microsoft.com> wrote in
message news:741F8B65-50EA-48E7...@microsoft.com...

> Thanks for the link. It does clarify things. What I get is that any
> accounts
> brought into ADAM using ADAMSYNC are flagged inside the ADAM instance
> somewhere as Windows Principals.

User objects in AD pulled by ADAMSync will get instantiated as native
ADAM user objects (as defined by the user classSchema object that you
imported into your ADAM schema). In fact, in the R2 version you could
map them to userProxy objects but that is not the default. So you should
have a native ADAM user for each AD user, i.e. an ADAM user object
whose attributes have been sync'ed from AD but which will need
passwords setting if you want to authenticate against them. Of course
you might not want to authenticate against them you might just want them
as a catalog of your AD users, although I'm not clear whether you even
need that information; it depends on your application's requirement.

> So if I want to do local authentication I
> need ADAM native accounts.

or Windows users local to the ADAM server

> You mentioned password synchronization... we have been also looking at
> Identity Integration Server as an alternative to ADAMSYNC to populate
> ADAM. I
> see that this isn't going to help us as the accounts are likely to be
> flagged
> as Windows Principals,

They will not be Windows Principals, see above. Windows Principals
are domain accounts defined in your AD, your ADAMSync'ed objects
are shadows of the domain accounts - ADAM user objects that have
some attributes that are the same as the domain accounts, think of
the ADAM objects as a catalog of the AD objects.

> but I guess what you might be saying is that it may be
> possible for us to populate ADAM with just the usernames from AD using
> ADSI,
> then use MIIS to sync the passwords.

If you use MIIS/IIFP then it will sync the objects but with greater flexibility
than ADAMSync; the MIIS/IIFP password synch mechanism is based
on intercepting the password when a password is *changed* in AD as existing
passwords cannot be extracted from AD.

Lee Flight


Andrew Stanford

Jul 20, 2005, 10:35:02 AM
Hi,

Thanks again for all your help. Sorry if I am not quite getting this right.

It sounds like you are saying that the passwords are not brought down by
adamsync (or MIIS) and I need to use some product to sync the passwords
separately, but MIIS won't do the trick as it only synchronizes changes as
they happen.

If ADAMSync is bringing accounts into ADAM as native accounts... reading the
technical doc it seems that normally they will do a simple LDAP bind to
ADAM and have no need to access AD or local windows accounts. It only seems
to need this if ADAM recognises it as a windows principal. I wonder,
when is an account considered a Windows principal?

I am trying to authenticate using the .NET code:
DirectoryEntry de = new DirectoryEntry(Domain, User, Pass);

...and as ADAM doesn't have the password, is it then passing it to AD to
authenticate?

--
Regards,
Andrew Stanford

Lee Flight

Jul 20, 2005, 12:13:51 PM
Hi

inline below...

"Andrew Stanford" <AndrewS...@discussions.microsoft.com> wrote in
message news:9DA933C5-F7BD-42A4...@microsoft.com...

> It sounds like you are saying that the passwords are not brought down by
> adamsync

That's right, ADAMSync cannot read the password from AD.

> (or MIIS) and I need to use some product to sync the passwords
> separately, but MIIS won't do the trick as it only synchronizes changes as
> they happen.

I do not believe any product can sync the password except by
intercepting a password change, as the existing AD password cannot
be extracted.

> If ADAMSync is bringing accounts into ADAM as native accounts... reading
> the
> technical doc it seems that it normally they will do a simple LDAP bind to
> ADAM and have no need to access AD or local windows accounts.

That's right, the accounts you have created are native ADAM accounts
that have some attributes in common (because of the sync) but as
bindable objects in the ADAM directory they will need to have a password
set on them.

> It only seems
> to need to need this if ADAM recognises it as a windows principal. I
> wonder,
> when is an account considered a Windows principal?

ADAM distinguishes between accounts dependent on how they bind
to ADAM. If ADAM (v1.0) is presented with credentials in a simple bind
the credentials presented must correspond to an object in the ADAM
directory, for the username you can present the distinguishedName
of the object (or the userPrincipalName if set). So if you set a password
on one of your ADAMSync imported user objects and you knew the
distinguishedName of that user in ADAM you could simple bind and
ADAM would check the password against that you set (and which is
stored in the password attribute of the user in ADAM).

If you perform an LDAP SASL bind to ADAM, ADAM will just
pass the credentials to either the local computer or AD. If the creds
are validated ADAM will accept them and the bind will be
successful. If you have modified the access control within ADAM
to allow Windows principals access to the directory then after a
successful bind the Windows principal will have access to the
directory. In particular you might grant Windows principals access
so that they can query the shadow objects that in ADAM have
some of their AD attributes. If your AD DCs are not available then
Windows principals will not be able to bind to ADAM unless they
are accounts in the ADAM server user database (non AD users).


>
> I am trying to authenticate using the .NET code:
> DirectoryEntry de = new DirectoryEntry(Domain, User, Pass);
>
> ...and as ADAM doesn't have the password, is it then passing it to AD to
> authenticate?

As above: ADAM decides whether to ask AD based on the type of bind,
so (crudely)

objADAM = new DirectoryEntry(strPath,strUserName,strPassword,AuthTypes);

where

AuthTypes = AuthenticationTypes.None;

for a native ADAM user simple bind or

AuthTypes = AuthenticationTypes.Secure;

for a windows principal


Lee Flight


Joe Kaplan (MVP - ADSI)

Jul 21, 2005, 12:28:03 AM
One thing I feel is important to mention on this thread is an S.DS best
practice. Generally, you always want to be explicit with specifying
AuthenticationTypes (fourth parameter on the DE constructor), especially with
supplying credentials.

In .NET 1.x, when you use the code below (path, user, password) and don't
specify AuthenticationTypes, it will use None as the default and try a
simple bind. However, in .NET, the default is to always use Secure bind
when nothing is specified, so the behavior may change.

This can be especially important with ADAM and simple and secure binds are
used on different types of users (ADAM or bind proxy users vs. pass through
authentication). In AD, you can generally authenticate the same user both
ways, so you might not notice the change as much.

You can avoid the whole potential mess by always being explicit. There will
be no surprises that way.

Joe K.

"Lee Flight" <l...@le.ac.uk-nospam> wrote in message
news:eVVHHYUj...@TK2MSFTNGP10.phx.gbl...

Andrew Stanford

Jul 21, 2005, 4:40:02 AM
Hi,


I did originally have the DE constructor as
DirectoryEntry de = new DirectoryEntry(Domain, User, Pass, AuthenticationTypes.Secure);

... but wondered if that was causing problems, so I dropped it out for the
time being. I wasn't exactly sure what the default was, but I am using
version 2 of the framework. I will explicitly set it to "None" I think.


Regards,
Andrew

--
Regards,
Andrew Stanford

Joe Kaplan (MVP - ADSI)

Jul 21, 2005, 11:20:56 AM
Default on .NET 2.0 is Secure. Default on 1.1 is None, although it will use
secure when no credentials are specified. 1.1 itself is a little weird in
this regard which is one of the reasons I always recommend being very
explicit.

Cheers,

Joe K.

"Andrew Stanford" <AndrewS...@discussions.microsoft.com> wrote in
message news:CA813316-B1E9-4865...@microsoft.com...

Andrew Stanford

Jul 25, 2005, 5:01:02 AM
Thanks. The none option doesn't seem to work with my objects that have been
brought in using ADAMSYNC. In fact, if I create a new user object using ADSI
Edit, then reset the password to some value, then run the code it doesn't
work with "none" either. I thought it was supposed to?

Lee Flight

Jul 25, 2005, 5:45:08 AM
Hi

have you checked that you can bind to the user object outside of
your code using e.g. ldp.exe?

As the objects will have been created without new passwords they
will likely have been created as disabled accounts; check out the
msDS-UserAccountDisabled attribute on the object.

Lee Flight

"Andrew Stanford" <AndrewS...@discussions.microsoft.com> wrote in
message news:FF2A523B-28A7-4699...@microsoft.com...

Joe Kaplan (MVP - ADSI)

Jul 25, 2005, 10:17:32 AM
This one always catches people. :)

Also, remember that when binding with an ADAM user, there are two syntaxes
you can use for the user name. Either use the full DN or use the UPN. Note
that you can only use the UPN if you set the UPN though (and made sure it is
unique).

It sounds like if your simple binds were not working, then you were doing
passthrough authentication against AD with your AD users instead.

Joe K.

"Lee Flight" <l...@le.ac.uk-nospam> wrote in message
news:ucpkN2Pk...@TK2MSFTNGP14.phx.gbl...
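The binding points Lee and Joe make in the last few posts (an explicit AuthenticationTypes on the DirectoryEntry constructor, a DN or UPN as the username for a native ADAM user, and checking msDS-UserAccountDisabled on an object ADAMSync created without a password), as an added C# example that is not code from the original posts. The partition DN is the one used in the thread; host, port, user DN and credentials are placeholders.

```csharp
// Added example, not from the thread: explicit bind types against ADAM with
// System.DirectoryServices. Host, port, user DN and credentials are placeholders.
using System;
using System.DirectoryServices;

static class AdamBindDemo
{
    // Partition DN as used in the thread; host and port are placeholders.
    const string Server = "LDAP://localhost:389/";
    const string Partition = Server + "DC=btweb,DC=bakertilly,DC=net,DC=adam";

    // Native ADAM user: simple bind. The username is the object's distinguishedName
    // (or its userPrincipalName, if one was set and is unique). ADAM checks the
    // password stored on that object and does not contact AD, so this keeps
    // working when the server is away from the domain.
    public static DirectoryEntry BindNativeUser(string userDnOrUpn, string password)
    {
        var entry = new DirectoryEntry(Partition, userDnOrUpn, password, AuthenticationTypes.None);
        entry.RefreshCache(new string[] { "distinguishedName" }); // bind now rather than lazily
        return entry;
    }

    // Windows principal: secure (SASL) bind. ADAM hands the credentials to the local
    // SAM or to AD, so this fails when the AD DCs are unreachable.
    public static DirectoryEntry BindWindowsPrincipal(string domainUser, string password)
    {
        var entry = new DirectoryEntry(Partition, domainUser, password, AuthenticationTypes.Secure);
        entry.RefreshCache(new string[] { "distinguishedName" });
        return entry;
    }

    // Objects ADAMSync creates arrive without a password and are likely to be disabled.
    // Read msDS-UserAccountDisabled with an administrative bind before concluding
    // that a failing simple bind is a credential problem.
    public static bool IsAccountDisabled(string userDn, string adminUser, string adminPassword)
    {
        using (var user = new DirectoryEntry(Server + userDn, adminUser, adminPassword,
                                             AuthenticationTypes.Secure))
        {
            object value = user.Properties["msDS-UserAccountDisabled"].Value;
            return value is bool && (bool)value;
        }
    }

    static void Main()
    {
        // Constructed user DN and credentials; replace with values from your instance.
        const string userDn = "CN=Example User,OU=BT,OU=ITF,DC=btweb,DC=bakertilly,DC=net,DC=adam";
        const string adminUser = @"BTWEB\adamadmin";
        const string adminPassword = "<admin password>";

        if (IsAccountDisabled(userDn, adminUser, adminPassword))
        {
            Console.WriteLine("Account is disabled; clear msDS-UserAccountDisabled and set a password first.");
            return;
        }

        try
        {
            using (var entry = BindNativeUser(userDn, "<password set on the ADAM object>"))
            {
                Console.WriteLine("Simple bind succeeded as " + entry.Properties["distinguishedName"].Value);
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            // With AuthenticationTypes.None ADAM never forwarded the request to AD,
            // so a failure here is local to the ADAM object (password or disabled flag).
            Console.WriteLine("Simple bind failed: " + ex.Message);
        }
    }
}
```

Because the bind type is always stated, the code behaves the same on .NET 1.1 and 2.0 regardless of the framework default Joe describes.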
