Active Directory used to store the pwm* LDAP attributes... it works.


webkode

May 26, 2015, 8:48:09 PM
to pwm-g...@googlegroups.com
I've got the Active Directory to store password "pwm" related attributes.  It does work.  I did run few test cases where I successfully set my challenge questions and then I was able to reset my password by answering the challenge questions.

Here's my ldifde export to guide you in adding these attributes; I have added them manually in ADSIEdit

Remember - you need to do it with a user that belongs to "Schema Admins" built-in administrators group.

In my case I use Windows 2008 R2 to run AD.

Hint for adding classSchema pwmUser object: objectClassCategory: 3 --> means "auxiliary"; governsID means OID in this case.

Just read the object names to figure out which attributeSyntax to use etc.

Let me know if you have any questions.

dn: CN=pwmEventLog,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: pwmEventLog
distinguishedName: CN=pwmEventLog,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
instanceType: 4
whenCreated: 20150526210529.0Z
whenChanged: 20150526210529.0Z
uSNCreated: 726253
attributeID: 1.3.6.1.4.1.35015.1.2.1
attributeSyntax: 2.5.5.10
isSingleValued: FALSE
uSNChanged: 726253
showInAdvancedViewOnly: TRUE
adminDisplayName: pwmEventLog
oMSyntax: 4
lDAPDisplayName: pwmEventLog
name: pwmEventLog
objectGUID:: CyMc/gXI3kSQGEAnNmp8Lw==
schemaIDGUID:: BDUe3tc+zEqEv5etjojwfw==
objectCategory: 
 CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
dSCorePropagationData: 16010101000000.0Z
msDS-IntId: -1831913333

dn: CN=pwmGUID,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: pwmGUID
distinguishedName: CN=pwmGUID,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
instanceType: 4
whenCreated: 20150526205107.0Z
whenChanged: 20150526205107.0Z
uSNCreated: 726245
attributeID: 1.3.6.1.4.1.35015.1.2.4
attributeSyntax: 2.5.5.10
isSingleValued: TRUE
uSNChanged: 726245
showInAdvancedViewOnly: TRUE
adminDisplayName: pwmGUID
oMSyntax: 4
lDAPDisplayName: pwmGUID
name: pwmGUID
objectGUID:: 3Zq3HArYWUGPFqkc2Lq6pg==
schemaIDGUID:: 8XonC+3doUmONxr0BKfvig==
objectCategory: 
 CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
dSCorePropagationData: 16010101000000.0Z
msDS-IntId: -2077169648

dn: CN=pwmLastPwdUpdate,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: pwmLastPwdUpdate
distinguishedName: 
 CN=pwmLastPwdUpdate,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
instanceType: 4
whenCreated: 20150526205819.0Z
whenChanged: 20150526205819.0Z
uSNCreated: 726248
attributeID: 1.3.6.1.4.1.35015.1.2.3
attributeSyntax: 2.5.5.16
isSingleValued: TRUE
uSNChanged: 726248
showInAdvancedViewOnly: TRUE
adminDisplayName: pwmLastPwdUpdate
oMSyntax: 65
lDAPDisplayName: pwmLastPwdUpdate
name: pwmLastPwdUpdate
objectGUID:: 36Yh2osCmEmrVD6l7iifCQ==
schemaIDGUID:: cyFvCFHdC0+NyFx57YZ5ug==
objectCategory: 
 CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
dSCorePropagationData: 16010101000000.0Z
msDS-IntId: -2027845050

dn: CN=pwmResponseSet,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: pwmResponseSet
distinguishedName: 
 CN=pwmResponseSet,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
instanceType: 4
whenCreated: 20150526210434.0Z
whenChanged: 20150526210434.0Z
uSNCreated: 726251
attributeID: 1.3.6.1.4.1.35015.1.2.2
attributeSyntax: 2.5.5.10
isSingleValued: FALSE
uSNChanged: 726251
showInAdvancedViewOnly: TRUE
adminDisplayName: pwmResponseSet
oMSyntax: 4
lDAPDisplayName: pwmResponseSet
name: pwmResponseSet
objectGUID:: y8Vou1xvf0CYot9svfAQnQ==
schemaIDGUID:: 7B6BgsobpkSCtkxHZQuyqQ==
objectCategory: 
 CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
dSCorePropagationData: 16010101000000.0Z
msDS-IntId: -1651978036

dn: CN=pwmUser,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
changetype: add
objectClass: top
objectClass: classSchema
cn: pwmUser
distinguishedName: CN=pwmUser,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
instanceType: 4
whenCreated: 20150526213839.0Z
whenChanged: 20150526213839.0Z
uSNCreated: 726272
subClassOf: top
governsID: 1.3.6.1.4.1.35015.1.1.1
mayContain: pwmGUID
mayContain: pwmLastPwdUpdate
mayContain: pwmResponseSet
mayContain: pwmEventLog
rDNAttID: cn
uSNChanged: 726272
showInAdvancedViewOnly: TRUE
adminDisplayName: pwmUser
objectClassCategory: 3
lDAPDisplayName: pwmUser
name: pwmUser
objectGUID:: piRwYlWEsU+XYZ2b2za3hQ==
schemaIDGUID:: Rjz/UKN6LEyHy5HnVKiXiQ==
systemOnly: FALSE
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
defaultObjectCategory: CN=pwmUser,CN=Schema,CN=Configuration,DC=yourdomain,DC=com
dSCorePropagationData: 16010101000000.0Z
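The same schema extension as a script rather than manual ADSIEdit clicks. This is an added example, not the poster's LDIF or any PWM project code; it takes the OIDs, syntaxes and single-valued flags from the LDIF above, refuses to proceed if a same-named attribute already exists with a different OID or syntax, and ends with a verification query. It assumes the RSAT ActiveDirectory module is present and that the account is a member of "Schema Admins".

```powershell
# Added example: create the pwm* attributes and the pwmUser auxiliary class
# from the values in the LDIF above, then verify the result.
# Assumes RSAT ActiveDirectory module; run as a member of "Schema Admins".
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Values from the LDIF: 2.5.5.10/oMSyntax 4 = OCTET_STRING, 2.5.5.16/oMSyntax 65 = GeneralizedTime
$pwmAttributes = @(
    @{ Name = 'pwmEventLog';      Oid = '1.3.6.1.4.1.35015.1.2.1'; Syntax = '2.5.5.10'; OM = 4;  Single = $false },
    @{ Name = 'pwmResponseSet';   Oid = '1.3.6.1.4.1.35015.1.2.2'; Syntax = '2.5.5.10'; OM = 4;  Single = $false },
    @{ Name = 'pwmLastPwdUpdate'; Oid = '1.3.6.1.4.1.35015.1.2.3'; Syntax = '2.5.5.16'; OM = 65; Single = $true  },
    @{ Name = 'pwmGUID';          Oid = '1.3.6.1.4.1.35015.1.2.4'; Syntax = '2.5.5.10'; OM = 4;  Single = $true  }
)

foreach ($a in $pwmAttributes) {
    $existing = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$($a.Name)'" `
        -Properties attributeID, attributeSyntax
    if ($existing) {
        # A schema change is forest-wide and effectively permanent, so stop on any mismatch
        if ($existing.attributeID -ne $a.Oid -or $existing.attributeSyntax -ne $a.Syntax) {
            throw "Schema conflict: $($a.Name) exists with OID $($existing.attributeID), syntax $($existing.attributeSyntax)"
        }
        continue
    }
    New-ADObject -Name $a.Name -Type attributeSchema -Path $schemaNC -OtherAttributes @{
        lDAPDisplayName = $a.Name; adminDisplayName = $a.Name
        attributeID = $a.Oid; attributeSyntax = $a.Syntax; oMSyntax = $a.OM
        isSingleValued = $a.Single; showInAdvancedViewOnly = $true
    }
}

# objectClassCategory 3 = auxiliary; governsID is the class OID; mayContain lists the four attributes
if (-not (Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'pwmUser'")) {
    New-ADObject -Name 'pwmUser' -Type classSchema -Path $schemaNC -OtherAttributes @{
        lDAPDisplayName = 'pwmUser'; adminDisplayName = 'pwmUser'
        governsID = '1.3.6.1.4.1.35015.1.1.1'; objectClassCategory = 3
        subClassOf = 'top'; rDNAttID = 'cn'; showInAdvancedViewOnly = $true
        mayContain = [string[]]($pwmAttributes | ForEach-Object { $_.Name })
    }
}

# Reload the schema cache so the new definitions are usable without waiting for the timer
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# Verify: every pwm* definition with its OID, syntax, category and mayContain list
Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -like 'pwm*'" `
    -Properties attributeID, attributeSyntax, governsID, objectClassCategory, mayContain |
    Select-Object lDAPDisplayName, attributeID, attributeSyntax, governsID, objectClassCategory, mayContain
```

The LDIF attaches the attributes only to the pwmUser auxiliary class; a user object can carry them only once pwmUser is attached to it (dynamically by adding it to that object's objectClass, or statically via the user class's auxiliaryClass), which the post does not cover.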



BBA Hunter

Jun 10, 2015, 9:03:16 PM
to pwm-g...@googlegroups.com
I think I like what you have...just can't figure out where to set and what to set to enable users to update their attributes.

Am I guessing this right: You used adsiedit.msc, then went to each user ID and set a flag to enable attribute settings?

jpuc...@netcraftsmen.com

Jun 11, 2015, 2:11:34 PM
to pwm-g...@googlegroups.com
Hi Webkode,

Thanks for taking the time to post this, it has been helpful. I'm having an issue with pwmResponseSet, I was wondering if you could have a look.

Here is my Attribute:

Dn: CN=pwmResponseSet,CN=Schema,CN=Configuration,DC=mydomain,DC=com
adminDisplayName: pwmResponseSet;
attributeID: 1.3.6.1.4.1.35015.1.2.2;
attributeSyntax: 2.5.5.10 = ( OCTET_STRING );
cn: pwmResponseSet;
distinguishedName: CN=pwmResponseSet,CN=Schema,CN=Configuration,DC=mydomain,DC=com;
dSCorePropagationData (5): 6/9/2015 11:57:56 AM Eastern Daylight Time; 6/9/2015 11:42:48 AM Eastern Daylight Time; 6/9/2015 11:42:46 AM Eastern Daylight Time; 6/9/2015 11:29:28 AM Eastern Daylight Time; 0x1 = ( NEW_SD ), 0x0 = ( ), 0x0 = ( ), 0x0 = ( );
instanceType: 0x4 = ( WRITE );
isDefunct: FALSE;
isSingleValued: FALSE;
lDAPDisplayName: pwmResponseSet;
msDS-IntId: -2008826642;
name: pwmResponseSet;
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=mydomain,DC=com;
objectClass (2): top; attributeSchema;
objectGUID: 9146d87e-cba2-4c30-bf88-266e7f954662;
oMSyntax: 4 = ( OCTET_STRING );
schemaIDGUID: 75bd8f30-7a63-4922-b697-0d95651ed509;
showInAdvancedViewOnly: TRUE;
uSNChanged: 98802;
uSNCreated: 94204;
whenChanged: 6/11/2015 1:50:47 PM Eastern Daylight Time;
whenCreated: 6/9/2015 11:19:20 AM Eastern Daylight Time;


The only difference I see off the bat from yours to mine is the "changetype: add" which I can't find for the life of me...

Think you could point me in the right direction?

Thanks!
Joshua

webkode

Jun 23, 2015, 2:48:44 PM
to pwm-g...@googlegroups.com
I will need to make a better guide of what I have posted initially.

I did use the ADSIedit.msc to add the above mentioned attributes in the schema.  Once you add these attributes, you should be able to set them for all users in your Active Directory.

I don't think there is a need to "go to each user ID and set a flag to enable attribute settings" per se.  These new attributes become available and can be used/set right after they are entered into the schema.  They are auxiliary though, and you have to have advanced view enabled in your default Windows UI to see them.

webkode

Jun 23, 2015, 2:58:19 PM
to pwm-g...@googlegroups.com, jpuc...@netcraftsmen.com
Hi Joshua,
I see that you have added pwmResponseSet as an attribute while it should be added as a class.

Please compare:
objectClass (2): top; attributeSchema;

to:
objectClass: top
objectClass: classSchema

And I wouldn't worry about the "changetype: add" piece.  This is generated by LDIF export to indicate the action when you process it through ldifde.

So I suggest you drop this attribute and create it as a class with the properties outlined in my ldif file.

/Peter