Re: [ActiveDir] PHP Module for Windows

2007-01-24 Thread Michael B Allen
On Wed, 24 Jan 2007 15:26:47 -0800
"EIS Lists" <[EMAIL PROTECTED]> wrote:

> I reviewed PlexSSO (www.ioplex.com <http://www.ioplex.com/> ), but it
> appears to only run on Linux. Does anyone know of an "off the shelf" module
> that will run under Windows?

A number of people have asked us about this. I've been telling them "just
use IIS w/ IWA" but I must admit I've never tried running PHP w/ IIS so
I'm not sure if it would work. If you need the other is_memberof stuff or
the AD scripting stuff in 2.0 then I'm afraid there's no way unless you
write a C extension (and even then I don't think it would be as nice :-).

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


Re: [ActiveDir] OT: Apache LDAP authentication oddity

2007-01-19 Thread Michael B Allen
On Fri, 19 Jan 2007 09:19:03 -0600
"Thommes, Michael M." <[EMAIL PROTECTED]> wrote:

> We have an application that is using an Apache server to do LDAP
> authentications against our active directory.  (Yeah, I know; if only I
> were king!  LOL!)  The application developer tells me that if he tries
> doing an auth against our root base (dc=yyy,dc=zzz), the auth fails.  If
> he uses a search base of "ou=xxx,dc=yyy,dc=zzz", the auth works.  The
> user account that is being tested is some OU levels below this.  He is
> coding a subtree scope and he is filtering on (objectclass=user and
> objectcategory=person).
> 
>  
> 
> It's like Apache needs to start at an OU structure.  I couldn't find
> much on Google about this other than someone else was having the same
> issue last Fall and just gave up in frustration.   The Apache
> documentation I could find seemed to indicate that a search of
> "dc=yyy,dc=zzz" SHOULD work.

What Apache LDAP authentication are you using? Is it one of those
ldap_authz modules or a scripted ldap_bind hack?

A network capture would tell you definitively what authentication
mechanism is being used and at which end the problem resides. If you
have tcpdump on the web server this is simply:

  # tcpdump -s 0 -w mycapture.pcap 'port 389 or port 80'

Ldapsearch queries from the Apache machine might also help debug
the problem. For example, the following ldapsearch query gets the
CN=Users,DC=win,DC=net container (obviously you would need to adjust
things a little):

  $ ldapsearch -h 192.168.2.104 -p 389 -Y digest-md5 -U mthommes \
  -w thepass -b "DC=foo,DC=net" -s one -z 100 '(CN=Users)'

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Michael B Allen
On Tue, 9 Jan 2007 14:13:33 +1100
"Ken Schaefer" <[EMAIL PROTECTED]> wrote:

> I'm not sure what NTLM SSO Pass-Through is, but NTLM is not natively
> delegatable, so you can't (in the normal course of events) use this to create
> an account anywhere except on the local machine. There may be easier ways to
> create accounts on local machines.

Perhaps "proxy" would be a better term. When the web client requests the
challenge you request it from the target server (e.g. the DC) and send
it back to the client. When the client sends the password hashes you
send them to the target server. So the web client doesn't authenticate
with the web server it authenticates directly with the target server by
proxying the NTLMSSP tokens.

This is effectively a man-in-the-middle attack. Digital signatures are
used to thwart an MITM so if you require SMB signing you can prevent such
an attack (although if you can authenticate LDAP with NTLM you might be
able to get around that).

Actually now that I think about it I think W2K3 requires SMB signing so
maybe this permutation wouldn't work. But workstations do not require
SMB signing. One could authenticate back to the client and create an
account or simply place an executable in their Startup.

But again, if you're already trusted on the network it's game over.

Mike

> 
> On Mon, 8 Jan 2007 15:33:01 -0500
> "joe" <[EMAIL PROTECTED]> wrote:
> 
> 
> But I can add an improved permutation to your dirty trick. Send out an
> email with a link to your site but use NTLM SSO pass-through to create a
> bogus account with a predefined password. If someone with domain admin
> privs so much as stumbles across your site they will create the said
> account and not even know they did it. No credentials necessary and no
> SSO account necessary. Just a website with an FQDN.
> 
> There is one simple security setting that will thwart this attack
> though. For bonus points, does anyone know what it is? :->
> 
> Mike


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Michael B Allen
On Mon, 8 Jan 2007 15:33:01 -0500
"joe" <[EMAIL PROTECTED]> wrote:

> A dirty trick I have used in the
> past to disprove how secure an environment was was to set up a web site on a
> workstation, enable basic auth only, write a little perl cgi script to write
> the creds sent to the website to a log file and throw up a website
> unavailable screen and then tell admins that I have a web site that doesn't
> seem to authenticate users properly could they try to logon to see if it is
> just my test IDs or a permission problem. I would say at least 50%-60% of
> the time the admins will go to the page and type in their creds. Alternately
> try to get an admin to log into a workstation I control. In far too many
> cases I think you will find admins are users too... :) 

If you already own a machine with an FQDN and you can send email to people
as someone internal then it would be pretty hard to keep you out since
you're already somewhat trusted. You can't treat everyone inside
your network like criminals or you'll never get anything done. And if
you do have a criminal inside you should take it up with HR not IT.

But I can add an improved permutation to your dirty trick. Send out an
email with a link to your site but use NTLM SSO pass-through to create a
bogus account with a predefined password. If someone with domain admin
privs so much as stumbles across your site they will create the said
account and not even know they did it. No credentials necessary and no
SSO account necessary. Just a website with an FQDN.

There is one simple security setting that will thwart this attack
though. For bonus points, does anyone know what it is? :->

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] Risks of exposure of machine account passwords

2007-01-08 Thread Michael B Allen
On Mon, 8 Jan 2007 10:39:17 -0800
"Mr Oteece" <[EMAIL PROTECTED]> wrote:

> What are the risks associated with the exposure of machine account passwords
> in Active Directory? Passwords are changed for machine accounts regularly,
> but they don't really expire and can get rather old. If an attacker has
> access to this password, what sort of access would he have to other systems
> on the network via Kerberos? i.e., would he be able to forge service tickets
> as other users and elevate his access elsewhere? The laxness of policy
> surrounding these accounts suggests that this is not a huge risk. Should we
> be more concerned with these old passwords?

Those passwords are long, random and changed automatically over a
schannel NETLOGON pipe. I don't know how they're stored by the client but
I think it's highly unlikely anyone would be able to actually extract
one or snoop it.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] how to get ALL users in "Domain Users"

2007-01-02 Thread Michael B Allen
On Tue, 2 Jan 2007 11:34:31 -0600
"Thommes, Michael M." <[EMAIL PROTECTED]> wrote:

> I am trying to get a list of all of the users in the builtin group
> "Domain Users".  I am using the following commands, but get incomplete
> results.  Can someone tell me why?  Thanks!  And Happy New Year to
> everyone!
> 
>  
> 
> dsquery group -name "domain users" | dsget group -members >
> c:\temp\domain_users.txt

Domain Users is the primary group for all users so maintaining a
membership list is redundant. Simply enumerate all users (or perhaps
filter on primaryGroupID 513).

  dsquery * -filter "(primaryGroupID=513)"

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] Possibility of writing to ntSecurityDescriptor with LDAP and Unix

2006-12-12 Thread Michael B Allen
On Tue, 12 Dec 2006 14:49:46 -0500
"Santiago, Felderi (F.)" <[EMAIL PROTECTED]> wrote:

> 
> I know this may sounds crazy, but I need to write to the
> ntSecurityDescriptor attribute on a computer account from Unix via LDAP.
> Any clues?  Essentially, what I am trying to do is query the
> ntsecuritydescriptor attribute of an object already in AD to see the
> value and would like to moving forward to set the same value to a
> specific object moving forward.
> 
> Why ldap from Unix?  Well, I am dealing with Unix Admins who hate
> Windows and want to do everything Unix.  Any tips or tricks would be
> greatly appreciated.

Doubt it. Basically you need two things: an LDAP client that supports the
LDAP_SERVER_SD_FLAGS_OID control and a library that understands how to
decode and manipulate the binary array of ACEs that makes up a security
descriptor. The first part is easy. The second part is very difficult
unless you're comfortable hacking in C or Java.

As LDAP clients on UNIX go the best ones are:

1) OpenLDAP's C library which gives you low level access to build controls
and therefore will definitely allow you to set LDAP_SERVER_SD_FLAGS_OID
flags.
2) Java's JNDI which should also have low level access but I'm not sure.
3) The Perl binding for OpenLDAP is pretty good but again I'm not sure
you can do an arbitrary LDAPControl.

As security descriptor libraries go there are only two that I'm aware of:

1) Samba has a C api and a Python binding but it could be difficult trying
to decipher how to use it as it most likely is not designed specifically
for generic use such as this.
2) JCIFS has code to get security descriptors and resolve names of SIDs
but it only has code to decode security descriptors not encode them. But
the only reason that I mention JCIFS is because if *I* had to do this,
I think JNDI/JCIFS would be the path of least resistance and you would
end up with a pretty nice and flexible solution.

Or, if they're OK with using a web interface you could write an ASP to do
the work and protect it with Kerberos SSO which Firefox can do.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
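As an added example (not code from the thread, nor from PlexSSO, Samba or JCIFS), the following Python covers both the Domain Users thread above and this one: it decodes binary SIDs so a group's RID can be matched against primaryGroupID, BER-encodes the LDAP_SERVER_SD_FLAGS_OID control value, and walks the ACE array of a self-relative security descriptor. The domain SID, DNs, access masks and descriptor are constructed fixtures; no directory is contacted.

```python
import struct

# Values from the MS-ADTS / MS-DTYP specifications (known constants, not taken from the post).
LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"
OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION = 0x1, 0x2
DACL_SECURITY_INFORMATION, SACL_SECURITY_INFORMATION = 0x4, 0x8
SE_SELF_RELATIVE, SE_DACL_PRESENT = 0x8000, 0x0004
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED",
             5: "ACCESS_ALLOWED_OBJECT", 6: "ACCESS_DENIED_OBJECT"}


def sid_to_string(blob):
    """Decode a binary SID (objectSid, or the SID inside an ACE) to S-1-5-21-... form."""
    rev, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def sid_length(blob, off):
    return 8 + 4 * blob[off + 1]  # 8-byte header plus 4 bytes per sub-authority


def sd_flags_control_value(flags):
    """BER-encode SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }, the value of the
    LDAP_SERVER_SD_FLAGS_OID control. The flags select which parts of the descriptor
    a read returns (AD omits the SACL without it) and which parts a modify replaces."""
    val = flags.to_bytes((flags.bit_length() + 8) // 8, "big")  # leading 0x00 when bit 7 is set
    integer = b"\x02" + bytes([len(val)]) + val
    return b"\x30" + bytes([len(integer)]) + integer


def parse_acl(sd, off):
    """Walk an ACL's ACE array, bounds-checking each ACE against the ACL and the blob."""
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_size < 8 or pos + ace_size > min(off + acl_size, len(sd)):
            raise ValueError("ACE overruns its ACL (truncated or malformed descriptor)")
        mask = struct.unpack_from("<I", sd, pos + 4)[0]
        sid_off = pos + 8
        if ace_type in (5, 6):  # object ACEs carry Flags and up to two GUIDs before the SID
            obj_flags = struct.unpack_from("<I", sd, sid_off)[0]
            sid_off += 4 + 16 * bin(obj_flags & 0x3).count("1")
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": ace_flags, "mask": mask,
                     "sid": sid_to_string(sd[sid_off:sid_off + sid_length(sd, sid_off)])})
        pos += ace_size
    return aces


def parse_security_descriptor(sd):
    """Decode a self-relative SECURITY_DESCRIPTOR as carried in ntSecurityDescriptor."""
    rev, _sbz1, control, off_owner, off_group, off_sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    sid_at = lambda off: sid_to_string(sd[off:off + sid_length(sd, off)]) if off else None
    return {"control": control, "owner": sid_at(off_owner), "group": sid_at(off_group),
            "sacl": parse_acl(sd, off_sacl) if off_sacl else None,
            "dacl": parse_acl(sd, off_dacl) if off_dacl else None}


def effective_members(group, users):
    """Real membership = explicit `member` values + every user whose primaryGroupID equals
    the group's RID (last sub-authority of its objectSid). `dsget group -members` lists
    only the first set, which is why Domain Users comes back nearly empty."""
    rid = int(sid_to_string(group["objectSid"]).rsplit("-", 1)[1])
    primary = {u["dn"] for u in users if u["primaryGroupID"] == rid}
    return rid, sorted(set(group.get("member", [])) | primary)


# --- constructed fixtures and descriptor builders (made up for this example, not AD output) ---
def build_sid(*subs, authority=5):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_ace(ace_type, mask, sid):
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid


def build_sd(owner, group, aces):
    body = b"".join(aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body  # ACL_REVISION = 2
    off_owner, off_group = 20, 20 + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_group + len(group))
    return header + owner + group + acl


DOMAIN = (21, 1111, 2222, 3333)  # made-up domain SID sub-authorities
DOMAIN_USERS = {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com",
                "objectSid": build_sid(*DOMAIN, 513), "member": []}
USERS = [{"dn": "CN=alice,CN=Users,DC=example,DC=com", "primaryGroupID": 513},
         {"dn": "CN=bob,OU=Staff,DC=example,DC=com", "primaryGroupID": 513},
         {"dn": "CN=svc-backup,OU=Service,DC=example,DC=com", "primaryGroupID": 512}]
SAMPLE_SD = build_sd(build_sid(*DOMAIN, 512), build_sid(*DOMAIN, 513),
                     [build_ace(0, 0x000F01FF, build_sid(*DOMAIN, 512)),   # Domain Admins: full control
                      build_ace(0, 0x00020094, build_sid(*DOMAIN, 513))])  # Domain Users: generic read

if __name__ == "__main__":
    print("Domain Users RID and effective members:", effective_members(DOMAIN_USERS, USERS))
    print("SD_FLAGS value for OWNER|GROUP|DACL:", sd_flags_control_value(0x7).hex())
    for ace in parse_security_descriptor(SAMPLE_SD)["dacl"]:
        print(ace)
```

Encoding the descriptor for a write is the reverse of `parse_security_descriptor` and is where the real effort sits; the builders above only produce a minimal DACL-only descriptor for the fixture.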


Re: [ActiveDir] _msdcs not propagated in AXFR

2006-12-05 Thread Michael B Allen
Ok, thanks. It's only a testing machine. I'll leave it alone.

Mike

On Tue, 05 Dec 2006 00:10:56 -0800
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]> wrote:

> Put duct tape over the top and forget about them.
> 
> Seriously...you mess with those (especially the OU stuff)  and you will 
> break some wizards in SBS.  Kinda like the Kitchen Sink stuff you 
> live with it or if you do mess with 'em, please do so not on a client's 
> box and only on your own that only you will touch because if there's one 
> thing that will make me take forks out and start stabbing folks is when 
> you mess up a clients box. 
> 
> Truly... when a SBSer who knows the quirks about SBS comes into a 
> network and sees stuff screwed around with, they will 
> swingmigration/flatten it and get it back to a known state because it 
> costs the client more in the long run when it's not "default".  Granted 
> that "default" may not be what big server land considers default... but 
> it is what it is.
> 
> I'll ping you up with Paula aka Lanwench... the world wide "Former 
> Enterprisers who hate the quirks of SBS but deal with them anyway" is 
> starting new chapters daily.
> 
> Michael B Allen wrote:
> > Yeah, but you can just ignore it and it's not the default Users
> > or Computers containers. Still, is there a safe way to remove
> > those? Similarly there's a safe way to remove the Default-First-Site-Name
> > stuff too?
> >
> > Mike
> >
> > On Mon, 04 Dec 2006 20:28:42 -0800
> > "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]> wrote:
> >
> >   
> >> http://msmvps.com/blogs/bradley/archive/2005/07/27/59808.aspx
> >> http://www.sbslinks.com/images/wp5z50vd.gif
> >>
> >> Joe?  Deji?  Got some forks?
> >>
> >> Laura A. Robinson wrote:
> >> 
> >>> Please tell me that you're making that up. Otherwise I'll have to stab
> >>> myself in the eye with a fork. "My Business" 
> >>>
> >>> Words fail me. :-)
> >>>
> >>> Laura
> >>>   
> >>>   
> >>>> -Original Message-
> >>>> From: [EMAIL PROTECTED] 
> >>>> [mailto:[EMAIL PROTECTED] On Behalf Of 
> >>>> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> >>>> Sent: Monday, December 04, 2006 9:13 PM
> >>>> To: ActiveDir@mail.activedir.org
> >>>> Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
> >>>>
> >>>> We install the Kitchen Sink service too don't forget  ;-)
> >>>>
> >>>> (wait until we start talking about the My Business 
> >>>> OU...that's usually good for another freak out or two)
> >>>>
> >>>> Laura A. Robinson wrote:
> >>>> 
> >>>> 
> >>>>> Small point- dcpromo creates those zones as mentioned in 
> >>>>>   
> >>>>>   
> >>>> the original 
> >>>> 
> >>>> 
> >>>>> question  *if* you have not configured DNS beforehand, *if* 
> >>>>>   
> >>>>>   
> >>>> you tell 
> >>>> 
> >>>> 
> >>>>> dcpromo to go ahead and do it for you, and *if* you're building the 
> >>>>> forest root domain. If you have configured DNS beforehand, how the 
> >>>>> zones get created (as stub zones, as subdomains, etc.) will 
> >>>>>   
> >>>>>   
> >>>> depend on 
> >>>> 
> >>>> 
> >>>>> that preconfiguration. If you're not building the forest 
> >>>>>   
> >>>>>   
> >>>> root domain, 
> >>>> 
> >>>> 
> >>>>> the subdomain already exists and dcpromo is just populating it.
> >>>>>
> >>>>> I bring this up only because there are many companies that have 
> >>>>> existing DNS infrastructures and it's important to know 
> >>>>>   
> >>>>>       
> >>>> that "default" 
> >>>> 
> >>>> 
> >>>>> is not equivalent to "mandatory". It is not a requirem

Re: [ActiveDir] _msdcs not propagated in AXFR

2006-12-05 Thread Michael B Allen
Yeah, but you can just ignore it and it's not the default Users
or Computers containers. Still, is there a safe way to remove
those? Similarly there's a safe way to remove the Default-First-Site-Name
stuff too?

Mike

On Mon, 04 Dec 2006 20:28:42 -0800
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]> wrote:

> http://msmvps.com/blogs/bradley/archive/2005/07/27/59808.aspx
> http://www.sbslinks.com/images/wp5z50vd.gif
> 
> Joe?  Deji?  Got some forks?
> 
> Laura A. Robinson wrote:
> > Please tell me that you're making that up. Otherwise I'll have to stab
> > myself in the eye with a fork. "My Business" 
> >
> > Words fail me. :-)
> >
> > Laura
> >   
> >> -Original Message-
> >> From: [EMAIL PROTECTED] 
> >> [mailto:[EMAIL PROTECTED] On Behalf Of 
> >> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> >> Sent: Monday, December 04, 2006 9:13 PM
> >> To: ActiveDir@mail.activedir.org
> >> Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
> >>
> >> We install the Kitchen Sink service too don't forget  ;-)
> >>
> >> (wait until we start talking about the My Business 
> >> OU...that's usually good for another freak out or two)
> >>
> >> Laura A. Robinson wrote:
> >> 
> >>> Small point- dcpromo creates those zones as mentioned in 
> >>>   
> >> the original 
> >> 
> >>> question  *if* you have not configured DNS beforehand, *if* 
> >>>   
> >> you tell 
> >> 
> >>> dcpromo to go ahead and do it for you, and *if* you're building the 
> >>> forest root domain. If you have configured DNS beforehand, how the 
> >>> zones get created (as stub zones, as subdomains, etc.) will 
> >>>   
> >> depend on 
> >> 
> >>> that preconfiguration. If you're not building the forest 
> >>>   
> >> root domain, 
> >> 
> >>> the subdomain already exists and dcpromo is just populating it.
> >>>
> >>> I bring this up only because there are many companies that have 
> >>> existing DNS infrastructures and it's important to know 
> >>>   
> >> that "default" 
> >> 
> >>> is not equivalent to "mandatory". It is not a requirement that the 
> >>> _msdcs zone be either a separate zone or a subdomain in an existing 
> >>> zone, whether it's a stub or a full zone, etc.
> >>>
> >>> Of course, since we're talking SBS, all of this goes out the window 
> >>> (no pun intended). SBS is its own freaky little animal.
> >>>
> >>> Laura
> >>>
> >>>   
> >>>   
> >>>> -Original Message-
> >>>> From: [EMAIL PROTECTED]
> >>>> [mailto:[EMAIL PROTECTED] On Behalf Of Hans 
> >>>> Halbmayr
> >>>> Sent: Monday, December 04, 2006 1:06 PM
> >>>> To: ActiveDir@mail.activedir.org
> >>>> Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
> >>>>
> >>>> Usually dcpromo creates all these zones. Windows creates 
> >>>> 
> >> these zones 
> >> 
> >>>> in a forest partition. If you have a linux DNS server just create 
> >>>> another slave zone of _msdcs.example.com.
> >>>> The gray one is only the delegation. 
> >>>>
> >>>> Hans
> >>>>
> >>>>
> >>>> - Original Message 
> >>>> From: Michael B Allen <[EMAIL PROTECTED]>
> >>>> To: ActiveDir@mail.activedir.org
> >>>> Cc: [EMAIL PROTECTED]
> >>>> Sent: Saturday, December 2, 2006 5:39:26 PM
> >>>> Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
> >>>>
> >>>>
> >>>> Ok, so basically _msdcs is just a separate zone. Do Windows DNS 
> >>>> setups usually do this? I'm using SBS.
> >>>>
> >>>> I have a bind DNS server running on a linux machine with a 
> >>>> 
> >> slave zone 
> >> 
> >>>> for example.com. The AXFR doesn't have those records 
> >>>> 
> >> (aside from the 
> >> 
> >>>> NS record). So what you're saying is that I need to setup a

Re: [ActiveDir] _msdcs not propagated in AXFR

2006-12-04 Thread Michael B Allen
I have confirmed that this is indeed the solution and that it works.

For posterity here's what I did.

I enabled Zone transfers under DNS > Forward Lookup Zones >
_msdcs.example.com > Properties > Zone Transfers and tested that from
the Linux machine with:

  $ dig -t AXFR _msdcs.example.com @192.168.1.1

Then I added the following to the Linux named.conf (in addition to the
other slave zone for example.com):

  zone "_msdcs.example.com" IN {
  type slave;
  file "data/slave-_msdcs.example.com";
  masters { 192.168.1.1; };
  };

and restarted named. Then I tested with:

  $ dig -t SRV _ldap._tcp.dc._msdcs.example.com

Thanks,
Mike

On Mon, 4 Dec 2006 10:06:10 -0800 (PST)
Hans Halbmayr <[EMAIL PROTECTED]> wrote:

> Usually dcpromo creates all these zones. Windows creates these zones in a 
> forest partition. If you have a linux DNS server just create another slave 
> zone of _msdcs.example.com. The gray one is only the delegation. 
> 
> Hans
> 
> 
> - Original Message 
> From: Michael B Allen <[EMAIL PROTECTED]>
> To: ActiveDir@mail.activedir.org
> Cc: [EMAIL PROTECTED]
> Sent: Saturday, December 2, 2006 5:39:26 PM
> Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
> 
> 
> Ok, so basically _msdcs is just a separate zone. Do Windows DNS setups
> usually do this? I'm using SBS.
> 
> I have a bind DNS server running on a linux machine with a slave zone
> for example.com. The AXFR doesn't have those records (aside from the
> NS record). So what you're saying is that I need to setup another slave
> zone for the _msdcs subdomain?
> 
> Mike
> 
> On Sat, 2 Dec 2006 03:02:22 -0800 (PST)
> Hans Halbmayr <[EMAIL PROTECTED]> wrote:
> 
> > Hi Mike,
> > 
> > the gray one is the delegation of the zone. The _msdcs is a subdomain of 
> > your forest root. Because it is needed all over the forest it is delegated.
> > 
> > Regards
> > Hans
> > 
> > - Original Message 
> > From: Michael B Allen <[EMAIL PROTECTED]>
> > To: ActiveDir@mail.activedir.org
> > Cc: [EMAIL PROTECTED]
> > Sent: Saturday, December 2, 2006 12:15:29 AM
> > Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
> > 
> > 
> > I'm not sure I understand. In DNS admin I see two zones. One
> > for _msdcs.example.com with all the usual _msdcs records and
> > one for example.com which incidentally has an NS record for
> > _msdcs.example.com. The little folder thingy for this _msdcs is grey
> > which I guess signifies that it's some kind of link to the other zone?
> > 
> > So I understand why the _msdcs records other than the one NS record are
> > not transferring but I don't understand why the structure is split into
> > two zones and if I can/should do something about it.
> > 
> > Mike
> > 
> > On Fri, 1 Dec 2006 11:27:14 -0800
> > "Akomolafe, Deji" <[EMAIL PROTECTED]> wrote:
> > 
> > > Seen this? http://support.microsoft.com/kb/817470
> > > 
> > > 
> > > Sincerely, 
> > >_
> > >   (, /  |  /)   /) /)   
> > > /---| (/_  __   ___// _   //  _ 
> > >  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
> > > (_/ /)  
> > >(/   
> > > Microsoft MVP - Directory Services
> > > www.akomolafe.com - we know IT
> > > -5.75, -3.23
> > > Do you now realize that Today is the Tomorrow you were worried about 
> > > Yesterday? -anon
> > > 
> > > 
> > > 
> > > From: Michael B Allen
> > > Sent: Fri 12/1/2006 9:40 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] _msdcs not propagated in AXFR
> > > 
> > > 
> > > Does anyone know why the _msdcs records are not returned in an AXFR DNS
> > > query? This means that slave zones will not have those records and that
> > > software querying for a domain controller may not find one.
> > > 
> > > Mike
> > > 
> > > -- 
> > > Michael B Allen
> > > PHP Active Directory SSO
> > > http://www.ioplex.com/
> > > 
> > 
> > 
> > -- 
> > Michael B Allen
> > PHP Active Directory SSO
> > http://www.ioplex.com/
> > List info   : http://www.activedir.org/List.aspx
>
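Added example, not from the thread: a small resolver simulation over two constructed AXFR dumps showing why a slave of example.com alone cannot answer the DC-locator SRV queries (it holds only the NS delegation for _msdcs) and why the second slave zone for _msdcs.example.com fixes it. Zone contents, the dc1 host and the 192.168.1.1 master are assumed.

```python
# Constructed AXFR dumps (dig -t AXFR style, trimmed): the parent zone carries only the
# NS delegation for _msdcs, so the DC-locator SRV records exist only in the child zone.
AXFR_EXAMPLE_COM = """\
example.com.            3600 IN SOA dc1.example.com. hostmaster.example.com. 1 900 600 86400 3600
example.com.            3600 IN NS  dc1.example.com.
_msdcs.example.com.     3600 IN NS  dc1.example.com.
dc1.example.com.        3600 IN A   192.168.1.1
_ldap._tcp.example.com.  600 IN SRV 0 100 389 dc1.example.com.
"""
AXFR_MSDCS_EXAMPLE_COM = """\
_msdcs.example.com.                   3600 IN SOA dc1.example.com. hostmaster.example.com. 1 900 600 86400 3600
_msdcs.example.com.                   3600 IN NS  dc1.example.com.
_ldap._tcp.dc._msdcs.example.com.      600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.dc._msdcs.example.com.  600 IN SRV 0 100 88 dc1.example.com.
_ldap._tcp.pdc._msdcs.example.com.     600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.gc._msdcs.example.com.      600 IN SRV 0 100 3268 dc1.example.com.
"""
# SRV owners a domain member, or an LDAP/Kerberos client, queries to find a DC.
DC_LOCATOR_SRV = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs",
                  "_ldap._tcp.pdc._msdcs", "_ldap._tcp.gc._msdcs")


def parse_axfr(text):
    """Parse 'owner ttl IN type rdata...' lines into {owner: [(type, rdata), ...]}."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "IN":
            continue
        owner = fields[0].lower().rstrip(".")
        records.setdefault(owner, []).append((fields[3], " ".join(fields[4:])))
    return records


def lookup(zones, qname, qtype):
    """Answer as a slave holding `zones` ({apex: records}) would.
    Returns ('answer', rdatas), ('delegation', ns), or ('nodata'|'nxdomain'|'refused', None)."""
    qname = qname.lower().rstrip(".")
    apex = max((z for z in zones if qname == z or qname.endswith("." + z)), key=len, default=None)
    if apex is None:
        return "refused", None  # not authoritative for any zone enclosing qname
    records = zones[apex]
    # An NS set at a cut between the apex and qname means the data lives in a zone
    # this server does not hold: all it can do is refer the client elsewhere.
    labels = qname.split(".")
    for i in range(1, len(labels) - len(apex.split("."))):
        ns = [r for t, r in records.get(".".join(labels[i:]), []) if t == "NS"]
        if ns:
            return "delegation", ns
    rrs = records.get(qname)
    if rrs is None:
        return "nxdomain", None
    answers = [r for t, r in rrs if t == qtype]
    return ("answer", answers) if answers else ("nodata", None)


def check_dc_locator(zones, forest):
    """Per DC-locator SRV name, what a slave holding `zones` returns for it."""
    return {name: lookup(zones, "%s.%s" % (name, forest), "SRV")[0] for name in DC_LOCATOR_SRV}


PARENT_ONLY = {"example.com": parse_axfr(AXFR_EXAMPLE_COM)}
WITH_MSDCS = {**PARENT_ONLY, "_msdcs.example.com": parse_axfr(AXFR_MSDCS_EXAMPLE_COM)}

if __name__ == "__main__":
    print("slave of example.com only:", check_dc_locator(PARENT_ONLY, "example.com"))
    print("plus slave of _msdcs.example.com:", check_dc_locator(WITH_MSDCS, "example.com"))
```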

Re: [ActiveDir] _msdcs not propagated in AXFR

2006-12-02 Thread Michael B Allen
Ok, so basically _msdcs is just a separate zone. Do Windows DNS setups
usually do this? I'm using SBS.

I have a bind DNS server running on a linux machine with a slave zone
for example.com. The AXFR doesn't have those records (aside from the
NS record). So what you're saying is that I need to setup another slave
zone for the _msdcs subdomain?

Mike

On Sat, 2 Dec 2006 03:02:22 -0800 (PST)
Hans Halbmayr <[EMAIL PROTECTED]> wrote:

> Hi Mike,
> 
> the gray one is the delegation of the zone. The _msdcs is a subdomain of 
> your forest root. Because it is needed all over the forest it is delegated.
> 
> Regards
> Hans
> 
> ----- Original Message 
> From: Michael B Allen <[EMAIL PROTECTED]>
> To: ActiveDir@mail.activedir.org
> Cc: [EMAIL PROTECTED]
> Sent: Saturday, December 2, 2006 12:15:29 AM
> Subject: Re: [ActiveDir] _msdcs not propagated in AXFR
> 
> 
> I'm not sure I understand. In DNS admin I see two zones. One
> for _msdcs.example.com with all the usual _msdcs records and
> one for example.com which incidentally has an NS record for
> _msdcs.example.com. The little folder thingy for this _msdcs is grey
> which I guess signifies that it's some kind of link to the other zone?
> 
> So I understand why the _msdcs records other than the one NS record are
> not transferring but I don't understand why the structure is split into
> two zones and if I can/should do something about it.
> 
> Mike
> 
> On Fri, 1 Dec 2006 11:27:14 -0800
> "Akomolafe, Deji" <[EMAIL PROTECTED]> wrote:
> 
> > Seen this? http://support.microsoft.com/kb/817470
> > 
> > 
> > Sincerely, 
> > Microsoft MVP - Directory Services
> > www.akomolafe.com - we know IT
> > -5.75, -3.23
> > Do you now realize that Today is the Tomorrow you were worried about 
> > Yesterday? -anon
> > 
> > 
> > 
> > From: Michael B Allen
> > Sent: Fri 12/1/2006 9:40 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] _msdcs not propagated in AXFR
> > 
> > 
> > Does anyone know why the _msdcs records are not returned in an AXFR DNS
> > query? This means that slave zones will not have those records and that
> > software querying for a domain controller may not find one.
> > 
> > Mike
> > 
> > -- 
> > Michael B Allen
> > PHP Active Directory SSO
> > http://www.ioplex.com/
> > 
> 
> 
> -- 
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
> 
> 
> 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] _msdcs not propagated in AXFR

2006-12-01 Thread Michael B Allen
I'm not sure I understand. In DNS admin I see two zones. One
for _msdcs.example.com with all the usual _msdcs records and
one for example.com which incidentally has an NS record for
_msdcs.example.com. The little folder thingy for this _msdcs is grey
which I guess signifies that it's some kind of link to the other zone?

So I understand why the _msdcs records other than the one NS record are
not transferring but I don't understand why the structure is split into
two zones and if I can/should do something about it.

Mike

On Fri, 1 Dec 2006 11:27:14 -0800
"Akomolafe, Deji" <[EMAIL PROTECTED]> wrote:

> Seen this? http://support.microsoft.com/kb/817470
> 
> 
> Sincerely, 
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about 
> Yesterday? -anon
> 
> 
> 
> From: Michael B Allen
> Sent: Fri 12/1/2006 9:40 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] _msdcs not propagated in AXFR
> 
> 
> Does anyone know why the _msdcs records are not returned in an AXFR DNS
> query? This means that slave zones will not have those records and that
> software querying for a domain controller may not find one.
> 
> Mike
> 
> -- 
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
> 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


[ActiveDir] _msdcs not propagated in AXFR

2006-12-01 Thread Michael B Allen
Does anyone know why the _msdcs records are not returned in an AXFR DNS
query? This means that slave zones will not have those records and that
software querying for a domain controller may not find one.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Michael B Allen
Try it again but specify the full DN to the Computers container.

Mike

On Thu, 16 Nov 2006 14:41:41 -0500
hboogz <[EMAIL PROTECTED]> wrote:

> Thanks Michael,
> 
> I ran the following command and got the following output.
> 
> C:\>dsquery * (dc=phippsny,dc=org) -filter
> "(servicePrincipalName=host/phmaindc1)"
> 
> dsquery failed:A referral was returned from the server.
> type dsquery /? for help.

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Michael B Allen
On Thu, 16 Nov 2006 12:08:46 -0500
hboogz <[EMAIL PROTECTED]> wrote:

> I am having continued issues with Kerberos. I tried running tokensz against
> the problem server and i get this error message..
> 
> C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation
> /target_s
> erver:host/phmaindc1
> 
> Name: Negotiate Comment: Microsoft Package Negotiator
> Current PackageInfo->MaxToken: 12128
> 
> Asked for delegate, but didn't get it.
> Check if server is trusted for delegation.
> 
> QueryKeyInfo:
> Signature algorithm =
> Encrypt algorithm = RSADSI RC4
> KeySize = 128
> Flags = 2001c
> Signature Algorithm = -138
> Encrypt Algorithm = 26625
> QueryContextAttributes (lifespan): Status = 2148074242 0x80090302
> SEC_E_NOT_SUPP
> ORTED
> 
> 
> any ideas ?

Run kerbtray and make sure your TGT is forwardable.

Also, run the following:

C:\>dsquery * (dc=X) -filter "(servicePrincipalName=host/phmaindc1)"

to make sure you only have one account.

Mike

> I keep getting the following event log message on a domain controller which
> prevents users from accessing it and authenticating to it.
> 
> Event Type:Error
> Event Source:Kerberos
> Event Category:None
> Event ID:4
> Date:11/16/2006
> Time:12:02:37 PM
> User:N/A
> Computer:PHMAINDC1
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> host/phmaindc1.phippsny.org.  The target name used was host/phprint1. This
> indicates that the password used to encrypt the kerberos service ticket is
> different than that on the target server. Commonly, this is due to
> identically named  machine accounts in the target realm (PHIPPSNY.ORG), and
> the client realm.   Please contact your system administrator.

Have you messed with the account at all since logging off and on? Run
kerbtray, purge your tickets and try again.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
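Added example (not part of the thread): the uniqueness check behind that dsquery, carried out over constructed account records in the shape a `dsquery * ... -attr sAMAccountName servicePrincipalName` export would give, plus the duplicate-SPN report a KRB_AP_ERR_MODIFIED investigation needs. The stale OLDPRINT$ account is invented to show a second object still holding host/phprint1.

```python
# Constructed records (the hostnames come from the event text; OLDPRINT$ and svc-web are
# invented), roughly what
#   dsquery * <domain DN> -filter "(servicePrincipalName=*)" -attr sAMAccountName servicePrincipalName
# would list, one account per entry.
ACCOUNTS = [
    {"sAMAccountName": "PHMAINDC1$",
     "servicePrincipalName": ["HOST/phmaindc1", "HOST/phmaindc1.phippsny.org",
                              "ldap/phmaindc1.phippsny.org"]},
    {"sAMAccountName": "PHPRINT1$",
     "servicePrincipalName": ["HOST/phprint1", "HOST/phprint1.phippsny.org"]},
    {"sAMAccountName": "OLDPRINT$", "servicePrincipalName": ["HOST/phprint1"]},
    {"sAMAccountName": "svc-web", "servicePrincipalName": ["HTTP/intranet.phippsny.org"]},
]


def normalize_spn(spn):
    """SPN matching is case-insensitive, so fold both service class and host."""
    return spn.strip().lower()


def spn_index(accounts):
    """Map every SPN to the set of accounts that register it."""
    index = {}
    for acct in accounts:
        for spn in acct.get("servicePrincipalName", []):
            index.setdefault(normalize_spn(spn), set()).add(acct["sAMAccountName"])
    return index


def duplicate_spns(accounts):
    """SPNs held by more than one account. The KDC encrypts the service ticket with the
    key of whichever account it resolves the name to; when that is not the account the
    server actually runs as, the server reports KRB_AP_ERR_MODIFIED."""
    return {spn: sorted(owners) for spn, owners in spn_index(accounts).items() if len(owners) > 1}


def spn_host(spn):
    """Host part of class/host[:port][/instance]."""
    return spn.partition("/")[2].split("/")[0].split(":")[0]


def accounts_for_host(accounts, host):
    """Accounts registering any SPN for `host`, short name or FQDN, so a short target
    such as host/phprint1 is matched against every form in use."""
    host = host.lower()
    owners = set()
    for spn, accts in spn_index(accounts).items():
        if spn_host(spn) == host or spn_host(spn).startswith(host + "."):
            owners |= accts
    return sorted(owners)


def diagnose(accounts, target_spn):
    """One-line reading of a KRB_AP_ERR_MODIFIED for target_spn from SPN ownership alone."""
    owners = sorted(spn_index(accounts).get(normalize_spn(target_spn), ()))
    if not owners:
        return "no account registers %s; the KDC cannot issue a ticket for it" % target_spn
    if len(owners) > 1:
        return "%s is registered on %s; remove it from all but the live host" % (target_spn, ", ".join(owners))
    return "%s is unique to %s; check that account's password / secure channel instead" % (target_spn, owners[0])


if __name__ == "__main__":
    print("duplicates:", duplicate_spns(ACCOUNTS))
    print("accounts for phprint1:", accounts_for_host(ACCOUNTS, "phprint1"))
    print(diagnose(ACCOUNTS, "host/phprint1"))
    print(diagnose(ACCOUNTS, "host/phmaindc1"))
```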


Re: [ActiveDir] Reverse DNS Lookup?

2006-11-03 Thread Michael B Allen
On Fri, 3 Nov 2006 16:07:17 -0500
"joe" <[EMAIL PROTECTED]> wrote:

> It does work assuming the reverse zones are populated...
> 
> G:\>nslookup 192.168.0.10
> Server:  r2dc1.test.loc
> Address:  192.168.0.10
> 
> Name:r2dc1.test.loc
> Address:  192.168.0.10

Yeah, something's wrong with doing this on my test DC. If I point nslookup
at a slave running bind it works. Something's wrong with the reverse
zone on my DC.

Thanks,
Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] Reverse DNS Lookup?

2006-11-03 Thread Michael B Allen
Yes, but I'm not aware of how exactly to do a reverse lookup with
nslookup. On Linux you can do 'nslookup ' (you can also do
'host '), but that doesn't appear to work with nslookup on
Windows.

On Fri, 3 Nov 2006 22:33:33 +0200
"Boaz Galil" <[EMAIL PROTECTED]> wrote:

> Have you tried: nslookup
> 
> 
> 
> On 11/3/06, Michael B Allen <[EMAIL PROTECTED]> wrote:
> >
> > Can someone tell me how to do a reverse DNS lookup?
> >
> > The following:
> >
> > C:\>ping -a 192.168.1.15
> >
> > returns only the first label of the name. Is there a way to return a
> > fully qualified DNS name?
> >
> > Mike
> >
> > --
> > Michael B Allen
> > PHP Active Directory SSO
> > http://www.ioplex.com/
> >
> 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


[ActiveDir] Reverse DNS Lookup?

2006-11-03 Thread Michael B Allen
Can someone tell me how to do a reverse DNS lookup?

The following:

 C:\>ping -a 192.168.1.15

returns only the first label of the name. Is there a way to return a
fully qualified DNS name?

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] List Groups I'm In?

2006-10-25 Thread Michael B Allen
On Wed, 25 Oct 2006 23:30:30 +0100
"James (njan) Eaton-Lee" <[EMAIL PROTECTED]> wrote:

> Michael B Allen wrote:
> 
> > Are you sure? I know the LDAP provider won't expand nested groups but
> > I used the WinNT provider. The WinNT provider returns the primary group.
> 
> Fairly - I've just tested this with an account that's a member of nested 
> groups, and it only returns the groups the user is directly a member of. 
> The output of the following vbscript:
> 
> Set UserObj = GetObject("WinNT://Domain/Username")
> For Each GroupObj In UserObj.Groups
>  List = List & GroupObj.Name & vbcrlf
> Next
> WScript.Echo List
> 
> is "Test Group 2" ("Test Group 2" is nested inside "Test Group 1")

Well I'd say that's "fairly" conclusive.

Thanks for checking.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
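Why the WinNT-provider script and whoami /groups disagree, modelled in Python as an added example (this is not code from the thread; the directory data, the user jdoe and the Loop groups are constructed): UserObj.Groups enumerates direct memberships plus the primary group, while the logon token that whoami /groups reads carries the transitive closure, so a privileged group reached only through nesting never appears in the script's output.

```python
from collections import deque

# Constructed directory data: group -> direct members (users or other groups).
# "Test Group 2" nested in "Test Group 1" is this thread's case; cute_pink_bunnies
# inside Enterprise Admins is the earlier post's; Loop A/B form a cycle so the
# walk has to terminate on its own.
GROUP_MEMBERS = {
    "Test Group 1": {"Test Group 2"},
    "Test Group 2": {"jdoe"},
    "Enterprise Admins": {"cute_pink_bunnies"},
    "cute_pink_bunnies": {"jdoe"},
    "Loop A": {"Loop B"},
    "Loop B": {"Loop A", "jdoe"},
    "Domain Users": set(),
}
# primaryGroupID membership is not stored in the group's member attribute.
PRIMARY_GROUP = {"jdoe": "Domain Users"}


def direct_groups(user):
    """What UserObj.Groups on the WinNT provider enumerates: groups that list
    the user directly, plus the primary group."""
    found = {group for group, members in GROUP_MEMBERS.items() if user in members}
    if user in PRIMARY_GROUP:
        found.add(PRIMARY_GROUP[user])
    return found


def transitive_groups(user):
    """Closure over nesting, which is what the logon token (whoami /groups)
    carries. Breadth-first walk; the seen set stops group cycles from looping."""
    seen = set()
    queue = deque(direct_groups(user))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(parent for parent, members in GROUP_MEMBERS.items()
                     if group in members)
    return seen


def hidden_groups(user):
    """Memberships a direct-only listing misses: rights granted via nesting."""
    return transitive_groups(user) - direct_groups(user)


if __name__ == "__main__":
    print("direct:    ", sorted(direct_groups("jdoe")))
    print("transitive:", sorted(transitive_groups("jdoe")))
    print("hidden:    ", sorted(hidden_groups("jdoe")))
```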


Re: [ActiveDir] List Groups I'm In?

2006-10-25 Thread Michael B Allen
On Wed, 25 Oct 2006 21:00:24 +0100
"James (njan) Eaton-Lee" <[EMAIL PROTECTED]> wrote:

> The vbscript you've written won't tell you if a user is a member of the 
> cute_pink_bunnies group which is a member of the Enterprise Admins 
> group, for instance - whoami /groups will.

Are you sure? I know the LDAP provider won't expand nested groups but
I used the WinNT provider. The WinNT provider returns the primary group.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] List Groups I'm In?

2006-10-25 Thread Michael B Allen
On Wed, 25 Oct 2006 10:06:53 -0700
"Free, Bob" <[EMAIL PROTECTED]> wrote:

>  whoami /groups
> 
> C:\Admin\Util>where whoami
> C:\Program Files\Support Tools\whoami.exe
> 
> Not exactly "stock" but then again I consider Support Tools as an
> essential part of an installation :-)

Well I can't ship that with my product.

I scraped up this VBS script that does the trick.

if WScript.Arguments.Count = 0 then
   WScript.Echo "Usage: [cscript|wscript] ListGroups.vbs /"
   WScript.Quit 1
end if

' The WinNT provider wants DOMAIN/user, so convert a DOMAIN\user argument
Set UserObj = GetObject("WinNT://" & Replace(WScript.Arguments.Item(0), "\", "/"))
' UserObj.Groups enumerates the groups the user is a direct member of
For Each GroupObj In UserObj.Groups
   List = List & GroupObj.Name & vbcrlf
Next
WScript.Echo List

Thanks,
Mike

> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen
> Sent: Wednesday, October 25, 2006 9:47 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] List Groups I'm In?
> 
> What is the easiest way for a user (say on a stock XP client) to list
> what groups they're in?
> 
> Specifically I'd like the user to be able to just type a command like
> 'net user list groups' or some such and get a list of NT Account names
> for tokenGroups.
> 
> Or if there is a dialog somewhere that's good too.
> 
> Ideas?
> 
> Mike
> 
> --
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
> 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


[ActiveDir] List Groups I'm In?

2006-10-25 Thread Michael B Allen
What is the easiest way for a user (say on a stock XP client) to list
what groups they're in?

Specifically I'd like the user to be able to just type a command like
'net user list groups' or some such and get a list of NT Account names
for tokenGroups.

Or if there is a dialog somewhere that's good too.

Ideas?

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] List Attribute Syntaxes?

2006-10-21 Thread Michael B Allen
On Sat, 21 Oct 2006 18:30:47 -0400
Michael B Allen <[EMAIL PROTECTED]> wrote:

> Apparently I don't have CN=Aggregate,CN=Schema,DC=X. I'm using W2K 2003
> but maybe it's because it's SBS?

Correction: I do have it. I left out CN=Configuration. The exact DN is
available through the subschemaSubentry in the RootDSE.

Mike


Re: [ActiveDir] List Attribute Syntaxes?

2006-10-21 Thread Michael B Allen
ometimes
> the quality can be impacted. 
> 
> 
> I know when I walk through the newsgroups and this list looking for posts to
> respond to, if someone has more than one or two small paragraphs unless they
> completely hook me with the subject or the first paragraph I won't read it
> and just move on to something else. Subject is #1 thing I look at and that
> tells me which messages to even open, then it is "how long is it". I usually
> do newsgroups and listservs in short bursts of time between other things, so
> anything that can be read, understood, and responded to quickly is what I
> tend to go after. My responses are often long but that is simply because I
> type rather quickly. If I was slower at it, I would respond a lot less.
> There are others that even though they can type fast, if they can't answer
> the question in a sentence or two they don't want to respond at all unless
> something else sucked them into the problem like some kind of issue they
> haven't ever seen before or a "pet" problem (aka something that they have
> worked on and are still gathering info). :)
> 
> 
>joe
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -Original Message-
> From: Michael B Allen [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, October 21, 2006 2:39 AM
> To: ActiveDir@mail.activedir.org
> Cc: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] List Attribute Syntaxes?
> 
> Hi Joe,
> 
> Actually I think my terminology is a little off. From snooping around
> a bit I think I want the attributeSchema information under
> CN=Schema,CN=Configuration,DC=example,DC=com. What I was thinking of
> originally are the "attribute syntax" definitions like:
> 
>   ( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
> SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
> 
> But it's clear now that AD doesn't really use these textual definitions
> (at least not anywhere I can see).
> 
> Anyway, the overall objective here is to give my custom LDAP
> client API intelligence (see previous post about scripting language
> binding) about attributeSchema information so that the API can properly
> type attribute values. In particular I need to create a table of at least
> lDAPDisplayName, isSingleValued, and attributeSyntax. This table
> will be consulted by the API to determine how to compare and present
> values whether they be binary, multivalued, strings, etc.
> 
> To make it efficient I will need an index which will be just a hashmap
> where the lDAPDisplayName is the key and the attributeSchema entry
> is the datum. Additionally the attributeSyntax value should be one
> of several predefined OID constants (e.g. ADSTYPE_CASE_IGNORE_STRING)
> so that attributeSyntaxes can be compared logically.
> 
> Does any of this make sense? I suppose you don't get a little programmer
> double talk here :-)
> 
> Mike
> 
> On Fri, 20 Oct 2006 23:50:03 -0400
> "joe" <[EMAIL PROTECTED]> wrote:
> 
> > First off... anything you do with LDIF will be an LDAP query... It speaks
> > pure LDAP.
> > 
> > Next off, if I understand what you are asking, yes, you query the schema and
> > you can find all attribute syntaxes assigned, it won't tell you what they
> > are, but you will know all in use. Multivalue status has nothing to do with
> > attribute syntax, that is separate. Whether something is binary or text
> > depends on what you ask for and how you ask for it. You can ask for anything
> > to come back in a binary format with the standard LDAP binary modifier. What
> > that exactly means though depends on the attribute, asking, for instance for
> > a unicode text field in binary really isn't going to look all that different
> > to you either way. But asking for say one of the replication attributes will
> > result in dramatically different results being returned. 
> > 
> > 
> >   joe
> > 
> > 
> > --
> > O'Reilly Active Directory Third Edition -
> > http://www.joeware.net/win/ad3e.htm 
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen
> > Sent: Friday, October 20, 2006 8:49 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] List Attribute Syntaxes?
> > 
> > How can I get a list of attribute syntaxes? For each attribute used by
> > a system I would like to know if it is a multivalue attribute and if

Re: [ActiveDir] List Attribute Syntaxes?

2006-10-20 Thread Michael B Allen
Hi Joe,

Actually I think my terminology is a little off. From snooping around
a bit I think I want the attributeSchema information under
CN=Schema,CN=Configuration,DC=example,DC=com. What I was thinking of
originally are the "attribute syntax" definitions like:

  ( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

But it's clear now that AD doesn't really use these textual definitions
(at least not anywhere I can see).

Anyway, the overall objective here is to give my custom LDAP
client API intelligence (see previous post about scripting language
binding) about attributeSchema information so that the API can properly
type attribute values. In particular I need to create a table of at least
lDAPDisplayName, isSingleValued, and attributeSyntax. This table
will be consulted by the API to determine how to compare and present
values whether they be binary, multivalued, strings, etc.

To make it efficient I will need an index which will be just a hashmap
where the lDAPDisplayName is the key and the attributeSchema entry
is the datum. Additionally the attributeSyntax value should be one
of several predefined OID constants (e.g. ADSTYPE_CASE_IGNORE_STRING)
so that attributeSyntaxes can be compared logically.

Does any of this make sense? I suppose you don't get a little programmer
double talk here :-)

Mike

On Fri, 20 Oct 2006 23:50:03 -0400
"joe" <[EMAIL PROTECTED]> wrote:

> First off... anything you do with LDIF will be an LDAP query... It speaks
> pure LDAP.
> 
> Next off, if I understand what you are asking, yes, you query the schema and
> you can find all attribute syntaxes assigned, it won't tell you what they
> are, but you will know all in use. Multivalue status has nothing to do with
> attribute syntax, that is separate. Whether something is binary or text
> depends on what you ask for and how you ask for it. You can ask for anything
> to come back in a binary format with the standard LDAP binary modifier. What
> that exactly means though depends on the attribute, asking, for instance for
> a unicode text field in binary really isn't going to look all that different
> to you either way. But asking for say one of the replication attributes will
> result in dramatically different results being returned. 
> 
> 
>   joe
> 
> 
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen
> Sent: Friday, October 20, 2006 8:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] List Attribute Syntaxes?
> 
> How can I get a list of attribute syntaxes? For each attribute used by
> a system I would like to know if it is a multivalue attribute and if it
> is binary or text.
> 
> Can I get such a list using an LDAP query?
> 
> If not can I use ldifde?
> 
> Thanks,
> Mike
> 
> -- 
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
> 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


[ActiveDir] List Attribute Syntaxes?

2006-10-20 Thread Michael B Allen
How can I get a list of attribute syntaxes? For each attribute used by
a system I would like to know if it is a multivalue attribute and if it
is binary or text.

Can I get such a list using an LDAP query?

If not can I use ldifde?

Thanks,
Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


[ActiveDir] LDAP Scripting Language Binding Design

2006-10-20 Thread Michael B Allen
Hi,

I'm designing a scripting language binding for interfacing with AD
(and other LDAP services). Currently the target language is PHP but I
will likely be doing Python as well as possibly others. Anyway I thought
I would consult the community before writing this up so if you have the
time (this is somewhat lengthy) I would appreciate your feedback.

The only requirements for the binding are that it have full coverage WRT
getting, modifying, adding, deleting, and searching and that it be
as simple as possible but no simpler as one would expect when using a
scripting language.

The simplest "getting" case is easy. You create an associative array with
the names of the attributes you're interested in and call a function that
returns an associative array of attributes with values. Consider the
following script:

  $attrs = array("userPrincipalName", "userAccountControl");
  $acct = account_get(NULL, "[EMAIL PROTECTED]", $attrs);
  echo "userPrincipalName: " . $acct['userPrincipalName'] . "\n";
  echo "userAccountControl: " . $acct['userAccountControl'] . "\n";

This might print:

  userPrincipalName: [EMAIL PROTECTED]
  userAccountControl: 544

This doesn't address data type issues however. How do I specify that
an attribute is a string, binary and/or multivalued? It seems there are
three solutions to this.

1) Create a local database of metadata indicating that an attribute is
multivalued or not and string or binary. This is pretty much what Java's
JNDI does (albeit somewhat clumsy IMO).

2) Provide functions to query the context object such as account_get_str
or account_get_binary, account_get_multivalued_str, .. etc. This is
pretty much what the Microsoft ADSI providers do.

3) Provide attribute modifiers with the attribute names array to tell
the binding to construct arrays for multivalued attributes, convert
strings, etc.

The first option is a reasonable solution.  The second option seems like
it's not "as simple as possible but not simpler" as it is tantamount to
explicit type casting and the scriptor is required to repeatedly assert
the type by using the appropriate function.  The third option is nice
because the objects are automatically typed correctly.

If we explore the 3rd option, consider the following code that prints
all memberOf attributes:

  $attrs = array("multivalued(memberOf)");
  $acct = account_get(NULL, "[EMAIL PROTECTED]", $attrs);
  $mos = $acct['memberOf'];
  foreach ($mos as $mo) {
  echo "memberOf: $mo\n";
  }

The key part above is the "multivalued(...)" function-like modifier
which indicates that $acct['memberOf'] should be an array of strings.
A function-like modifier is used to clearly separate it from existing
attribute modifiers like 'jpegPhoto;binary' that are passed through to
the raw LDAP api.

If no attribute modifiers or function-like modifiers are specified the
attribute is assumed to be a string and will be converted from UTF-8 to
the locale encoding. To specify a multivalued binary array is desired
one would use "multivalued(name;binary)".

This method is also extensible. There could be function-like modifiers
for converting values to base64 or converting a binary sid to a sid
string (this would not be reasonable with the first option). Consider
the following example:

  $attrs = array("userPrincipalName",
  "base64(objectGUID;binary)",
  "sidstr(objectSid;binary)",
  "multivalued(memberOf)");
  $acct = account_get(NULL, "[EMAIL PROTECTED]", $attrs);
  foreach ($acct as $name => $value) {
  if (!is_array($value)) {
  echo "$name: $value\n";
  } else {
  foreach ($value as $v) {
  echo "$name: $v\n";
  }
  }
  }

This might print the following:

  userPrincipalName: [EMAIL PROTECTED]
  objectGUID: Szm2n2e8M0SA1Hz0QGgOnw==
  objectSid: S-1-5-21-4133388447-792352518-2001609813-1159
  memberOf: CN=Managers,CN=Users,DC=example,DC=com
  memberOf: CN=CMS Admin,CN=Users,DC=example,DC=com

To modify an entry the $attrs array is reused like:

  $attrs = array("distinguishedName", "displayName");
  $acct = account_get(NULL, "[EMAIL PROTECTED]", $attrs);
  $acct['displayName'] = "James T. Kirk";
  account_modify(NULL, $acct, $attrs);

Searching might look like the following:

  $attrs = array("userPrincipalName", "multivalued(memberOf)");
  $accts = account_search(NULL,
  "DC=example,DC=com", "sub", $attrs, "(objectClass=user)");
  foreach ($accts as $acct) {
  echo "userPrincipalName: " . $acct['userPrincipalName'] . "\n";
  $mos = $acct['memberOf'];
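The account_get() design above, carried through in Python as an added example (this is not code from the post or from the product it describes; the raw entry, the UPN jkirk@example.com and the decision to reject a multivalued attribute fetched without multivalued() are constructed assumptions): it peels off the function-like modifiers, passes ';binary' through untouched, decodes a binary objectSid into S-1-5-... form and base64-encodes the objectGUID, so that a SID compared against a cached group SID is compared as the same type rather than as bytes against a string.

```python
import base64
import re
import struct

# Constructed sample of what the raw LDAP layer hands back for one entry:
# attribute name -> list of raw byte values (every attribute is a list on the wire).
# objectGUID and objectSid are the binary forms of the values shown in the post.
RAW_ENTRY = {
    "userPrincipalName": [b"jkirk@example.com"],
    "objectGUID": [bytes.fromhex("4b39b69f67bc334480d47cf440680e9f")],
    "objectSid": [struct.pack("<BB", 1, 5) + (5).to_bytes(6, "big")
                  + struct.pack("<5I", 21, 4133388447, 792352518, 2001609813, 1159)],
    "memberOf": [b"CN=Managers,CN=Users,DC=example,DC=com",
                 b"CN=CMS Admin,CN=Users,DC=example,DC=com"],
}

FUNC_RE = re.compile(r"^([a-z0-9]+)\((.+)\)$")
KNOWN_FUNCS = {"multivalued", "base64", "sidstr"}


def parse_spec(spec):
    """'sidstr(objectSid;binary)' -> (['sidstr'], 'objectSid', ['binary']).

    Function-like modifiers are peeled off outermost first; what remains (the
    name plus any ';option' modifiers) is what goes to the raw LDAP API.
    """
    funcs = []
    match = FUNC_RE.match(spec)
    while match:
        if match.group(1) not in KNOWN_FUNCS:
            raise ValueError("unknown modifier %r in %r" % (match.group(1), spec))
        funcs.append(match.group(1))
        spec = match.group(2)
        match = FUNC_RE.match(spec)
    name, *options = spec.split(";")
    return funcs, name, options


def sid_to_string(raw):
    """Binary SID -> 'S-1-5-21-...'. Length checks reject truncated or padded blobs."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack_from("<BB", raw, 0)
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, raw, 8)   # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def typed_value(value, funcs, options):
    """Convert one raw value: the default is a UTF-8 string, ';binary' keeps the
    bytes, then conversions apply innermost first (multivalued is the caller's job)."""
    if "binary" not in options:
        value = value.decode("utf-8")
    for func in reversed(funcs):
        if func in ("sidstr", "base64") and not isinstance(value, bytes):
            raise ValueError("%s() needs a ;binary attribute" % func)
        if func == "sidstr":
            value = sid_to_string(value)
        elif func == "base64":
            value = base64.b64encode(value).decode("ascii")
    return value


def account_get(raw_entry, attrs):
    """Build the associative array the script sees from raw values and $attrs."""
    result = {}
    for spec in attrs:
        funcs, name, options = parse_spec(spec)
        values = [typed_value(v, funcs, options) for v in raw_entry.get(name, [])]
        if "multivalued" in funcs:
            result[name] = values
        elif len(values) == 1:
            result[name] = values[0]
        elif len(values) > 1:
            # Assumption of this example: silently keeping only the first value
            # of a multivalued attribute would hide data, so it is an error.
            raise ValueError("%s has %d values; request multivalued(%s)"
                             % (name, len(values), spec))
    return result
```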
  

Re: [ActiveDir] userAccountControl 544

2006-10-16 Thread Michael B Allen
On Tue, 17 Oct 2006 00:42:59 -0400
"joe" <[EMAIL PROTECTED]> wrote:

> With the raw LDAP API (and I would expect S.DS.Protocols), you can create an
> enabled user because you can specify the password in the ADD op.

You can? How? What's the name of the attribute?

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] Attribute for Name Component of userPrincipalName?

2006-10-12 Thread Michael B Allen
On Thu, 12 Oct 2006 18:36:24 -0400
"joe" <[EMAIL PROTECTED]> wrote:

> The userPrincipalName uniqueness is based on the ENTIRE UPN, not just the
> first component. Unless you are POSITIVE that the UPNs will be unique up to
> the realm then you may want to find something else for your key.  In ADAM
> you can use single name without realm UPNs and ADAM will enforce that
> uniqueness for you. But that is ADAM, not AD.

The entries would be under a domain container and therefore they are
unique. The organisation might look like the following:

DC=example,DC=com
CN=Supplemental,DC=example,DC=com
FOO=Managers,CN=Supplemental,DC=example,DC=com
objectClass=group
objectSid=
[EMAIL PROTECTED]

where FOO is some attribute that means "The name component of the UPN". Is
there such an attribute? Is 'uid' guaranteed to be the name component
of a user's UPN?

For now I'm using sAMAccountName
(e.g. sAMAccountName=Managers,CN=Supplemental,DC=example,DC=com) but this
is not optimal since sAMAccountName may not match the name component of
the UPN and it is yearning to be deprecated.

> If you want to look up the real DNs, you can obviously do so with the full
> UPN. Just do a GC query of [EMAIL PROTECTED]

The whole point is to provide a cache of group sids so any querying
would defeat the purpose.

Mike

PS: Any confusion over this post is no doubt attributed to the fact that
I'm not actually using a real LDAP store for anything described here. I
have written an LDAP C API wrapper that can operate on data structures
in memory. Meaning I have written a very simple LDAP server.

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


[ActiveDir] Attribute for Name Component of userPrincipalName?

2006-10-12 Thread Michael B Allen
Does anyone know of an object class that defines an attribute like
userPrincipalName but just the name component and not the realm?

For example, if an object had a userPrincipalName of
'[EMAIL PROTECTED]' the desired attribute would be guaranteed to be
'Managers'.

I'm caching group objectSids in a temporary in-memory DIT. The entries
need unique DNs but I don't know the real DNs. All I have is the
userPrincipalName so I was thinking I could just derive a DN from the
userPrincipalName like:

  [EMAIL PROTECTED] -> FOO=Managers,DC=example,DC=com

Right now it doesn't really matter if this is truly conformant or not,
I'm just thinking about forward compatibility.

Thanks,
Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/