Issue while setting user password in ADAM using JAVA [message #156039] Tue, 09 June 2009 15:06
VinodMaladkar
Hi,

I am running into some issues while creating a user record in ADAM using
java. I have customized ADAM schema.

If I add, "msDS-UserAccountDisabled", "FALSE" in java code it fails.

I have a couple of questions...
1) When I created user using ADAM EDSI tool, in which attribute the
password value will be stored. I tried unicodePwd and userpassword, but
they are empty.
2) When I create user using ADAM EDSI tool, I can reset the password
and msDS-UserAccountDisabled=FALSE. Same thing would like to achieve
through java program. if I try to add attribute
msDS-UserAccountDisabled=FALSE, I will get "[LDAP: error code 1 -
00002077: SvcErr: DSID-03380788, problem 5012 (DIR_ERROR), data 8237".

2) If I remove msDS-UserAccountDisabled=FALSE, the record will be
created successfully without password. But how to enable the record and
set the password?

It would be really helpful if you provide some pointers...

I have pasted my java code below......
==========================================================
import javax.naming.*;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.directory.*;
import java.util.Hashtable;
import java.util.Enumeration;
import java.io.IOException;
import java.io.UnsupportedEncodingException;

/**
 * Sample JNDI client ADD application to demonstrate how to create
 * a new user entry in MS-ADAM with user account never expires
 */
public class LDAPCreateUser {
    public static void main(String[] args) throws UnsupportedEncodingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://SNY2AFSAPINT01A:2389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        //env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_PRINCIPAL,
                "CN=wacadmin,OU=Administrators,OU=people,DC=AXA,DC=COM");
        env.put(Context.SECURITY_CREDENTIALS, "Password1");
        //env.put("com.sun.jndi.ldap.connect.pool", "true");
        //env.put(Context.REFERRAL, "follow");

        try {
            // Create the initial context
            DirContext ctx = new InitialDirContext(env);
            LdapContext lctx = new InitialLdapContext(env, null);
            // The distinguished name of the new entry
            String dn = "uid=brk12343,ou=brokers,OU=people,DC=AXA,DC=COM";
            // Create attributes to be associated with the new entry
            Attributes attrs = new BasicAttributes(true);
            // Objectclass -- required in MUST list
            Attribute oc = new BasicAttribute("objectclass");
            // required by 'top'
            oc.add("top");
            oc.add("person");
            oc.add("axfperson");
            oc.add("organizationalPerson");
            //oc.add("inetOrgPerson");
            oc.add("user");
            oc.add("axfagency");
            oc.add("axfsecurityresources");
            //oc.add("axfsecurityuser");
            attrs.put(oc);

            System.out.println("brk12343");
            // Other mandatory attributes -- required in MUST list
            attrs.put("uid", "brk12343");
            // required by 'person'
            attrs.put("sn", "SomeSN");
            attrs.put("givenName", "SomeGN");
            attrs.put("cn", "brk12343 CN");
            attrs.put("userpassword", "12brk1234");
            // Optional attributes -- but they must be defined in schema
            attrs.put("mail", "usermail@mydomain.com");
            // These 2 props are needed for user creation without password
            // expiration in MS-ADAM.
            //attrs.put("msDS-UserAccountDisabled", "FALSE");
            attrs.put("msDS-UserDontExpirePassword", "TRUE");
            //attrs.put("ou", "people");
            //attrs.put("ou", "brokers");
            // Create the context
            Context result = ctx.createSubcontext(dn, attrs);
            System.out.println("Created account for: " + dn);
            // Setting the password is an LDAP modify operation,
            // and we'll update the userAccountControl,
            // enabling the account and forcing the user to update their password
            // the first time they log in
            /*ModificationItem[] mods = new ModificationItem[2];
            //Replace the "unicodePwd" attribute with a new value
            //Password must be both Unicode and a quoted string
            String newQuotedPassword = "\"" + "brk1234" + "\"";
            byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");

            mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("userpassword", newUnicodePassword));
            mods[1] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("msDS-UserAccountDisabled", "FALSE"));
            // Perform the update
            ctx.modifyAttributes(dn, mods);
            System.out.println("Set password & updated userccountControl"); */
            // Close the contexts when we're done
            result.close();
            lctx.close();
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
==========================================================


--
VinodMaladkar
------------------------------------------------------------ ------------
VinodMaladkar's Profile: http://forums.techarena.in/members/90645.htm
View this thread: http://forums.techarena.in/active-directory/1194639.htm

http://forums.techarena.in
Re: Issue while setting user password in ADAM using JAVA [message #156132 is a reply to message #156039] Wed, 10 June 2009 17:58
Joe Kaplan
The error code 8237 means "confidentiality required".

By default in ADAM, password change operations can only be performed on an
encrypted channel. You can disable this, but that's the default.

To get an encrypted channel, you need to either use SSL to ADAM or use
Negotiate authentication with the sealing flag enabled. Your Java API may
or may not support the latter.

It looks like your code is trying to use SSL but it sounds like you aren't.

Otherwise, you need to disable the setting that requires encrypted channel
for password modifications.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Re: Issue while setting user password in ADAM using JAVA [message #156935 is a reply to message #156132] Fri, 26 June 2009 10:44
VinodMaladkar
Hello Joe,

Thank you for your reply. Sorry I couldn't get back to you.

You mentioned
"you need to disable the setting that requires encrypted channel". Do
you know how to do this?

Secondly I followed a few more links and tried to configure ADAM for
SSL.
I used the following link..

http://www.dirwiz.com/kb/index.pl/How%2520do%2520I%2520setup%2520LDAP%2520SSL%2520and%2520Certificates%2520in%2520ADAM%253F.pdf?pdf=345

But, when I see my event viewer logs, I am continuously getting
==========================================================
The directory
server has failed to update the ADAM serviceConnectionPoint object in
the Active Directory. This operation will be retried.
Additional Data
SCP object DN:
[]
Error value:
1323 Unable to update the password. The value provided as the current
password is incorrect.
Server error:
(n/a)
Internal ID:
339006e
ADAM service account:
SNY2AFSAPINT01A\adam
User Action
If ADAM is running under a local service account, it will be unable to
update the data in the Active Directory. Consider changing the ADAM
service account to either NetworkService or a domain account.

If ADAM is running under a domain user account, make sure this account
has sufficient rights to update the serviceConnectionPoint object.

ServiceConnectionPoint object publication can be disabled for this
instance by setting msDS-DisableForInstances attribute on the SCP
publication configuration object. For more information, see Help and
Support Center at http://go.microsoft.com/fwlink/events.asp.

========================================================

Do you know why I am getting this error? Please let me know your
thoughts...


--
VinodMaladkar
Re: Issue while setting user password in ADAM using JAVA [message #156944 is a reply to message #156935] Fri, 26 June 2009 15:47
Joe Kaplan
Easiest solution is to use dsmgmt:

http://technet.microsoft.com/en-us/library/cc732352(WS.10).aspx

The option for "allow passwd op on unsecured connection" is what you want.

The event log you are seeing here is unrelated to this problem so you can
ignore it if you want. It actually tells you exactly what the problem is.
The account you use to run ADAM doesn't have permission in AD to update an
object in AD (the SCP object) so it fails over and over. You probably don't
have anything that needs the SCP, so it is not important for this to work.
You can make the problem go away by running ADAM as network service instead
although perhaps there is a reason why you wanted to use the account you are
using.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Re: Issue while setting user password in ADAM using JAVA [message #157443 is a reply to message #156944] Tue, 07 July 2009 12:21
VinodMaladkar
Joe,

Do you know in which ADAM attribute the user password is stored?

I created a couple of records using ADAM EDSI tool. But both userpassword
and unicodePWD do not show any data.

If we need to set any of above attributes do I need to do any specific
string conversions? I tried with "userpassword" and getting

[LDAP: error code 19 - 0000052D: AtrErr: DSID-033807A4, #1:
0: 0000052D: DSID-033807A4, problem 1005 (CONSTRAINT_ATT_TYPE), data
2704, Att 23 (userPassword)

please let me know your thoughts...

Many thanks in advance...


--
VinodMaladkar
Re: Issue while setting user password in ADAM using JAVA [message #157490 is a reply to message #157443] Wed, 08 July 2009 07:55
Lee Flight
Hi,

the password is stored in unicodePwd but the value stored there cannot
be retrieved by LDAP search and so will not show any data in an LDAP
browser.
userPassword acts as a cleartext alias for unicodePwd under certain
conditions.

Lee Flight

[1]http://msdn.microsoft.com/en-us/library/cc223248(PROT.13).aspx
[2]http://msdn.microsoft.com/en-us/library/cc223249(PROT.13).aspx
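
An added example, not code from any poster in this thread, combining the two answers above: the password change goes over an encrypted channel (avoiding the "confidentiality required" error 8237) and targets unicodePwd with the quoted UTF-16LE encoding, then the account is enabled. The host name, SSL port, DNs and environment variable names are placeholders, and the JVM is assumed to trust the ADAM server's certificate.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

public class AdamSetPassword {

    // unicodePwd takes the password wrapped in double quotes, encoded as UTF-16LE.
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // Replace a single attribute on an existing entry.
    static void replace(DirContext ctx, String dn, String attr, Object value)
            throws NamingException {
        ctx.modifyAttributes(dn, new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                                 new BasicAttribute(attr, value))
        });
    }

    public static void main(String[] args) throws NamingException {
        // Placeholders (assumptions): SSL endpoint, DNs and variable names.
        String url = "ldaps://adam.example.test:636";
        String adminDn = "CN=admin,OU=Administrators,OU=people,DC=example,DC=test";
        String userDn = "uid=brk12343,ou=brokers,OU=people,DC=example,DC=test";
        String adminPw = System.getenv("ADAM_ADMIN_PW");   // no credentials in source
        String newPw = System.getenv("ADAM_NEW_USER_PW");
        if (adminPw == null || newPw == null) {
            throw new IllegalStateException("set ADAM_ADMIN_PW and ADAM_NEW_USER_PW");
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);  // ldaps:// means TLS is up before the bind
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, adminDn);
        env.put(Context.SECURITY_CREDENTIALS, adminPw);

        DirContext ctx = new InitialDirContext(env);
        try {
            // 1) Set the password first; a byte[] value is sent as binary.
            replace(ctx, userDn, "unicodePwd", encodeUnicodePwd(newPw));
            // 2) Then enable the account.
            replace(ctx, userDn, "msDS-UserAccountDisabled", "FALSE");
            System.out.println("Password set and account enabled: " + userDn);
        } catch (NamingException e) {
            String msg = e.getMessage();
            if (msg != null && msg.contains("data 8237")) {
                System.err.println("Server requires an encrypted channel for password operations");
            }
            throw e;
        } finally {
            ctx.close();
        }
    }
}
```

This keeps ADAM's default requirement for an encrypted channel in place rather than turning it off with dsmgmt, so neither the bind password nor the new password crosses the network in cleartext.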