Tags: password, ssl

#1
ADAM and Non SSL Password Changes

I have an ADAM instance set up. I know you can change the dsheuristics attribute in the configuration partition to allow ADAM to change passwords on an open port. If I have an instance already set up to use SSL to change passwords and then set the attribute value of the dsheuristics to allow non-SSL password changes, will the current user objects be affected by this? I.e. will their passwords expire and/or stop working?

#2
Re: ADAM and Non SSL Password Changes

Disabling this flag allows non-SSL password changes to be done. You can still do SSL password changes.

Depending on the code mechanism you are using for pwd changes, you don't need SSL specifically to get password changes on an encrypted channel anyway. I do this all the time. You can't use ADSI for that though and must use a lower level LDAP API that supports negotiate authentication.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

#3
Re: ADAM and Non SSL Password Changes

Joe,

If I set that attribute value to allow non-SSL password changes, would a straight JNDI bind to the directory still work to perform the password change?

#4
Re: ADAM and Non SSL Password Changes

Actually, I misspoke. For an ADAM user to change their own pwd, Negotiate auth is not available. The only SASL mechanism for ADAM users is Digest auth. I'm not totally sure if that works for SSPI encryption. I also don't know if JNDI can do any of this stuff or not since some of the implementation details are in the MS SSPI level (SSPI signing/sealing).

With JNDI and LDAP simple bind, you need SSL for an encrypted channel. As to whether or not you want to use SSL, that is up to you. I think it is a good idea to use SSL whenever simple bind is involved, but in some cases the traffic doesn't traverse a network where it could be sniffed, so there is no risk.

The flag is basically global though. There is no "per user" aspect of it. If a pwd changing LDAP mod operation is sent, it will either be accepted or rejected based on whether you allow insecure pwd changes and whether SSL was used during the connect.

I'm pretty sure you can do the actual LDAP operation in JNDI. I'm not a Java guy, but the LDAP aspect of it is fairly simple. Password change is just a modification request with a "remove" operation containing the old password and an "add" operation containing the new password. Depending on whether you target the userPassword or the unicodePwd attribute, the actual format of the data you pass in will differ.

This is actually all ADSI is doing under the hood when it does an SSL/LDAP password change. Unfortunately, the exact semantics of this can't be done in normal ADSI property cache manipulation.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
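The mechanics in this last reply (delete old value + add new value in one modify request, different encodings for unicodePwd and userPassword, a global flag that is checked together with whether the connection was SSL) and the dsHeuristics question that opened the thread, as an added Python example. This is not code from the thread, from Joe, or from Microsoft; it talks to no server. The thread never names the position of the flag inside dsHeuristics; MS-ADTS documents it as character 13 (fAllowPasswordOperationsOnNonSecureConnection, AD LDS only), which is what the constant below encodes. All function names, the ConnectionInfo type and the sample values are my own, constructed for illustration.

```python
# Added example, not code from the thread or from Microsoft. Helpers that model
# the ADAM (AD LDS) password-change mechanics described in the thread. Nothing
# here connects to a directory; names and sample values are constructed.
from dataclasses import dataclass
from typing import List, Tuple

# Modify operation codes from the LDAP ModifyRequest definition (RFC 4511).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# 1-based position of fAllowPasswordOperationsOnNonSecureConnection in the
# dsHeuristics string of the configuration partition (AD LDS/ADAM only).
NONSECURE_PWD_OPS_POS = 13


def validate_ds_heuristics(value: str) -> List[str]:
    """Return a list of problems with a dsHeuristics string (empty = OK).

    dsHeuristics is positional: every tenth character (10, 20, 30, ...) must
    be the digit of its tens place, which catches an off-by-one when the
    string is edited by hand.
    """
    problems = []
    for pos in range(10, len(value) + 1, 10):
        expected = str(pos // 10)
        if value[pos - 1] != expected:
            problems.append(
                f"position {pos} is {value[pos - 1]!r}, expected {expected!r}"
            )
    return problems


def allows_nonsecure_password_ops(value: str) -> bool:
    """True when dsHeuristics enables password operations over a connection
    that is not SSL/TLS protected. Positions past the end of the string count
    as '0' (the default), so an empty or short value means 'disabled'."""
    padded = (value or "").ljust(NONSECURE_PWD_OPS_POS, "0")
    return padded[NONSECURE_PWD_OPS_POS - 1] == "1"


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd takes the password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def encode_user_password(password: str) -> bytes:
    """userPassword takes the plain UTF-8 string, no quoting."""
    return password.encode("utf-8")


def _encode(attr: str, password: str) -> bytes:
    if attr == "unicodePwd":
        return encode_unicode_pwd(password)
    if attr == "userPassword":
        return encode_user_password(password)
    raise ValueError(f"not a password attribute: {attr}")


# (operation, attribute, values) triples, the shape of one ModifyRequest.
Modlist = List[Tuple[int, str, List[bytes]]]


def self_change_modlist(attr: str, old: str, new: str) -> Modlist:
    """A user changing their own password: one modify request carrying a
    delete of the old value and an add of the new value, so the server can
    verify the old password before accepting the new one."""
    return [(MOD_DELETE, attr, [_encode(attr, old)]),
            (MOD_ADD, attr, [_encode(attr, new)])]


def admin_reset_modlist(attr: str, new: str) -> Modlist:
    """An administrative reset has no old password: a single replace."""
    return [(MOD_REPLACE, attr, [_encode(attr, new)])]


@dataclass
class ConnectionInfo:
    tls: bool  # LDAPS or StartTLS negotiated on this connection


def server_accepts_password_op(conn: ConnectionInfo, ds_heuristics: str) -> bool:
    """Mirror of the server-side decision described in the thread: the
    modification is accepted when the connection is SSL/TLS protected or when
    dsHeuristics allows password operations on non-secure connections. The
    flag is global; there is no per-user setting."""
    return conn.tls or allows_nonsecure_password_ops(ds_heuristics)


if __name__ == "__main__":
    # Constructed value: 10th char '1' (position check), 13th char '1' (flag on).
    heuristics = "0000000001001"
    print(validate_ds_heuristics(heuristics))          # []
    print(allows_nonsecure_password_ops(heuristics))   # True
    print(self_change_modlist("unicodePwd", "OldPass1!", "NewPass2!"))
    print(server_accepts_password_op(ConnectionInfo(tls=False), ""))  # False
```

Read as a defender: `allows_nonsecure_password_ops` over the value pulled from the configuration partition tells you whether the instance will take a simple-bind password change in the clear, and `validate_ds_heuristics` catches the hand-edit mistake that silently moves the flag to the wrong position.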