
Thread: Issue while setting user password in ADAM using JAVA

  1. #1

    Issue while setting user password in ADAM using JAVA

    Hi,

    I am running into some issues while creating a user record in ADAM using Java. I have customized the ADAM schema.

    If I add "msDS-UserAccountDisabled", "FALSE" in the Java code, it fails.

    I have a couple of questions...
    1) When I create a user using the ADAM EDSI tool, in which attribute is the password value stored? I tried unicodePwd and userpassword, but they are empty.
    2) When I create a user using the ADAM EDSI tool, I can reset the password and set msDS-UserAccountDisabled=FALSE. I would like to achieve the same thing through a Java program. If I try to add the attribute msDS-UserAccountDisabled=FALSE, I get "[LDAP: error code 1 - 00002077: SvcErr: DSID-03380788, problem 5012 (DIR_ERROR), data 8237".

    3) If I remove msDS-UserAccountDisabled=FALSE, the record is created successfully without a password. But how do I enable the record and set the password?

    It would be really helpful if you provide some pointers...

    I have pasted my Java code below.
    ==========================================================
    import java.io.UnsupportedEncodingException;
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.Attribute;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.BasicAttributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.ModificationItem; // only used by the commented-out password block

    /**
     * Sample JNDI client ADD application to demonstrate how to create
     * a new user entry in MS-ADAM whose password never expires.
     */
    public class LDAPCreateUser {
        public static void main(String[] args) throws UnsupportedEncodingException {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://SNY2AFSAPINT01A:2389");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            //env.put(Context.SECURITY_PROTOCOL, "ssl");
            env.put(Context.SECURITY_PRINCIPAL, "CN=wacadmin,OU=Administrators,OU=people,DC=AXA,DC=COM");
            env.put(Context.SECURITY_CREDENTIALS, "Password1");
            //env.put("com.sun.jndi.ldap.connect.pool", "true");
            //env.put(Context.REFERRAL, "follow");

            try {
                // Create the initial context (one connection is enough; the earlier
                // unused InitialLdapContext opened a second connection that was never closed)
                DirContext ctx = new InitialDirContext(env);
                // The distinguished name of the new entry
                String dn = "uid=brk12343,ou=brokers,OU=people,DC=AXA,DC=COM";
                // Create attributes to be associated with the new entry
                Attributes attrs = new BasicAttributes(true);
                // objectclass -- required in MUST list
                Attribute oc = new BasicAttribute("objectclass");
                // required by 'top'
                oc.add("top");
                oc.add("person");
                oc.add("axfperson");
                oc.add("organizationalPerson");
                //oc.add("inetOrgPerson");
                oc.add("user");
                oc.add("axfagency");
                oc.add("axfsecurityresources");
                //oc.add("axfsecurityuser");
                attrs.put(oc);

                System.out.println("brk12343");
                // Other mandatory attributes -- required in MUST list
                attrs.put("uid", "brk12343");
                // required by 'person'
                attrs.put("sn", "SomeSN");
                attrs.put("givenName", "SomeGN");
                attrs.put("cn", "brk12343 CN");
                attrs.put("userpassword", "12brk1234");
                // Optional attributes -- but they must be defined in the schema
                attrs.put("mail", "usermail@mydomain.com");
                // These 2 attributes are needed for user creation without password expiration in MS-ADAM.
                //attrs.put("msDS-UserAccountDisabled", "FALSE");
                attrs.put("msDS-UserDontExpirePassword", "TRUE");
                //attrs.put("ou", "people");
                //attrs.put("ou", "brokers");
                // Create the entry
                Context result = ctx.createSubcontext(dn, attrs);
                System.out.println("Created account for: " + dn);
                // Setting the password is an LDAP modify operation;
                // we also update the account-control attribute,
                // enabling the account and forcing the user to update their password
                // the first time they log in.
                /*ModificationItem[] mods = new ModificationItem[2];
                // Replace the "unicodePwd" attribute with a new value.
                // The password must be both Unicode and a quoted string.
                String newQuotedPassword = "\"" + "brk1234" + "\"";
                byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
                mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userpassword", newUnicodePassword));
                mods[1] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("msDS-UserAccountDisabled", "FALSE"));
                // Perform the update
                ctx.modifyAttributes(dn, mods);
                System.out.println("Set password & updated userAccountControl"); */
                // Close the contexts when we're done
                result.close();
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }
    ==========================================================

  2. #2
    Joe Kaplan Guest

    Re: Issue while setting user password in ADAM using JAVA

    The error code 8237 means "confidentiality required".

    By default in ADAM, password change operations can only be performed on an
    encrypted channel. You can disable this, but that's the default.

    To get an encrypted channel, you need to either use SSL to ADAM or use
    Negotiate authentication with the sealing flag enabled. Your Java API may
    or may not support the latter.

    It looks like your code is trying to use SSL, but it sounds like you aren't.

    Otherwise, you need to disable the setting that requires encrypted channel
    for password modifications.

  3. #3
    You mentioned "you need to disable the setting that requires encrypted channel". Do you know how to do this?

    Secondly, I followed a few more links and tried to configure ADAM for SSL.
    I used the following link..

    But when I look at my Event Viewer logs, I am continuously getting
    ==========================================================
    The directory server has failed to update the ADAM serviceConnectionPoint object in the Active Directory. This operation will be retried.
    Additional Data
    SCP object DN:
    []
    Error value:
    1323 Unable to update the password. The value provided as the current password is incorrect.
    Server error:
    (n/a)
    Internal ID:
    339006e
    ADAM service account:
    SNY2AFSAPINT01A\adam
    User Action
    If ADAM is running under a local service account, it will be unable to update the data in the Active Directory. Consider changing the ADAM service account to either NetworkService or a domain account.

    If ADAM is running under a domain user account, make sure this account has sufficient rights to update the serviceConnectionPoint object.

    ServiceConnectionPoint object publication can be disabled for this instance by setting msDS-DisableForInstances attribute on the SCP publication configuration object. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    ========================================================

    Do you know why I am getting this error? Please let me know your thoughts...

    Do you know in which ADAM attribute the user password is stored?

    I created a couple of records using the ADAM EDSI tool. But neither userpassword nor unicodePWD shows any data.

    If we need to set any of the above attributes, do I need to do any specific string conversions? I tried with "userpassword" and am getting

    [LDAP: error code 19 - 0000052D: AtrErr: DSID-033807A4, #1:
    0: 0000052D: DSID-033807A4, problem 1005 (CONSTRAINT_ATT_TYPE), data 2704, Att 23 (userPassword)

  4. #4
    Joe Kaplan Guest

    Re: Issue while setting user password in ADAM using JAVA

    Easiest solution is to use dsmgmt:

    http://technet.microsoft.com/en-us/l...52(WS.10).aspx

    The option for "allow passwd op on unsecured connection" is what you want.

    The event log you are seeing here is unrelated to this problem so you can
    ignore it if you want. It actually tells you exactly what the problem is.
    The account you use to run ADAM doesn't have permission in AD to update an
    object in AD (the SCP object) so it fails over and over. You probably don't
    have anything that needs the SCP, so it is not important for this to work.
    You can make the problem go away by running ADAM as network service instead
    although perhaps there is a reason why you wanted to use the account you are
    using.

  5. #5
    Lee Flight Guest

    Re: Issue while setting user password in ADAM using JAVA

    The password is stored in unicodePwd [1], but the value stored there cannot
    be retrieved by LDAP search and so will not show any data in an LDAP
    browser.
    userPassword acts as a cleartext alias for unicodePwd under certain
    conditions [2].

    [1]http://msdn.microsoft.com/en-us/library/cc223248(PROT.13).aspx
    [2]http://msdn.microsoft.com/en-us/library/cc223249(PROT.13).aspx
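
Putting the replies together (encrypted channel from #2, unicodePwd as the real password attribute from #5), the following is an added example, not code from the thread or from any of the posters. It binds over LDAPS instead of plain LDAP, encodes the password as the quoted UTF-16LE value that unicodePwd requires, and in the same modify operation clears msDS-UserAccountDisabled, which is the second half of the original question. Host, port, the user DN and the environment-variable names are placeholders; the bind credentials are read from the environment rather than hard-coded as in the original post.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/**
 * Added example (not from the thread): enable an ADAM user and set its
 * password over an encrypted LDAPS channel, writing unicodePwd as a quoted
 * UTF-16LE value and clearing msDS-UserAccountDisabled in one modify.
 * Host, port, DNs and environment-variable names are placeholders.
 */
public class AdamSetPassword {

    /**
     * ADAM/AD accept unicodePwd only as the clear-text password wrapped in
     * double quotes and encoded as UTF-16LE (no byte-order mark).
     * A plain string written to unicodePwd is rejected by the server.
     */
    static byte[] encodeUnicodePwd(String clearText) {
        return ("\"" + clearText + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Modifications that set the password and enable the account together. */
    static ModificationItem[] setPasswordAndEnable(String clearText) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(clearText))),
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("msDS-UserAccountDisabled", "FALSE")),
        };
    }

    /**
     * Bind over LDAPS. The JVM must trust the ADAM instance's certificate
     * (for a self-signed one, import it into the truststore with keytool);
     * a handshake failure here is the correct outcome for an untrusted
     * certificate and should not be bypassed with a trust-all manager.
     */
    static DirContext connectLdaps(String host, int port, String bindDn, String bindPassword)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    /** Hex dump helper so the wire encoding can be checked without a server. */
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws NamingException {
        // Offline self-check of the encoding: "ab" -> 2200 6100 6200 2200
        System.out.println("unicodePwd bytes for \"ab\": " + hex(encodeUnicodePwd("ab")));

        if (args.length < 3) {
            System.out.println("usage: AdamSetPassword <host> <ldapsPort> <userDn>");
            System.out.println("bind DN / bind password / new user password come from the environment");
            return;
        }
        // Placeholder environment variables; keeps credentials out of source code.
        String bindDn = System.getenv("ADAM_BIND_DN");
        String bindPw = System.getenv("ADAM_BIND_PASSWORD");
        String newPw = System.getenv("ADAM_NEW_USER_PASSWORD");
        if (bindDn == null || bindPw == null || newPw == null) {
            System.out.println("ADAM_BIND_DN, ADAM_BIND_PASSWORD and ADAM_NEW_USER_PASSWORD must be set");
            return;
        }

        DirContext ctx = connectLdaps(args[0], Integer.parseInt(args[1]), bindDn, bindPw);
        try {
            ctx.modifyAttributes(args[2], setPasswordAndEnable(newPw));
            System.out.println("Password set and account enabled for " + args[2]);
        } finally {
            ctx.close();
        }
    }
}
```

Run with no arguments to see only the encoding self-check; with a host, LDAPS port and user DN it performs the modify. Using REPLACE_ATTRIBUTE on unicodePwd is an administrative reset performed under the bind account's rights, which is the operation the original post was attempting; the two modifications are sent in one request so the account is never left enabled without a password.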
