
Thread: ADAM userProxy roadblock

  1. #1
    eric.d.friedman@gmail.com Guest

    ADAM userProxy roadblock

    I am evaluating ADAM using the Sept '05 Step-by-step Guide to Deploying
    ADAM. My goal is to show that I can create user proxy objects for
    users (mine) that are in AD but enrich them with new attributes and
    group membership in ADAM.

    I've set up an ADAM instance on my local machine, which is part of an
    Active Directory Domain.

    I do not have an SSL cert, so I followed the instructions to disable
    the SSL requirement for bind redirection.

    I am stuck on the step (page 63) _Creating and Binding with an ADAM
    Proxy Object_, in which I'm supposed to use ldp.exe to add a child for
    my new userProxy.

    I get this error message:
    ***Calling Add...
    ldap_add_s(ld, "cn=testproxy,o=microsoft,c=us", [2] attrs)
    Error: Add: Unwilling To Perform. <53>
    Server error: 000020E7: SvcErr: DSID-03152AA9, problem 5003
    (WILL_NOT_PERFORM), data 87

    Error 0x20E7 The modification was not permitted for security reasons.

    net helpmsg 87 says "The parameter is incorrect"

    The parameters I'm using are ObjectClass=userProxy and
    objectSID=<MyDomain>\<MyLANID>

    I got an ldif dump of my user object from AD and noticed that the case
    for objectSID is shown there as objectSid. Not sure if that matters --
    I tried both ways with same result. At any rate, I copied the encoded
    binary version from that to ldp.exe and now the error message is:

    ***Calling Add...
    ldap_add_s(ld, "cn=testproxy,o=microsoft,c=us", [2] attrs)
    Error: Add: Constraint Violation. <19>
    Server error: 00002082: AtrErr: DSID-03151346, #1:
    0: 00002082: DSID-03151346, problem 1005 (CONSTRAINT_ATT_TYPE), data
    0, Att 90092 (objectSid):len 52

    Error 0x2082 A value for the attribute was not in the acceptable range
    of values.

    What am I missing?


  2. #2
    Lee Flight Guest

    Re: ADAM userProxy roadblock

    Hi

    you are likely hitting a SID encoding issue, using ldp.exe you want:

    objectClass:userProxy
    objectSID:<string SID>

    where the string SID is of the form S-1-5-21-etc. You can read the string
    SID from the AD user object using ldp.exe or

    dsquery user -samid <samaccountname of user> |dsget user -sid

    You can also use an LDF import to create the userProxy by dumping the
    AD user to get the objectSID:

    dn: CN=testproxy,o=microsoft,c=us
    changetype: add
    objectClass: userProxy
    objectSid:: AQUAAAAAAAUVAAAAjlY1pC0dGfSmuT7fYgQAAA==

    or even use a string SID in an LDIF

    dn: CN=testproxy,o=microsoft,c=us
    changetype: add
    objectClass: userProxy
    objectSid: S-1-5-21-2754958990-4095286573-3745429926-1122

  3. #3
    eric.d.friedman@gmail.com Guest

    Re: ADAM userProxy roadblock

    Lee, thanks for your reply. Unfortunately, it didn't work.

    I tried both the base64'd binary and the string SID. The string SID
    doesn't work at all -- ldifde complains that the value cannot begin
    with `S'

    The binary complains of a constraint violation, as follows. At first I
    thought, well, maybe ADAM knows about my SID because I created the ADAM
    instance, so I tried with another user's SID and got the same result:
    Constraint Violation. (misspelled in the error message, by the way)

    What to try next?

    C:\WINNT\ADAM>more ldif.log
    Connecting to "localhost:389"
    Logging in as current user using SSPI
    Importing directory from file "C:\Documents and
    Settings\friedmed\Desktop\import
    ..txt"
    Loading entries
    1: CN=testproxy,o=microsoft,c=us
    Entry DN: CN=testproxy,o=microsoft,c=us
    changetype: add
    Attribute 0) objectClass:userProxy
    Attribute 1) objectSid: UNPRINTABLE BINARY(40)

    Constraint Violoation, entry skipped

    0 entries modified successfully.

    The command has completed successfully


  4. #4
    Joe Kaplan (MVP - ADSI) Guest

    Re: ADAM userProxy roadblock

    What does the Base64 binary look like that you are using? It has to be the
    Base64 of the binary version of the SID, not the Base64 of the SDDL string
    representation of the SID. That may make it a little more painful as we
    don't usually ever see the SID in raw binary.

  5. #5
    eric.d.friedman@gmail.com Guest

    Re: ADAM userProxy roadblock

    Here's the complete file I tried to import:

    dn: CN=testproxy,o=microsoft,c=us
    changetype: add
    objectClass: userProxy
    objectSid:: AQUAAAAAAAUVAAAA77+9Me+/vULvv70377+9ZSNfY2sE77+9AwA=


  6. #6
    Joe Kaplan (MVP - ADSI) Guest

    Re: ADAM userProxy roadblock

    That SID doesn't look right. It came out to be 38 bytes long. That isn't
    an even multiple of 4 and is longer than most of the AD SIDs I've seen.
    What is the SDDL for the SID in question?

    Joe K.

    <eric.d.friedman@gmail.com> wrote in message
    news:1137184873.846717.50930@g44g2000cwa.googlegroups.com...
    > Here's the complete file I tried to import:
    >
    > dn: CN=testproxy,o=microsoft,c=us
    > changetype: add
    > objectClass: userProxy
    > objectSid:: AQUAAAAAAAUVAAAA77+9Me+/vULvv70377+9ZSNfY2sE77+9AwA=
    >




  7. #7
    eric.d.friedman@gmail.com Guest

    Re: ADAM userProxy roadblock

    I don't recognize the SDDL acronym, but I'm guessing you mean the
    string SID, which is:

    S-1-5-21-1123561945-1708537768-1801674531-232452

    I don't have dsquery.exe or dsget.exe, so I used LDAPBrowser to get the
    objectSid you saw. Is there another way to get it?


  8. #8
    Lee Flight Guest

    Re: ADAM userProxy roadblock

    Hi

    you should be able to dump the encoded objectSID from the
    AD user using ldifde that should be suitable for import.

    On the string SID import your LDIF line should look like

    objectSid: S-1-5-21-etc.

    note the single ":" as compared to the "::" for the base64 encoded string.
    Also make sure that you are using the ADAM version of ldifde.

    Pre-existing identical SID in ADAM would be a problem but would
    give a different error (Unwilling to perform... , IIRC).


    Lee Flight


    <eric.d.friedman@gmail.com> wrote in message
    news:1137186180.271095.78530@z14g2000cwz.googlegroups.com...
    >I don't recognize the SDDL acronym, but I'm guessing you mean the
    > string SID, which is:
    >
    > S-1-5-21-1123561945-1708537768-1801674531-232452
    >
    > I don't have dsquery.exe or dsget.exe, so I used LDAPBrowser to get the
    > objectSid you saw. Is there another way to get it?
    >




  9. #9
    eric.d.friedman@gmail.com Guest

    Re: ADAM userProxy roadblock

    Success!

    I had not noticed the double colon, so using a single one with the S-
    form worked just fine.

    Clearly it's time to confront the reality of growing older and decrease
    the screen resolution. :-)

    Thanks to both of you for the assist!

    Eric


  10. #10
    Joe Kaplan (MVP - ADSI) Guest

    Re: ADAM userProxy roadblock

    Just for the record, I believe the Base64 for this SID

    S-1-5-21-1123561945-1708537768-1801674531-232452

    should have been:

    AQUAAAAAAAUVAAAA2TH4Qqg31mUjX2NrBIwDAA==

    You had this:

    AQUAAAAAAAUVAAAA77+9Me+/vULvv70377+9ZSNfY2sE77+9AwA=

    Mine converts to this byte sequence:

    01-05-00-00-00-00-00-05-15-00-00-00-D9-31-F8-42-A8-37-D6-65-23-5F-63-6B-04-8C-03-00

    Yours converted to this:

    01-05-00-00-00-00-00-05-15-00-00-00-EF-BF-BD-31-EF-BF-BD-42-EF-BF-BD-37-EF-BF-BD-65-23-5F-63-6B-04-EF-BF-BD-03-00

    I'm not quite sure how you ended up with the value you did.

    I hope that might help in the future. Obviously if ldifde takes the SDDL
    format (S-1-xxx), then that is easier to deal with.

    Best of luck,

    Joe K.

    <eric.d.friedman@gmail.com> wrote in message
    news:1137187465.916478.206690@g49g2000cwa.googlegroups.com...
    > Success!
    >
    > I had not noticed the double colon, so using a single one with the S-
    > form worked just fine.
    >
    > Clearly it's time to confront the reality of growing older and decrease
    > the screen resolution. :-)
    >
    > Thanks to both of you for the assist!
    >
    > Eric
    >
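
Added example, not part of any post in this thread: a Python sketch that packs a string SID into the binary objectSid layout, emits the `::` LDIF value, and checks a Base64 blob for the damage seen above. The `EF-BF-BD` runs in the rejected value are the UTF-8 encoding of U+FFFD (the replacement character); `mangle_as_text` reproduces that byte sequence by passing the raw SID through a text decode, which is an assumption about how the exporting tool behaved. All function names are hypothetical.

```python
import base64
import struct

UTF8_REPLACEMENT = b"\xef\xbf\xbd"  # UTF-8 encoding of U+FFFD

def sid_to_bytes(sid: str) -> bytes:
    """Pack an S-R-I-S... string SID into the binary layout objectSid stores."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a string SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision (1 byte), sub-authority count (1 byte), authority (6 bytes, big-endian)
    header = struct.pack(">BB", revision, len(subs)) + authority.to_bytes(6, "big")
    # each sub-authority is a 32-bit little-endian integer
    return header + struct.pack("<%dI" % len(subs), *subs)

def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; rejects blobs whose length disagrees with the count byte."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length %d does not match sub-authority count" % len(raw))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def ldif_value(sid: str) -> str:
    """Build the base64 ("::") LDIF line for a string SID."""
    return "objectSid:: " + base64.b64encode(sid_to_bytes(sid)).decode("ascii")

def diagnose(b64: str) -> str:
    """Decode a Base64 objectSid and report whether it is a well-formed SID."""
    raw = base64.b64decode(b64)
    try:
        return "ok: " + bytes_to_sid(raw)
    except ValueError as exc:
        hits = raw.count(UTF8_REPLACEMENT)
        hint = "; %d U+FFFD sequences, blob went through a text decode" % hits if hits else ""
        return "bad (%d bytes): %s%s" % (len(raw), exc, hint)

def mangle_as_text(raw: bytes) -> bytes:
    """Constructed reproduction: treat raw bytes as UTF-8 text, replacing invalid bytes."""
    return raw.decode("utf-8", errors="replace").encode("utf-8")

if __name__ == "__main__":
    sid = "S-1-5-21-1123561945-1708537768-1801674531-232452"  # SID quoted in the thread
    print(ldif_value(sid))
    print(diagnose("AQUAAAAAAAUVAAAA77+9Me+/vULvv70377+9ZSNfY2sE77+9AwA="))
    print(base64.b64encode(mangle_as_text(sid_to_bytes(sid))).decode("ascii"))
```

Every byte of the SID at or above 0x80 was replaced by a three-byte sequence, which is why the blob grew from 28 to 38 bytes and the server rejected it with a constraint violation.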




  11. #11
    Lee Flight Guest
    Thanks for providing the analysis Joe; it's good to have encoding
    examples on record as ldifde is not uniformly slick with regard to
    string SID, it does not always work e.g. when adding Windows
    principals to ADAM groups.

  12. #12
    Join Date
    Nov 2007
    Posts
    5

    Unable to add userProxy to ADAM

    I am getting this error message when trying to add the userProxy to ADAM using ldp.exe:
    -------
    ***Calling Add...
    ldap_add_s(ld, "CN=testproxy,O=Nortel,C=CA", [2] attrs)
    Error: Add: Unwilling To Perform. <53>
    Server error: 000020E7: SvcErr: DSID-03152AA9, problem 5003 (WILL_NOT_PERFORM), data 8471

    Error 0x20E7 The modification was not permitted for security reasons.
    -----

    I have gone through the following link: http://groups.google.ca/group/micros...86065572943a01

    but still not able to resolve the problem.

    I have tried to import an ldf file as

    dn:CN=testproxy,o=Nortel,c=CA
    changetype:add
    objectClass:userProxy
    objectSid:S-1-5-21-1198016865-2893233462-346250739-1103

    But got the same error.

    I obtained the object SID using the dsquery and dsget command.

    Can anyone help me out?
    Thanks in advance.

  13. #13
    Joe Kaplan Guest

    Re: ADAM userProxy roadblock

    You should be able to use this syntax in ldif:

    objectSid::AQUAAAAAAAUVAAAAYUloRzY9c6zzXaMUTwQAAA==

    That is the binary version of that same SID converted to Base64.

    In ldp, if you want to use the SDDL format, you need to use for the value:

    \SID:S-1-5-21-1198016865-2893233462-346250739-1103

  14. #14
    Join Date
    Nov 2007
    Posts
    5
    Hi Dylan,

    I tried with user-Proxy and got the following error

    -----------
    ***Calling Add...
    ldap_add_s(ld, "CN=testproxy,O=Nortel,C=CA", [2] attrs)
    Error: Add: No Such Attribute. <16>
    Server error: 00000057: LdapErr: DSID-0C090B3D, comment: Error in attribute conversion operation, data 0, vece
    Error 0x57 The parameter is incorrect.
    -----------

  15. #15
    Join Date
    Nov 2007
    Posts
    5
    Hi Joe,

    I tried with the binary value as well by getting it from the AD export.
    objectSid::AQUAAAAAAAUVAAAAYUloRzY9c6zzXaMUTwQAAA==
    but, still I got the same error
    -------------------
    C:\WINDOWS\ADAM>ldifde -i -f "C:\Documents and Settings\choukse\Desktop\user.ldf
    " -s localhost:50000 -j "C:\Documents and Settings\choukse\Desktop"
    Connecting to "localhost:50000"
    Logging in as current user using SSPI
    Importing directory from file "C:\Documents and Settings\choukse\Desktop\user.ldf"
    Loading entries.
    Add error on line 1: Unwilling To Perform
    The server side error is: 0x20e7 The modification was not permitted for security
    reasons.
    The extended server error is:
    000020E7: SvcErr: DSID-03152AA9, problem 5003 (WILL_NOT_PERFORM), data 8471

    0 entries modified successfully.
    An error has occurred in the program
    -------------------

    While trying to add proxy element using ldp with objectSID value as
    /SID:S-1-5-21-1198016865-2893233462-346250739-1103

    I got another error, as below

    -----------
    ***Calling Add...
    ldap_add_s(ld, "CN=testproxy,O=Nortel,C=CA", [2] attrs)
    Error: Add: Constraint Violation. <19>
    Server error: 00002082: AtrErr: DSID-03151346, #1:
    0: 00002082: DSID-03151346, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90092 (objectSid):len 50

    Error 0x2082 A value for the attribute was not in the acceptable range of values.
    -----------
