
Issue while setting user password in ADAM using JAVA

Author
9 Jun 2009 7:06 PM
VinodMaladkar
Hi,

I am running into some issues while creating a user record in ADAM using Java. I have customized the ADAM schema.

If I add, "msDS-UserAccountDisabled", "FALSE" in java code it fails.

I have a couple of questions...
1) When I create a user using the ADAM EDSI tool, in which attribute is the password value stored? I tried unicodePwd and userpassword, but they are empty.
2) When I create a user using the ADAM EDSI tool, I can reset the password and set msDS-UserAccountDisabled=FALSE. I would like to achieve the same thing through a Java program. If I try to add the attribute msDS-UserAccountDisabled=FALSE, I get "[LDAP: error code 1 - 00002077: SvcErr: DSID-03380788, problem 5012 (DIR_ERROR), data 8237".

3) If I remove msDS-UserAccountDisabled=FALSE, the record is created successfully, but without a password. But how do I enable the record and set the password?

It would be really helpful if you could provide some pointers...

I have pasted my Java code below.
==========================================================
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;

/**
 * Sample JNDI client ADD application to demonstrate how to create
 * a new user entry in MS-ADAM whose password never expires.
 */
public class LDAPCreateUser {
    public static void main(String[] args) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://SNY2AFSAPINT01A:2389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        //env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_PRINCIPAL, "CN=wacadmin,OU=Administrators,OU=people,DC=AXA,DC=COM");
        env.put(Context.SECURITY_CREDENTIALS, "Password1");
        //env.put("com.sun.jndi.ldap.connect.pool", "true");
        //env.put(Context.REFERRAL, "follow");

        DirContext ctx = null;
        try {
            // Create the initial context (one bound connection is enough)
            ctx = new InitialDirContext(env);
            // The distinguished name of the new entry
            String dn = "uid=brk12343,ou=brokers,OU=people,DC=AXA,DC=COM";
            // Create attributes to be associated with the new entry
            Attributes attrs = new BasicAttributes(true);
            // objectClass -- required in MUST list
            Attribute oc = new BasicAttribute("objectclass");
            oc.add("top");
            oc.add("person");
            oc.add("axfperson");
            oc.add("organizationalPerson");
            //oc.add("inetOrgPerson");
            oc.add("user");
            oc.add("axfagency");
            oc.add("axfsecurityresources");
            //oc.add("axfsecurityuser");
            attrs.put(oc);

            // Other mandatory attributes -- required in MUST list
            attrs.put("uid", "brk12343");
            // required by 'person'
            attrs.put("sn", "SomeSN");
            attrs.put("cn", "brk12343 CN");
            attrs.put("givenName", "SomeGN");
            attrs.put("userpassword", "12brk1234");
            // Optional attributes -- but they must be defined in the schema
            attrs.put("mail", "userm***@mydomain.com");
            // These 2 attributes are needed to create a user without password expiration in MS-ADAM.
            //attrs.put("msDS-UserAccountDisabled", "FALSE");
            attrs.put("msDS-UserDontExpirePassword", "TRUE");
            //attrs.put("ou", "people");
            //attrs.put("ou", "brokers");

            // Create the entry
            Context result = ctx.createSubcontext(dn, attrs);
            System.out.println("Created account for: " + dn);
            result.close();

            // Setting the password is an LDAP modify operation; the same modify
            // enables the account by setting msDS-UserAccountDisabled to FALSE.
            /*
            ModificationItem[] mods = new ModificationItem[2];
            // Replace the "unicodePwd" attribute with a new value.
            // The password must be a quoted string encoded as UTF-16LE.
            String newQuotedPassword = "\"" + "brk1234" + "\"";
            byte[] newUnicodePassword = newQuotedPassword.getBytes(StandardCharsets.UTF_16LE);
            mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", newUnicodePassword));
            mods[1] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("msDS-UserAccountDisabled", "FALSE"));
            // Perform the update
            ctx.modifyAttributes(dn, mods);
            System.out.println("Set password & enabled account");
            */
        } catch (NamingException e) {
            e.printStackTrace();
        } finally {
            // Close the context when we're done
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
==========================================================

--
VinodMaladkar

Author
10 Jun 2009 9:58 PM
Joe Kaplan
The error code 8237 means "confidentiality required".

By default in ADAM, password change operations can only be performed on an
encrypted channel.  You can disable this, but that's the default.

To get an encrypted channel, you need to either use SSL to ADAM or use
Negotiate authentication with the sealing flag enabled.  Your Java API may
or may not support the latter.

It looks like your code is trying to use SSL but it sounds like you aren't.

Otherwise, you need to disable the setting that requires an encrypted channel
for password modifications.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Author
26 Jun 2009 2:44 PM
VinodMaladkar
Hello Joe,

Thank you for the reply. Sorry I couldn't get back to you.

You mentioned
"you need to disable the setting that requires encrypted channel". Do you know how to do this?

Secondly, I followed a few more links and tried to configure ADAM for SSL.
I used the following link:

http://www.dirwiz.com/kb/index.pl/How%2520do%2520I%2520setup%2520LDAP%2520SSL%2520and%2520Certificates%2520in%2520ADAM%253F.pdf?pdf=345

But, when I look at my event viewer logs, I am continuously getting
==========================================================
The directory server has failed to update the ADAM serviceConnectionPoint object in the Active Directory. This operation will be retried.
Additional Data
SCP object DN:
[]
Error value:
1323 Unable to update the password. The value provided as the current password is incorrect.
Server error:
(n/a)
Internal ID:
339006e
ADAM service account:
SNY2AFSAPINT01A\adam
User Action
If ADAM is running under a local service account, it will be unable to update the data in the Active Directory. Consider changing the ADAM service account to either NetworkService or a domain account.

If ADAM is running under a domain user account, make sure this account has sufficient rights to update the serviceConnectionPoint object.

ServiceConnectionPoint object publication can be disabled for this instance by setting msDS-DisableForInstances attribute on the SCP publication configuration object.For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

========================================================

Do you know why I am getting this error? Please let me know your thoughts...

--
VinodMaladkar
Author
26 Jun 2009 7:47 PM
Joe Kaplan
The easiest solution is to use dsmgmt:

http://technet.microsoft.com/en-us/library/cc732352(WS.10).aspx

The option for "allow passwd op on unsecured connection" is what you want.

The event log you are seeing here is unrelated to this problem so you can
ignore it if you want.  It actually tells you exactly what the problem is.
The account you use to run ADAM doesn't have permission in AD to update an
object in AD (the SCP object) so it fails over and over.  You probably don't
have anything that needs the SCP, so it is not important for this to work.
You can make the problem go away by running ADAM as network service instead
although perhaps there is a reason why you wanted to use the account you are
using.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Author
7 Jul 2009 4:21 PM
VinodMaladkar
Joe,

Do you know in which ADAM attribute the user password is stored?

I created a couple of records using the ADAM EDSI tool. But neither userpassword nor unicodePWD shows any data.

If we need to set any of the above attributes, do I need to do any specific string conversions? I tried with "userpassword" and am getting

[LDAP: error code 19 - 0000052D: AtrErr: DSID-033807A4, #1:
    0: 0000052D: DSID-033807A4, problem 1005 (CONSTRAINT_ATT_TYPE), data 2704, Att 23 (userPassword)

please let me know your thoughts...

Many thanks in advance...

--
VinodMaladkar
Author
8 Jul 2009 11:55 AM
Lee Flight
Hi,

the password is stored in unicodePwd [1] but the value stored there cannot
be retrieved by LDAP search and so will not show any data in an LDAP
browser.
userPassword acts as a cleartext alias for unicodePwd under certain
conditions [2].

Lee Flight

[1] http://msdn.microsoft.com/en-us/library/cc223248(PROT.13).aspx
[2] http://msdn.microsoft.com/en-us/library/cc223249(PROT.13).aspx



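Putting Joe's and Lee's answers together in one JNDI program, as an added example that is not code from this thread: bind over LDAPS so ADAM's "confidentiality required" (data 8237) check is satisfied, set unicodePwd in the quoted UTF-16LE form, enable the account with msDS-UserAccountDisabled=FALSE, and then verify by binding as the new user, since unicodePwd can never be read back by search. The host, port, DNs and the class/method names are assumptions.

```java
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;

public class AdamSetPassword {
    // Placeholder host and DNs: assumptions, not values from the thread.
    static final String LDAPS_URL = "ldaps://adam.example.test:636";
    static final String ADMIN_DN = "CN=admin,OU=Administrators,OU=people,DC=example,DC=test";
    static final String USER_DN = "uid=brk12343,ou=brokers,OU=people,DC=example,DC=test";

    static Hashtable<String, String> env(String url, String bindDn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // ldaps:// with "ssl" is the encrypted channel ADAM requires for password ops (else data 8237)
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /** unicodePwd takes the password wrapped in double quotes, encoded as UTF-16LE. */
    static byte[] encodeUnicodePwd(String clearText) {
        return ("\"" + clearText + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** One modify sets the password and clears msDS-UserAccountDisabled. */
    static void setPasswordAndEnable(DirContext ctx, String userDn, String pw) throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(pw))),
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("msDS-UserAccountDisabled", "FALSE"))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    /** unicodePwd is never returned by search, so the only check is a bind as that user. */
    static boolean canBind(String url, String userDn, String password) {
        try {
            new InitialDirContext(env(url, userDn, password)).close();
            return true;
        } catch (NamingException e) {
            return false;   // bad credentials, still-disabled account, or TLS failure
        }
    }

    public static void main(String[] args) throws NamingException {
        // args[0] = admin password, args[1] = new user password; never hard-code them
        DirContext ctx = new InitialDirContext(env(LDAPS_URL, ADMIN_DN, args[0]));
        try { setPasswordAndEnable(ctx, USER_DN, args[1]); } finally { ctx.close(); }
        System.out.println("bind as new user: " + (canBind(LDAPS_URL, USER_DN, args[1]) ? "ok" : "FAILED"));
    }
}
```

The JVM must trust the ADAM server certificate (or a truststore must be supplied) for the ldaps:// bind to succeed; a failed bind in canBind therefore also covers the TLS failure case.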