Re: Setting Passwords via DSML with non-admin type Domain User Cre
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 05/26/05
- Previous message: Marvin Bobo: "Re: Setting Passwords via DSML with non-admin type Domain User Cre"
- In reply to: Marvin Bobo: "Re: Setting Passwords via DSML with non-admin type Domain User Cre"
- Next in thread: Rhett Gong [MSFT]: "Re: Setting Passwords via DSML with non-admin type Domain User Cre"
- Reply: Rhett Gong [MSFT]: "Re: Setting Passwords via DSML with non-admin type Domain User Cre"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 26 May 2005 14:50:24 -0500
Unfortunately I don't know enough about DSML or the authorization model with
IIS to know what is going on there. I'm not sure where is a good place to
get help on that either. I think there might be a DSML newsgroup, but I
don't know if anyone reads it (I don't :)).
I'm glad you made some progress anyway. Best of luck.
Joe
"Marvin Bobo" <marvinb@community.nospam> wrote in message
news:7026D1DF-41A1-4298-9B87-EB18956978F5@microsoft.com...
> I got the syntax correctly coded for the delete then add. Discovered that
> the real culprit is I am not able to even do a simple query using the
> non-admin userid. No matter what I do, it returns 403.1 error -
> authorization failed by IIS. Here is the snippet of code used for the post
> (vbscript) running on IIS 6.0 with Windows Authentication checked:
>
> sub postit(theform)
>     set xmlhttp = CreateObject("Msxml2.XMLHTTP")
>     ' the URL was wrapped by the news client; VBScript needs "_" to continue a line
>     url = "http://" + theform.serverName.value + "/" + theform.dsmlURL.value _
>           + "/adssoap.dsmlx"
>     xmlhttp.open "POST", url, false
>     ' SOAPAction header value is the literal "#batchRequest", quotes included
>     xmlhttp.setRequestHeader "SOAPAction", """#batchRequest"""
>     xmlhttp.send theform.requestEl.value
>     theform.responseEl.value = xmlhttp.responsetext + "!!!!!"
> end sub
>
> The DSML request is:
>
> <se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/">
> <se:Body xmlns="urn:oasis:names:tc:DSML:2:0:core">
> <batchRequest>
> <modifyRequest dn="cn=testuser,ou=testou,DC=TFODev,DC=local">
> <modification name="userPassword" operation="delete">
> <value>password</value>
> </modification>
> </modifyRequest>
> <modifyRequest dn="cn=testuser,ou=testou,DC=TFODev,DC=local">
> <modification name="userPassword" operation="add">
> <value>password</value>
> </modification>
> </modifyRequest>
>
> <searchRequest dn="ou=testou,DC=TFODev,DC=local" scope="singleLevel"
> derefAliases="neverDerefAliases" sizeLimit="1000">
> <filter>
> <present name="objectclass"/>
> </filter>
> <attributes>
> <attribute name="name"/>
> <attribute name="description"/>
> <attribute name="whenCreated"/>
> <attribute name="userPassword"/>
> </attributes>
> </searchRequest>
> </batchRequest>
>
> </se:Body>
> </se:Envelope>
>
> When I execute the POST I am prompted for the userid and password. When I
> enter the admin credentials, it works; when I enter "testuser" and
> "password" it fails.
>
> Any thoughts?
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> I think we are confusing terms now. :)
>>
>> There are three different types of LDAP attribute modifications: add,
>> delete and replace. You need to do a delete operation on the old password
>> value and an add on the new password value. This is not to be confused
>> with deleting the whole object from the tree. :)
>>
>> My guess is that it would look like this:
>> <modification name="unicodePwd" operation="delete">
>> <value xsi:type="xsd:base64Binary">IgBvAGwAZABQAGEAcwBzAHcAbwByAGQAIgA=</value>
>> </modification>
>> <modification name="unicodePwd" operation="add">
>> <value xsi:type="xsd:base64Binary">IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=</value>
>> </modification>
>>
>> The DSML docs on MSDN are pretty sketchy, so I'm not sure if that's right
>> or how to find out since I have no DSML directory to play with. Hopefully
>> this will help you though.
>>
>> Joe K.
>>
>>
>>
>>
>> "Marvin Bobo" <marvinb@community.nospam> wrote in message
>> news:BF246E03-290B-4D24-A44C-88734EF4E838@microsoft.com...
>> > Yes, I have the old password so I believe I can do this. You can do a
>> > batch of operations in a single request and it basically uses the LDAP
>> > syntax wrapped in the XML tags of the DSML schema. Deleting the old
>> > password is where I am running into the LDAP syntax. For instance, the
>> > DSML for delete is as follows:
>> >
>> > <se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/">
>> > <se:Body xmlns="urn:oasis:names:tc:DSML:2:0:core">
>> > <batchRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> > xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>> > <!--Clean up any existing entries-->
>> > <delRequest dn="cn=testuser,ou=testou,DC=TFODev,DC=local"/>
>> > <delRequest dn="cn=testuser1,ou=testou,DC=TFODev,DC=local"/>
>> > <delRequest dn="cn=testuser2,ou=testou,DC=TFODev,DC=local"/>
>> > </batchRequest>
>> > </se:Body>
>> > </se:Envelope>
>> >
>> > This would remove the user objects testuser, testuser1, and testuser2
>> > from the OU testou. If this is for an object in an OU, how do you remove
>> > the attribute unicodePwd from testuser? Not even sure if I am asking the
>> > correct question or if I am offbase. Once I have some clarity here I can
>> > try some items. Any thoughts?
>> >
>> > "Joe Kaplan (MVP - ADSI)" wrote:
>> >
>> >> Ok, so in this case you are just doing an LDAP replace operation. That
>> >> is essentially the AD equivalent of Reset Password when modifying
>> >> unicodePwd. This is done by administrators when creating an account
>> >> with an initial password or doing an administrative reset when the user
>> >> forgets.
>> >>
>> >> To do a change password, you do two mod ops, a "delete" and an "add",
>> >> although I'm not sure what the DSML for this is. You delete the old
>> >> password value and add the new one. You need the old password to do
>> >> this. I assume DSML lets you do a batch of modifications in a single
>> >> operation.
>> >>
>> >> Generally, normal users have rights to change their own password but
>> >> cannot set the password for anyone. Admins can set the password for
>> >> anyone and can change their own, but can't change a normal user's
>> >> password.
>> >>
>> >> So, I think it might depend on what you are trying to do here. If the
>> >> goal is for end user password change, then you can do that, but you
>> >> need the old password.
>> >> "Marvin Bobo" <marvinb@community.nospam> wrote in message
>> >> news:556AE95B-B6F6-49FD-A058-10D2087853D4@microsoft.com...
>> >> > My apologies, code would help but I am not sure how to do the remove
>> >> > op in DSML. What is happening is we have an external system that will
>> >> > "create" the password and this is transferred to Active Directory in
>> >> > support of a proprietary application. Therefore the unicodePwd field
>> >> > is being modified. What I am not sure of is how to "remove" the
>> >> > unicodePwd attribute and then set it. Here is the batch request (in
>> >> > DSML) which works under administrator level but not doing the
>> >> > suggestion in your original post.
>> >> >
>> >> > <se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/">
>> >> > <se:Body xmlns="urn:oasis:names:tc:DSML:2:0:core">
>> >> > <batchRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> >> > xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>> >> > <modifyRequest dn="cn=test,ou=testou,DC=TFODev,DC=local">
>> >> > <modification name="unicodePwd" operation="replace">
>> >> > <value xsi:type="xsd:base64Binary">IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=</value>
>> >> > </modification>
>> >> > </modifyRequest>
>> >> > </batchRequest>
>> >> > </se:Body>
>> >> > </se:Envelope>
>> >> >
>> >> > "Joe Kaplan (MVP - ADSI)" wrote:
>> >> >
>> >> >> It isn't easy finding any help for DSML as it is not very well used.
>> >> >> I actually know almost nothing about it.
>> >> >>
>> >> >> Based on the previous post that you referred to (which I guess I
>> >> >> wrote :)), I want to ask if you are doing the remove and add mod op
>> >> >> instead of the replace. If you show your code, that might help
>> >> >> (although I know neither DSML nor PERL very well, I should be able to
>> >> >> figure it out, especially if you post both versions).
>> >> >>
>> >> >> If you try to do a set password (just an LDAP replace), you'll
>> >> >> probably have a permissions problem because normal users don't have
>> >> >> rights to reset passwords, only to change their own.
>> >> >>
>> >> >> HTH,
>> >> >>
>> >> >> Joe K.
>> >> >> "Marvin Bobo" <marvinb@community.nospam> wrote in message
>> >> >> news:FC83C34F-44F5-4108-A60A-DF55EFB0F7BF@microsoft.com...
>> >> >> > When I execute the DSML request to change the password as Admin, it
>> >> >> > works ok. When I execute as the domain user, it fails with "HTTP
>> >> >> > Error 401.3 - Unauthorized: Access is denied due to an ACL set on
>> >> >> > the requested resource". I have set the specific user to full
>> >> >> > control on the ou and container for the user. The domain user
>> >> >> > logging on is changing its own account.
>> >> >> >
>> >> >> > Here is a post that is related to what I need to do but this is
>> >> >> > with LDAPs using Perl scripts:
>> >> >> >
>> >> >> > http://msdn.microsoft.com/newsgroups/managed/Default.aspx?dg=microsoft.public.active.directory.interfaces&mid=8461ad71-02a4-4759-8812-b0494e900898&sloc=en-us
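The delete-then-add change that Joe describes, as an added example in Python that is not code from any post in this thread: it produces the unicodePwd values (the two base64 strings in Joe's quoted guess decode to "oldPassword" and "newPassword"), builds the single modifyRequest that carries them, and reads a request back to confirm it is a change (delete + add) rather than an admin-style replace. The function names and the DN argument are this example's own; the namespaces and element names are the ones used in the quoted requests.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used by the DSML-over-SOAP requests quoted in this thread.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
ET.register_namespace("se", SOAP_NS)
ET.register_namespace("", DSML_NS)  # default namespace, as in the quoted requests
ET.register_namespace("xsi", XSI_NS)

def encode_unicode_pwd(password: str) -> str:
    """AD takes unicodePwd as the password in double quotes, UTF-16LE; base64 for DSML."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")

def decode_unicode_pwd(b64: str) -> str:
    """Inverse of encode_unicode_pwd; rejects values AD would not accept."""
    text = base64.b64decode(b64).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value must be a double-quoted UTF-16LE string")
    return text[1:-1]

def _add_modification(modify, operation: str, password: str) -> None:
    mod = ET.SubElement(modify, f"{{{DSML_NS}}}modification",
                        {"name": "unicodePwd", "operation": operation})
    value = ET.SubElement(mod, f"{{{DSML_NS}}}value",
                          {f"{{{XSI_NS}}}type": "xsd:base64Binary"})
    value.text = encode_unicode_pwd(password)

def build_change_password_request(dn: str, old_pwd: str, new_pwd: str) -> str:
    """User change: delete old unicodePwd value, add new one; 'replace' is the admin reset."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    # The xsd prefix only appears inside xsi:type, so declare it explicitly.
    batch = ET.SubElement(body, f"{{{DSML_NS}}}batchRequest", {"xmlns:xsd": XSD_NS})
    modify = ET.SubElement(batch, f"{{{DSML_NS}}}modifyRequest", {"dn": dn})
    _add_modification(modify, "delete", old_pwd)
    _add_modification(modify, "add", new_pwd)
    return ET.tostring(env, encoding="unicode")

def password_modifications(request_xml: str) -> list:
    """Read (operation, plaintext) pairs back out of a request to confirm delete-then-add."""
    root = ET.fromstring(request_xml)
    out = []
    for mod in root.iter(f"{{{DSML_NS}}}modification"):
        if mod.get("name") == "unicodePwd":
            value = mod.find(f"{{{DSML_NS}}}value").text
            out.append((mod.get("operation"), decode_unicode_pwd(value)))
    return out
```

Whether the DSML gateway then accepts the batch still depends on the IIS authorization Marvin hit, which is separate from the LDAP rights on unicodePwd.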