Monday, December 24, 2012

Windows password recovery USB

 

Most providers of these tools have moved to paid offerings, and the instructions are awful. Here is the best one I found and used the other day.

Full web site: http://pogostick.net/~pnh/ntpasswd/ 

Download the files for the USB install: usb110511.zip (~3 MB) (md5sum: 50ced8d2a5febe22199f99acec74e63b)

How to make a bootable USB drive

Get a USB drive whose contents you are happy to overwrite

Copy the files from the usb*.zip above onto the root folder of the USB drive

Either as root or via sudo, use Disk Utility, df or any other utility to find the USB drive's device name (generally /dev/sdb1)

Unmount the drive if it is mounted, then, either as root or via sudo, run:

syslinux -ma /dev/sdb1

Boot from the drive and away you go.


Tuesday, December 11, 2012

AD:DS versus AD:LDS

 

You have a requirement to provide an LDAP directory service to applications, and as part of this there has been a discussion comparing full Active Directory (AD:DS) with Active Directory run as a standalone LDAP instance (AD:LDS).

The key differentiators between the two services are:

 

Active Directory Domain Services

Active Directory was designed and built in the late nineties for release with Windows 2000 Server. It was a direct replacement for Windows NT 4 domains but is based on the X.500 standards. It was built as a replacement for file and print management but always contained methods to extend the schema and therefore extend its functionality.

 

Active Directory Lightweight Directory Service

Designed and delivered as a direct competitor to traditional LDAP services such as the iPlanet LDAP server, AD:LDS (released as ADAM in Windows Server 2003) uses the same code base as traditional Active Directory but decouples many of the file- and print-specific concepts such as Domain Controllers, Domains and Forests. A traditional Active Directory runs a single instance of the directory per server, whereas AD:LDS can run many different 'services' (instances) on the same computer. AD:LDS ships without most of the default schema objects to allow for custom schemas, and is ideally suited to multi-million-object directories in web-facing environments.

 

Comparing Services

The main features are listed below, with whether each platform supports them.

| Feature | AD:DS | AD:LDS |
|---|---|---|
| Forest and Domain | Yes | No |
| Sites | Yes | Yes |
| Run as a service | No | Yes |
| Trusts | Yes | No |
| LDAP 2/3 | Yes | Yes |
| Kerberos | Yes | Partial |
| DNS integration (SRV records required) | Yes | No |
| Schema modification | Yes | Yes |
| Computer objects (required) | Yes | No |
| Hosts computers (domain members) | Yes | No |
| Unique names (sAMAccountName) | Yes | Yes |
| inetOrgPerson support | Yes | Yes |
| Static ACL (stamped) | Yes | Yes |
| Global Catalogue | Yes | No |
| Custom indexed objects | Yes | Yes |
| Scale (above 1 billion objects) | Yes | Yes |
| FSMOs | Yes | Yes |
| Trusts (traditional Kerberos) | Yes | No |
| SAML support | Yes | Yes |
| ADFS support | Yes | Yes |
| Group Policy support | Yes | Partial |
| GPO-based object rules | Yes | No |
| Active Directory Users and Computers support | Yes | No |
| LDAP tool support | Yes | Yes |
| ADSI Edit | Yes | Yes |
| Server Core support | Yes | Yes |
| Self-managed (via GPO) | Yes | No |
| Event log | Yes | Partial |
| Auditing | Yes | Partial |
| Higher computing power required | Yes | No |
| Built-in Active Directory sync tool | No | Yes |
| Security outside of "Domain Admins" | No | Yes |

 

High-level comparison

Some of the key aspects of Active Directory versus LDS.

Key: The larger area is best.


Monday, December 03, 2012

EduPerson, AuEduPerson, schac Schema for Active Directory

 

As part of moving a Sydney university from a Sun/Oracle iPlanet LDAP directory to Active Directory I have to support the educational standard objects: eduPerson, the Australian-specific extensions required by the AAF (auEduPerson), and schac, the Schema for Academia, which the university also uses. All three are available on the internet in various formats, but not all of them were available for AD. I have taken these works, added information from the schema documentation, and converted or updated them to support direct AD import. I have also provided them to the AAF to list in the 'files' section of their web site.

These have all been tested at domain and forest functional levels 2003 through 2008 R2, on Windows Server 2008 R2.

Make sure you turn on Advanced Features in Active Directory Users and Computers to see them. To enable the Schema Manager snap-in, register it with the command "regsvr32 c:\Windows\System32\schmmgmt.dll".



To import these files, log on to a Domain Controller as a Schema Admin and run the following (you can also run this remotely against the DC, but the command line is horrible…):

ldifde -i -f "eduPerson-active directory.ldf" -v

ldifde -i -f "aueduPerson-active directory.ldf" -v

ldifde -i -f "schac-active directory.ldf" -v


You will notice that "searchFlags: 1" (indexed) is set on some key attributes. This anticipates search load and manages performance; it can be changed in the GUI or in the schema once scale testing is underway, and may also need to be enabled for some POSIX / PAM settings.
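As an added example (not code from this post, nor from the eduPerson, AAF or schac projects), here is a small Python pre-import linter for ldifde-style schema files like the three below. It checks that the DC=xxx,DC=EDU,DC=AU placeholder has been replaced, that no attributeID or governsID is reused, that cn and lDAPDisplayName agree, that every mayContain points at an attribute defined in the same file, that each class's defaultObjectCategory names the class itself, and which attributes are indexed via searchFlags; the LDIF inside it is a constructed sample with placeholder OIDs under the 2.999 example arc.

```python
import re

# Suffix placeholder used throughout the files above; replace before `ldifde -i`.
PLACEHOLDER = re.compile(r"DC=xxx,DC=EDU,DC=AU", re.IGNORECASE)

def parse_ldif(text):
    # One dict per entry (attribute -> list of values). Skips '#' comments and
    # the '-' separators of changetype: modify, joins folded lines (leading
    # space) and leaves base64 ('::') values undecoded, which suffices here.
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#") or raw == "-":
            continue
        if not raw.strip():                       # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key:      # folded continuation line
            current[last_key][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        current.setdefault(key, []).append(value.lstrip(":").strip())
        last_key = key
    if current:
        entries.append(current)
    return entries

def lint_schema(text):
    """Return a list of findings for one schema LDIF file; [] means clean."""
    findings = []
    if PLACEHOLDER.search(text):
        findings.append("placeholder DC=xxx,DC=EDU,DC=AU still present; replace it with your forest DN")
    attrs, oids, classes = {}, {}, []
    for e in parse_ldif(text):
        if e.get("changetype", [""])[0].lower() != "ntdsschemaadd":
            continue                              # schemaUpdateNow / auxiliaryClass mods
        cn = e.get("cn", ["?"])[0]
        ldn = e.get("lDAPDisplayName", [""])[0]
        if ldn != cn:
            findings.append(f"{cn}: lDAPDisplayName '{ldn}' differs from cn")
        is_attr = "attributeSchema" in e.get("objectClass", [])
        oid_key = "attributeID" if is_attr else "governsID"
        oid = e.get(oid_key, [None])[0]
        if oid is None:
            findings.append(f"{cn}: missing {oid_key}")
            continue
        if oid in oids:
            findings.append(f"{cn}: OID {oid} already used by {oids[oid]}")
        oids[oid] = cn
        if is_attr:
            attrs[oid] = cn
        else:
            classes.append(e)
    # Class checks run once every attribute is known, whatever the file order.
    for c in classes:
        cn = c["cn"][0]
        for oid in c.get("mayContain", []) + c.get("mustContain", []):
            if oid not in attrs:
                findings.append(f"{cn}: mayContain/mustContain {oid} is not defined in this file")
        doc = c.get("defaultObjectCategory", [""])[0]
        if not doc.lower().startswith(f"cn={cn.lower()},"):
            findings.append(f"{cn}: defaultObjectCategory '{doc}' does not name the class itself")
    return findings

def indexed_attributes(text):
    """lDAPDisplayNames of attributes whose searchFlags has bit 1 (indexed) set."""
    return sorted(e["lDAPDisplayName"][0] for e in parse_ldif(text)
                  if "attributeSchema" in e.get("objectClass", [])
                  and int(e.get("searchFlags", ["0"])[0]) & 1)

# Constructed sample, not a real schema file: trimmed to the lines the linter
# reads, with one mistake of each kind; OIDs sit under the 2.999 example arc.
SAMPLE = """\
dn: CN=exAffiliation,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: attributeSchema
cn: exAffiliation
lDAPDisplayName: exAffiliation
attributeID: 2.999.1
searchFlags: 1

dn: CN=exLegalName,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: attributeSchema
cn: exLegalName
lDAPDisplayName: exlegalname
attributeID: 2.999.1

dn: CN=exPerson,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: exPerson
lDAPDisplayName: exPerson
governsID: 2.999
mayContain: 2.999.1
mayContain: 2.999.3
defaultObjectCategory: CN=SomethingElse,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
"""
```

Run `lint_schema(open("eduPerson-active directory.ldf").read())` against each file after the search-and-replace of the DC suffix; an empty list means the structural checks pass.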


 

Following are the three schema files.

AuEduPerson

# ========================================================================================================================
#
#  File:    auEduPerson-active directory.ldf
#  Version: 20121130
#
#  Updated by Dave Colvin,
#  http://davestechnology.blogspot.com.au/ for direct AD import
#
#  This file should be imported with the following command while logged in to the Domain Controller as an Admin User:
#    ldifde -i -f "auEduPerson-active directory.ldf" -v
#
#  REMEMBER TO SEARCH AND REPLACE DC=XXX,DC=EDU,DC=AU WITH YOUR DC SUFFIX
#
# ========================================================================================================================
#  Attributes
# ========================================================================================================================
#
dn: CN=auEduPersonAffiliation,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: auEduPersonAffiliation
lDAPDisplayName: auEduPersonAffiliation
adminDisplayName: auEduPersonAffiliation
adminDescription: Specifies a person's relationship to the institution in broad categories but with a finer-grained set of permissible values than eduPersonAffiliation.
attributeID: 1.3.6.1.4.1.27856.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=auEduPersonLegalName,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: auEduPersonLegalName
lDAPDisplayName: auEduPersonLegalName
adminDisplayName: auEduPersonLegalName
adminDescription: The user's legal name, as per their passport, birth certificate, or other legal document.
attributeID: 1.3.6.1.4.1.27856.2
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=auEduPersonSharedToken,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: auEduPersonSharedToken
lDAPDisplayName: auEduPersonSharedToken
adminDisplayName: auEduPersonSharedToken
adminDescription: A unique identifier enabling federation spanning services such as Grid and Repositories. Values of the identifier are generated using a set formula. The value has the following qualities: unique; opaque; non-targeted; persistent; resolvable (only by an IdP that has supplied it); not re-assignable; not mutable (refreshing the value is equivalent to creating a new identity); permitted to be displayed (Note: the value is somewhat display friendly, and may be appended to the displayName with a separating space, and used as a unique display name to be included in PKI Certificate DNs and as a resource ownership label, e.g. John Citizen ZsiAvfxa0BXULgcz7QXknbGtfxk ); and portable.
attributeID: 1.3.6.1.4.1.27856.3
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# ========================================================================================================================
#  Object classes
# ========================================================================================================================

dn: CN=auEduPerson,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: auEduPerson
lDAPDisplayName: auEduPerson
adminDisplayName: auEduPerson
adminDescription: Consists of a set of data elements or attributes about individuals within Australian higher education
governsID: 1.3.6.1.4.1.27856
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.27856.1
mayContain: 1.3.6.1.4.1.27856.2
mayContain: 1.3.6.1.4.1.27856.3
defaultObjectCategory: CN=auEduPerson,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: auEduPerson
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# ========================================================================================================================

 

EduPerson

# ========================================================================================================================
#
#  File:    eduPerson-active directory.ldf
#  Version: 200806
#
#  Updated by Dave Colvin,
#  http://davestechnology.blogspot.com.au/ for direct AD import
#
#  This file should be imported with the following command while logged in to the Domain Controller as an Admin User:
#    ldifde -i -f "eduPerson-active directory.ldf" -v
#
#  REMEMBER TO SEARCH AND REPLACE DC=XXX,DC=EDU,DC=AU WITH YOUR DC SUFFIX
#
# ========================================================================================================================

# ========================================================================================================================
#  Attributes
# ========================================================================================================================

dn: CN=eduPersonAffiliation,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonAffiliation
lDAPDisplayName: eduPersonAffiliation
adminDisplayName: eduPersonAffiliation
adminDescription: Specifies the person's relationship(s) to the institution, permissible values: faculty, student, staff, alum, member, affiliate, employee
attributeID: 1.3.6.1.4.1.5923.1.1.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonNickname,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonNickname
lDAPDisplayName: eduPersonNickname
adminDisplayName: eduPersonNickname
adminDescription: Person's nickname, or the informal name by which they are accustomed to be hailed
attributeID: 1.3.6.1.4.1.5923.1.1.1.2
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonOrgDN,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonOrgDN
lDAPDisplayName: eduPersonOrgDN
adminDisplayName: eduPersonOrgDN
adminDescription: The distinguished name (DN) of the directory entry representing the institution with which the person is associated
attributeID: 1.3.6.1.4.1.5923.1.1.1.3
attributeSyntax: 2.5.5.1
oMSyntax: 127
isSingleValued: TRUE
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonOrgUnitDN,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonOrgUnitDN
lDAPDisplayName: eduPersonOrgUnitDN
adminDisplayName: eduPersonOrgUnitDN
adminDescription: The distinguished name(s) (DN) of the directory entries representing the person's Organizational Unit(s)
attributeID: 1.3.6.1.4.1.5923.1.1.1.4
attributeSyntax: 2.5.5.1
oMSyntax: 127
isSingleValued: FALSE
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonPrimaryAffiliation,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonPrimaryAffiliation
lDAPDisplayName: eduPersonPrimaryAffiliation
adminDisplayName: eduPersonPrimaryAffiliation
adminDescription: Specifies the person's PRIMARY relationship to the institution in broad categories such as student, faculty, staff, alum, etc
attributeID: 1.3.6.1.4.1.5923.1.1.1.5
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonPrincipalName,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonPrincipalName
lDAPDisplayName: eduPersonPrincipalName
adminDisplayName: eduPersonPrincipalName
adminDescription: The "NetID" of the person for the purposes of inter-institutional authentication. It should be represented in the form "user@scope" where scope defines a local security domain
attributeID: 1.3.6.1.4.1.5923.1.1.1.6
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonEntitlement,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonEntitlement
lDAPDisplayName: eduPersonEntitlement
adminDisplayName: eduPersonEntitlement
adminDescription: URI (either URN or URL) that indicates a set of rights to specific resources
attributeID: 1.3.6.1.4.1.5923.1.1.1.7
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonPrimaryOrgUnitDN,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonPrimaryOrgUnitDN
lDAPDisplayName: eduPersonPrimaryOrgUnitDN
adminDisplayName: eduPersonPrimaryOrgUnitDN
adminDescription: The distinguished name (DN) of the directory entry representing the person's primary Organizational Unit(s)
attributeID: 1.3.6.1.4.1.5923.1.1.1.8
attributeSyntax: 2.5.5.1
oMSyntax: 127
isSingleValued: TRUE
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonScopedAffiliation,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonScopedAffiliation
lDAPDisplayName: eduPersonScopedAffiliation
adminDisplayName: eduPersonScopedAffiliation
adminDescription: Specifies the person's affiliation (see eduPersonAffiliation) within a particular security domain, the values consist of a left (affiliation) and right component (security domain) separated by an "@" sign
attributeID: 1.3.6.1.4.1.5923.1.1.1.9
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 1
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonTargetedID,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonTargetedID
lDAPDisplayName: eduPersonTargetedID
adminDisplayName: eduPersonTargetedID
adminDescription: A persistent, non-reassigned, opaque identifier for a principal
attributeID: 1.3.6.1.4.1.5923.1.1.1.10
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=eduPersonAssurance,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: eduPersonAssurance
lDAPDisplayName: eduPersonAssurance
adminDisplayName: eduPersonAssurance
adminDescription: Set of URIs that assert compliance with specific standards for identity assurance.
attributeID: 1.3.6.1.4.1.5923.1.1.1.11
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
searchFlags: 0
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


# ========================================================================================================================
#  Object classes
# ========================================================================================================================

dn: CN=eduPerson,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: eduPerson
lDAPDisplayName: eduPerson
adminDisplayName: eduPerson
adminDescription: Consists of a set of data elements or attributes about individuals within higher education
governsID: 1.3.6.1.4.1.5923.1.1.2
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.5923.1.1.1.1
mayContain: 1.3.6.1.4.1.5923.1.1.1.2
mayContain: 1.3.6.1.4.1.5923.1.1.1.3
mayContain: 1.3.6.1.4.1.5923.1.1.1.4
mayContain: 1.3.6.1.4.1.5923.1.1.1.5
mayContain: 1.3.6.1.4.1.5923.1.1.1.6
mayContain: 1.3.6.1.4.1.5923.1.1.1.7
mayContain: 1.3.6.1.4.1.5923.1.1.1.8
mayContain: 1.3.6.1.4.1.5923.1.1.1.9
mayContain: 1.3.6.1.4.1.5923.1.1.1.10
mayContain: 1.3.6.1.4.1.5923.1.1.1.11
defaultObjectCategory: CN=eduPerson,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: eduPerson
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
# ========================================================================================================================

 

SchAc

# ========================================================================================================================
#  Based on file Schac-Schema-1.4-Sun.ldif (non experimental schema items)
#
#  File:    schac-active directory.ldf
#  Version: 20121103
#
#  Updated by Dave Colvin,
#  http://davestechnology.blogspot.com.au/ for AD direct import
#
#  This file should be imported with the following command while logged in to the Domain Controller as an Admin User:
#    ldifde -i -f "schac-active directory.ldf" -v
#
#  REMEMBER TO SEARCH AND REPLACE DC=XXX,DC=EDU,DC=AU WITH YOUR DC SUFFIX
#

# ========================================================================================================================
#  Attributes
# ========================================================================================================================

dn: cn=schacMotherTongue,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: schacMotherTongue
lDAPDisplayName: schacMotherTongue
adminDisplayName: schacMotherTongue
adminDescription: RFC 3066 code for preferred language of communication
attributeID: 1.3.6.1.4.1.25178.1.2.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacGender,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.2
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacGender
cn: schacGender
oMSyntax: 64
adminDisplayName: schacGender
adminDescription: Representation of human gender (see ISO 5218)
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacDateOfBirth,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.3
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacDateOfBirth
cn: schacDateOfBirth
oMSyntax: 64
adminDisplayName: schacDateOfBirth
adminDescription: Date of birth (format YYYYMMDD, only numeric chars)
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacPlaceOfBirth,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.4
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacPlaceOfBirth
cn: schacPlaceOfBirth
oMSyntax: 64
adminDisplayName: schacPlaceOfBirth
adminDescription: Birth place of a person
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacCountryOfCitizenship,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.5
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacCountryOfCitizenship
cn: schacCountryOfCitizenship
oMSyntax: 64
adminDisplayName: schacCountryOfCitizenship
adminDescription: Country of citizenship of a person. Format two-letter acronym according to ISO 3166
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacSn1,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.6
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacSn1
cn: schacSn1
oMSyntax: 64
adminDisplayName: schacSn1
searchFlags: 1
showInAdvancedViewOnly: TRUE
adminDescription: First surname of a person
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacSn2,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.7
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacSn2
cn: schacSn2
oMSyntax: 64
adminDisplayName: schacSn2
searchFlags: 1
showInAdvancedViewOnly: TRUE
adminDescription: Second surname of a person
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacPersonalTitle,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.8
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacPersonalTitle
cn: schacPersonalTitle
oMSyntax: 64
adminDisplayName: schacPersonalTitle
adminDescription: RFC1274: personal title
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacHomeOrganization,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.9
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacHomeOrganization
cn: schacHomeOrganization
oMSyntax: 64
adminDisplayName: schacHomeOrganization
adminDescription: Domain name of the home organization
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacHomeOrganizationType,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.10
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacHomeOrganizationType
cn: schacHomeOrganizationType
oMSyntax: 64
adminDisplayName: schacHomeOrganizationType
adminDescription: Type of the home organization
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacCountryOfResidence,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.11
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacCountryOfResidence
cn: schacCountryOfResidence
oMSyntax: 64
adminDisplayName: schacCountryOfResidence
adminDescription: Country of residence of a person. Format two-letter acronym according to ISO 3166
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacUserPresenceID,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.12
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacUserPresenceID
cn: schacUserPresenceID
oMSyntax: 64
adminDisplayName: schacUserPresenceID
adminDescription: Used to store a set of values related to the network presence
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacPersonalPosition,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.13
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacPersonalPosition
cn: schacPersonalPosition
searchFlags: 1
showInAdvancedViewOnly: TRUE
oMSyntax: 64
adminDisplayName: schacPersonalPosition
adminDescription: Position inside an institution
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacPersonalUniqueCode,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.14
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacPersonalUniqueCode
cn: schacPersonalUniqueCode
oMSyntax: 64
searchFlags: 1
showInAdvancedViewOnly: TRUE
adminDisplayName: schacPersonalUniqueCode
adminDescription: unique code for the subject
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacPersonalUniqueID,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.15
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacPersonalUniqueID
cn: schacPersonalUniqueID
oMSyntax: 64
searchFlags: 1
showInAdvancedViewOnly: TRUE
adminDisplayName: schacPersonalUniqueID
adminDescription: Unique identifier for the subject
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacExpiryDate,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.17
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacExpiryDate
cn: schacExpiryDate
oMSyntax: 64
adminDisplayName: schacExpiryDate
adminDescription: Date from which the set of data is to be considered invalid (format YYYYMMDDhhmmssZ)
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacUserPrivateAttribute,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.18
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacUserPrivateAttribute
cn: schacUserPrivateAttribute
oMSyntax: 64
adminDisplayName: schacUserPrivateAttribute
adminDescription: Set of denied access attributes
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacUserStatus,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.19
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacUserStatus
cn: schacUserStatus
oMSyntax: 64
adminDisplayName: schacUserStatus
adminDescription: Used to store a set of status of a person as user of services
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacProjectMembership,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.20
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacProjectMembership
cn: schacProjectMembership
oMSyntax: 64
searchFlags: 1
showInAdvancedViewOnly: TRUE
adminDisplayName: schacProjectMembership
adminDescription: Name of the project
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacProjectSpecificRole,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.2.21
attributeSyntax: 2.5.5.12
isSingleValued: FALSE
lDAPDisplayName: schacProjectSpecificRole
cn: schacProjectSpecificRole
oMSyntax: 64
searchFlags: 1
showInAdvancedViewOnly: TRUE
adminDisplayName: schacProjectSpecificRole
adminDescription: Used to store a set of roles of a person inside a project
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: cn=schacYearOfBirth,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.25178.1.0.2.3
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
lDAPDisplayName: schacYearOfBirth
cn: schacYearOfBirth
oMSyntax: 64
adminDisplayName: schacYearOfBirth
adminDescription: Year of birth (format YYYY, only numeric chars)
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


# ========================================================================================================================
#  Object classes
# ========================================================================================================================

dn: CN=schacPersonalCharacteristics,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacPersonalCharacteristics
lDAPDisplayName: schacPersonalCharacteristics
adminDisplayName: schacPersonalCharacteristics
adminDescription: Personal characteristics describe the individual person represented by the entry
governsID: 1.3.6.1.4.1.25178.1.1.1
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.8
mayContain: 1.3.6.1.4.1.25178.1.2.7
mayContain: 1.3.6.1.4.1.25178.1.2.6
mayContain: 1.3.6.1.4.1.25178.1.2.5
mayContain: 1.3.6.1.4.1.25178.1.2.4
mayContain: 1.3.6.1.4.1.25178.1.2.3
mayContain: 1.3.6.1.4.1.25178.1.2.2
mayContain: 1.3.6.1.4.1.25178.1.2.1
defaultObjectCategory: CN=schacPersonalCharacteristics,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacPersonalCharacteristics
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=schacContactLocation,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacContactLocation
lDAPDisplayName: schacContactLocation
adminDisplayName: schacContactLocation
adminDescription: Primary means of locating and contacting potential collaborators and other persons-of-interest at peer institutions
governsID: 1.3.6.1.4.1.25178.1.1.2
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.12
mayContain: 1.3.6.1.4.1.25178.1.2.11
mayContain: 1.3.6.1.4.1.25178.1.2.10
mayContain: 1.3.6.1.4.1.25178.1.2.9
defaultObjectCategory: CN=schacContactLocation,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacContactLocation
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


dn: CN=schacEmployeeInfo,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacEmployeeInfo
lDAPDisplayName: schacEmployeeInfo
adminDisplayName: schacEmployeeInfo
adminDescription: Employee information includes attributes that have relevance to the employee role, such as position, office hours, and job title
governsID: 1.3.6.1.4.1.25178.1.1.3
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.13
defaultObjectCategory: CN=schacEmployeeInfo,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacEmployeeInfo
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


# The original listing had governsID 1.3.6.1.4.1.25178 (the bare SCHAC arc) here; the SCHAC
# schema assigns schacLinkageIdentifiers 1.3.6.1.4.1.25178.1.1.4, the gap between .1.1.3 and .1.1.5
dn: CN=schacLinkageIdentifiers,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacLinkageIdentifiers
lDAPDisplayName: schacLinkageIdentifiers
adminDisplayName: schacLinkageIdentifiers
adminDescription: Used to link a directory entry with records in external data stores or other directory entries
governsID: 1.3.6.1.4.1.25178.1.1.4
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.15
mayContain: 1.3.6.1.4.1.25178.1.2.14
defaultObjectCategory: CN=schacLinkageIdentifiers,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacLinkageIdentifiers
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


dn: CN=schacEntryMetadata,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacEntryMetadata
lDAPDisplayName: schacEntryMetadata
adminDisplayName: schacEntryMetadata
adminDescription: Used to contain information about the entry itself, often its status, birth, and death
governsID: 1.3.6.1.4.1.25178.1.1.5
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.17
defaultObjectCategory: CN=schacEntryMetadata,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacEntryMetadata
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=schacEntryConfidentiality,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacEntryConfidentiality
lDAPDisplayName: schacEntryConfidentiality
adminDisplayName: schacEntryConfidentiality
adminDescription: Used to indicate whether an entry is visible publicly, visible only to affiliates of the institution, or not visible at all
governsID: 1.3.6.1.4.1.25178.1.1.6
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.18
defaultObjectCategory: CN=schacEntryConfidentiality,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacEntryConfidentiality
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=schacUserEntitlements,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacUserEntitlements
lDAPDisplayName: schacUserEntitlements
adminDisplayName: schacUserEntitlements
adminDescription: Authorization for services
governsID: 1.3.6.1.4.1.25178.1.1.7
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.19
defaultObjectCategory: CN=schacUserEntitlements,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacUserEntitlements
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


dn: CN=schacGroupMembership,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: ntdsschemaadd
objectClass: classSchema
cn: schacGroupMembership
lDAPDisplayName: schacGroupMembership
adminDisplayName: schacGroupMembership
adminDescription: Groups used to provide/restrict authorization to entries and attributes
governsID: 1.3.6.1.4.1.25178.1.1.8
objectClassCategory: 3
subclassOf: top
rdnAttId: cn
mayContain: 1.3.6.1.4.1.25178.1.2.21
mayContain: 1.3.6.1.4.1.25178.1.2.20
defaultObjectCategory: CN=schacGroupMembership,cn=Schema,cn=Configuration,DC=xxx,DC=EDU,DC=AU
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=xxx,DC=EDU,DC=AU
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacGroupMembership
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


# ========================================================================================================================
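Because an AD schema extension cannot be undone, it is worth checking a file like the one above before handing it to ldifde. The script below is an added example, not part of the original post: it parses LDIF records (including base64 values written after a double colon) and checks the object-class records for the mistakes that are easy to make by hand. KNOWN_ATTRIBUTE_OIDS and SAMPLE_LDIF are constructed for the example and assume the attribute OIDs 1.3.6.1.4.1.25178.1.2.1 to .21 were defined earlier in the file.

```python
"""Pre-flight check for an AD schema-extension LDIF (added example, not from the
post): parses LDIF records, including base64 '::' values, and flags mayContain
OIDs with no attribute definition, reused or overlapping governsID arcs, and
classes never attached to User as an auxiliaryClass, before ldifde is run."""
import base64
from collections import defaultdict

# Attribute OIDs assumed defined by the attributeSchema records that precede the
# object classes in the real file (constructed placeholder set for this example).
KNOWN_ATTRIBUTE_OIDS = {f"1.3.6.1.4.1.25178.1.2.{i}" for i in range(1, 22)}


def parse_ldif(text):
    """Parse LDIF text into a list of records (dict: attribute -> [values])."""
    records, current = [], None
    for line in text.splitlines() + [""]:        # trailing "" closes last record
        if line.startswith("#") or line == "-":   # comment / modify separator
            continue
        if not line.strip():
            if current is not None:
                records.append(dict(current))
                current = None
            continue
        if current is None:
            current = defaultdict(list)
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current[name.strip()].append(value)
    return records


def check_schema(records, known_attrs=KNOWN_ATTRIBUTE_OIDS):
    """Return a list of problems; an empty list means the file passed."""
    problems, oid_owner, attached, classes = [], {}, set(), []
    for rec in records:
        if rec.get("changetype") == ["modify"]:
            attached.update(rec.get("auxiliaryClass", []))
            continue
        if "classSchema" not in rec.get("objectClass", []):
            continue
        name = rec["lDAPDisplayName"][0]
        classes.append(name)
        oid = rec.get("governsID", [""])[0]
        if oid in oid_owner:
            problems.append(f"{name}: governsID {oid} reused from {oid_owner[oid]}")
        else:
            oid_owner[oid] = name
        for may in rec.get("mayContain", []):
            if may not in known_attrs:
                problems.append(f"{name}: mayContain {may} has no attribute definition")
    # a class OID must never be an arc above another one (a truncated OID does this)
    for a, owner in oid_owner.items():
        for b in oid_owner:
            if b.startswith(a + "."):
                problems.append(f"{owner}: governsID {a} is an arc above {b}")
    for name in classes:
        if name not in attached:
            problems.append(f"{name}: never added as an auxiliaryClass")
    return problems


# Constructed sample: one clean class, one with a truncated governsID never attached to User
SAMPLE_LDIF = """\
dn: CN=schacContactLocation,CN=Schema,CN=Configuration,DC=example,DC=edu
changetype: ntdsschemaadd
objectClass: classSchema
lDAPDisplayName: schacContactLocation
adminDescription:: Q29udGFjdCBpbmZv
governsID: 1.3.6.1.4.1.25178.1.1.2
mayContain: 1.3.6.1.4.1.25178.1.2.9
mayContain: 1.3.6.1.4.1.25178.1.2.99

dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=edu
changetype: modify
add: auxiliaryClass
auxiliaryClass: schacContactLocation
-

dn: CN=schacLinkageIdentifiers,CN=Schema,CN=Configuration,DC=example,DC=edu
changetype: ntdsschemaadd
objectClass: classSchema
lDAPDisplayName: schacLinkageIdentifiers
governsID: 1.3.6.1.4.1.25178
mayContain: 1.3.6.1.4.1.25178.1.2.14
"""

if __name__ == "__main__":
    print("\n".join(check_schema(parse_ldif(SAMPLE_LDIF))))
```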

Wednesday, November 28, 2012

Active Directory Password and InetOrgPerson

 

I read about a few AD oddities that I wanted to share; they are from this link. I have not verified these myself yet, but they are interesting.

 

Old password remains valid for an hour

As described in this Microsoft Support article, as of Windows Server 2003 SP1, once you've changed a user's password, the old password remains valid for an hour after the change. In effect, this means you can use both a user's old password and the user's new password to log in for one hour!

New password accepted in LDAP modify operation but not really accepted

In some cases (particularly with passwords containing special characters, such as non-ASCII characters), Active Directory will accept a password update operation and return a “Success (0)” result for the LDAP modify operation, BUT the new password will not be usable.

For this reason, we recommend always checking that a successful BIND operation can be performed against Active Directory with the new password after changing it. You can use the canBind* functions to do this.

 

Non-standard objectClasses

Active Directory does not respect the inetOrgPerson objectClass definition specified in RFC 2798. An explanation is provided below.

LSC version 1.2.0 can synchronize to and from Active Directory despite this.

The objectClass inheritance path defined in RFC 2798 is as follows:

  • top
    • person
      • organizationalPerson
        • inetOrgPerson

However, in Active Directory, an extra objectClass, named user, is inserted in this path:

  • top
    • person
      • organizationalPerson
        • user
          • inetOrgPerson

This is documented by Microsoft in the Active Directory Schema documentation.

Tuesday, November 20, 2012

LDAPSearch Commands Cygwin

 

LDAPSearch

appBackLink
ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword "(cn=Lotus Notes 5)"

appBackLink
objectClass: appApplication
ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword "(cn=Lotus Notes 5)"

equivalentToMe: cn=ColvinDU,ou=Sys,ou=IT,ou=ROOT,o=ORG
member: cn=ColvinDU,ou=Sys,ou=IT,ou=ROOT,o=ORG

ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword "(objectclass=groupOfNames)" member

ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword -b "ou=NAL Objects,ou=CAS,o=SHC" "(objectclass=appApplication)" appBackLink >> nal-users.txt

ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword "(cn=Lotus Notes 5)" appBackLink

To get the users assigned to the object below:

ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword -b "ou=CAS,o=SHC" "(cn=ACCESSDB-SHORTCUT-RRIVALS-2K)" ACL

Search filters must be written as "(attribute=value)"; a bare objectclass:groupOfNames is rejected as a bad filter. Passing the bind password with -w leaves it in the process list and shell history; -W prompts for it and -y file reads it from a file instead.

 

To create a group via LDAPAdd

$ cat group.ldif
dn: cn=xxaaxx,ou=ROOT,o=ORG
objectclass: group
cn: xxaaxx

$ ldapadd -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword -f group.ldif

 

To configure the LDAP client tools for SSL

$ cat /etc/openldap/ldap.conf

# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE ou=ROOT,o=ORG
URI ldaps://domainController

# allow: the session proceeds even if the server presents no certificate or one
# that fails to verify, so the server is not authenticated; demand (the default)
# requires a certificate that verifies against TLS_CACERT.
TLS_REQCERT allow

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# Define SSL and TLS properties (optional)
# TLSCertificateFile, TLSCertificateKeyFile and TLSCACertificateFile are slapd.conf
# directives and do nothing in ldap.conf. The client-side option is TLS_CACERT (the
# CA that signed the server certificate, which is all that is needed here);
# TLS_CERT / TLS_KEY are only for the client's own certificate and key.
# OpenLDAP reads the CA file as PEM; if the export is DER, convert it first:
#   openssl x509 -inform DER -in scdata.der -out scdata.pem
TLS_CACERT /var/openldap/scdata.der
#TLS_CERT /var/openldap/client.pem
#TLS_KEY /var/openldap/client.key

# loglevel is a slapd.conf directive and is ignored by the client tools; for
# debugging add -d -1 to the ldapsearch command line instead.
#loglevel 256

$ ls /var/openldap/

openldap-data openldap-slurp run scdata.der

$ ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword

 

Base64 decoder

Required for some Novell NDS objects (ldapsearch prints binary and non-ASCII attribute values base64-encoded after a double colon, attr::):
http://makcoder.sourceforge.net/demo/base64.php

End of document

Wednesday, November 14, 2012

Installation ended prematurely because of an error.

 

However, when trying to install Hotfix Rollup Pack 1 for Citrix XenApp 6.5 for Microsoft Windows Server 2008 R2

http://support.citrix.com/article/CTX132122


"Installation ended prematurely because of an error."

The following solutions have resolved this error in the majority of cases:

Make sure short file name creation is enabled on the target machine.

Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Make sure the value "NtfsDisable8dot3NameCreation" is equal to 0. This indicates that short file name creation is enabled. A value of 1 indicates that this functionality is disabled; if so, change the value to 0.

After modifying this value, the target machine should be rebooted before attempting to launch the setup again.

Wednesday, November 07, 2012

Handbrake for Ubuntu – the easy way

 

I am sick of half-baked instructions; this is all you need to download and install Handbrake for Ubuntu Precise (12.04) 64-bit:

 

sudo add-apt-repository ppa:stebbins/handbrake-releases
sudo apt-get update
sudo apt-get install handbrake-gtk handbrake-cli

 

Then you run it, end of story…

Tuesday, November 06, 2012

DC Promo Answer Files

 

Your handy reference…

First Windows 2003 Server DC in the Forest

[DCInstall]
AutoConfigDNS = Yes
NewDomain = forest
NewDomainDNSName = devDave.com.au
DomainNetBiosName = devDave
ReplicaOrNewDomain = domain
ForestLevel = 2
DomainLevel = 2
DatabasePath = "%SYSTEMROOT%\Data"
LogPath = "%SYSTEMROOT%\Logs"
SysVolPath = "%SYSTEMDRIVE%\Sysvol"
SafeModeAdminPassword = Password1
DisableCancelForDnsInstall = Yes
RebootOnSuccess = Yes
SiteName = Home
UserName = administrator
Password = Password1

Promote Additional Window Server 2003 DC

[DCInstall]
AutoConfigDNS = Yes
ConfirmGc = Yes
DatabasePath = %SYSTEMROOT%\Data
DisableCancelForDnsInstall = Yes
LogPath = %SYSTEMROOT%\Logs
RebootOnSuccess = Yes
ReplicaDomainDNSName = devDave.com.au
ReplicaOrMember = Replica
ReplicaOrNewDomain = Replica
ReplicationSourceDC = dc1.devDave.com.au
SiteName = <site name>
SysVolPath = %SYSTEMDRIVE%\Sysvol
UserName = administrator
UserDomain = devDave.com.au
Password = Password1

Demote Windows Server 2003 DCs

[DCINSTALL]
UserName = administrator
Password = Password1
UserDomain = devDave.com.au
AdministratorPassword = Password1
IsLastDCInDomain = no
RebootOnSuccess = yes

Promote First Windows Server 2008 R2 DC

[DCInstall]
InstallDNS = Yes
ConfirmGc = Yes
DatabasePath = %SYSTEMROOT%\Data
LogPath = %SYSTEMROOT%\Logs
RebootOnCompletion = Yes
ReplicaDomainDNSName = devDave.com.au
ReplicaOrNewDomain = New
ReplicationSourceDC = dc1.devDave.com.au
SiteName = Home
SysVolPath = %SYSTEMDRIVE%\Sysvol
UserName = administrator
UserDomain = devDave.com.au
Password = Password1
SafeModeAdminPassword = Password1

Promote Additional Windows Server 2008 R2 DCs

[DCInstall]
InstallDNS = Yes
ConfirmGc = Yes
DatabasePath = %SYSTEMROOT%\Data
LogPath = %SYSTEMROOT%\Logs
RebootOnCompletion = Yes
ReplicaDomainDNSName = devDave.com.au
ReplicaOrNewDomain = Replica
ReplicationSourceDC = dc1.devDave.com.au
SiteName = Home
SysVolPath = %SYSTEMDRIVE%\Sysvol
UserName = administrator
UserDomain = devDave.com.au
Password = Password1
SafeModeAdminPassword = Password1

Friday, October 19, 2012

A usable server cannot be found.. Citrix XenApp 6.5

 

A usable server cannot be found on which to launch the application. APP-DETAILS. Check your worker group definitions and load balancing policies to verify appropriate servers are assigned for APP-DETAILS.

This shows as "An error occurred while making the connection" in the Web Interface.

The details show up in the event log. Of course, triple-checking the worker groups and load balancers showed they were not the problem... so...

Using QFarm shows a server load of 20000.

The licence server is set up in the GPO.

Ping works, but it was answering over IPv6...

And a telnet to the licence server port fails remotely, but does work on the local host...

IPv6 was disabled on the server, so the IPv6 entries were deleted from DNS.

Ensured telnet then worked remotely.

Checked that the licence was active on the licence server and it was good to go.

Then gpupdate /force to ensure the policy applied.

Qfarm was now healthy and looking good.

So the error was a missing licence, of course.

Thursday, October 11, 2012

Windows Page File Size – VDI (or Server)

 

On your computer, desktop, server or VDI session do the following:

  1. Start all the applications you need to run at the same time: Outlook, Word, Excel, AV console, Paint, etc.
  2. Then via Task Manager look at the "commit charge peak" highlighted below.
  3. Now you can set your paging file minimum to be that value minus the amount of RAM you have.
  4. If this value is a negative number, set the minimum size to match the crash dump option you have configured (if you have one).

So in the example below, on this VDI session I have disabled the crash dump and so don't need a page file at all, which saves me IOPS.

BUT setting no page file leaves no head room for an app requiring more memory, and that app can be as simple as a large JPG in MSPaint, so disabling is good for performance but has its limits.

image

 

Reference

Nick Rintalan's blog on this topic:
http://blogs.citrix.com/2011/12/23/the-pagefile-done-right/

Mark Russinovich's blog on this topic:
http://blogs.technet.com/b/markrussinovich/archive/2008/11/17/3155406.aspx

Friday, October 05, 2012

High Availability for Citrix and Terminal Server, RDS Licencing

 

I have been tasked to build a highly available Terminal Server / Remote Desktop Services (TS/RDS) / Citrix XenApp solution, and as part of this I need highly available TS/RDS and Citrix licence servers. As part of the solution money comes into the design, so I have decided not to bother, and here is why:

  1. Once the new TS/RDS licence server has been active for some time it will hold a valid licence for everyone who commonly uses the system (home computers, work computers, laptops etc.)
  2. To build HA into the RDS/TS licence server I will need two servers with shared licences to load balance, which is OK but a bit brain dead
  3. To build HA into the Citrix licence host requires a cluster (over a WAN, which I don't have access to build here just yet)
  4. If there is an outage of the Citrix licence server, the service only needs to be restored within 30 days

One TS/RDS licence server, shared with a Citrix licence server, will do me fine. I will just make sure a full image backup is run weekly and stored off site for restoration in the event the primary data centre burns down.

 

Support material below (edited and updated for clarity) but original links provided.

Failed Microsoft RDS/TS License server ramifications

http://social.technet.microsoft.com/Forums/en-ZA/winserverTS/thread/ebf3a271-4554-41b0-9345-38d74133eacc

If your TS/RDSH cannot contact the license server, the clients that have a valid license will start and continue to work without error. New clients that either have no license or have an expired license will not be able to connect.

There is no grace period provided for your clients if your TS/RDS license server has failed. For each permanent Per Device CAL that is issued, an expiration period is applied. This expiration period is a random number between 52 and 89 days after the license was issued. The terminal server always attempts to renew these CALs seven days before they expire.

 

Microsoft TS/RDS Licence server High Availability

http://www.microsoft.com/technet/community/en-us/terminal/terminal_faq.mspx

The recommended method to configure Terminal Services Licensing servers for high availability is to install at least two Terminal Services Licensing servers with available Terminal Services CALs. Each server will then advertise itself in Active Directory as an enterprise license server through Lightweight Directory Access Protocol (LDAP).

Each Terminal Services Licensing server should contain 50% of your CALs for load balancing within your environment. If a Terminal Services Licensing server does not have valid CALs, then that Terminal Services Licensing server will attempt to refer to other Terminal Services Licensing servers with valid CALs for license issuance.

Each client will begin a license request and upgrade 7 days before the license expiration date.

 

Initial setup of a new Microsoft License server

http://technet.microsoft.com/en-us/library/cc725933.aspx

To allow ample time for you to deploy a license server, RDS/TS provides a licensing grace period. During this grace period, a server will accept connections from unlicensed clients without contacting a license server. The grace period begins the first time the TS/RD Session Host server accepts a client connection. The grace period ends after whichever of the following occurs first:

1. A permanent RDS CAL is issued by a license server to a client connecting to the RD Session Host server.

2. The number of days in the grace period is exceeded.

The length of the grace period is based on the operating system running on the RD Session Host server.

The grace periods are:

Operating system running on the RD Session Host server    Grace period
Windows Server 2008 R2                                    120 days
Windows Server 2008                                       120 days
Windows Server 2003 R2                                    120 days
Windows Server 2003                                       120 days

 

Microsoft’s Per User and Per Device CALs

http://technet.microsoft.com/en-us/library/cc725890.aspx

You can install both Per User and Per Device CALs onto the same license server.

You can install RDS CALs for different product versions onto the same license server. For example, you can install both Windows Server 2003 TS Per Device CALs and Windows Server 2008 TS Per User CALs onto a license server that is running Windows Server 2008 R2. This gives you the ability to have one license server provide RDS CALs to Remote Desktop Session Host (RD Session Host) servers running various versions of Windows Server.

 

Microsoft License Server Backup and Restore

http://www.virtualizationadmin.com/articles-tutorials/terminal-services/licensing/terminal-services-license-server-high-availability-recovery-part2.html

Regardless of the backup processes you use to back up a license server, the following components must be included in the backup process:

1. System State, which will capture the activation status and identity of the license server.

2. LServer directory (%SYSTEMROOT%\System32\LServer by default), to capture the actual licensing database.

3. Repair directory (optional - %SYSTEMROOT%\Repair)

Preferably, the entire server should be backed up, including the system drive and any pertinent data drives, but items one and two above represent the minimum.

Recovering a License Server: If the server's operating system is still intact, then the recovery process may simply be to recover the last known working backup of the System State and LServer directory, and restore that information to the license server.

If the operating system is corrupt or the failure requires a complete server rebuild, you may have more work ahead.

 

Overall Citrix Services Outage Tolerance

http://www.brianmadden.com/forums/t/12996.aspx

1. The license server can be down for 30 days before the farm stops accepting connections.

2. The data store can be down indefinitely without affecting users, although administrators will not be able to use the management consoles.

3. Zone Data Collectors automatically fail over to another server.

Redundant Citrix Licence Server

http://www.virtualization.vanbragt.net/index.php?option=com_content&view=article&id=563:the-need-ands-how-to-create-a-redundant-citrix-license-server&catid=53:how-to-articles&Itemid=468

There are three possibilities:

1. Clustering using Windows Clustering;

2. Cold standby solution;

3. Transferring the licenses to another IIS server.

Citrix Licence Server Clustering

To build this configuration you need at least two nodes:

1. IIS must be installed and not manually configured as a cluster resource.

2. To build this on a cluster you also need a shared disk, two NICs (one for the heartbeat and one for the public network), a virtual server name and a cluster IP address.

3. Install the Java Runtime in the normal way on both physical nodes.

4. Then the installation of the license server can be started on the virtual (cluster) server. This must be done using command line parameters. The full command line is:

msiexec /i <INSTALLSOURCE>:\Licensing\ctx_licensing.msi CTX_CLUSTER_RESOURCE_DLL_PATH="C:\ctxlic" REGISTER_CTX_LS_CLUSTERING="No" /l*v "<SHAREDDISKDRIVE>:\install_firstnode.log"

5. Follow the wizard of the Citrix License Server installation program, but change the destination folder to <SHAREDDISKDRIVE>:\Citrix. Also set the location of the license file within this folder (default <SHAREDDISKDRIVE>:\Citrix\Licensing\MyFiles). After the installation move the virtual node to the second physical server.

6. The command for the second node (or the other following nodes, when using more than two physical nodes) is:

msiexec /i <INSTALLSOURCE>:\Licensing\ctx_licensing.msi CTX_CLUSTER_RESOURCE_DLL_PATH="C:\ctxlic" REGISTER_CTX_LS_CLUSTERING="Yes" /l*v "e:\install_secondnode.log"

 

Citrix License Server Cold Standby solution

The license file contains the host name of the server which hosts the License server. Therefore the cold standby must have exactly the same name as your default license server.

But no second server with the same name can be created in Active Directory. Because the License server is based on Internet Information Server, this machine does not need to be a member of a domain. The best way is to run the cold standby in workgroup mode, with the installation done standalone or on a completely separate network. Install the server fully configured, including the license file imported. When your default server fails just turn the cold standby on (connected to the production LAN). Because the hostname is the same, no additional configuration is needed. If you are using a CNAME, check that the DNS A records point to the right IP address for the cold standby server. When the default license server is available again, just power down the cold standby and put the default server back in production.

Transferring Citrix licenses to another IIS server

The license file cannot be reused because of the included hostname. But within MyCitrix.com it is possible to return licenses for re-allocation. In this solution, return your licenses first and then reallocate them using the hostname of the other IIS server. Citrix limits the number of times you can return and reallocate licenses, so this option should only be used when no other solution is available. Use a CNAME for your license server, so the only change needed is made with the DNS tool.

 

Citrix Licence Server FAQ

http://support.citrix.com/proddocs/topic/licensing-1110/lic-faq.html

Can I rename the license server? No. License files run only on the license server for which they were made, identified by its hostname.

If I upgrade my license server will it affect my license files? No. The license server and all product licenses are fully backward compatible and will not introduce any issues into your environment.

Can a single license server supply licenses to users connecting from different servers using different product editions? Yes. One license server can contain licenses for multiple editions of a Citrix product. The type of license checked out corresponds to the edition that is configured on the product server. A product server is configured to consume an edition of a license and therefore will check out that edition of a license.

 

Say hello or complain to me here:

http://www.linkedin.com/pub/dave-colvin/5/403/641

https://www.facebook.com/dave.colvin 

https://twitter.com/DaveColvin

Wednesday, October 03, 2012

Windows 2008 TS CALs and 2008 R2 RDS CALs

The following information is abridged from the noted sites:

http://blogs.msdn.com/b/rds/archive/2009/09/04/what-s-the-difference-between-a-rds-cal-and-a-ts-cal.aspx

The equivalence of Windows Server 2008 TS CAL & Windows Server 2008 RDS CAL

Microsoft changed the name of Terminal Services (TS) to Remote Desktop Services (RDS) in Windows Server 2008 R2. And as such, they renamed the CAL.

The new CAL is called a Windows Server 2008 RDS CAL (rather than 2008 R2 CAL). This is because R2 is a refresh release and while you need to buy new Windows Server licenses you do not need to buy new RDS CALs if you already own 2008 TS CALs.

This means you can use the Windows Server 2008 TS CALs with your Windows Server 2008 R2 Remote Desktop Services. If you have Windows Server 2003 TS CALs you will need to buy new RDS 2008 CALs.

http://blogs.msdn.com/b/rds/archive/2009/07/27/windows-server-2008-r2-rds-and-windows-server-2008-ts-cal-compatibility.aspx

Because they are compatible, you can install Windows Server 2008 TS CALs on Windows Server 2008 R2 license server and Windows Server 2008 RDS CALs on Windows Server 2008 license server. You need to request your Technical Account Manager (TAM) or Escalation Engineer (EE) for KB 968074 and install it on the license server.

Tuesday, September 18, 2012

How to Change your W2K8 R2 server from Standard to Enterprise

 

Go to a command prompt:

Dism /online /get-currentedition
Dism /online /get-targeteditions
Dism /online /Set-Edition:ServerEnterprise /ProductKey:xxxxxxxxxxxxxx

If the process fails you will most likely receive an error such as "The specified product key is not valid for the target edition." Verify the information is typed correctly. Use this Windows temporary key to get around this error: “489J6-VHDMP-X63PK-3K798-CPX3Y”.

Several reboots are required for the upgrade process.

Enter your actual W2K8 R2 key and reboot again to make sure it took and all is well. Your server should now be at the Enterprise level.

PS: I have not done this myself, so your mileage may vary; I have just reposted this from Percy MvNab's blog as I did not know it was possible… Cheers Percy!
