Wednesday, November 28, 2012

Active Directory Password and InetOrgPerson

I read about a few AD oddities that I wanted to share; they are from this link. I have not verified these myself yet, but they are interesting.

Old password remains valid for an hour

As described in this Microsoft Support article, as of Windows Server 2003 SP1, once you've changed a user's password, the old password remains valid for an hour after the change. In effect, this means you can use both the user's old password and the user's new password to log in for one hour!

New password accepted in LDAP modify operation but not really accepted

In some cases (particularly with passwords containing special characters, such as non-ASCII characters), Active Directory will accept a password update operation and return a “Success (0)” result for the LDAP modify operation, BUT the new password will not be usable.

For this reason, we recommend always checking that a successful BIND operation can be performed against Active Directory with the new password after changing it. You can use the canBind* functions to do this.
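One way to do that bind check, added here as an example and not LSC's own canBind* code: an LDAPv3 simple bind over LDAPS built with only the Python standard library (no ldap3 or python-ldap), returning True when the DC answers resultCode 0. The host, bind DN and password are whatever the caller passes in; none of the values below are real names from this page.

```python
import socket
import ssl

def _ber_len(n):
    # BER definite length: short form below 128, long form (0x80 | byte count) otherwise
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _read_tlv(buf, pos):
    # Return (tag, value, position after this element); handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_bind_request(msg_id, bind_dn, password):
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }
    # The password goes on the wire as UTF-8, so a non-ASCII password is sent the way the
    # directory expects it rather than in whatever code page the local shell happens to use.
    bind = _tlv(0x60, _tlv(0x02, b"\x03")
                + _tlv(0x04, bind_dn.encode("utf-8"))
                + _tlv(0x80, password.encode("utf-8")))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)  # msg_id must be 1..127 here

def parse_bind_result_code(data):
    # LDAPMessage -> BindResponse [APPLICATION 1] -> resultCode (ENUMERATED):
    # 0 = success, 49 = invalidCredentials
    _, msg, _ = _read_tlv(data, 0)
    _, _, pos = _read_tlv(msg, 0)  # skip messageID
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, _ = _read_tlv(resp, 0)
    return int.from_bytes(code, "big")

def can_bind(host, bind_dn, password, port=636, timeout=10):
    # Open LDAPS, send one simple bind, and report whether the DC answered success (0).
    # The default SSL context verifies the DC certificate (unlike TLS_REQCERT allow).
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request(1, bind_dn, password))
            return parse_bind_result_code(tls.recv(4096)) == 0
```

Call can_bind() with the new password once the modify has returned success; because the old password can keep working for an hour, a bind with the old password failing is not a reliable way to confirm the change took effect.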

 

Non-standard objectClasses

Active Directory does not respect the inetOrgPerson objectClass definition, as specified in RFC 2798. An explanation is provided below.

LSC version 1.2.0 can synchronize to and from Active Directory despite this.

The objectClass inheritance path defined in RFC 2798 is as follows:

  • top
    • person
      • organizationalPerson
        • inetOrgPerson

However, in Active Directory, an extra objectClass, named user, is inserted in this path:

  • top
    • person
      • organizationalPerson
        • user
          • inetOrgPerson

This is documented by Microsoft in the Active Directory Schema documentation.

Tuesday, November 20, 2012

LDAPSearch Commands Cygwin

LDAPSearch

appBackLink
ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword "(cn=Lotus Notes 5)"

appBackLink
objectClass: appApplication
ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword "(cn=Lotus Notes 5)"

equivalentToMe: cn=ColvinDU,ou=Sys,ou=IT,ou=ROOT,o=ORG
member: cn=ColvinDU,ou=Sys,ou=IT,ou=ROOT,o=ORG

ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword "(objectclass=groupOfNames)" member

ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword -b "ou=NAL Objects,ou=CAS,o=SHC" "(objectclass=appApplication)" appBackLink >> nal-users.txt

ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword "(cn=Lotus Notes 5)" appBackLink

To get the users assigned to the object below:

ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword -b "ou=CAS,o=SHC" "(cn=ACCESSDB-SHORTCUT-RRIVALS-2K)" ACL

To create a group via LDAPAdd

$ cat group.ldif
dn: cn=xxaaxx,ou=ROOT,o=ORG
objectclass: group
cn: xxaaxx

$ ldapadd -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword -f group.ldif

 

To configure LDAP for SSL

$ cat /etc/openldap/ldap.conf
# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE ou=ROOT,o=ORG
URI ldaps://domainController
TLS_REQCERT allow

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# Define SSL and TLS properties (optional)
TLSCertificateFile /var/openldap/scdata.der
TLSCertificateKeyFile /var/openldap/scdata.der
TLSCACertificateFile /var/openldap/scdata.der

# you should set the loglevel to 256 initially, this will give you
# some good hints when debugging problems. Read man slapd.conf what the loglevel
# directive will give you
loglevel 256

$ ls /var/openldap/
openldap-data openldap-slurp run scdata.der

$ ldapsearch -x -v -H LDAPS://DomainController.domain.com.au -D cn=ColvinD,ou=Sys,ou=IT,ou=ROOT,o=ORG -w SpecialPassword

 

Base64 decoder

Required for some Novell NDS objects:
http://makcoder.sourceforge.net/demo/base64.php

End of document

Wednesday, November 14, 2012

Installation ended prematurely because of an error.

However, when trying to install Hotfix Rollup Pack 1 for Citrix XenApp 6.5 for Microsoft Windows Server 2008 R2

http://support.citrix.com/article/CTX132122

"Installation ended prematurely because of an error."

The following solutions have resolved this error in the majority of cases:

Make sure short file name creation is enabled on the target machine.

Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Make sure the value "NtfsDisable8dot3NameCreation" is equal to 0. This indicates that short file name creation is enabled. A value of 1 indicates that this functionality is disabled. You should change the value to 0.

After modifying this value, the target machine should be rebooted before attempting to launch the setup again.

Wednesday, November 07, 2012

Handbrake for Ubuntu – the easy way

I am sick of half-baked instructions; this is all you need to download and install Handbrake for Ubuntu Precise (12.04) 64-bit:

sudo add-apt-repository ppa:stebbins/handbrake-releases
sudo apt-get update
sudo apt-get install handbrake-gtk handbrake-cli

Then you run it, end of story…

Tuesday, November 06, 2012

DC Promo Answer Files

Your handy reference…

First Windows 2003 Server DC in the Forest

[DCInstall]
AutoConfigDNS = Yes
NewDomain = forest
NewDomainDNSName = devDave.com.au
DomainNetBiosName = devDave
ReplicaOrNewDomain = domain
ForestLevel = 2
DomainLevel = 2
DatabasePath = "%SYSTEMROOT%\Data"
LogPath = "%SYSTEMROOT%\Logs"
SysVolPath = "%SYSTEMDRIVE%\Sysvol"
SafeModeAdminPassword = Password1
DisableCancelForDnsInstall = Yes
RebootOnSuccess = Yes
SiteName = Home
UserName = administrator
Password = Password1

Promote Additional Windows Server 2003 DC

[DCInstall]
AutoConfigDNS = Yes
ConfirmGc = Yes
DatabasePath = %SYSTEMROOT%\Data
DisableCancelForDnsInstall = Yes
LogPath = %SYSTEMROOT%\Logs
RebootOnSuccess = Yes
ReplicaDomainDNSName = devDave.com.au
ReplicaOrMember = Replica
ReplicaOrNewDomain = Replica
ReplicationSourceDC = dc1.devDave.com.au
SiteName = <site name>
SysVolPath = %SYSTEMDRIVE%\Sysvol
UserName = administrator
UserDomain = devDave.com.au
Password = Password1

Demote Windows Server 2003 DCs

[DCINSTALL]
UserName = administrator
Password = Password1
UserDomain = devDave.com.au
AdministratorPassword = Password1
IsLastDCInDomain = no
RebootOnSuccess = yes

Promote First Windows Server 2008 R2 DC

[DCInstall]
InstallDNS = Yes
ConfirmGc = Yes
DatabasePath = %SYSTEMROOT%\Data
LogPath = %SYSTEMROOT%\Logs
RebootOnCompletion = Yes
ReplicaDomainDNSName = devDave.com.au
ReplicaOrNewDomain = New
ReplicationSourceDC = dc1.devDave.com.au
SiteName = Home
SysVolPath = %SYSTEMDRIVE%\Sysvol
UserName = administrator
UserDomain = devDave.com.au
Password = Password1
SafeModeAdminPassword = Password1

Promote Additional Windows Server 2008 R2 DCs

[DCInstall]
InstallDNS = Yes
ConfirmGc = Yes
DatabasePath = %SYSTEMROOT%\Data
LogPath = %SYSTEMROOT%\Logs
RebootOnCompletion = Yes
ReplicaDomainDNSName = devDave.com.au
ReplicaOrNewDomain = Replica
ReplicationSourceDC = dc1.devDave.com.au
SiteName = Home
SysVolPath = %SYSTEMDRIVE%\Sysvol
UserName = administrator
UserDomain = devDave.com.au
Password = Password1
SafeModeAdminPassword = Password1
