Wednesday, November 28, 2012

Active Directory Password and InetOrgPerson

 

I read about a few AD oddities that I wanted to share, they are from this link.. I have not verified these myself yet, but interesting

 

Old password remains valid for an hour

As described in this Microsoft Support article, as of Windows Server 2003 SP1, once you've changed a user's password, the old password remains valid for an hour after the change. In effect, this means you can use both a users' old password and the users' new password to log in for one hour!

New password accepted in LDAP modify operation but not really accepted

In some cases (particularly with passwords containing special characters, such as non ASCII characters), Active Directory will accept a password update operation and return a “Success (0)” result for the LDAP modify operation, BUT the new password will not be useable.

For this reason, we recommend to always check that a successful BIND operation can be performed on the Active Directory with the new password after changing it. You can use the canBind* functions to do this.

 

Non-standard objectClasses

Active Directory does not respect the inetOrgPerson objectClass definition, as specified in RFC 2798. An explanation is provided below.

LSC version 1.2.0 can synchronize to and from Active Directory despite of this.

The objectClass inheritance path defined in RFC 2798 is as follows:

  • top

    • person

      • organizationalPerson

        • inetOrgPerson

However, in Active Directory, an extra objectClass, named user is inserted in this path:

  • top

    • person

      • organizationalPerson

        • user

          • inetOrgPerson

This is documented by Microsoft in the Active Directory Schema documentation.

Post a Comment

Blog Archive