Solved

CFLDAP secure / changing passwords

Posted on 2014-02-07
8
877 Views
Last Modified: 2014-02-20
I am having issues getting the CFLDAP tag to be able to communicate over ( secure="CFSSL_BASIC )

NOTE: I have already exported the key from my LDAP server and imported it into the ColdFusion JRE keystore.  The account I am using to connect is an Active Directory administrator account.

In addition I cannot get it to change an active directory password.
( my end goal )

I have been trying to get some meaningful errors from the server as well but all I get is:
coldfusion.tagext.net.LdapTagException: An error has occured while trying to execute query :simple bind failed: myDomainController.xxx.xxx.edu:636.

Open in new window


My Query ( if I change the port to 636 & add the secure="CFSSL_BASIC" attribute it breaks):
<cfldap action="Query"
	name="ADResult"
	attributes="cn,mail,displayname,dn,memberof,extensionAttribute1,employeeID,sAMAccountName,password,unicodePassword"
	start="cn=users,dc=myDomain,dc=MyDomPart2,dc=edu"
	filter="(&(objectclass=user)(samaccountname=#ReplaceNoCase(userIDx, baseDomain,'')#))"
	server="#domainController#"
    port="389"
	scope = "subtree"
	username="#userID2#"
	password="#pwd2#"
>
	<cfset isLoggedIn = true> 

    <cfcatch>
        <cfset isLoggedIn = false>
    </cfcatch>
</cftry>

Open in new window



My Change Password Query ( also does not work ):
<cftry>
    <cfldap action="modify" 
        modifyType="replace" 
        attributes="password=testing"
        dn="CN=myName,CN=Users,DC=MyDomain,DC=MyDomainPart2,DC=edu" 
        server="#domainController#"
        port="636"
        secure="CFSSL_BASIC"
        username="#userID2#"
        password="#pwd2#"
    > 
    <cfcatch>
    	<cfdump var="#cfcatch#">
    </cfcatch>
</cftry>

Open in new window

0
Comment
Question by:stu215
  • 4
  • 4
8 Comments
 
LVL 10

Author Comment

by:stu215
ID: 39843143
The bind error seems to have gone away and I am now getting this error:

An error has occured while trying to execute query :[LDAP: error code 16 - 00000057: LdapErr: DSID-0C090B8A, comment: Error in attribute conversion operation, data 0, v1db1 ]. 
One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server. 


97 :         secure="CFSSL_BASIC"
98 :         username="#userID2#"
99 :         password="#pwd2#"
100 :     >

Open in new window

0
 
LVL 25

Accepted Solution

by:
dgrafx earned 500 total points
ID: 39844072
i had difficulties with cfldap so went to vb script

i write the .vbs below programmatically using desired variables then cfexecute with CF.

save the following as a .vbs file (swapping out the variables for their values of course):

Dim UserName
Dim UserDomain
UserDomain = "#Domain#"
UserName = "#Username#"
Set User = GetObject("WinNT://"& UserDomain &"/"& UserName &"",user)
Dim NewPassword
NewPassword = "#Password#"
Call User.SetPassword(NewPassword)
Set User = Nothing
wScript.Quit

good luck ...
0
 
LVL 10

Author Comment

by:stu215
ID: 39847501
I'm running CF on a Linux server though...
( I don't think VB will work there )
0
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

 
LVL 25

Expert Comment

by:dgrafx
ID: 39847530
Ok so where is AD? Different machine right?
So can you write it on the AD machine (Windows machine) and execute it there as well?
0
 
LVL 10

Author Comment

by:stu215
ID: 39851198
Yes, its a different machine.   It is preferred that I not do it this way though...

Is it not possible to change the password with cfldap?

From what I've Googled so far, many suggest that you have to wrap it in Unicode then Base64... I am still getting the same conversion error as above though...  

I've tried a bunch of the following variations with no success:
<cfset newPWD='Testing_666'>
<cfset unicodePwd = newPWD.getBytes("UTF-16LE")/> 
<cfset unicodePwd2 = newPWD.getBytes("UnicodeLittleUnmarked")/> 
<cfset unicodePwd3 = newPWD.getBytes("UTF-16")/> 
<cfset unicodePwd4 = newPWD.getBytes("UTF-8")/> 
<cfset base64Pwd = #ToBase64(unicodePwd)#/> 

Open in new window

0
 
LVL 25

Assisted Solution

by:dgrafx
dgrafx earned 500 total points
ID: 39851242
i was able to add / edit / delete entries to AD using cfldap but was never able to change password with cfldap.
could never find a solution so i looked elsewhere and if on a windows machine then the vbs solution works like a champ.

sorry you can't use it ...
0
 
LVL 10

Author Closing Comment

by:stu215
ID: 39875327
Gave up on trying to use CFLdap to change the password and were trying a few opensource solutions or will purchase a module to change passwords...

ManageEngine was the commercial one we are debating on if the open source one does not pan out.

- Was not allowed to use the VBScript solution in our environment
0
 
LVL 25

Expert Comment

by:dgrafx
ID: 39875432
Well thanks for the points!
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently while working on a project I got a very annoying cfdocument has no body error message. I had never seen this error before. So I checked the code. The code was pretty simple; it was Just showing me the cfdocumnt tag and inside that tag a …
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question