Solved

CFLDAP secure / changing passwords

Posted on 2014-02-07
8
926 Views
Last Modified: 2014-02-20
I am having issues getting the CFLDAP tag to be able to communicate over ( secure="CFSSL_BASIC )

NOTE: I have already exported the key from my LDAP server and imported it into the ColdFusion JRE keystore.  The account I am using to connect is an Active Directory administrator account.

In addition I cannot get it to change an active directory password.
( my end goal )

I have been trying to get some meaningful errors from the server as well but all I get is:
coldfusion.tagext.net.LdapTagException: An error has occured while trying to execute query :simple bind failed: myDomainController.xxx.xxx.edu:636.

Open in new window


My Query ( if I change the port to 636 & add the secure="CFSSL_BASIC" attribute it breaks):
<cfldap action="Query"
	name="ADResult"
	attributes="cn,mail,displayname,dn,memberof,extensionAttribute1,employeeID,sAMAccountName,password,unicodePassword"
	start="cn=users,dc=myDomain,dc=MyDomPart2,dc=edu"
	filter="(&(objectclass=user)(samaccountname=#ReplaceNoCase(userIDx, baseDomain,'')#))"
	server="#domainController#"
    port="389"
	scope = "subtree"
	username="#userID2#"
	password="#pwd2#"
>
	<cfset isLoggedIn = true> 

    <cfcatch>
        <cfset isLoggedIn = false>
    </cfcatch>
</cftry>

Open in new window



My Change Password Query ( also does not work ):
<cftry>
    <cfldap action="modify" 
        modifyType="replace" 
        attributes="password=testing"
        dn="CN=myName,CN=Users,DC=MyDomain,DC=MyDomainPart2,DC=edu" 
        server="#domainController#"
        port="636"
        secure="CFSSL_BASIC"
        username="#userID2#"
        password="#pwd2#"
    > 
    <cfcatch>
    	<cfdump var="#cfcatch#">
    </cfcatch>
</cftry>

Open in new window

0
Comment
Question by:stu215
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 10

Author Comment

by:stu215
ID: 39843143
The bind error seems to have gone away and I am now getting this error:

An error has occured while trying to execute query :[LDAP: error code 16 - 00000057: LdapErr: DSID-0C090B8A, comment: Error in attribute conversion operation, data 0, v1db1 ]. 
One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server. 


97 :         secure="CFSSL_BASIC"
98 :         username="#userID2#"
99 :         password="#pwd2#"
100 :     >

Open in new window

0
 
LVL 25

Accepted Solution

by:
dgrafx earned 500 total points
ID: 39844072
i had difficulties with cfldap so went to vb script

i write the .vbs below programmatically using desired variables then cfexecute with CF.

save the following as a .vbs file (swapping out the variables for their values of course):

Dim UserName
Dim UserDomain
UserDomain = "#Domain#"
UserName = "#Username#"
Set User = GetObject("WinNT://"& UserDomain &"/"& UserName &"",user)
Dim NewPassword
NewPassword = "#Password#"
Call User.SetPassword(NewPassword)
Set User = Nothing
wScript.Quit

good luck ...
0
 
LVL 10

Author Comment

by:stu215
ID: 39847501
I'm running CF on a Linux server though...
( I don't think VB will work there )
0
Command Line Tips and Tricks

The command line is a powerful tool at the disposal of every Linux user. Although Linux distros come with beautiful user interfaces, it's worthwhile to learn the command line because it allows you to do a number of things that you otherwise cannot do from the GUI.  

 
LVL 25

Expert Comment

by:dgrafx
ID: 39847530
Ok so where is AD? Different machine right?
So can you write it on the AD machine (Windows machine) and execute it there as well?
0
 
LVL 10

Author Comment

by:stu215
ID: 39851198
Yes, its a different machine.   It is preferred that I not do it this way though...

Is it not possible to change the password with cfldap?

From what I've Googled so far, many suggest that you have to wrap it in Unicode then Base64... I am still getting the same conversion error as above though...  

I've tried a bunch of the following variations with no success:
<cfset newPWD='Testing_666'>
<cfset unicodePwd = newPWD.getBytes("UTF-16LE")/> 
<cfset unicodePwd2 = newPWD.getBytes("UnicodeLittleUnmarked")/> 
<cfset unicodePwd3 = newPWD.getBytes("UTF-16")/> 
<cfset unicodePwd4 = newPWD.getBytes("UTF-8")/> 
<cfset base64Pwd = #ToBase64(unicodePwd)#/> 

Open in new window

0
 
LVL 25

Assisted Solution

by:dgrafx
dgrafx earned 500 total points
ID: 39851242
i was able to add / edit / delete entries to AD using cfldap but was never able to change password with cfldap.
could never find a solution so i looked elsewhere and if on a windows machine then the vbs solution works like a champ.

sorry you can't use it ...
0
 
LVL 10

Author Closing Comment

by:stu215
ID: 39875327
Gave up on trying to use CFLdap to change the password and were trying a few opensource solutions or will purchase a module to change passwords...

ManageEngine was the commercial one we are debating on if the open source one does not pan out.

- Was not allowed to use the VBScript solution in our environment
0
 
LVL 25

Expert Comment

by:dgrafx
ID: 39875432
Well thanks for the points!
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question