Solved

CFLDAP secure / changing passwords

Posted on 2014-02-07
8
807 Views
Last Modified: 2014-02-20
I am having issues getting the CFLDAP tag to be able to communicate over ( secure="CFSSL_BASIC )

NOTE: I have already exported the key from my LDAP server and imported it into the ColdFusion JRE keystore.  The account I am using to connect is an Active Directory administrator account.

In addition I cannot get it to change an active directory password.
( my end goal )

I have been trying to get some meaningful errors from the server as well but all I get is:
coldfusion.tagext.net.LdapTagException: An error has occured while trying to execute query :simple bind failed: myDomainController.xxx.xxx.edu:636.

Open in new window


My Query ( if I change the port to 636 & add the secure="CFSSL_BASIC" attribute it breaks):
<cfldap action="Query"
	name="ADResult"
	attributes="cn,mail,displayname,dn,memberof,extensionAttribute1,employeeID,sAMAccountName,password,unicodePassword"
	start="cn=users,dc=myDomain,dc=MyDomPart2,dc=edu"
	filter="(&(objectclass=user)(samaccountname=#ReplaceNoCase(userIDx, baseDomain,'')#))"
	server="#domainController#"
    port="389"
	scope = "subtree"
	username="#userID2#"
	password="#pwd2#"
>
	<cfset isLoggedIn = true> 

    <cfcatch>
        <cfset isLoggedIn = false>
    </cfcatch>
</cftry>

Open in new window



My Change Password Query ( also does not work ):
<cftry>
    <cfldap action="modify" 
        modifyType="replace" 
        attributes="password=testing"
        dn="CN=myName,CN=Users,DC=MyDomain,DC=MyDomainPart2,DC=edu" 
        server="#domainController#"
        port="636"
        secure="CFSSL_BASIC"
        username="#userID2#"
        password="#pwd2#"
    > 
    <cfcatch>
    	<cfdump var="#cfcatch#">
    </cfcatch>
</cftry>

Open in new window

0
Comment
Question by:stu215
  • 4
  • 4
8 Comments
 
LVL 10

Author Comment

by:stu215
Comment Utility
The bind error seems to have gone away and I am now getting this error:

An error has occured while trying to execute query :[LDAP: error code 16 - 00000057: LdapErr: DSID-0C090B8A, comment: Error in attribute conversion operation, data 0, v1db1 ]. 
One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server. 


97 :         secure="CFSSL_BASIC"
98 :         username="#userID2#"
99 :         password="#pwd2#"
100 :     >

Open in new window

0
 
LVL 24

Accepted Solution

by:
dgrafx earned 500 total points
Comment Utility
i had difficulties with cfldap so went to vb script

i write the .vbs below programmatically using desired variables then cfexecute with CF.

save the following as a .vbs file (swapping out the variables for their values of course):

Dim UserName
Dim UserDomain
UserDomain = "#Domain#"
UserName = "#Username#"
Set User = GetObject("WinNT://"& UserDomain &"/"& UserName &"",user)
Dim NewPassword
NewPassword = "#Password#"
Call User.SetPassword(NewPassword)
Set User = Nothing
wScript.Quit

good luck ...
0
 
LVL 10

Author Comment

by:stu215
Comment Utility
I'm running CF on a Linux server though...
( I don't think VB will work there )
0
 
LVL 24

Expert Comment

by:dgrafx
Comment Utility
Ok so where is AD? Different machine right?
So can you write it on the AD machine (Windows machine) and execute it there as well?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 10

Author Comment

by:stu215
Comment Utility
Yes, its a different machine.   It is preferred that I not do it this way though...

Is it not possible to change the password with cfldap?

From what I've Googled so far, many suggest that you have to wrap it in Unicode then Base64... I am still getting the same conversion error as above though...  

I've tried a bunch of the following variations with no success:
<cfset newPWD='Testing_666'>
<cfset unicodePwd = newPWD.getBytes("UTF-16LE")/> 
<cfset unicodePwd2 = newPWD.getBytes("UnicodeLittleUnmarked")/> 
<cfset unicodePwd3 = newPWD.getBytes("UTF-16")/> 
<cfset unicodePwd4 = newPWD.getBytes("UTF-8")/> 
<cfset base64Pwd = #ToBase64(unicodePwd)#/> 

Open in new window

0
 
LVL 24

Assisted Solution

by:dgrafx
dgrafx earned 500 total points
Comment Utility
i was able to add / edit / delete entries to AD using cfldap but was never able to change password with cfldap.
could never find a solution so i looked elsewhere and if on a windows machine then the vbs solution works like a champ.

sorry you can't use it ...
0
 
LVL 10

Author Closing Comment

by:stu215
Comment Utility
Gave up on trying to use CFLdap to change the password and were trying a few opensource solutions or will purchase a module to change passwords...

ManageEngine was the commercial one we are debating on if the open source one does not pan out.

- Was not allowed to use the VBScript solution in our environment
0
 
LVL 24

Expert Comment

by:dgrafx
Comment Utility
Well thanks for the points!
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now