Change AD user password via LDAP - requires SSL Connection?

Thread starter: ohaya

Hi,

I'm working on some Java code to change an AD user's password. From my
searching, it appears that if AD is on Win2K, that in order for this to
work, a secure connection, e.g., an SSL connection is necessary. I was
wondering if this is also the case with AD on Win2K3?

Thanks in advance!!

Jim
 
Yes, you have to establish a secure connection with AD (Port 636).

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Paul,

Thanks for the confirmation. When I was searching, I *thought* that I
had seen a post somewhere (I can't find it anymore :() that said that
this was something that had changed in Win2K3 (vs. Win2K).

In my testing here, I only have a Win2K AD, while our "production"
environment has a Win2K3 AD, so I wanted to check. I guess I probably
really should stand up a Win2K3 AD for future testing :)...

Jim
 
You need a minimum level of LDAP encryption; this can be satisfied with
128-bit SSL as well as Kerberos session encryption on 2K, and on K3 and
better you can use NTLM session encryption.

For instance, my adfind can set a user password with LDAP as long as you
specify the -kerbenc switch which actually enables LDAP_OPT_ENCRYPT (see
the Session Options documentation on MSDN).

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
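The two routes the replies describe, as an added Java/JNDI example that is not code from the thread, from Jim, or from adfind/admod: a simple bind over LDAPS on port 636 (Paul's answer), or a Kerberos SASL (GSSAPI) bind on 389 with the "auth-conf" quality of protection, which gives the session encryption Joe refers to. The host name, DNs and passwords are placeholders; the LDAPS route assumes the DC's certificate chains to something in the JVM trust store, and the Kerberos route assumes the JVM already holds a ticket (for example via a JAAS login configuration with `javax.security.auth.useSubjectCredsOnly=false`).

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class AdPasswordChange {

    // AD requires the unicodePwd value to be the password wrapped in double
    // quotes and encoded as UTF-16LE; any other encoding is rejected.
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // Route 1: LDAPS on 636 with a simple bind. The whole session is inside TLS,
    // which satisfies AD's requirement that unicodePwd never travel in the clear.
    static LdapContext connectLdaps(String host, String bindDn, String bindPassword)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":636");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialLdapContext(env, null);
    }

    // Route 2: Kerberos SASL bind on 389 with confidentiality negotiated
    // ("auth-conf"), i.e. SASL session encryption rather than TLS. The JVM must
    // already have a Kerberos credential (JAAS login config / ticket cache).
    static LdapContext connectKerberosEncrypted(String host) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":389");
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // "auth" alone would authenticate but leave the modify in cleartext;
        // "auth-conf" requires integrity and confidentiality on the session.
        env.put("javax.security.sasl.qop", "auth-conf");
        return new InitialLdapContext(env, null);
    }

    // Administrative reset: a single REPLACE of unicodePwd. Needs the
    // "Reset Password" right on the user object.
    static void resetPassword(DirContext ctx, String userDn, String newPassword)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    // Self-service change: REMOVE the old value and ADD the new one in a single
    // modify operation, so AD verifies the old password and enforces policy.
    static void changePassword(DirContext ctx, String userDn,
                               String oldPassword, String newPassword)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder values (not from the thread); replace with your own.
        String host = "dc1.example.com";
        String adminDn = "CN=Svc Pwd Reset,OU=Service Accounts,DC=example,DC=com";
        String userDn = "CN=Jim Test,OU=Users,DC=example,DC=com";

        LdapContext ctx = connectLdaps(host, adminDn, "placeholder-admin-password");
        try {
            resetPassword(ctx, userDn, "placeholder-new-password");
        } finally {
            ctx.close();
        }
    }
}
```

A quick check that the encryption requirement is in force: pointing `connectLdaps` at `ldap://host:389` with `simple` authentication and no TLS should make the modify fail with LDAP error code 53 (WILL_NOT_PERFORM), which is the DC refusing a cleartext password set rather than a problem with the request itself. If the DC accepts it, the "LDAP server signing requirements" / SSL configuration on that DC deserves a look.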
 
Joe,

Thanks, as usual, for the info!!

Jim

 
Hehe. Good point, I don't know my own damn apps... ;o)

Though adfind has the -kerbenc switch as well, it doesn't change
anything. :)

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 