Thursday, April 06, 2006


AD/AM Unsecured Passwords

Have you ever needed to bulk load AD/AM with a bunch of LDIF users for testing or conversion purposes, but been frustrated by its refusal to allow password changes over an unsecured port? This can be easily remedied using the dsmgmt tool that is installed with AD/AM. The tool is located in c:\WINDOWS\ADAM. Here is an example of making the change to an AD/AM instance:

dsmgmt: ds behavior

ds behavior: Connections

server connections: connect to server localhost:389
Binding to localhost:389 ...
Connected to localhost:389 using credentials of locally logged on user.

server connections: quit

ds behavior: Allow passwd op on unsecured connection
Successfully modified DS Behavior to reset password over unsecured network.

Now entries can be added to the directory with clear text passwords. The setting can be just as easily reversed after the changes are made.

NOTE: making this change will not permit the COREid identity system to change passwords in AD/AM over an unsecured port. I am not sure why, but something in the application prevents it even though the AD/AM instance is configured to allow it.

For those that would rather just stay in the LDAP Browser, you can also accomplish this by modifying the dSHeuristics attribute. It can be found at:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={}

Modify the last bit to be anything but a 0 and it will allow you to change passwords over SSL. See full Microsoft article here for more information on this attribute.
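
Because the setting is meant to be reversed once the load is finished, it helps to be able to confirm its state from an LDIF export of the Directory Service object. The following is an added example, not part of the original post: it assumes the flag sits at the 13th character of dSHeuristics (the position given in Microsoft's documentation; the post only says "the last bit") and follows the post in treating anything but 0 as enabled. The sample LDIF, its placeholder GUID and the function names are constructed for illustration.

```python
import base64

# Constructed sample: LDIF export of the Directory Service object.
# The partition GUID is a placeholder, not a real instance value.
SAMPLE_LDIF = """\
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={PLACE
 HOLDER-GUID}
objectClass: nTDSService
dSHeuristics: 0000000001001
"""

# Assumption: character position of the unsecured-password-operations flag.
FLAG_POSITION = 13


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def get_attribute(ldif_text, name):
    """Return the first value of `name`, decoding base64 ('attr:: ...') values."""
    for line in unfold(ldif_text):
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != name.lower():
            continue
        if value.startswith(":"):
            return base64.b64decode(value[1:].strip()).decode("utf-8")
        return value.strip()
    return None


def unsecured_password_ops_allowed(dsheuristics):
    """True when the flag character is present and is anything but '0'."""
    if not dsheuristics or len(dsheuristics) < FLAG_POSITION:
        return False  # attribute unset or too short: the flag was never set
    return dsheuristics[FLAG_POSITION - 1] != "0"


if __name__ == "__main__":
    value = get_attribute(SAMPLE_LDIF, "dSHeuristics")
    state = "ALLOWED" if unsecured_password_ops_allowed(value) else "blocked"
    print(f"dSHeuristics={value!r}: password ops over unsecured LDAP are {state}")
```

Run it against an export taken after the bulk load; a result of "blocked" confirms the instance is back to requiring a secured connection for password operations.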