User Management with Active Directory—Programming Differences When Setting ADAM Passwords
© 2006 Pearson Education, Inc.
Programming Differences When Setting ADAM Passwords
When we relax the secure channel password requirement with ADAM, we need a way to tell ADSI that we will be sending plaintext passwords on the normal LDAP port instead of ciphertext on the SSL port. We use the IADsObjectOptions interface for this, passing the ADS_OPTION_PASSWORD_PORTNUMBER and ADS_OPTION_PASSWORD_METHOD flags to its SetOption method. There are two ways to do this. In .NET 2.0, a new wrapper class, DirectoryEntryConfiguration, exposes strongly typed properties for setting these options. Listing 10.17 shows how we can accomplish this.
Listing 10.17: Using DirectoryEntryConfiguration for ADAM
```csharp
using System;
using System.DirectoryServices;

// .NET 2.0 sample for ADAM password changes
DirectoryEntry entry = new DirectoryEntry(
    "LDAP://adamserver.com/CN=someuser,OU=users,O=adamsample",
    "someuser@adam",
    "UserPassword1",
    AuthenticationTypes.None
    );

// Send the password in the clear over the normal LDAP port (389).
// This only works once the ADAM secure channel requirement has been relaxed.
entry.Options.PasswordPort = 389;
entry.Options.PasswordEncoding = PasswordEncodingMethod.PasswordEncodingClear;

// ChangePassword is invoked on the underlying IADsUser object
entry.Invoke(
    "ChangePassword",
    new object[] { "UserPassword1", "UserPassword2" }
    );
```
In .NET 1.x, we do not have the handy wrapper class for IADsObjectOptions, so instead we use the Invoke method (late-bound through reflection) to call SetOption on the underlying ADSI object and accomplish the same thing. Listing 10.18 demonstrates the necessary operations.
Listing 10.18: Setting IADsObjectOptions via Reflection
```csharp
using System;
using System.DirectoryServices;

// .NET 1.x sample
// Values from the ADSI ADS_OPTION_ENUM and ADS_PASSWORD_ENCODING_ENUM enumerations
const int ADS_OPTION_PASSWORD_PORTNUMBER = 6;
const int ADS_OPTION_PASSWORD_METHOD = 7;
const int ADS_PASSWORD_ENCODE_CLEAR = 1;

DirectoryEntry entry = new DirectoryEntry(
    "LDAP://adamserver.com/CN=someuser,OU=users,O=adamsample",
    "someuser@adam",
    "UserPassword1",
    AuthenticationTypes.None
    );

// Call IADsObjectOptions.SetOption late-bound: use port 389 and clear-text encoding
entry.Invoke(
    "SetOption",
    new object[] { ADS_OPTION_PASSWORD_PORTNUMBER, 389 }
    );
entry.Invoke(
    "SetOption",
    new object[] { ADS_OPTION_PASSWORD_METHOD, ADS_PASSWORD_ENCODE_CLEAR }
    );

entry.Invoke(
    "ChangePassword",
    new object[] { "UserPassword1", "UserPassword2" }
    );
```
Even if we do not relax the secure channel password requirement for ADAM, it may still be necessary to change the password port number if our ADAM instance uses a different port for SSL traffic than the standard 636. Consequently, both of the techniques shown in Listings 10.17 and 10.18 still apply, though we will want to use the SSL password encoding option instead.
Additionally, it is possible to apply the LDAP password modification sample using SDS.P (System.DirectoryServices.Protocols) from the previous section on Active Directory password modification. There are two caveats.
- We may need to change the encryption method and port number as appropriate.
- When we are modifying passwords of ADAM users with an ADAM account, it will not be possible to use Kerberos channel encryption, as ADAM users cannot do Kerberos-based secure binds. That approach is not appropriate here. It is still possible to use this approach when using pass-through binding as a Windows user with a secure bind.
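The SDS.P route just described, as an added example that is not code from the book: it changes an ADAM user's own password over LDAPS on a non-default SSL port, using a simple bind as the ADAM user because Kerberos secure binds are not available to ADAM users. The host name, port and distinguished name are assumed values for a hypothetical ADAM instance.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example: self-service ADAM password change with SDS.P over SSL.
// Host, port and DN below are assumptions, not values from the book.
static class AdamPasswordChanger
{
    public static void ChangeOwnPassword(
        string host, int sslPort, string userDn, string oldPassword, string newPassword)
    {
        LdapDirectoryIdentifier identifier = new LdapDirectoryIdentifier(host, sslPort);
        using (LdapConnection connection = new LdapConnection(identifier))
        {
            // ADAM users cannot do Kerberos secure binds, so a simple bind is used;
            // SSL is what protects the credentials and the new password on the wire.
            connection.SessionOptions.SecureSocketLayer = true;
            connection.SessionOptions.ProtocolVersion = 3;
            connection.AuthType = AuthType.Basic;
            connection.Credential = new NetworkCredential(userDn, oldPassword);
            connection.Bind();

            // A self-service change is expressed as "delete old value, add new value"
            // on userPassword, sent as a single modify operation.
            DirectoryAttributeModification remove = new DirectoryAttributeModification();
            remove.Name = "userPassword";
            remove.Operation = DirectoryAttributeOperation.Delete;
            remove.Add(oldPassword);

            DirectoryAttributeModification add = new DirectoryAttributeModification();
            add.Name = "userPassword";
            add.Operation = DirectoryAttributeOperation.Add;
            add.Add(newPassword);

            ModifyRequest request = new ModifyRequest(userDn, remove, add);
            ModifyResponse response = (ModifyResponse)connection.SendRequest(request);
            if (response.ResultCode != ResultCode.Success)
            {
                throw new InvalidOperationException(
                    "Password change failed: " + response.ResultCode + " " + response.ErrorMessage);
            }
        }
    }

    static void Main()
    {
        // Assumed instance: ADAM listening for SSL on 50001 rather than 636
        ChangeOwnPassword("adamserver.com", 50001,
            "CN=someuser,OU=users,O=adamsample", "UserPassword1", "UserPassword2");
    }
}
```

If the ADAM instance still enforces the secure channel requirement, the same modify sent over the plain LDAP port is rejected by the server, which is the behaviour you want to keep unless the relaxation discussed above has been applied deliberately.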
Sadly, all of this seems more complicated than it really needs to be, and it probably is. We hope that we have at least explained the topic thoroughly and have given you the tools you need to get the work done.