April 24th, 2010, 02:47 PM
CFLDAP - Adding User to Active Directory HELP!
Hi, after a lot of searching and no result, I come here looking for some silver lining on a dark cloud.
I am trying to add users to an Active Directory using the CFLDAP tag. I am using ColdFusion 9 Developer Edition, and Windows Server 2008 Standard with Active Directory Domain Controller and AD LDS.
No matter what I have tried, I get various errors and after much googling on those, I still haven't managed to find an answer.
Interestingly enough, I can successfully query the Microsoft AD to authenticate users using:
attributes = "givenName,sn,displayName,mail,streetAddress,l,st,postalCode,c,userPrincipalName,userAccountControl,pwdLastSet,profilePath,scriptPath,homeDrive,homeDirectory,homePhone,mobile,title,department,company,sAMAccountName,description">
This works perfectly and all attributes are returned successfully.
For trying to add the user, I am using:
Please observe that the port number 50000 is set because an LDS running on an AD DC has the ports 50000 and 50001 for SSL. Though with the ports 369 and 636 the same errors are obtained.
So far I have learned that the password for the user can only be defined in another step and that the userAccountControl is then set to enabled or normal, so that no password is defined in this first step. There is also a question regarding the SSL requirement, but it seems I only need SSL when changing a user's password.
The error I am getting now is:
An error has occured while trying to execute add :[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 2030, v1772 ].
One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server.
Apparently, Error Code 49 relates to invalid credentials and the data 2030 refers to "no such user"...
I am the Active Directory system administrator, and with various different administrative accounts defined in the username and password parts of the CFLDAP tag, the same error is achieved, which as far as I understood, rules out the ERROR code 49. In relation to the data 2030, well of course the user is not yet found because I am trying to create it.
How do I get around that? Is there another way of adding a user to the Active Directory server using ColdFusion??
Thank you in advance!
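The error text quoted above is Active Directory's standard diagnostic format: an LDAP result code (49 = invalidCredentials), a Win32/SSPI status (8009030C), the DSID that locates the failure inside the server's code, a comment, and a hex "data" subcode. As an added example (not code from this thread, from ColdFusion, or from Microsoft), here is a small Python parser that pulls those fields out of a log line and labels the commonly documented subcodes, which is useful both for diagnosing a misbehaving integration and for spotting bind-failure patterns in a log. The sample log lines are constructed: the first one is the message quoted in the post, the others are made up to show documented subcodes.

```python
"""Classify Active Directory LDAP error strings such as
"[LDAP: error code 49 - 8009030C: LdapErr: DSID-..., comment: ..., data NNN, vNNNN]".
Added example, not part of the original thread."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Commonly documented AD subcodes that follow "AcceptSecurityContext error, data".
# Keys are the hex strings exactly as AD emits them. Anything else (such as the
# "2030" reported in the thread) is labelled as unknown rather than guessed.
AD_BIND_SUBCODES: Dict[str, str] = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# RFC 4511 result codes that show up most often when managing AD objects.
LDAP_RESULT_NAMES: Dict[int, str] = {
    0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
    49: "invalidCredentials", 50: "insufficientAccessRights",
    53: "unwillingToPerform", 68: "entryAlreadyExists",
}

# The "comment:" and "data" parts are optional because non-bind errors
# (e.g. UpdErr ... problem 6005 (ENTRY_EXISTS), data 0) omit the comment.
_ERR_RE = re.compile(
    r"LDAP:\s*error code\s*(?P<code>\d+)\s*-\s*(?P<hex>[0-9A-Fa-f]+):"
    r".*?DSID-(?P<dsid>[0-9A-Fa-f]+)"
    r"(?:.*?comment:\s*(?P<comment>[^,\]]+))?"
    r"(?:.*?\bdata\s*(?P<data>[0-9A-Fa-f]+))?",
    re.DOTALL,
)


@dataclass
class LdapFailure:
    result_code: int
    result_name: str
    win32_status: str      # SSPI/HRESULT as printed by AD, e.g. 8009030C
    dsid: str
    comment: Optional[str]
    data: Optional[str]
    data_meaning: str

    @property
    def failed_at_bind(self) -> bool:
        # AcceptSecurityContext is the SSPI call that validates the supplied
        # credentials, so this comment means the server rejected the bind
        # itself, not the attributes of the object being added.
        return "AcceptSecurityContext" in (self.comment or "")


def parse_ad_ldap_error(message: str) -> Optional[LdapFailure]:
    """Return the parsed fields of an AD LDAP error, or None if none is present."""
    m = _ERR_RE.search(message)
    if not m:
        return None
    code = int(m.group("code"))
    data = m.group("data")
    if data is None:
        meaning = "no subcode present"
    else:
        meaning = AD_BIND_SUBCODES.get(data.lower(), "unknown subcode")
    comment = m.group("comment")
    return LdapFailure(
        result_code=code,
        result_name=LDAP_RESULT_NAMES.get(code, "unknown"),
        win32_status=m.group("hex"),
        dsid=m.group("dsid"),
        comment=comment.strip() if comment else None,
        data=data,
        data_meaning=meaning,
    )


def summarise_bind_failures(log_lines: Iterable[str]) -> Dict[str, int]:
    """Count result-49 failures per subcode meaning across log lines.
    A burst of bad-password (52e) results against many accounts, or a run of
    lockouts (775), is the pattern a SOC would alert on; a steady "user not
    found" from one application usually means a misconfigured bind DN."""
    counts: Counter = Counter()
    for line in log_lines:
        failure = parse_ad_ldap_error(line)
        if failure is not None and failure.result_code == 49:
            counts[failure.data_meaning] += 1
    return dict(counts)


# Constructed sample log: line 1 is the message quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    "2010-04-24 14:47:02 cfldap add failed: [LDAP: error code 49 - 8009030C: LdapErr: "
    "DSID-0C0903AA, comment: AcceptSecurityContext error, data 2030, v1772 ]",
    "2010-04-24 14:48:11 bind failed: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1772 ]",
    "2010-04-24 14:48:13 bind failed: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C0903A9, comment: AcceptSecurityContext error, data 525, v1772 ]",
    "2010-04-24 14:50:00 add failed: [LDAP: error code 68 - 00002071: UpdErr: "
    "DSID-0305030D, problem 6005 (ENTRY_EXISTS), data 0 ]",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_ad_ldap_error(line))
    print(summarise_bind_failures(SAMPLE_LOG))
```

Run against the quoted message, the parser reports result 49 (invalidCredentials) with an AcceptSecurityContext comment, i.e. the server rejected the bind before evaluating the add, and flags subcode 2030 as not among the commonly documented values, so it is worth checking the bind DN format and the account used rather than the attribute list first.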
April 25th, 2010, 08:26 PM
I'm afraid I can't really offer much advice, since it seems like an AD issue. The problem with LDAP in general is that working through problems like this is always hard, as each LDAP system can work in different ways, can be configured to use different security and authentication schemes, and require exactly the right attributes (sometimes even the right order or the right series of LDAP calls) in order to work.
You may have better luck asking about the specific AD requirements on the DevShed LDAP forum or on a forum specific to AD.
April 26th, 2010, 10:17 AM
Hi kiteless, thank you very much for your reply. Knowing it is probably not a ColdFusion issue is somewhat refreshing. At least now I can focus on one area... ahha... I'll research some more and if I get it working I'll post again explaining what the solution was in case someone else stumbles upon the same problem.
My arrival here is yet another instance of searching for the answer to a problem and only finding other people with the same problem.
I haven't tried digging into ColdFusion's Active Directory (AD) cross-talk capabilities since about 2003. Back then I learned a few things:
- AD only likes general LDAP calls when they query information or make bind attempts.
- Anything requiring password changing, setting, or account creation requires execution from the domain controller itself, i.e. your script needs to execute from that box.
These were lessons learned 7 years ago, which resulted in our building some ASP scripts that live on the AD server itself - not the most secure solution - and having CF call these via CFHTTP. I hated this solution.
I'm finding myself here in hopes that CF9 has some magical way of making it work that wasn't around 7 years ago. What was it then, v5? I'll keep looking around. It's not sounding like there is a solution that doesn't involve executing local code on the AD server, which I'm not about to put in the DMZ. There's got to be a way...
exactly the same problem
Did you find any solution to your problem? I've got exactly the same problem.