published by whitemice on Thu, 07/25/2019 - 11:29
Uh oh, Active Directory password is going to expire!
Ugh, do I need to log into a Windows workstation to change my password?
Nope, it is as easy as:
published by whitemice on Sun, 04/22/2018 - 11:14
One of the beauties of LDAP is how simply it lets the user or application perform searching. The various attribute types hint at how to perform searches intelligently: whether string comparisons are case sensitive, whether dashes are significant characters in the case of phone numbers, etc. However, there are circumstances when you need to override this intelligence and make your search more or less strict, for example to force a case-sensitive match on a string. That is the purpose of the extensibleMatch.
Look at this bit of schema:
published by whitemice on Mon, 10/09/2017 - 11:03
On a particular instance of OpenGroupware Coils the switch from an OpenLDAP server to an Active Directory service - which should be nearly seamless - resulted in "Failure to apply LDAP pages results control.". Interesting, as Active Directory certainly supports paged results - the 1.2.840.113556.1.4.319 control.
But there is a caveat! Of course.
published by whitemice on Mon, 06/05/2017 - 20:11
All the interesting objects in an Active Directory DSA have an objectSID which is used throughout the Windows subsystems as the reference for the object. When using a Samba4 (or later) domain controller it is possible to simply query for an object by its SID, as one would expect - like "(&(objectSID=S-1-...))". However, when using a Microsoft DC, searching for an object by its SID is not as straightforward; attempting to do so will only result in an invalid search filter error.
published by whitemice on Tue, 03/07/2017 - 09:18
Occasionally one gets reminded of something old.
[root@NAS04256 ~]# kinit adam@example.com
Password for adam@Example.Com:
kinit: KDC reply did not match expectations while getting initial credentials
Huh.
[root@NAS04256 ~]# kinit adam@EXAMPLE.COM
Password for adam@EXAMPLE.COM:
[root@NAS04256 ~]#
In some cases the case of the realm name matters.
published by whitemice on Thu, 02/09/2017 - 07:09
So you have a lovely LDIF file of Active Directory schema that you want to import using the ldbmodify tool provided with Samba4... but when you attempt the import it fails with the error:
Error: First line of ldif must be a dn not 'dn'
Modified 0 records with 0 failures
Eh? @&^$*&;@&^@! It does start with a dn: attribute, it is an LDIF file!
Once you cool down you look at the file using od, just in case, and you see: