Schema security issues - how to verify a schema bind

Post by Mat » Thu, 01 May 2003 22:46:24



I'm still having problems with custom attributes returning the
"Handling of this ADSVALUE is not yet implemented". After reading a
bunch of posts it sounds (could be wrong) that it's a security issue
with the schema.

I'm now trying to prove this is a security issue to the LDAP group.
The problem is my LDAP group doesn't know Microsoft tools and we are
not using Active Directory for LDAP (I think we use a product called
Live Content). So I need to prove there is a problem binding to the
schema.

My plan is to write code that will fail if we really have a problem binding
to the schema. First I ran this code:

Function myGetClassInfo()
 ' Bind to three known objects (ADSI IADs via the ActiveDS interop) to
 ' discover their object classes and paths
 Dim oOrg, oOrgUnit, oCustomUser As IADs
 oOrg = GetObject("LDAP://test.directory.com:1714/o=mycomp")
 oOrgUnit = GetObject("LDAP://test.directory.eds.com:1714/ou=people,o=mycomp")
 oCustomUser = GetObject("LDAP://test.directory.eds.com:1714/cn=ABC123,ou=employees,ou=people,o=mycomp")
End Function

I used this code to find some classes and their paths. I came up with
three classes named "organization", "organizationalUnit" and
"OmyCompUser". I then ran this code to get the schema:

Function myGetSchemaInfo()
 ' Bind to each class in the ADSI abstract schema container; a failure here
 ' means ADSI could not build the schema entry for that class
 Dim clsOrg, clsOrgUnit, clsmyCompUser As IADsClass
 clsOrg = GetObject("LDAP://test.directory.com:1714/schema/organization")
 clsOrgUnit = GetObject("LDAP://test.directory.com:1714/schema/organizationalUnit")
 clsmyCompUser = GetObject("LDAP://test.directory.com:1714/schema/OmyCompUser")
End Function

The "organization" and "organizationalUnit" commands work. I am able
to view the mandatory and optional fields. The "OmyCompUser" command,
which is the one I need, fails with a generic "Cannot create ActiveX
component" error.

So, is this a valid way to test if you are able to access certain
schema? Should I feel confident that the error is on the LDAP side
based on this information? Since I don't know much about LDAP I'm not
sure what to tell the group to research. They claim that the schema
information is available and it must be a bug with ADSI.

One final note. Not sure if it matters but the "ldapsearch.exe" that
comes with the 500 SDK works fine when retrieving the value of a
custom attribute. To the LDAP group this is further evidence that
there is no problem with the schema. It would help if I could explain
to them why the SDK commands work and the AD code does not.


Schema security issues - how to verify a schema bind

Post by Mat » Fri, 02 May 2003 23:11:14


Thanks - I just found that same information last night. I originally
thought this to be the fault of my "other" LDAP server but I now think
it's on Microsoft's side.

In my case, I do have the registry entry but I don't have keys for
"time" or "file". I do see a "modifyTimeStamp" property in the schema
but I'm not sure if it's exposed as stated by the support article. It
basically comes down to three issues according to Microsoft:

1) Server didn't expose the correct properties
2) ADSI unable to process the schema
3) ADSI unable to write the file to the file system

I suppose 1 is possible but I don't think so since I did an ldapsearch
and found this "modifyTimeStamp" property. But, they don't say how you
can test if ADSI can see the property or not.

I think 2 is a total disgrace and a give-up. The whole basis of the
article is that ADSI can't process the schema. How does it help to
list that as a reason?

I don't think 3 is a problem or how it could be a problem. I suppose
if your ADSI code was running under an ID that couldn't write to the
file system then maybe but that isn't my case.

I think my situation falls under reason 2. Unfortunately this does me
no good in trying to figure out how to fix it. I just have a feeling
that if there were things we could do on the LDAP server to make this
work, then Microsoft would post those solutions. Since they don't post
any solutions that we could actually try, it makes me suspect there is
a problem on the ADSI side.

Anyone have any other ideas how I can prove or disprove that ADSI can
bind to the schema?


> I wonder if this article would help you at all.

> http://support.microsoft.com/default.aspx?scid=http://support.microso...

> I'm having the same issue with a Novell LDAP server.  No luck in solving it
> yet. I'm trying to use a workaround posted here:
> http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=153151

> Hope this helps!
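The two questions above (does the schema bind fail, and which of Microsoft's reasons 1 and 2 applies) can be checked from one small program. This is an added example, not code from the thread: it reuses the server and class names from the first post, and `Bind`, `Flatten` and `CheckClassBind` are names chosen here. It reads the subschema entry the way ldapsearch would and then binds to each schema class through DirectoryEntry, which reports the underlying ADSI HRESULT instead of the generic "Cannot create ActiveX component" message that GetObject gives.

```vb
Imports System
Imports System.DirectoryServices
Imports System.Runtime.InteropServices
Imports ActiveDS   ' COM interop for the ADSI IADsClass interface

Module SchemaBindCheck
    ' Host/port taken from the first post; replace with your own server.
    Const Server As String = "test.directory.com:1714"

    Function Bind(ByVal rdn As String) As DirectoryEntry
        Return New DirectoryEntry("LDAP://" & Server & "/" & rdn, Nothing, Nothing, AuthenticationTypes.ServerBind)
    End Function

    ' Reason 1: does the server advertise a subschema entry, and does that entry
    ' return the modifyTimeStamp that ADSI looks for before it caches the schema?
    Sub CheckSubschema()
        Dim subschemaDn As String = CStr(Bind("RootDSE").Properties("subschemaSubentry").Value)
        Console.WriteLine("subschemaSubentry = " & subschemaDn)
        Dim subschema As DirectoryEntry = Bind(subschemaDn)
        ' Operational attributes come back only when requested by name.
        subschema.RefreshCache(New String() {"modifyTimeStamp"})
        Console.WriteLine("modifyTimeStamp = " & CStr(subschema.Properties("modifyTimeStamp").Value))
    End Sub

    ' IADsClass returns a VARIANT: a single string or an array of strings.
    Function Flatten(ByVal v As Object) As String
        If v Is Nothing Then Return "(none)"
        If TypeOf v Is Object() Then Return Join(CType(v, Object()), ", ")
        Return CStr(v)
    End Function

    ' Reason 2: bind to LDAP://server/schema/<class> as the GetObject calls do, but via
    ' DirectoryEntry so the real HRESULT surfaces instead of VB's generic ActiveX message.
    Function CheckClassBind(ByVal className As String) As Boolean
        Try
            Dim cls As IADsClass = CType(Bind("schema/" & className).NativeObject, IADsClass)
            Console.WriteLine(className & ": mandatory = " & Flatten(cls.MandatoryProperties))
            Console.WriteLine(className & ": optional = " & Flatten(cls.OptionalProperties))
            Return True
        Catch ex As COMException
            ' ErrorCode is the ADSI HRESULT (0x80072030 = no such object on the server);
            ' that number, not the VB message, is what to hand to the LDAP group.
            Console.WriteLine(className & ": bind failed, HRESULT 0x" & ex.ErrorCode.ToString("X8") & " " & ex.Message)
            Return False
        End Try
    End Function

    Sub Main()
        CheckSubschema()
        For Each name As String In New String() {"organization", "organizationalUnit", "OmyCompUser"}
            CheckClassBind(name)
        Next
    End Sub
End Module
```

If CheckSubschema prints an empty modifyTimeStamp, the server is not exposing what ADSI needs (reason 1); if it prints a value and CheckClassBind still fails for the custom class, the HRESULT it prints is the evidence for reason 2.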



Schema security issues - how to verify a schema bind

Post by amerrel » Sat, 03 May 2003 00:07:41


I finally got mine working. I used the work around that was posted on the
second link I listed in my first reply.  I'm currently cleaning up my code
and after I do I'll post it to see if it helps you.  I did have to make a
setting change on the LDAP server.  I found a flag in eDirectory called
"nonStdClientSchemaCompatMode" that allowed my ASP.NET page to cache the schema.
From what I read that flag makes the schema compatible with LDAP v2 or
something like that.  Here is the link where I found that information:
http://developer.novell.com/support/sample/tids/ildap01/ildap01.htm

I'll post my code as soon as I clean it up.


> Thanks - I just found that same information last night. I originally
> thought this to be the fault of my "other" LDAP server but I now think
> it's on Microsoft's side.

> In my case, I do have the registry entry but I don't have keys for
> "time" or "file". I do see a "modifyTimeStamp" property in the schema
> but I'm not sure if it's exposed as stated by the support article. It
> basically comes down to three issues according to Microsoft:

> 1) Server didn't expose the correct properties
> 2) ADSI unable to process the schema
> 3) ADSI unable to write the file to the file system

> I suppose 1 is possible but I don't think so since I did an ldapsearch
> and found this "modifyTimeStamp" property. But, they don't say how you
> can test if ADSI can see the property or not.

> I think 2 is a total disgrace and a give-up. The whole basis of the
> article is that ADSI can't process the schema. How does it help to
> list that as a reason?

> I don't think 3 is a problem or how it could be a problem. I suppose
> if your ADSI code was running under an ID that couldn't write to the
> file system then maybe but that isn't my case.

> I think my situation falls under reason 2. Unfortunately this does me
> no good in trying to figure out how to fix it. I just have a feeling
> that if there were things we could do on the LDAP server to make this
> work, then Microsoft would post those solutions. Since they don't post
> any solutions that we could actually try, it makes me suspect there is
> a problem on the ADSI side.

> Anyone have any other ideas how I can prove or disprove that ADSI can
> bind to the schema?




> > I wonder if this article would help you at all.

> > http://support.microsoft.com/default.aspx?scid=http://support.microso...

> > I'm having the same issue with a Novell LDAP server.  No luck in solving it
> > yet. I'm trying to use a workaround posted here:
> > http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=153151

> > Hope this helps!


Schema security issues - how to verify a schema bind

Post by amerrel » Sat, 03 May 2003 01:04:45


Here is my working code:

' Creates an instance of DirectoryEntry.
Dim entry As DirectoryEntry = New DirectoryEntry()
With entry
    .Path = "LDAP://<IPaddress or server name>/o=xxxxxxxx"
    .Username = "cn=xxxxxxx,ou=xxxx,o=xxxxxxx" ' Admin user used for binding
    .Password = "xxxxxxx"
    .AuthenticationType = AuthenticationTypes.ServerBind
End With
' Creates an instance of DirectorySearcher.
Dim search As DirectorySearcher = New DirectorySearcher(entry)
With search
    .Filter = "cn=xxxxxxx"
    .SearchScope = SearchScope.Subtree
    .PropertiesToLoad.Add("adspath")
    .PropertiesToLoad.Add("customProperty")
End With
Try
    ' Create an instance of SearchResult
    Dim result As SearchResult = search.FindOne()
    ' Call ADSIHelper to return the custom property (declared Object() so it can be indexed)
    Dim myArray As Object() = ADSIHelper.GetProperty(result.GetDirectoryEntry(), _
        "customProperty", ADSTYPEENUM.ADSTYPE_DN_STRING)
    Response.Write("String for coluid = " & CStr(myArray(0)) & "<br>")
    Response.Write("String for adspath = " & CStr(result.Properties("adspath")(0)) & "<br>")
Catch ex As Exception
    Throw New Exception("Error finding user. " & ex.Message, ex)
End Try

ADSIHelper Code:

Imports System.DirectoryServices
Imports ActiveDS

Public Class ADSIHelper
    ' Reads a property through the raw IADsPropertyList interface, passing the
    ' ADSI type explicitly instead of letting DirectoryEntry infer it from the schema.
    Public Shared Function GetProperty(ByVal entry As DirectoryEntry, _
            ByVal propertyName As String, ByVal adsType As ADSTYPEENUM) As Object()
        ' Make sure to get this value from the LDAP directory
        entry.RefreshCache(New String() {propertyName})

        ' QI for the IADsPropertyList interface from the underlying IADs
        Dim propList As IADsPropertyList = CType(entry.NativeObject, IADsPropertyList)

        ' Get this property's IADsPropertyEntry
        Dim propEntry As IADsPropertyEntry = _
            CType(propList.GetPropertyItem(propertyName, CInt(adsType)), IADsPropertyEntry)

        ' Use this ArrayList to build the array of return values
        Dim values As New System.Collections.ArrayList()

        ' Loop through each value in the collection
        Dim propValue As IADsPropertyValue
        For Each propValue In CType(propEntry.Values, Object())
            Select Case adsType
                Case ADSTYPEENUM.ADSTYPE_CASE_IGNORE_STRING
                    values.Add(propValue.CaseIgnoreString)
                Case ADSTYPEENUM.ADSTYPE_CASE_EXACT_STRING
                    values.Add(propValue.CaseExactString)
                Case ADSTYPEENUM.ADSTYPE_DN_STRING
                    values.Add(propValue.DNString)
                Case ADSTYPEENUM.ADSTYPE_INTEGER
                    values.Add(propValue.Integer)
                Case ADSTYPEENUM.ADSTYPE_BOOLEAN
                    values.Add(propValue.Boolean)
                Case ADSTYPEENUM.ADSTYPE_LARGE_INTEGER
                    values.Add(propValue.LargeInteger)
                Case ADSTYPEENUM.ADSTYPE_OCTET_STRING
                    values.Add(propValue.OctetString)
                Case Else
                    Throw New System.NotImplementedException("Handling of this ADSTYPE is not implemented")
            End Select
        Next propValue
        Return values.ToArray()
    End Function 'GetProperty
End Class

Hope this helps!


1. How Add Schema Attribute to Schema Class?

What is the problem with the following code? It was not able to add a schema
attribute ....
////////////////////////////////////////////////////////////////////////////

#include <activeds.h>   // ADsGetObject, IADsClass (link with activeds.lib)
#include <comdef.h>     // _variant_t

// assumes CoInitialize() has already been called on this thread
IADsClass *padsClass = NULL;
HRESULT hr = ADsGetObject(L"LDAP://schema/user",
                  IID_IADsClass,
                  (void**)&padsClass);
if (FAILED(hr))
    return hr;   // bind failed; padsClass is not usable

hr = padsClass->put_OptionalProperties(_variant_t(
L"ncstRankGroupPath1" ) );
////////////////////////////////////////////////////////////////////////////
Of course, "ncstRankGroupPath1" is a new schema attribute created beforehand.

please help me.....
