Managing Passwords for ADAM Users

Managing passwords in ADAM is similar to managing passwords in Active Directory. However, there are a few important differences to be aware of. The primary difference is that the Kerberos password change protocol and the Net* APIs are not available for ADAM. This is because ADAM does not function as a Kerberos ticket granting service, nor does it expose the security account manager RPC interfaces that Active Directory does.

Because of this, the only technique available for modifying passwords on ADAM users is LDAP. None of the other techniques that the ADSI IADsUser.SetPassword and ChangePassword methods implement applies.

The other key difference is that ADAM allows us to relax the requirement on having a 128-bit secure channel for password modifications. This is helpful, because SSL is the only binding option available for ADAM users that allows encryption, and once again, SSL is not always an attractive option for administrators. SSL is notoriously more difficult to configure on ADAM than it is on Active Directory because of the extra complexity of associating the certificate with the correct service account.

To disable the requirement for a secure channel to be used for password modification operations, the thirteenth bit of the dsHeuristics attribute must be changed. The ADAM documentation contains more details on this. We mention this only because ADAM is often used for prototyping due to its portability and ease of deployment. For testing and development purposes, we often disable this requirement ourselves instead of wading through all the SSL muck. However, in production applications, we would never recommend to relax the security requirements around password management.

Programming Differences When Setting ADAM Passwords

When we relax the secure channel password requirements with ADAM, we need a way to specify that we will be sending plaintext passwords on the normal LDAP port instead of ciphertext on the SSL port. We use the IADsObjectOptions interface for this, using the ADS_OPTION_PASSWORD_PORT_NUMBER and ADS_OPTION_PASSWORD_METHOD flags in conjunction with the SetOption method. We have two ways to do this. In .NET 2.0, a new wrapper class, DirectoryEntryConfiguration, has strongly typed methods for setting these options. Listing 10.17 shows how we can accomplish this.

Listing 10.17. Using DirectoryEntryConfiguration for ADAM

//.NET 2.0 sample for ADAM password changes
DirectoryEntry entry = new DirectoryEntry(
 "LDAP://adamserver.com/CN=someuser,OU=users,O=adamsample",
 "someuser@adam",
 "UserPassword1",
 AuthenticationTypes.None
 );

entry.Options.PasswordPort = 389;
entry.Options.PasswordEncoding =
 PasswordEncodingMethod.PasswordEncodingClear;

entry.Invoke(
 "ChangePassword",
 new object[] {"UserPassword1", "UserPassword2"}
 );

In .NET 1.x, we do not have the handy wrapper class for IADsObjectOptions, so instead we will use the Invoke method via reflection to accomplish the same thing. Listing 10.18 demonstrates the necessary operations.

Listing 10.18. Setting IADsObjectOptions via Reflection

//.NET 1.x sample
const int ADS_OPTION_PASSWORD_PORTNUMBER = 6;
const int ADS_OPTION_PASSWORD_METHOD = 7;
const int ADS_PASSWORD_ENCODE_CLEAR = 1;

DirectoryEntry entry = new DirectoryEntry(
 "LDAP://adamserver.com/CN=someuser,OU=users,O=adamsample",
 "someuser@adam",
 "UserPassword1",
 AuthenticationTypes.None
 );
entry.Invoke(
 "SetOption",
 new object[] {ADS_OPTION_PASSWORD_PORTNUMBER, 389}
 );
entry.Invoke(
 "SetOption",
 new object[] {
 ADS_OPTION_PASSWORD_METHOD,
 ADS_PASSWORD_ENCODE_CLEAR
 }
 );
entry.Invoke(
 "ChangePassword",
 new object[] {"UserPassword1", "UserPassword2"}
 );

Even if we do not relax the secure channel password requirement for ADAM, it may still be necessary to change the password port number if our ADAM instance uses a different port for SSL traffic than the standard 636. Consequently, both of the techniques shown in Listings 10.17 and 10.18 still apply, though we will want to use the SSL password encoding option instead.

Additionally, it is possible to apply the LDAP password modification sample using SDS.P from the previous section on Active Directory password modification. There are two caveats.

• We may need to change the encryption method and port number as appropriate.
• When we are modifying passwords of ADAM users with an ADAM account, it will not be possible to use Kerberos channel encryption, as ADAM users cannot do Kerberos-based secure binds. That approach is not appropriate here. It is still possible to use this approach when using pass-through binding as a Windows user with a secure bind.

Sadly, all of this seems more complicated than it really needs to be, and it probably is. We hope that we have at least explained the topic thoroughly and have given you the tools you need to get the work done.