dnagel #1
AD and adding group members via CFLDAP
I posted this over in Advanced techniques with only one brave, yet
unfortunately uninformed taker...
Anyone here have a clue as to why I'd get the error described in the
text below???
[Only Response...]
Thank you for your response... I probably should explain better what
this code does...
It queries a data source (DB2 database) for a list of about 2000 names
(specifically their Employee number).
Then it queries the MS Active directory for a list of anyone who has an
attribute of employeeNumber that
is not an empty string.
Next, it uses a QofQ to join the two record sets together, tossing out
any records that do not match from
both of the data sources.
Then I loop over that list of employees adding them into a group.
This operation does nothing to modify a user's password.
Thanks,
D.
Ian Skinner wrote:
> This came off of another CF related list. Not sure if it applies to
> your situation or not.
>
> * You cannot change passwords unless you have a SSL cert setup for the
> CF server and the AD domain controller.
>
> I have no first-hand experience with this, so all I can offer is to
> pass along the above comment.
>
> dnagel wrote:
>> So, this is the advanced techniques group... and no one feels the
>> least bit challenged?
>> There's got to be someone who enjoys delving into LDAP out there...
>>
>> D.
I'm having a bit of trouble getting the CFLDAP Modify query to execute
after I tied it into the CFLOOPed query... When I ran it with my own user's DN it
worked great... it does not work with any other DN. My account has Domain
Admins on this sandboxed server and is capable of making the change by hand
using the AD tools inside of MMC... Any suggestions? Thanks,
D.
<cfset servername = "AD.TESTSITE.com">
<cfset username = "DNagel@TESTSITE.com">
<cfset password = "PASSWORD">
<cfset domain = "TESTSITE">
<cfset OU = "ou=Granite">
<cfoutput>
<CFSet GroupName="TestDistribution">
<CFSet GroupDN = "cn=#GroupName#,cn=Users,dc=#domain#,dc=com">
<CFQuery name="Users" datasource="GCI_Workforce">
Select cast (WBAN8 as varchar(10)) as WBAN8, wbemal from
WTWDSECPJ1 where WBEXEMPT ='Y'
</CFQuery>
<cfldap
action="query"
server = "#servername#"
username = "#username#"
password = "#password#"
start = "#OU#,dc=#domain#,dc=com"
attributes = "dn,employeeNumber"
filter = "employeeNumber=*"
name = "adDNLookup"
scope = "subtree">
<CFQuery Name="JoinUsers" DBType="Query">
Select
adDNLookup.DN, adDNLookup.employeeNumber
from
adDNLookup,
Users
Where
adDNLookup.employeeNumber = Users.wban8
</CFQuery>
<CFLoop Query="JoinUsers">
<CFTry>
<!---<CFSet UserDN = "member=cn=Dennis
Nagel,CN=Users,DC=TESTSITE,DC=com">--->
<CFSet UserDN = "member=#DN#">
<CFSet UserName="#employeeNumber#">
#UserName# #UserDN#<br>
<cfldap
action="modify"
server = "#servername#"
username = "#username#"
password = "#password#"
modifytype="add"
attributes = "#UserDN#"
dn="#GroupDN#"
separator=";">
<cfoutput>#UserName# has been added to the group
(#GroupName#).</cfoutput>
<cfcatch type="any">
<cfif FindNoCase( "ENTRY_EXISTS", cfcatch.message )>
<cfoutput>
#UserName# is already assigned to the group
(#GroupName#).
</cfoutput>
<cfelse>
<cfoutput>
Unknown error : #cfcatch.detail#")
</cfoutput>
<cfabort>
</cfif>
</cfcatch>
</CFTry>
</CFLoop>
</cfoutput>
Here's the trace info...
110028 member=CN=Mary Chalfa, OU=PSP_Indio, OU=PSP, OU=GC_Branches,
ou=Granite, dc=TESTSITE, dc=com
Unknown error : One or more of the required attributes may be
missing/incorrect or you do not have permissions to execute this
operation on the server")
--------------------------------------------------------------------------------
Debugging Information ColdFusion Server Enterprise 6,1,0,63958
Template /JDE-AD-Sync/JDE-AD-Groups.cfm
Time Stamp 22-Jun-06 12:02 PM
Locale English (US)
User Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET
CLR 1.1.4322; .NET CLR 1.0.3705)
Remote IP 127.0.0.1
Host Name 127.0.0.1
--------------------------------------------------------------------------------
Execution Time
Total Time Avg Time Count Template
687 ms 687 ms 1 C:\Inetpub\wwwroot\JDE-AD-Sync\JDE-AD-Groups.cfm
0 ms 0 ms 1 C:\Inetpub\wwwroot\JDE-AD-Sync\Application.cfm
0 ms STARTUP, PARSING, COMPILING, LOADING, & SHUTDOWN
687 ms TOTAL EXECUTION TIME
red = over 250 ms average execution time
--------------------------------------------------------------------------------
Exceptions
12:02:45.045 - Application Exception - in
C:\Inetpub\wwwroot\JDE-AD-Sync\JDE-AD-Groups.cfm : line 67
An error has occured while trying to execute modify :[LDAP:
error code 49 - 80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 525, vece].
--------------------------------------------------------------------------------
SQL Queries
Users (Datasource=GCI_Workforce, Time=47ms, Records=2203) in
C:\Inetpub\wwwroot\JDE-AD-Sync\JDE-AD-Groups.cfm @ 12:02:44.044
Select cast (WBAN8 as varchar(10)) as WBAN8, wbemal from
WTWDSECPJ1 where WBEXEMPT ='Y'
JoinUsers (Datasource=, Time=16ms, Records=996) in
C:\Inetpub\wwwroot\JDE-AD-Sync\JDE-AD-Groups.cfm @ 12:02:45.045
Select
adDNLookup.DN, adDNLookup.employeeNumber
from
adDNLookup,
Users
Where
adDNLookup.employeeNumber = Users.wban8
--------------------------------------------------------------------------------
Scope Variables
Application Variables:
applicationname=JDE-AD-Sync
ds=GCI_WFD
Cookie Variables:
JSESSIONID=36301107041151000811062
Server Variables:
COLDFUSION=Struct (8)
OS=Struct (5)
Session Variables:
cfid=831
cftoken=54562187
sessionid=JDE-AD-SYNC_831_54562187
urltoken=CFID=831&CFTOKEN=54562187
Debug Rendering Time: 63 ms
dnagel Guest
dnagel #2
Re: AD and adding group members via CFLDAP
ok, I found it... re-use of the variable username... :-)
Damn ambiguous error messages.
Thanks to Ian for taking a look.
D.
dnagel Guest
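Added example, not part of the original posts: a small Python decoder for the LDAP error string in the trace above. It separates the LDAP result code (49 is a rejected bind, 50 is a permissions failure) from the Active Directory "data" sub-code, where 525 means the bind user was not found. The function and table names are hypothetical; the sub-code table covers only the common values.

```python
import re

# LDAP result codes (RFC 4511) relevant to a failed cfldap modify.
LDAP_RESULT = {
    32: "noSuchObject: target DN does not exist",
    49: "invalidCredentials: the bind itself was rejected",
    50: "insufficientAccessRights: bind succeeded, operation denied",
    68: "entryAlreadyExists: value is already present",
}

# Active Directory "data" sub-codes reported with result code 49.
# They are Win32 error numbers printed in hex.
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_ERR = re.compile(
    r"error code (?P<code>\d+)"
    r"(?:.*?AcceptSecurityContext\s+error,\s+data\s+(?P<data>[0-9a-fA-F]+))?",
    re.DOTALL,
)

def explain_ldap_error(message):
    """Return a dict describing an LDAP error string, or None if none found."""
    m = _ERR.search(message)
    if m is None:
        return None
    code = int(m.group("code"))
    data = m.group("data").lower() if m.group("data") else None
    info = {
        "code": code,
        "meaning": LDAP_RESULT.get(code, "result code not in this table"),
        "data": data,
        "bind_failure": code == 49,  # authentication, not authorization
    }
    if code == 49 and data:
        info["detail"] = AD_BIND_DATA.get(data, "sub-code not in this table")
    return info

# Error text as it appears in the trace in this thread.
TRACE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: "
         "AcceptSecurityContext error, data 525, vece]")
```

Calling `explain_ldap_error(TRACE)` reports a bind failure with detail "user not found", which points at the bind name passed to cfldap rather than at permissions on the group.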


