2019-09-26 13:23:37,271  [main] INFO (org.apache.directory.api.ldap.model.schema.registries.Registries): ERR_13748_MATCHING_RULE_NO_SYNTAX The MatchingRule 220.127.116.11 does not have a syntax. This is invalid
Active Directory Tips & Tricks
- Frequently Asked Questions
- GUI Tools
- See Also
Frequently Asked Questions
What are the ERR_13748_MATCHING_RULE_NO_SYNTAX errors that are flooding my log files?
You may see errors in your logfiles that look like this:
The short story is that those may be safely ignored.
The long story is, that Active Directory is quite a strange server. It is mostly LDAP-inspired, but it looks like strict LDAP compliance was not a high priority for Active Directory authors. The fact is that there are many places in Active Directory LDAP schema that are not strictly compliant with LDAP standards and common practices. Those errors are reporting the issues in Active Directory schema. But midPoint Active Directory connector was built in such a way that it can live with those issues. Therefore midPoint and AD connector can be used even if those issues are reported to the log.
The issues are reported because that is how Apache Directory API is implemented. The Apache Directory API assumes that it talks to an LDAP-compliant server. But it talks to Active Directory. Therefore it reports the LDAP compliance issues. Currently there is no simple way how to silence those error reports except for setting the log levels. This can be hopefully improved in future versions of Apache Directory API.
|Please see SSH Connector for a method to execute PowerShell scripts on Windows servers.|
Import-Module ActiveDirectory cd AD:
Looking around the domain
cd "DC=win,DC=evolveum,DC=com" cd "CN=Users" Get-ADUser idmadmin Get-ADUser -Filter * Get-ADUser -Filter 'Name -like "*adm*"' Get-ADObject -LDAPFilter "(cn=*adm*)" -SearchBase "CN=Users,DC=win,DC=evolveum,DC=com" -SearchScope Subtree
RootDSE and Schema
$schema =[DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema() $schema.FindClass("user") $schema.FindClass("user").mandatoryproperties | ogv $schema.FindClass("user").optionalproperties | ogv
Show account attributes
Turn on advanced features in "Users and Computers":
Active Directory Users and Computers → View → Advanced Features (check)
Edit user properties. There will be "Attribute Editor" tab that shows the LDAP-like view of the user.
Grant access rights to idmadmin user
Active Directory Users and Computers → expand the domain → right click on "Users" → Delegate Control
Users and groups (principal): idmadmin
Delegate the following common tasks:
Create, delete and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Create, delete and manage groups
Modify the membership of a group
Create, delete and manage inetOrgPerson accounts (TODO: is this needed?)
Reset inetOrgPerson accounts and force password change at next logon (TODO: is this needed?)
Read all inetOrgPerson information
Password policy is defined in group policy. Open "Group Policy Management" tool. navigate to Forest → Domains → <domain> → Group Policy Objects → Default Domain Policy. Choose "Settings" tab. See Computer configuration → Policies → Windows Settings → Security Settings → Account Policies/Password Policy
Getting LDAP Schema
Search the following DN:
For example, use the ldapsearch comman-line tool:
ldapsearch -x -h chimera -p 389 -D "CN=Administrator,CN=Users,DC=example,DC=com" -w 'secret' -b 'CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=com' -s sub "(objectclass=*)" \* objectclasses attributetypes matchingrules syntaxes
Either install Active Directory Certificate Services (AD CS) using Server Manager ("Add role") or install server certificate manually: https://www.petri.com/enable-secure-ldap-windows-server-2008-2012-dc
If you install AD CS but, for some reason, the server certificate for DC was not created, you can create it manually.
(I was roughly following https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/ - "Domain Controller - Initial Enrollment" chapter.)
Open "certlm.msc" or "mmc.exe" with "Certificates" snap-in for Window s2008 R2 DC. The following is based on "mmc.exe" for Windows 2008 R2.
Right-Click the Personal store and select All Tasks - Request New Certificate. Click Next twice until the screen with available templates appears.
Select the check box next to Domain Controller, expand the Details and click Properties
Click Subject tab and select Alternative name to be of type DNS. Enter your server DNS to Value input box.
Click the Enroll button.
To export the AD CA certificate:
find Manage computer certificates window
in Personal - Certificates
in Server Manager select: Roles - AD Certificate Services - Enterprise PKI - (your authority certifikate)
in the right window pane click Properties on your CA Certificate, then click Details and Copy to file…
select DER encoded binary X.509 (.CER) format and save the file.
To import the AD CA certificate to midPoint keystore:
copy the CA certificate file (e.g. cacert.cer) to midPoint server
run the following command: keytool -import -alias ad-ca -keystore $midpoint.home/keystore.jceks -storetype jceks -file cacert.cer
If not working, please check if you already set up Djavax.net.ssl.trustStore to midPoint keystore.