Active Directory Tips & Tricks

Last modified 01 Feb 2022 19:38 +01:00

Frequently Asked Questions

What are the ERR_13748_MATCHING_RULE_NO_SYNTAX errors that are flooding my log files?

You may see errors in your logfiles that look like this:

2019-09-26 13:23:37,271 [] [main] INFO (org.apache.directory.api.ldap.model.schema.registries.Registries): ERR_13748_MATCHING_RULE_NO_SYNTAX The MatchingRule 2.5.13.21 does not have a syntax. This is invalid

The short story is that those may be safely ignored.

The long story is that Active Directory is quite a strange server. It is mostly LDAP-inspired, but strict LDAP compliance does not appear to have been a high priority for its authors. There are many places in the Active Directory LDAP schema that are not strictly compliant with LDAP standards and common practice, and those errors report exactly such issues in the Active Directory schema. The midPoint Active Directory connector, however, was built to live with those issues, so midPoint and the AD connector can be used even while they are being reported to the log.

The issues are reported because that is how the Apache Directory API is implemented: it assumes that it talks to an LDAP-compliant server, but here it talks to Active Directory, so it reports every LDAP compliance issue it finds. Currently there is no simple way to silence those error reports other than lowering the log level of the reporting logger (org.apache.directory.api.ldap.model.schema.registries.Registries in the sample above). Hopefully this will be improved in future versions of the Apache Directory API.

PowerShell

Please see SSH Connector for a method to execute PowerShell scripts on Windows servers.

Initialization

Import-Module ActiveDirectory
cd AD:

Looking around the domain

cd "DC=win,DC=evolveum,DC=com"
cd "CN=Users"
Get-ADUser idmadmin
Get-ADUser -Filter *
Get-ADUser -Filter 'Name -like "*adm*"'
Get-ADObject -LDAPFilter "(cn=*adm*)" -SearchBase "CN=Users,DC=win,DC=evolveum,DC=com" -SearchScope Subtree

RootDSE and Schema

Get-ADRootDSE
# Load the schema of the current forest and inspect the "user" class;
# "ogv" is the alias of Out-GridView
$schema = [DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
$schema.FindClass("user")
$schema.FindClass("user").mandatoryproperties | ogv
$schema.FindClass("user").optionalproperties | ogv

GUI Tools

Show account attributes

Turn on advanced features in "Users and Computers":

Active Directory Users and Computers → View → Advanced Features (check)

Edit user properties. There will be "Attribute Editor" tab that shows the LDAP-like view of the user.

Grant access rights to idmadmin user

Active Directory Users and Computers → expand the domain → right click on "Users" → Delegate Control

Users and groups (principal): idmadmin

Delegate the following common tasks:

  • Create, delete and manage user accounts

  • Reset user passwords and force password change at next logon

  • Read all user information

  • Create, delete and manage groups

  • Modify the membership of a group

  • Create, delete and manage inetOrgPerson accounts (TODO: is this needed?)

  • Reset inetOrgPerson accounts and force password change at next logon (TODO: is this needed?)

  • Read all inetOrgPerson information

Password policy

Password policy is defined in group policy. Open the "Group Policy Management" tool, navigate to Forest → Domains → <domain> → Group Policy Objects → Default Domain Policy and choose the "Settings" tab. See Computer configuration → Policies → Windows Settings → Security Settings → Account Policies/Password Policy
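The two preceding sections set up idmadmin's delegated rights in the GUI and point at the password policy. The following PowerShell script is an added example (not part of this page or of midPoint) that verifies the result from the AD: drive: it lists every ACE on the Users container that names idmadmin, resolves the object-type GUIDs to attribute, class and extended-right names, flags anything broader than the delegated tasks, and prints the default domain password policy that midPoint-generated passwords will have to satisfy. It assumes the domain win.evolveum.com and the account name idmadmin from this page, and a domain-joined host with the RSAT ActiveDirectory module.

```powershell
# Added example, not from the midPoint documentation. Audits what the
# "Delegate Control" wizard actually granted to idmadmin on the Users
# container and prints the domain password policy midPoint must honour.
# Assumed values: domain win.evolveum.com (from this page), account idmadmin.
Import-Module ActiveDirectory

$Container = "CN=Users,DC=win,DC=evolveum,DC=com"
$Principal = "idmadmin"

$rootDse = Get-ADRootDSE
$account = "$((Get-ADDomain).NetBIOSName)\$Principal"   # e.g. WIN\idmadmin

# Build a GUID -> name lookup so ObjectType/InheritedObjectType GUIDs in the
# ACL become readable: schema objects give attribute and class names, the
# Extended-Rights container gives control-access rights such as "Reset Password".
$guidNames = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter "(rightsGuid=*)" -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-Guid([guid]$g) {
    if ($g -eq [guid]::Empty) { return "(all)" }
    if ($guidNames.ContainsKey($g)) { return $guidNames[$g] }
    return $g.ToString()
}

# Every ACE on the container that names idmadmin, with GUIDs resolved.
$acl = Get-Acl -Path "AD:$Container"
$mine = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $account }
$mine |
    Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType,
        @{ n = "AppliesTo";  e = { Resolve-Guid $_.InheritedObjectType } },
        @{ n = "RightOrAttr"; e = { Resolve-Guid $_.ObjectType } } |
    Format-Table -AutoSize

# The delegated tasks never need these; their presence means the account has
# more than the connector requires and should be investigated.
$mine |
    Where-Object { $_.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner" } |
    ForEach-Object { Write-Warning "Broad right for ${account}: $($_.ActiveDirectoryRights)" }

# Password policy from the Default Domain Policy (the GUI path described above).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
        MinPasswordAge, MaxPasswordAge, LockoutThreshold
```

If fine-grained password policies (PSOs) are in use, the effective policy for the account can differ from the domain default; Get-ADUserResultantPasswordPolicy -Identity idmadmin shows the one that actually applies. The GUID lookup deliberately comes from the live schema and Extended-Rights container rather than from hard-coded values, so it also resolves rights added by schema extensions.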

LDAP

Getting LDAP Schema

Search the following DN:

CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=com

For example, use the ldapsearch command-line tool:

ldapsearch -x -h chimera -p 389 -D "CN=Administrator,CN=Users,DC=example,DC=com" -w 'secret' -b 'CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=com' -s sub "(objectclass=*)" * objectclasses attributetypes matchingrules syntaxes

Enabling LDAPS

Either install Active Directory Certificate Services (AD CS) using Server Manager ("Add role") or install a server certificate manually: https://www.petri.com/enable-secure-ldap-windows-server-2008-2012-dc

If you install AD CS but, for some reason, the server certificate for the DC was not created, you can create it manually.

(I was roughly following https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/ - "Domain Controller - Initial Enrollment" chapter.)

  1. Open "certlm.msc" or "mmc.exe" with the "Certificates" snap-in for a Windows 2008 R2 DC. The following is based on "mmc.exe" for Windows 2008 R2.

  2. Right-Click the Personal store and select All Tasks - Request New Certificate. Click Next twice until the screen with available templates appears.

  3. Select the check box next to Domain Controller, expand the Details and click Properties.

  4. Click the Subject tab and select Alternative name of type DNS. Enter the DNS name of your server in the Value input box.

  5. Click OK.

  6. Click the Enroll button.

To export the AD CA certificate:

  1. Find the "Manage computer certificates" window

  2. In Personal - Certificates

  3. In Server Manager select: Roles - AD Certificate Services - Enterprise PKI - (your authority certificate)

  4. In the right window pane click Properties on your CA Certificate, then click Details and Copy to File...

  5. Select the DER encoded binary X.509 (.CER) format and save the file.

To import the AD CA certificate to midPoint keystore:

  1. Stop midPoint

  2. Back up $midpoint.home/keystore.jceks

  3. Copy the CA certificate file (e.g. cacert.cer) to the midPoint server

  4. Run the following command: keytool -import -alias ad-ca -keystore $midpoint.home/keystore.jceks -storetype jceks -file cacert.cer

  5. Start midPoint

If it still does not work, check that the javax.net.ssl.trustStore system property points to the midPoint keystore.
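The enrollment and export steps above are GUI procedures, and the most common reasons LDAPS still fails afterwards are a certificate without the DC's DNS name, a listener that has not picked the certificate up yet, or a CA certificate exported in the wrong format. The following PowerShell script is an added example (not part of this page or of midPoint) that checks those three things on the domain controller and exports the issuing CA certificate as DER, which is what the keytool import above expects. It assumes an output path of C:\temp\cacert.cer, the PKI module (Windows 2012 and later) for Export-Certificate, and Test-NetConnection (Windows 2012 R2 and later); on Windows 2008 R2 the port check has to be done another way.

```powershell
# Added example, not from the midPoint documentation. Run on the domain
# controller after enrollment: finds the certificate LDAPS can use, checks it
# names the DC's FQDN as a DNS alternative name, confirms port 636 answers,
# and exports the issuing CA certificate in DER (.CER) format.
# Assumptions: output path C:\temp\cacert.cer; PKI module (Windows 2012+).
$dcFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$outFile = "C:\temp\cacert.cer"

# Candidates: Personal store of the computer, with a private key, a
# Server Authentication EKU (1.3.6.1.5.5.7.3.1) and still valid.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq "1.3.6.1.5.5.7.3.1" })
}
if (-not $candidates) {
    throw "No Server Authentication certificate in LocalMachine\My; enrollment did not succeed."
}

# The DC selects the certificate itself, but it must carry the name clients
# connect to. DnsNameList covers both the subject CN and the DNS SANs.
$dcCert = $candidates |
    Where-Object { $_.DnsNameList.Unicode -contains $dcFqdn } |
    Select-Object -First 1
if (-not $dcCert) {
    $candidates | ForEach-Object {
        Write-Warning "$($_.Thumbprint) names: $($_.DnsNameList.Unicode -join ', ')"
    }
    throw "No certificate names $dcFqdn; re-enroll with the DNS alternative name (step 4 above)."
}
"Using {0} (expires {1:d})" -f $dcCert.Subject, $dcCert.NotAfter

# Is the LDAPS listener up? A restart of the DC is sometimes needed before the
# first certificate is picked up.
$probe = Test-NetConnection -ComputerName $dcFqdn -Port 636 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) { Write-Warning "Port 636 is not answering on $dcFqdn" }

# Locate the issuing CA in the Trusted Root store (an enterprise CA publishes
# itself there on domain members) and export it DER-encoded for keytool.
$caCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $dcCert.Issuer } |
    Select-Object -First 1
if (-not $caCert) {
    throw "Issuer '$($dcCert.Issuer)' not found in Trusted Root; check Cert:\LocalMachine\CA for an intermediate CA."
}
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
Export-Certificate -Cert $caCert -FilePath $outFile -Type CERT | Out-Null
"Exported CA '$($caCert.Subject)' to $outFile; copy it to the midPoint server for the keytool import."
```

If the DC certificate was issued by a subordinate CA, import the whole chain (root and intermediate) into the midPoint keystore, each under its own alias; the script only exports the direct issuer it finds in the root store and stops with an error when that issuer is an intermediate.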
