How to Change Password through NetScaler in a Multi-Domain Active Directory Forest Using LDAP Referral

book

Article ID: CTX200506

calendar_today

Updated On:

Description

This article provides information on how to change the password through NetScaler in a multi-domain Active Directory forest using LDAP referral.

Introduction

Enterprise customers implementing user password change in a multi-domain forest needs to implement LDAP referral. In a multi-domain environment; one ldapaction is good enough to traverse the whole subdomain tree for user search and password change.
In the following example, suppose user hruser1 present in subdomain HR.AAATM.COM or salesuser1 present in subdomain SR.HR.AAATM.COM requires a password change on the next logon; it can be achieved by LDAP referral sent by the Global Catalog Server (GCS).

User-added image

Prerequisites

NetScaler software release 10.0 or later.
Changes to LDAP schema in GCS.

LDAP schema of GCS needs to be changed for the password attribute pwdLastSet in order to allow password change of subdomain users. In the following aaad debug output, the user's account hruser1 present in subdomain hr.aaatm.com is set to require a password change on the next logon. In order to do this, the password attribute pwdLastSet needs to be propagated to the GCS, so that the GCS knows that the password for hruser1 needs to be modified. In order to achieve this, LDAP schema of GCS has to be changed to propagate PWDLastSet attribute to the GCS. Refer to Global Catalogs and the Partial Attribute Set for information on how to include the attribute (pwdLastSet) as part of partial attribute set in the ldapschema of GCS.

Also refer to the following screen shots to configure the same:

User-added image

How is LDAP Referral Generated?

When a NetScaler receives an LDAP_REFERRAL response to a credential modify request for expired password, NetScaler follows the referral to the Active Directory (AD) server and performs the update (User Password modification) on that server.

The following are the steps for the same:

Resolve the name of the AD server in the referral using A-Record.
Perform a non-blocking connect to that server.
Initiate SSL/TLS.
Bind to the new server with the binddn credentials used with the GCS.
Verify the user object on the new server.
Attempt the credential update against the new server.

NOTE: The AD server in the referral must accept the binddn credentials configured for the GCS.

Configuration on NetScaler

The following parameters should be configured on ldapaction in NetScaler for password change:

-ldapserver (GCS: IP)
-ldapport (GCS: port)
-ldapbinddn (GCS: binddn)
-ldapbindnpassword (GCS: binddnpassword)
-ldapbase (GCS: base)
Followreferrals
SecType (SSL/TLS)
PasswordChange (ENABLED)

GCS SSL Port to be Configured for Password Change (Port 3269)

> add authentication ldapAction ldapref -serverIP 10.217.28.180 -ldapBase "dc=aaatm,dc=com" -ldapBindDn "cn=Administrator,cn=Users,dc=aaatm,dc=com" -ldapBindDnPassword d83d154575d426 -encrypted -ldapLoginName sAMAccountName -followReferrals ON -secType SSL -serverPort 3269 -passwdChange ENABLED
 Done

> sh authentication ldapaction ldapref
1)      Name: ldapref
        Server IP: 10.217.28.180        Port: 3269
        Server Type: AD
        Timeout: 3 secs BindDn: cn=Administrator,cn=Users,dc=aaatm,dc=com
        Login: sAMAccountName   Base: dc=aaatm,dc=com
        Secure Type: SSL
        Password Change: ENABLED
        Authentication Enabled,         User required
        Success: 0
        Failures: 0
        Validate LDAP Server Certificate: NO
        LDAP Host Name:
        Nested Group Extraction: OFF
        LDAP Referrals: ON      Maximum Referrals: 1
 Done

Password Change Using A-Record DNS Lookup

Run the following command to change the password using A-Record DNS lookup:

> add authentication ldapAction ldapref -serverIP 10.217.28.180 -ldapBase "dc=aaatm,dc=com" -ldapBindDn "cn=Administrator,cn=Users,dc=aaatm,dc=com" -ldapBindDnPassword d83d154575d426 -encrypted -ldapLoginName sAMAccountName -followReferrals ON -referralDNSLookup A-REC-secType SSL -serverPort 3269 -passwdChange ENABLED
 Done

The parameter referralDNSLookup has the values A-REC, SRV-REC, MSSRV-REC. The default parameter is A-REC.

>sh authentication ldapaction ldapref
1)      Name: ldapref
        Server IP:10.217.28.180      Port: 3269
        Server Type: AD
        Timeout: 3 secs BindDn: cn=Administrator,cn=Users,dc=aaatm,dc=com
        Login: sAMAccountName   Base: dc=aaatm,dc=com
        Secure Type: SSL
        Password Change: ENABLED
        Authentication Enabled,         User required
        Success: 6
        Failures: 0
        Validate LDAP Server Certificate: NO
        LDAP Host Name:
        Nested Group Extraction: OFF
        LDAP Referrals: ON      Maximum Referrals: 2
        LDAP Referral DNSLookup : A-REC
 Done

The following is the aaad debug output for successful password change using A-Record:

For password change of hruser1 present in subdomain,hr.aaatm.com

root@ns# cat /tmp/aaad.debug
Tue Dec 16 02:31:27 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[132]: start_ldap_auth attempting to auth hruser1 @ 10.217.28.180
Tue Dec 16 02:31:27 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[135]: start_ldap_auth LDAP referrals are ON
Tue Dec 16 02:31:29 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:31:29 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[956]: ns_ldap_search Searching for <<(& (sAMAccountName=hruser1) (objectClass=*))>> from base <<dc=aaatm,dc=com>>
Tue Dec 16 02:31:29 2014
  /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[980]: ns_ldap_search Sent user search query.
Tue Dec 16 02:31:29 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[338]: receive_ldap_user_search_event received LDAP_OK
Tue Dec 16 02:31:29 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[391]: receive_ldap_user_search_event User DN= <<CN=hruser1,CN=Users,DC=hr,DC=aaatm,DC=com>>
Tue Dec 16 02:31:29 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[426]: receive_ldap_user_search_event expired AD password detected delaying update until user bind sends dos code 0x773
Tue Dec 16 02:31:30 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[778]: receive_ldap_user_bind_event Got user bind event.
Tue Dec 16 02:31:30 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[416]: ns_ldap_check_result LDAP action failed (error 49): Invalid credentials
Tue Dec 16 02:31:30 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[808]: receive_ldap_user_bind_event ldap_bind user failed
Tue Dec 16 02:31:30 2014
  /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[830]: receive_ldap_user_bind_event Password expired?
Tue Dec 16 02:31:30 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[833]: receive_ldap_user_bind_event rebinding
Tue Dec 16 02:31:30 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1906]: receive_ldap_rebind_event received ldap rebind event
Tue Dec 16 02:31:41 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1045]: ns_ldap_change_password change pwd on AD for attribute: UnicodePwd
Tue Dec 16 02:31:41 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1719]: ldap_finish_confirm_password sent ldap modify
Tue Dec 16 02:31:41 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1809]: receive_ldap_passwd_modify_event parsing dns name from dc.
Tue Dec 16 02:31:41 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1147]: start_ldap_referral_with_host_info Referral host: hr.aaatm.com:636
Tue Dec 16 02:31:41 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1102]: ldap_async_referral ldap A-REC lookup for hr.aaatm.com
Tue Dec 16 02:31:41 2014
 /home/build/TOT/usr.src/netscaler/aaad/name_resolver.c[39]: aaad_resolve_host_name Starting async DNS for hr.aaatm.com
Tue Dec 16 02:31:41 2014
 /home/build/TOT/usr.src/netscaler/aaad/name_resolver.c[181]: receive_async_dns_event dns_ai_nextent found something...
Tue Dec 16 02:31:41 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1970]: start_ldap_referral_auth Starting referral to  hruser1 @ 10.217.28.190
Tue Dec 16 02:31:41 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[660]: continue_ldap_init Connecting to: 10.217.28.190:636
Tue Dec 16 02:31:41 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[796]: ns_ldap_set_up_socket setting up for SSL connection to : 10.217.28.190:636
Tue Dec 16 02:31:45 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[184]: receive_ldap_bind_event receive ldap bind event
Tue Dec 16 02:31:45 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:31:45 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1045]: ns_ldap_change_password change pwd on AD for attribute: UnicodePwd
Tue Dec 16 02:31:45 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1719]: ldap_finish_confirm_password sent ldap modify
Tue Dec 16 02:31:46 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[406]: ns_ldap_check_result ldap_result found expected result LDAP_RES_MODIFY
Tue Dec 16 02:31:46 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1864]: receive_ldap_passwd_modify_event password modified success, authenticated

Password Change Using SRV-Record DNS Lookup

NOTE: The DNS lookup using SRV-REC and MSSRV-REC support is only available from Netscaler 11.x build onwards.

The password change from NetScaler should use DNS query SRV (if it is configured) with SITE configured in AD settings to determine an AD DC that is nearby and functional to initiate the password change. If referralDNSLookup is set to SRV-REC then any domain name found in ldap referral is appended to "_ldap._tcp" string to form the SRV record. For example, if referral is "hr.aaatm.com" then SRV record formed is "_ldap._tcp.hr.aaatm.com".

Run the following command to change the password using SRV-Record DNS lookup:

> add authentication ldapAction ldapref1 -serverIP 10.217.28.180 -ldapBase "dc=aaatm,dc=com" -ldapBindDn "cn=Administrator,cn=Users,dc=aaatm,dc=com" -ldapBindDnPassword d83d154575d426 -encrypted -ldapLoginName sAMAccountName -followReferrals ON -referralDNSLookup SRV-REC-secType SSL -serverPort 3269 -passwdChange ENABLED
 Done

>sh authentication ldapaction ldapref1
1)      Name: ldapref1
        Server IP:10.217.28.180      Port: 3269
        Server Type: AD
        Timeout: 3 secs BindDn: cn=Administrator,cn=Users,dc=aaatm,dc=com
        Login: sAMAccountName   Base: dc=aaatm,dc=com
        Secure Type: SSL
        Password Change: ENABLED
        Authentication Enabled,         User required
        Success: 6
        Failures: 0
        Validate LDAP Server Certificate: NO
        LDAP Host Name:
        Nested Group Extraction: OFF
        LDAP Referrals: ON      Maximum Referrals: 2
        LDAP Referral DNSLookup : MSSRV-REC

The following is the aaad debug output snippet for password change using SRV-REC lookup:

root@ns# cat /tmp/aaad.debug
Tue Dec 16 02:31:21 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[660]: continue_ldap_init Connecting to: 10.217.28.180:3269
Tue Dec 16 02:38:29 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:38:30 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[338]: receive_ldap_user_search_event received LDAP_OK
Tue Dec 16 02:38:31 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[778]: receive_ldap_user_bind_event Got user bind event.
Tue Dec 16 02:38:31 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[808]: receive_ldap_user_bind_event ldap_bind user failed
Tue Dec 16 02:38:31 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[830]: receive_ldap_user_bind_event Password expired?
Tue Dec 16 02:38:51 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1809]: receive_ldap_passwd_modify_event parsing dns name from dc.
Tue Dec 16 02:38:51 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1147]: start_ldap_referral_with_host_info Referral host: hr.aaatm.com:636
Tue Dec 16 02:38:51 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1126]: ldap_async_referral ldap SRV-REC lookup for hr.aaatm.com
Tue Dec 16 02:38:51 2014
 /home/build/TOT/usr.src/netscaler/aaad/name_resolver.c[39]: aaad_resolve_host_name Starting async DNS for _ldap._tcp.hr.aaatm.com
Tue Dec 16 02:38:51 2014
 /home/build/TOT/usr.src/netscaler/aaad/name_resolver.c[181]: receive_async_dns_event dns_ai_nextent found something...
Tue Dec 16 02:38:51 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1970]: start_ldap_referral_auth Starting referral to  hruser1 @ 10.217.28.190
Tue Dec 16 02:38:51 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[660]: continue_ldap_init Connecting to: 10.217.28.190:636
Tue Dec 16 02:38:51 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[796]: ns_ldap_set_up_socket setting up for SSL connection to : 10.217.28.190:636
Tue Dec 16 02:38:52 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:38:52 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1864]: receive_ldap_passwd_modify_event password modified success,authenticated

NOTE: How to create an SRV Record on the NetScaler

Password Change Using MSSRV-Record DNS Lookup

If referralDNSLookup is set to MSSRV-REC then the domain name found in the referral is appended to "_ldap._tcp.< msSRVRecordlocation>" to form the SRV record. For example, If msSRVRecordlocation is set to "dc._msdcs" and domain name is "hr.aaatm.com" then the SRV record formed is "_ldap._tcp. dc.msdcs.hr.aaatm.com".

Run the following command to change password using the MSSRV-Record DNS lookup:


> add authentication ldapAction ldapref 2-serverIP 10.217.28.180 -ldapBase "dc=aaatm,dc=com" -ldapBindDn "cn=Administrator,cn=Users,dc=aaatm,dc=com" -ldapBindDnPassword d83d154575d426 -encrypted -ldapLoginName sAMAccountName -followReferrals ON -referralDNSLookup MSSRV-REC-secType SSL -serverPort 3269 -passwdChange ENABLED
 Done


>> sh authentication ldapaction ldapref2
1)      Name: ldapref
        Server IP: 10.217.28.180        Port: 3269
        Server Type: AD
        Timeout: 3 secs BindDn: cn=Administrator,cn=Users,dc=aaatm,dc=com
        Login: sAMAccountName   Base: dc=aaatm,dc=com
        Secure Type: SSL
        Password Change: ENABLED
        Authentication Enabled,         User required
        Success: 0
        Failures: 0
        Validate LDAP Server Certificate: NO
        LDAP Host Name:
        Nested Group Extraction: OFF
        LDAP Referrals: ON      Maximum Referrals: 1
        LDAP Referral DNSLookup : MSSRV-REC     MSSRV RecordLocation :
 Done

The following is the aaad debug output snippet for password change using MSSRV-REC lookup:

root@ns# cat /tmp/aaad.debug
Tue Dec 16 02:31:21 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[660]: continue_ldap_init Connecting to: 10.217.28.180:3269
Tue Dec 16 02:38:29 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:38:30 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[338]: receive_ldap_user_search_event received LDAP_OK
Tue Dec 16 02:38:51 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1147]: start_ldap_referral_with_host_info Referral host: hr.aaatm.com:636
Tue Dec 16 02:38:51 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1126]: ldap_async_referral ldap MSSRV-REC lookup for hr.aaatm.com
Tue Dec 16 02:38:51 2014
 /home/build/TOT/usr.src/netscaler/aaad/name_resolver.c[39]: aaad_resolve_host_name Starting async DNS for _ldap._tcp.dc._msdcs.hr.aaatm.com
Tue Dec 16 02:38:51 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1970]: start_ldap_referral_auth Starting referral to  hruser1 @ 10.217.28.190
Tue Dec 16 02:38:52 2014
 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:38:52 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1864]: receive_ldap_passwd_modify_event password modifed success, authenticated

Issue/Introduction

This article provides information on how to change the password through NetScaler in a multi-domain Active Directory forest using LDAP referral.

Was this article helpful?

thumb_up Yes

thumb_down No

Welcome to "KB Articles"