This article provides information on how to change the password through NetScaler in a multi-domain Active Directory forest using LDAP referral.
Enterprise customers implementing user password change in a multi-domain forest need to implement LDAP referral. In a multi-domain environment, one ldapaction is sufficient to traverse the whole subdomain tree for user search and password change.
In the following example, suppose that user hruser1 in subdomain HR.AAATM.COM, or salesuser1 in subdomain SR.HR.AAATM.COM, is required to change the password at the next logon. The change is achieved by following the LDAP referral sent by the Global Catalog Server (GCS).
Requirements: NetScaler software release 10.0 or later, and changes to the LDAP schema in the GCS (described next).
The LDAP schema of the GCS must be changed so that the password attribute pwdLastSet is replicated to the GCS; without it, password change for subdomain users is not possible. In the aaad debug output shown later in this article, the account hruser1 in subdomain hr.aaatm.com is set to require a password change at the next logon. For the GCS to know that the password of hruser1 must be modified, the pwdLastSet attribute has to be propagated to the GCS, which means adding pwdLastSet to the partial attribute set in the GCS LDAP schema. Refer to Global Catalogs and the Partial Attribute Set for information on how to include the attribute (pwdLastSet) in the partial attribute set of the GCS LDAP schema.
Also refer to the following screenshots, which show the same configuration:
When NetScaler receives an LDAP_REFERRAL response to a credential modify request for an expired password, NetScaler follows the referral to the Active Directory (AD) server named in it and performs the update (user password modification) on that server.
NetScaler performs the following steps:
Resolve the name of the AD server in the referral using an A record lookup.
Perform a non-blocking connect to that server.
Initiate SSL/TLS.
Bind to the new server with the binddn credentials used with the GCS.
Verify the user object on the new server.
Attempt the credential update against the new server.
NOTE: The AD server in the referral must accept the binddn credentials configured for the GCS.
The following parameters should be configured on the ldapaction in NetScaler for password change (the GCS values are the IP address, port, bind DN, bind DN password and search base of the Global Catalog Server):
-serverIP (GCS: IP)
-serverPort (GCS: port)
-ldapBindDn (GCS: binddn)
-ldapBindDnPassword (GCS: binddnpassword)
-ldapBase (GCS: base)
-followReferrals ON
-secType SSL (SSL/TLS)
-passwdChange ENABLED
The GCS SSL port to be configured for password change is port 3269.
> add authentication ldapAction ldapref -serverIP 10.217.28.180 -ldapBase "dc=aaatm,dc=com" -ldapBindDn "cn=Administrator,cn=Users,dc=aaatm,dc=com" -ldapBindDnPassword d83d154575d426 -encrypted -ldapLoginName sAMAccountName -followReferrals ON -secType SSL -serverPort 3269 -passwdChange ENABLED
Done
> sh authentication ldapaction ldapref
1) Name: ldapref
   Server IP: 10.217.28.180
   Port: 3269
   Server Type: AD
   Timeout: 3 secs
   BindDn: cn=Administrator,cn=Users,dc=aaatm,dc=com
   Login: sAMAccountName
   Base: dc=aaatm,dc=com
   Secure Type: SSL
   Password Change: ENABLED
   Authentication Enabled, User required
   Success: 0 Failures: 0
   Validate LDAP Server Certificate: NO
   LDAP Host Name:
   Nested Group Extraction: OFF
   LDAP Referrals: ON
   Maximum Referrals: 1
Done
Run the following command to change the password using an A record DNS lookup:
> add authentication ldapAction ldapref -serverIP 10.217.28.180 -ldapBase "dc=aaatm,dc=com" -ldapBindDn "cn=Administrator,cn=Users,dc=aaatm,dc=com" -ldapBindDnPassword d83d154575d426 -encrypted -ldapLoginName sAMAccountName -followReferrals ON -referralDNSLookup A-REC -secType SSL -serverPort 3269 -passwdChange ENABLED
Done
The parameter referralDNSLookup accepts the values A-REC, SRV-REC and MSSRV-REC. The default value is A-REC.
> sh authentication ldapaction ldapref
1) Name: ldapref
   Server IP: 10.217.28.180
   Port: 3269
   Server Type: AD
   Timeout: 3 secs
   BindDn: cn=Administrator,cn=Users,dc=aaatm,dc=com
   Login: sAMAccountName
   Base: dc=aaatm,dc=com
   Secure Type: SSL
   Password Change: ENABLED
   Authentication Enabled, User required
   Success: 6 Failures: 0
   Validate LDAP Server Certificate: NO
   LDAP Host Name:
   Nested Group Extraction: OFF
   LDAP Referrals: ON
   Maximum Referrals: 2
   LDAP Referral DNSLookup : A-REC
Done
The following is the aaad debug output for a successful password change using an A record lookup, for the password change of hruser1 in subdomain hr.aaatm.com:
root@ns# cat /tmp/aaad.debug
Tue Dec 16 02:31:27 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[132]: start_ldap_auth attempting to auth hruser1 @ 10.217.28.180
Tue Dec 16 02:31:27 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[135]: start_ldap_auth LDAP referrals are ON
Tue Dec 16 02:31:29 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:31:29 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[956]: ns_ldap_search Searching for <<(& (sAMAccountName=hruser1) (objectClass=*))>> from base <<dc=aaatm,dc=com>>
Tue Dec 16 02:31:29 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[980]: ns_ldap_search Sent user search query.
Tue Dec 16 02:31:29 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[338]: receive_ldap_user_search_event received LDAP_OK
Tue Dec 16 02:31:29 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[391]: receive_ldap_user_search_event User DN= <<CN=hruser1,CN=Users,DC=hr,DC=aaatm,DC=com>>
Tue Dec 16 02:31:29 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[426]: receive_ldap_user_search_event expired AD password detected delaying update until user bind sends dos code 0x773
Tue Dec 16 02:31:30 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[778]: receive_ldap_user_bind_event Got user bind event.
Tue Dec 16 02:31:30 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[416]: ns_ldap_check_result LDAP action failed (error 49): Invalid credentials
Tue Dec 16 02:31:30 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[808]: receive_ldap_user_bind_event ldap_bind user failed
Tue Dec 16 02:31:30 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[830]: receive_ldap_user_bind_event Password expired?
Tue Dec 16 02:31:30 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[833]: receive_ldap_user_bind_event rebinding
Tue Dec 16 02:31:30 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1906]: receive_ldap_rebind_event received ldap rebind event
Tue Dec 16 02:31:41 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1045]: ns_ldap_change_password change pwd on AD for attribute: UnicodePwd
Tue Dec 16 02:31:41 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1719]: ldap_finish_confirm_password sent ldap modify
Tue Dec 16 02:31:41 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1809]: receive_ldap_passwd_modify_event parsing dns name from dc.
Tue Dec 16 02:31:41 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1147]: start_ldap_referral_with_host_info Referral host: hr.aaatm.com:636
Tue Dec 16 02:31:41 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1102]: ldap_async_referral ldap A-REC lookup for hr.aaatm.com
Tue Dec 16 02:31:41 2014 /home/build/TOT/usr.src/netscaler/aaad/name_resolver.c[39]: aaad_resolve_host_name Starting async DNS for hr.aaatm.com
Tue Dec 16 02:31:41 2014 /home/build/TOT/usr.src/netscaler/aaad/name_resolver.c[181]: receive_async_dns_event dns_ai_nextent found something...
Tue Dec 16 02:31:41 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1970]: start_ldap_referral_auth Starting referral to hruser1 @ 10.217.28.190
Tue Dec 16 02:31:41 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[660]: continue_ldap_init Connecting to: 10.217.28.190:636
Tue Dec 16 02:31:41 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[796]: ns_ldap_set_up_socket setting up for SSL connection to : 10.217.28.190:636
Tue Dec 16 02:31:45 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[184]: receive_ldap_bind_event receive ldap bind event
Tue Dec 16 02:31:45 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:31:45 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1045]: ns_ldap_change_password change pwd on AD for attribute: UnicodePwd
Tue Dec 16 02:31:45 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1719]: ldap_finish_confirm_password sent ldap modify
Tue Dec 16 02:31:46 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[406]: ns_ldap_check_result ldap_result found expected result LDAP_RES_MODIFY
Tue Dec 16 02:31:46 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1864]: receive_ldap_passwd_modify_event password modified success, authenticated
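As an added example (not part of the article), the following Python parser reads entries in this aaad.debug format and traces one password-change attempt through the GCS bind, the referral lookup, the referral target and the final result, which is the check an administrator runs when a subdomain password change does not go through. The sample entries are constructed in the article's format using its example hosts and user.

```python
import re

# One aaad.debug entry: timestamp, source file[line]: function message
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"(?P<file>\S+?)\[(?P<lineno>\d+)\]: (?P<func>\S+) (?P<msg>.*)$"
)

# Sample entries constructed in the article's log format (abridged to the
# lines that matter for the referral flow); hosts and user are its examples.
SAMPLE_LOG = """\
Tue Dec 16 02:31:27 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[132]: start_ldap_auth attempting to auth hruser1 @ 10.217.28.180
Tue Dec 16 02:31:29 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:31:30 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[416]: ns_ldap_check_result LDAP action failed (error 49): Invalid credentials
Tue Dec 16 02:31:41 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1147]: start_ldap_referral_with_host_info Referral host: hr.aaatm.com:636
Tue Dec 16 02:31:41 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1102]: ldap_async_referral ldap A-REC lookup for hr.aaatm.com
Tue Dec 16 02:31:41 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1970]: start_ldap_referral_auth Starting referral to hruser1 @ 10.217.28.190
Tue Dec 16 02:31:45 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:31:46 2014 /home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1864]: receive_ldap_passwd_modify_event password modified success, authenticated
"""

def parse_entry(line):
    """Split one log line into its fields; None for lines not in this format."""
    m = _LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def trace_referral(log_text):
    """Summarise one attempt: user, GCS, referral host, lookup mode, target, outcome.
    The error-49 bind failure at the GCS is expected for an expired password."""
    s = {"user": None, "gcs": None, "referral_host": None, "lookup": None,
         "target": None, "binds_ok": 0, "errors": [], "result": "incomplete"}
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        msg = e["msg"]
        if e["func"] == "start_ldap_auth" and " @ " in msg:
            s["user"], s["gcs"] = msg.split("attempting to auth ", 1)[1].split(" @ ")
        elif msg.startswith("Referral host: "):
            s["referral_host"] = msg[len("Referral host: "):]
        elif e["func"] == "ldap_async_referral":
            s["lookup"] = msg.split()[1]          # A-REC / SRV-REC / MSSRV-REC
        elif e["func"] == "start_ldap_referral_auth":
            s["target"] = msg.rsplit(" @ ", 1)[1]  # AD DC chosen for the modify
        elif msg == "Bind OK":
            s["binds_ok"] += 1                    # one at the GCS, one at the target
        elif "LDAP action failed" in msg:
            s["errors"].append(msg)
        elif msg.startswith("password modified success"):
            s["result"] = "success"
    return s
```

A run over a real /tmp/aaad.debug that ends with result "incomplete", or with a referral_host but no target, points at the DNS lookup or the bind on the referral server (which must accept the GCS bind DN) as the failing step.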
NOTE: DNS lookup using SRV-REC and MSSRV-REC is supported only in NetScaler 11.x builds and later.
When SRV lookup is configured, the password change from NetScaler uses a DNS SRV query, together with the site configured in AD, to locate an AD DC that is nearby and functional and to initiate the password change there. If referralDNSLookup is set to SRV-REC, the domain name found in the LDAP referral is appended to the string "_ldap._tcp." to form the SRV record name. For example, if the referral is "hr.aaatm.com", the SRV record formed is "_ldap._tcp.hr.aaatm.com".
Run the following command to change the password using an SRV record DNS lookup:
> add authentication ldapAction ldapref1 -serverIP 10.217.28.180 -ldapBase "dc=aaatm,dc=com" -ldapBindDn "cn=Administrator,cn=Users,dc=aaatm,dc=com" -ldapBindDnPassword d83d154575d426 -encrypted -ldapLoginName sAMAccountName -followReferrals ON -referralDNSLookup SRV-REC -secType SSL -serverPort 3269 -passwdChange ENABLED
Done
> sh authentication ldapaction ldapref1
1) Name: ldapref1
   Server IP: 10.217.28.180
   Port: 3269
   Server Type: AD
   Timeout: 3 secs
   BindDn: cn=Administrator,cn=Users,dc=aaatm,dc=com
   Login: sAMAccountName
   Base: dc=aaatm,dc=com
   Secure Type: SSL
   Password Change: ENABLED
   Authentication Enabled, User required
   Success: 6 Failures: 0
   Validate LDAP Server Certificate: NO
   LDAP Host Name:
   Nested Group Extraction: OFF
   LDAP Referrals: ON
   Maximum Referrals: 2
   LDAP Referral DNSLookup : MSSRV-REC
The following is an aaad debug output snippet for a password change using an SRV-REC lookup:
root@ns# cat /tmp/aaad.debug
Tue Dec 16 02:31:21 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[660]: continue_ldap_init Connecting to: 10.217.28.180:3269
Tue Dec 16 02:38:29 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:38:30 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[338]: receive_ldap_user_search_event received LDAP_OK
Tue Dec 16 02:38:31 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[778]: receive_ldap_user_bind_event Got user bind event.
Tue Dec 16 02:38:31 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[808]: receive_ldap_user_bind_event ldap_bind user failed
Tue Dec 16 02:38:31 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[830]: receive_ldap_user_bind_event Password expired?
Tue Dec 16 02:38:51 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1809]: receive_ldap_passwd_modify_event parsing dns name from dc.
Tue Dec 16 02:38:51 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1147]: start_ldap_referral_with_host_info Referral host: hr.aaatm.com:636
Tue Dec 16 02:38:51 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1126]: ldap_async_referral ldap SRV-REC lookup for hr.aaatm.com
Tue Dec 16 02:38:51 2014
/home/build/TOT/usr.src/netscaler/aaad/name_resolver.c[39]: aaad_resolve_host_name Starting async DNS for _ldap._tcp.hr.aaatm.com
Tue Dec 16 02:38:51 2014
/home/build/TOT/usr.src/netscaler/aaad/name_resolver.c[181]: receive_async_dns_event dns_ai_nextent found something...
Tue Dec 16 02:38:51 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1970]: start_ldap_referral_auth Starting referral to hruser1 @ 10.217.28.190
Tue Dec 16 02:38:51 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[660]: continue_ldap_init Connecting to: 10.217.28.190:636
Tue Dec 16 02:38:51 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[796]: ns_ldap_set_up_socket setting up for SSL connection to : 10.217.28.190:636
Tue Dec 16 02:38:52 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:38:52 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1864]: receive_ldap_passwd_modify_event password modified success, authenticated
NOTE: How to create an SRV Record on the NetScaler
If referralDNSLookup is set to MSSRV-REC, the domain name found in the referral is appended to "_ldap._tcp.<msSRVRecordLocation>." to form the SRV record name. For example, if msSRVRecordLocation is set to "dc._msdcs" and the domain name is "hr.aaatm.com", the SRV record formed is "_ldap._tcp.dc._msdcs.hr.aaatm.com".
Run the following command to change the password using the MSSRV record DNS lookup:
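The following Python example, added here and not part of the article or of NetScaler, implements the DNS-name formation described for SRV-REC above and for MSSRV-REC here, plus the A-REC case, together with extracting the host and port from the referral URL (the first of the referral-handling steps listed earlier). The referral URL is a constructed sample in the standard LDAP URL form; msSRVRecordLocation defaults to the article's "dc._msdcs".

```python
import re
from urllib.parse import urlsplit

# Constructed sample referral, in standard LDAP URL form, pointing at the
# article's subdomain object; not a value captured from a real GCS.
SAMPLE_REFERRAL = "ldaps://hr.aaatm.com:636/CN=hruser1,CN=Users,DC=hr,DC=aaatm,DC=com"

def referral_host_port(referral_url, default_port=636):
    """Return (host, port) named in an LDAP referral URL.
    Default port 636 mirrors the article, where the referral target is reached over SSL."""
    parts = urlsplit(referral_url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP referral URL: %r" % referral_url)
    return parts.hostname, parts.port or default_port

def referral_dns_name(domain, lookup="A-REC", ms_srv_record_location="dc._msdcs"):
    """Return (name, record_type) that NetScaler queries for the referral domain,
    according to referralDNSLookup:
      A-REC     -> the domain itself, A query
      SRV-REC   -> "_ldap._tcp." + domain, SRV query
      MSSRV-REC -> "_ldap._tcp." + msSRVRecordLocation + "." + domain, SRV query"""
    domain = domain.strip().rstrip(".").lower()
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain):
        raise ValueError("malformed referral domain: %r" % domain)
    if lookup == "A-REC":
        return domain, "A"
    if lookup == "SRV-REC":
        return "_ldap._tcp." + domain, "SRV"
    if lookup == "MSSRV-REC":
        return "_ldap._tcp.%s.%s" % (ms_srv_record_location.strip("."), domain), "SRV"
    raise ValueError("unknown referralDNSLookup value: %r" % lookup)

def plan_referral(referral_url, lookup="A-REC", ms_srv_record_location="dc._msdcs"):
    """Combine both steps: which DNS name/type to resolve and which port to connect to."""
    host, port = referral_host_port(referral_url)
    name, rtype = referral_dns_name(host, lookup, ms_srv_record_location)
    return {"referral_host": host, "port": port, "dns_name": name, "dns_type": rtype}

if __name__ == "__main__":
    for mode in ("A-REC", "SRV-REC", "MSSRV-REC"):
        print(mode, plan_referral(SAMPLE_REFERRAL, mode))
```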
> add authentication ldapAction ldapref2 -serverIP 10.217.28.180 -ldapBase "dc=aaatm,dc=com" -ldapBindDn "cn=Administrator,cn=Users,dc=aaatm,dc=com" -ldapBindDnPassword d83d154575d426 -encrypted -ldapLoginName sAMAccountName -followReferrals ON -referralDNSLookup MSSRV-REC -secType SSL -serverPort 3269 -passwdChange ENABLED
Done
> sh authentication ldapaction ldapref2
1) Name: ldapref
   Server IP: 10.217.28.180
   Port: 3269
   Server Type: AD
   Timeout: 3 secs
   BindDn: cn=Administrator,cn=Users,dc=aaatm,dc=com
   Login: sAMAccountName
   Base: dc=aaatm,dc=com
   Secure Type: SSL
   Password Change: ENABLED
   Authentication Enabled, User required
   Success: 0 Failures: 0
   Validate LDAP Server Certificate: NO
   LDAP Host Name:
   Nested Group Extraction: OFF
   LDAP Referrals: ON
   Maximum Referrals: 1
   LDAP Referral DNSLookup : MSSRV-REC
   MSSRV RecordLocation :
Done
The following is an aaad debug output snippet for a password change using an MSSRV-REC lookup:
root@ns# cat /tmp/aaad.debug
Tue Dec 16 02:31:21 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[660]: continue_ldap_init Connecting to: 10.217.28.180:3269
Tue Dec 16 02:38:29 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:38:30 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[338]: receive_ldap_user_search_event received LDAP_OK
Tue Dec 16 02:38:51 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1147]: start_ldap_referral_with_host_info Referral host: hr.aaatm.com:636
Tue Dec 16 02:38:51 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_common.c[1126]: ldap_async_referral ldap MSSRV-REC lookup for hr.aaatm.com
Tue Dec 16 02:38:51 2014
/home/build/TOT/usr.src/netscaler/aaad/name_resolver.c[39]: aaad_resolve_host_name Starting async DNS for _ldap._tcp.dc._msdcs.hr.aaatm.com
Tue Dec 16 02:38:51 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1970]: start_ldap_referral_auth Starting referral to hruser1 @ 10.217.28.190
Tue Dec 16 02:38:52 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[195]: receive_ldap_bind_event Bind OK
Tue Dec 16 02:38:52 2014
/home/build/TOT/usr.src/netscaler/aaad/ldap_drv.c[1864]: receive_ldap_passwd_modify_event password modified success, authenticated