HighTechTalks DotNet Forums  

ADAM / AD Proxy Bind

Dotnet Security microsoft.public.dotnet.security


#1
Rod Clingaman

ADAM / AD Proxy Bind - 02-28-2007, 02:13 PM






I am working with ADAM and have successfully set up a user using the Proxy Bind Redirection with AD, based on the MSFT step-by-step guide. Is anyone aware of how to set up the Proxy Bind for users in ADAM programmatically? I have written VBS scripts to set up non-binding users, OUs, set attributes, passwords, etc., but am not sure how to set up the proxy bind with scripts. Any advice is greatly appreciated. Thanks in advance!

#2
Joe Kaplan

Re: ADAM / AD Proxy Bind - 02-28-2007, 03:18 PM






So, are you saying that you want to automate a process to create bindProxy
objects in ADAM pointing to AD resources? Typically, people use a tool like
ADAMSync to do this since it is usually not a one time load thing. Your AD
will evolve over time and you want to stay in sync.

However, if you just want to do this programmatically, the most important
part is to set the objectSid attribute on the bindProxy object to the SID of
the Windows user you want to proxy. The actual syntax will vary depending
on the API that you use. In .NET System.DirectoryServices, you get the SID
in binary format as a byte array and then set the objectSid attribute equal
to this byte array during the creation process before the first
CommitChanges call. It is similar in script, but I don't know how to
actually deal with byte arrays in script very well, so I'm not sure of the
syntax. Script would not be my first choice, although I'm also a .NET guy,
so I have a tendency to use it anyway. You did ask this question on a .NET
newsgroup.

You can also do this with LDIF files or the LDAP API or
System.DirectoryServices.Protocols, which is what I might elect to use,
depending on the other details.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
#3
Rod Clingaman

Re: ADAM / AD Proxy Bind - 03-22-2007, 11:07 AM



I apologize for the delay, but I was not aware that a reply had existed. Thanks, Joe, for the reply! First I will explain my situation: We have a .Net app that will utilize ADAM. ADAM will bind to AD. Some of the users we will add directly into ADAM. Other users will be bound from AD. The AD may contain 50K users, and we want to bind maybe 1000 of them. In the MSFT doco, they talk about administrating ADAM Proxy objects programmatically using a tool that they supply called bindredirect.exe. However, I cannot find that application. In a nutshell, what I would like to accomplish is a way that the admins can set up the proxy users more efficiently than by doing them one-by-one as seen via the LDP app. Maybe I should investigate the ADAMsync tool for this.

On another similar topic, "ADAM and SSL", I cannot believe the trouble I am having to get this set up, especially since it seems like there's a lot of doco out there stating how others have had trouble, and they specified what they have done to make the steps easier to understand. I have still not succeeded with this. I complete all the steps and still get the following error in LDP:

ld = ldap_sslinit("FICTIONWDA001.FIC.DEV", 50053, 1)
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3)
Error 81 = ldap_connect(hLdap, NULL)
Server error: empty
Error 0x51: Fail to connect to FICTIONWDA001.FIC.DEV.

The other thing that puzzles me is that the MachineKeys directory that gets mentioned in every article, never gets a new file when I install the certificates. There are 6 old files in there with long hash names. The server is 2003, and it also acts as a domain controller.

Any advice is greatly appreciated!

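An added diagnostic for the SSL problem in this post (example code, not from the thread or from Microsoft): it walks the local machine's Personal certificate store and reports, per certificate, whether it could back ADAM's SSL listener for the given FQDN: name match, private key present, in date, and Server Authentication EKU. The host name defaults to the one in the LDP output above; everything else is standard .NET and makes no assumption about the server. A certificate imported without its private key shows `privateKey=False` here, and on a 2003 box an import that does carry a key is what would drop a new file into the MachineKeys directory.

```csharp
// Added example: check which LocalMachine\My certificates could serve ADAM over SSL.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class AdamSslCertCheck
{
    // OID of the Server Authentication enhanced key usage.
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";

    // True if the certificate allows server authentication. A certificate with
    // no EKU extension at all is unrestricted, so it also counts as allowed.
    static bool AllowsServerAuth(X509Certificate2 cert)
    {
        bool sawEku = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            sawEku = true;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ServerAuthOid) return true;
        }
        return !sawEku;
    }

    // Print one line per certificate and return how many are usable for hostFqdn.
    public static int Report(string hostFqdn)
    {
        int usable = 0;
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
            {
                // DnsName returns the SAN dNSName if present, otherwise the subject CN.
                string dnsName = cert.GetNameInfo(X509NameType.DnsName, false);
                bool nameOk = string.Equals(dnsName, hostFqdn, StringComparison.OrdinalIgnoreCase);
                bool inDate = DateTime.Now >= cert.NotBefore && DateTime.Now <= cert.NotAfter;
                bool serverAuth = AllowsServerAuth(cert);
                bool ok = nameOk && cert.HasPrivateKey && inDate && serverAuth;
                if (ok) usable++;

                Console.WriteLine("{0} thumbprint={1} name={2} privateKey={3} inDate={4} serverAuth={5}",
                    ok ? "OK  " : "SKIP", cert.Thumbprint, dnsName, cert.HasPrivateKey, inDate, serverAuth);
            }
        }
        finally
        {
            store.Close();
        }
        return usable;
    }

    static void Main(string[] args)
    {
        // Default is the host name from the LDP output in this thread; pass your own as args[0].
        string host = args.Length > 0 ? args[0] : "FICTIONWDA001.FIC.DEV";
        int usable = Report(host);
        Console.WriteLine(usable == 0
            ? "No usable certificate: import the certificate together with its private key (.pfx/.p12)."
            : usable + " usable certificate(s) found.");
    }
}
```

Run it elevated on the ADAM server. If a certificate passes every column and ldap_sslinit still fails, the next thing to verify is that the ADAM service account has read access to that private key, since ADAM reads the key under its own identity rather than the administrator's.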
#4
Joe Kaplan

Re: ADAM / AD Proxy Bind - 03-22-2007, 12:27 PM



If you need to create a bunch of bind proxy objects, I'd suggest looking at
a tool like ADAMSync, as it can also keep those accounts in sync for you.
Usually, it is the ongoing "churn" in your main directory that becomes the
big problem. You could do a one-time population of the bind proxies using
an LDIF file, but you probably won't want to deal with the changes by hand.

I'd suggest starting a new topic on ADAM SSL in
microsoft.public.windows.server.active_directory. There are more ADAM
"infrastructure" guys who hang out there who can help. It sounds to me like
you might be installing a certificate without installing the private key
with it. If you are importing the certificate and aren't using a p12 or pfx
file, then that's likely the problem. However, please do start a new thread
to discuss it over there.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
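An added example covering both of Joe's answers (example code, not from the thread or from Microsoft): it creates ADAM proxy objects for AD accounts the two ways described, directly through System.DirectoryServices with objectSid set before the first CommitChanges (post #2), and as an LDIF file for a one-time bulk load with ldifde (post #4). The object class name `userProxy` is the one defined by ADAM's MS-UserProxy.ldf schema extension; the thread calls these objects "bindProxy". The ADAM host, partition, container and account names are placeholders.

```csharp
// Added example: populate ADAM userProxy objects for AD accounts, directly or via LDIF.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.IO;
using System.Security.Principal;

static class ProxyBindSetup
{
    // Translate DOMAIN\user to its SID and return the binary form that objectSid holds.
    // Throws IdentityNotMappedException if the account cannot be resolved.
    public static byte[] GetSidBytes(string domainAccount)
    {
        SecurityIdentifier sid = (SecurityIdentifier)
            new NTAccount(domainAccount).Translate(typeof(SecurityIdentifier));
        byte[] bytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(bytes, 0);
        return bytes;
    }

    // Escape an LDAP filter value (RFC 4515) so an odd CN cannot alter the search.
    static string EscapeFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // Create one userProxy under the ADAM container. objectSid has to be on the
    // object when it is added; ADAM refuses to set or change it afterwards.
    // cn is used as a plain RDN value here, so it must not contain DN specials.
    public static void CreateProxy(string containerPath, string cn, string domainAccount)
    {
        using (DirectoryEntry container = new DirectoryEntry(containerPath))
        using (DirectorySearcher finder = new DirectorySearcher(
            container, "(cn=" + EscapeFilter(cn) + ")", null, SearchScope.OneLevel))
        {
            if (finder.FindOne() != null)
            {
                Console.WriteLine("CN={0} already exists, skipping", cn);
                return;
            }
            using (DirectoryEntry proxy = container.Children.Add("CN=" + cn, "userProxy"))
            {
                proxy.Properties["objectSid"].Value = GetSidBytes(domainAccount);
                proxy.CommitChanges();   // first commit: objectSid goes in with the add
            }
        }
    }

    // Write an LDIF file for "ldifde -i". objectSid is binary, so LDIF needs the
    // double-colon base64 form; everything else is plain text.
    public static void WriteLdif(string path, string containerDn, IEnumerable<string> accounts)
    {
        using (StreamWriter w = new StreamWriter(path))
        {
            foreach (string account in accounts)
            {
                string cn = account.Substring(account.IndexOf('\\') + 1);
                w.WriteLine("dn: CN={0},{1}", cn, containerDn);
                w.WriteLine("changetype: add");
                w.WriteLine("objectClass: userProxy");
                w.WriteLine("objectSid:: {0}", Convert.ToBase64String(GetSidBytes(account)));
                w.WriteLine();
            }
        }
    }

    static void Main(string[] args)
    {
        // Placeholders: ADAM instance, its application partition and a container for proxies.
        const string containerDn = "OU=Proxies,O=Fabrikam,C=US";
        const string containerPath = "LDAP://adamhost:389/" + containerDn;

        // One object, created directly (post #2).
        CreateProxy(containerPath, "jdoe", @"FIC\jdoe");

        // Many objects, written out for a one-time load (post #4):
        //   ldifde -i -f proxies.ldf -s adamhost -t 389
        WriteLdif("proxies.ldf", containerDn, new string[] { @"FIC\asmith", @"FIC\bjones" });
    }
}
```

Two points worth knowing before relying on this: the proxy object stores no password, ADAM forwards the bind to AD using the SID, so the ADAM server must be able to reach the domain; and ADAM by default accepts proxy binds only over SSL (the RequireSecureProxyBind setting in msDS-Other-Settings), which is why the SSL listener discussed in post #3 has to work before any of these objects can be used to log on.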