So it was rather nippy here today so I thought I would work on some updates for AdMod that I have been putting off for some time.
One of those updates involves allowing AdMod to do intra-forest cross domain moves, like, for instance, you want to move a group of contacts from one domain to another… No one ever wants to do that right?
So I start going down the road of adding in the code, should be as simple as throwing in the Server Control with the proper OID[1] and little error checking and voila… Boom.
: [2k3dc10.child1.joe.com] Error 0x30 (48) – Inappropriate Authentication
  Extended Error: 8009030E: SecErr: DSID-031B063D, problem 4001 (INAPPROPRIATE_AUTH), data 0
What does that error mean?
F:\DEV\cpp\AdMod>err 8009030E
# for hex 0x8009030e / decimal -2146893042 :
 SEC_E_NO_CREDENTIALS                                         winerror.h
# No credentials are available in the security package
# 1 matches found for “8009030E”
Well that isn’t much fun… I know I am fully authenticated so authentication shouldn’t be an issue. I run it from the source DC and it works fine… Great, some sort of delegation failure? I look over the MSDN docs for the 10th time at
and don’t see anything about having to do any special auth or delegation so what could it be? I chat online with ~Eric for a while about the issue and then talk him through what kind of lawn mower he should get and also peek around at resources available to me and don’t see anything that could be considered tricky or problematic. I continue poking around and finally[2] see what the problem is. I need to enable delegation on the bind with ISC_REQ_DELEGATE. That’s new to me, I haven’t ever seen that one before.
So I go poke around MSDN some more to try and see the example code and documentation they have for setting that on the LDAP options and find zip – not the good kind of zip like a zip file full of docs. I find zip as in goose egg, nada, nothing, have a nice day, don’t let the door hit you in the ass zip.
So I work out the code and insert it into my open_ldap function in my LDAP library and add the required “true” for the new option in the open ldap connection request from AdMod and without any other change, low and behold the cross domain switch (-xdom) now works perfectly.
I have written up the required notes and sent them off to MSDN so that the article on LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID hopefully gets updated to include the necessary info for folks. In the meanwhile since I am a relatively nice guy I will offer up some source used to enable the delegation until MSDN publishes something. If you can’t figure out how to use the ldap_rename_ext to do this then it is hopeless as MSDN gives you all of that source code plus there is nothing to it once you get that far…
   uErr=ldap_get_option(pLdap,LDAP_OPT_SSPI_FLAGS,&uCurrentFlags);    if (uErr)     {      // handle the error     }    uCurrentFlags |= ISC_REQ_DELEGATE;    uErr=ldap_set_option(pLdap,LDAP_OPT_SSPI_FLAGS,&uCurrentFlags);    if (uErr)     {      // handle the error     }
Note: I am not accepting any questions whatsoever on the code above. None. Figure it out. Thanks!
Â
 joe
[1] Read that like VOID but drop the V and if you silly British/Aussie folks said VOID in some other way than say like BOYD then you, well, never mind. A-LUM-in-UM
[2] This was far more long drawn out and boring/exciting than I can actually talk about.
Â