My not so uninteresting notes


MSNightmare


Sunday 15 March 2009

Creating LDAP account in Outlook

I spent a few hours improving this script so that it can create multiple LDAP entries, each with a login and password. The result is here: addldap.vbs. It fixes some flaws of the previous scripts, such as:

  • only one LDAP account could be created
  • the user got a popup on the next Outlook startup

It works perfectly with anonymous LDAP, but setting a password does not work very well: you can pass an array representing the password, obtained from a manual setup.

But it will only work for the account that did that manual setup, because the password is encoded with DPAPI, which uses the user's personal key to encrypt the data. Deploying it to other users will fail badly (Outlook will find the whole LDAP account broken).
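The following PowerShell is an added example and not the blog's addldap.vbs. It reproduces the DPAPI behaviour the post runs into: a blob protected with the CurrentUser scope can only be opened by the same user, while the LocalMachine scope survives a change of user at the cost of being readable by every account on the box. Outlook's own blob layout and any entropy it uses are not reproduced here; the round trip is done on a plain string of my own.

```powershell
# Added example, not the blog's addldap.vbs: why a DPAPI blob taken from one
# user's manual setup cannot be pushed into other users' Outlook profiles.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$Plaintext,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Plaintext)
    # Second argument is optional entropy; none is used here. An application
    # such as Outlook may add its own, which this example does not reproduce.
    [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $Scope)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][byte[]]$Blob,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $null, $Scope)
        [System.Text.Encoding]::Unicode.GetString($bytes)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # This branch is what a second user hits when handed a CurrentUser blob:
        # the call fails outright instead of returning garbage.
        "DPAPI decryption failed: $($_.Exception.Message)"
    }
}

# 1. Same user: the round trip works.
$userBlob = Protect-Secret -Plaintext 'ldap-password'
Unprotect-Secret -Blob $userBlob

# 2. Save the blob, log on as another account on the same machine and run
#    Unprotect-Secret on the file: you get the failure branch above. That is
#    what breaks the LDAP account when the array from a manual setup is
#    deployed to other users.
$blobFile = Join-Path $env:TEMP 'ldap-secret.bin'
[IO.File]::WriteAllBytes($blobFile, $userBlob)

# 3. LocalMachine scope is the only DPAPI scope that survives a change of
#    user, but then every local account and service can recover the password,
#    so it is only defensible for a throwaway generic account.
$machineBlob = Protect-Secret -Plaintext 'ldap-password' -Scope 'LocalMachine'
Unprotect-Secret -Blob $machineBlob -Scope 'LocalMachine'
```

Outlook chooses the scope itself when it decrypts the profile value, so the LocalMachine variant only illustrates the trade-off; it is not a drop-in replacement for the array the script takes. Letting the logged-on user supply their own credentials, as the post goes on to describe with SPA, avoids storing any secret at all.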

There is a way to mitigate this problem: when using SPA authentication, Outlook will first use the credentials of the logged-on user before those supplied at account creation (if they differ). So if you want non-anonymous access to LDAP and want the logged-on user to provide their own credentials, you just have to call the script with the username, an empty array as the password, and the doSPA parameter set to 1.

I also discovered that, unlike email accounts, LDAP accounts do not prompt the user when the password is wrong, which reduces the number of prompts the user receives when a password has expired.

In the end, the only two cases where this script is useless are:

  • accessing an LDAP server with a generic (shared) account
  • accessing an LDAP server that does not support SPA (that is, NTLM authentication)

I guess those cases are pretty rare (well, I hope).

Monday 23 June 2008

Microsoft my worst nightmare part 1.

Intro

It is going to be a long story with a high number of sequels, it seems.

I must confess that I do not have high esteem for Microsoft products in general, but my day job forces me to use them, or at least to support users who use them, and more often than not I run into real stupidity in the product.

Right now my key target is Outlook from the Office 2003 edition.

Using Outlook, so remove Outlook Express?

Well, it might seem logical that if you know for sure that you will use Outlook then you won't need Outlook Express. If, like me, you were ready to remove this component with image creation tools like nLite, I would not recommend you do so!

Why? Because if you do so and then try to access an IMAP/POP3 server, it will not work: you need registered DLLs that come with Outlook Express and are not provided by Outlook. Sounds good! I spent a few hours on this last week and found no real way to escape (copying the DLLs failed because they need to be registered, copying them and trying to register them with regsvr32 failed at registration, and reinstalling Outlook failed). Don't get me wrong, I am not saying that you can't manage, in some situations, to register them or to install Outlook (especially if you have not installed the security fixes), but you might run into trouble.
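Before stripping a component out of an image, the check I would want is whether a given DLL is still on disk and still registered as a COM server, since the post's failure mode is precisely "copied in but not registered". The PowerShell below is an added example, not from the post. The post does not name the DLLs it was missing, so the 'inetcomm.dll' passed at the bottom is my own assumption; substitute whichever module your own Process Monitor or Dependency Walker session points at.

```powershell
# Added example, not from the post: tell "missing" apart from "present but
# never registered" for a DLL that Outlook's IMAP/POP3 support depends on.
function Test-ComDllRegistration {
    param([Parameter(Mandatory)][string]$DllName)

    $path   = Join-Path $env:SystemRoot "System32\$DllName"
    $onDisk = Test-Path -LiteralPath $path

    # Every in-process COM server has HKCR\CLSID\{guid}\InprocServer32 whose
    # default value is the module path. Collect the CLSIDs that point at this
    # DLL; regsvr32 is what normally writes these entries.
    $clsids = foreach ($key in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
        $server = Get-ItemProperty -LiteralPath "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($server -and $server.'(default)' -and
            [IO.Path]::GetFileName($server.'(default)') -ieq $DllName) {
            $key.PSChildName
        }
    }
    $count = @($clsids).Count

    # Both false/zero: the component was removed from the image.
    # File present but zero CLSIDs: copied back in but never registered.
    $verdict = if ($onDisk -and $count -gt 0) { 'ok' }
               elseif ($onDisk)               { 'present but not registered' }
               else                           { 'missing' }

    [pscustomobject]@{
        Dll              = $DllName
        Path             = $path
        FileOnDisk       = $onDisk
        RegisteredClsids = $count
        Verdict          = $verdict
    }
}

# Assumed DLL name (the post does not name the modules it was missing);
# replace it with the one you are actually tracking.
Test-ComDllRegistration -DllName 'inetcomm.dll'
```

Run it on a stock machine first to record the expected CLSID count, then on the nLite-built image: a 'missing' verdict means the file was stripped, while 'present but not registered' is the state the post describes after copying the DLL back by hand.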

There must be a good reason for this, and I can understand that the Microsoft guys may have wanted to share code between two products, which is a good idea, but when you install Office and one or more DLLs are missing, setup should install them and do whatever is needed so that those DLLs end up installed and registered!