I'm trying to create a new Active Directory user via ldap, but the user is disabled on creation. I am trying to set the userAccountControl attribute to 512, but I am getting an error WILL_NOT_PERFORM. I've read this is because the password isn't being set, but I can't tell why. Creating the user with the userPassword attribute set is working fine.
Here is the code:
// Create a container set of attributes
Attributes container = new BasicAttributes();
// Assign the properties we need to set on the user
container.put(new BasicAttribute("objectClass", "user"));
container.put(new BasicAttribute("cn", userName));
container.put(new BasicAttribute("sAMAccountName", userName));
container.put(new BasicAttribute("name", userName));
container.put(new BasicAttribute("givenName", userName));
container.put(new BasicAttribute("userPassword", password));
String fullDomainName = getFullUserName(userName);
// Create the entry
try{
context.createSubcontext(fullDomainName, container);
}catch(Exception e){
System.err.println("Error creating user: " );
e.printStackTrace();
throw e;
}
ModificationItem[] userMods = new ModificationItem[1];
userMods[0] = new ModificationItem(InitialLdapContext.REPLACE_ATTRIBUTE, new BasicAttribute("userAccountControl", "512"));
try{
context.modifyAttributes(fullDomainName, userMods);
}catch(Exception e){
System.err.println("Could not update userAccountControl flag");
e.printStackTrace();
throw e;
}
The first part where I create the user works, the 2nd part where I try to set the userAccountControl flag fails. Any help would be greatly appreciated. Thanks!
I found the problem...I had to use the unicodePwd attribute and make sure it was properly encoded:
final byte[] quotedPasswordBytes = ('"'+password+'"').getBytes("UTF-16LE");
container.put(new BasicAttribute("unicodePwd", quotedPasswordBytes));
I found the answers here:
http://www.dirmgr.com/blog/2010/8/26/ldap-password-changes-in-active-directory.html
Are you connecting to LDAP as a user who has permissions to do this? Or are you connecting to LDAP as either this user, or another user with limited permissions? Perhaps you have the rights to create a new user but not to execute this kind of modify operation? Just a thought, its something I've run into before and beat my head against the wall before realizing my mistake. Good luck
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.