Bumpy road to add user into Active Directory -- userAccountControl=default
Subject: Bumpy road to add user into Active Directory -- userAccountControl=default
Author: JNDI
In response to: How to add an active user account to Active Directory
Posted on: 10/03/2012 08:33:43 PM
UserAccountControl is an Active Directory attribute that controls the behavior of a user account. With this attribute, Active Directory can prevent unauthorized changes from messing up the user account. The value assigned to the attribute is cumulative, with the most common flags listed below:
2 -- ACCOUNTDISABLE
32 -- PASSWD_NOTREQD
512 -- NORMAL_ACCOUNT
For details, please check: http://support.microsoft.com/kb/305144
The user account created in the above example bears the attribute userAccountControl with a value of 546, which is the default.
dn: cn=John Smith,CN=Users,DC=myCompany,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: $N41000-S9ETGFD3FG6DS
userPassword:: DA9sjHg7y9UW8bf==
cn: John Smith
givenName: John
sn: Smith
userAccountControl: 546
Here, 546 = 512(NORMAL_ACCOUNT) + 32(PASSWD_NOTREQD) + 2(ACCOUNTDISABLE) which internally flags the account as: ACCOUNTDISABLE. That perfectly explains why the above newly added account is useless.
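Added example for this thread (not code from the original post): a small Python decoder for the cumulative userAccountControl value, plus an audit pass over a constructed LDIF dump that flags accounts created with the 546 default. The three flags on the page (2, 32, 512) are extended with other values from the KB 305144 article linked above; the function names and the sample entries are my own.

```python
"""Decode and audit Active Directory userAccountControl values.

Added example for this thread, not code from the original post.  The
three flags on the page (2, 32, 512) are extended with the other values
documented in the Microsoft KB 305144 article the post links to; the
sample LDIF below is constructed for the demo.
"""
from typing import Dict, List

# bit -> flag name, per KB 305144 (subset; PASSWD_CANT_CHANGE is omitted
# because it is not stored in the attribute)
UAC_FLAGS: Dict[int, str] = {
    0x000001: "SCRIPT",
    0x000002: "ACCOUNTDISABLE",
    0x000008: "HOMEDIR_REQUIRED",
    0x000010: "LOCKOUT",
    0x000020: "PASSWD_NOTREQD",
    0x000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x000200: "NORMAL_ACCOUNT",
    0x001000: "WORKSTATION_TRUST_ACCOUNT",
    0x002000: "SERVER_TRUST_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x040000: "SMARTCARD_REQUIRED",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}
ALL_KNOWN = sum(UAC_FLAGS)  # mask of every bit the table knows about

# flags an auditor would usually want listed for review
RISKY_FLAGS = {"PASSWD_NOTREQD", "DONT_REQ_PREAUTH", "USE_DES_KEY_ONLY",
               "ENCRYPTED_TEXT_PWD_ALLOWED", "TRUSTED_FOR_DELEGATION"}


def decode_uac(value: int) -> List[str]:
    """Return the flag names set in value, lowest bit first (546 -> 3 names)."""
    if value < 0:
        raise ValueError("userAccountControl is an unsigned 32-bit value")
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~ALL_KNOWN
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def encode_uac(*names: str) -> int:
    """Build a value from flag names; the flags are cumulative, as the post says."""
    return sum(NAME_TO_BIT[name] for name in names)  # KeyError on a typo


def enabled_normal_account(value: int) -> int:
    """Clear the two default bits (ACCOUNTDISABLE, PASSWD_NOTREQD): 546 -> 512."""
    return value & ~(NAME_TO_BIT["ACCOUNTDISABLE"] | NAME_TO_BIT["PASSWD_NOTREQD"])


def parse_ldif_uac(ldif: str) -> Dict[str, int]:
    """Map sAMAccountName -> userAccountControl from a minimal LDIF dump.

    Entries are separated by blank lines; only plain 'attr: value' lines are
    handled (base64 'attr:: value' lines are not needed for this attribute).
    """
    accounts: Dict[str, int] = {}
    entry: Dict[str, str] = {}
    for line in ldif.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if "sAMAccountName" in entry and "userAccountControl" in entry:
                accounts[entry["sAMAccountName"]] = int(entry["userAccountControl"])
            entry = {}
            continue
        key, _, val = line.partition(":")
        entry[key.strip()] = val.strip()
    return accounts


def audit(ldif: str) -> Dict[str, dict]:
    """Per-account decode plus the two questions from the thread: is the
    account disabled, and which review-worthy flags are set."""
    report = {}
    for sam, uac in parse_ldif_uac(ldif).items():
        flags = decode_uac(uac)
        report[sam] = {
            "value": uac,
            "flags": flags,
            "disabled": "ACCOUNTDISABLE" in flags,
            "findings": sorted(RISKY_FLAGS.intersection(flags)),
        }
    return report


# constructed sample: the 546 account from the post, a service account with
# DONT_EXPIRE_PASSWORD + PASSWD_NOTREQD, and a plain enabled account
SAMPLE_LDIF = """\
dn: CN=John Smith,CN=Users,DC=example,DC=com
sAMAccountName: jsmith
userAccountControl: 546

dn: CN=svc-backup,CN=Users,DC=example,DC=com
sAMAccountName: svc-backup
userAccountControl: 66080

dn: CN=Alice Doe,CN=Users,DC=example,DC=com
sAMAccountName: adoe
userAccountControl: 512
"""

if __name__ == "__main__":
    for sam, info in audit(SAMPLE_LDIF).items():
        print(f"{sam:12} {info['value']:>6}  {'+'.join(info['flags'])}"
              f"  disabled={info['disabled']}  findings={info['findings']}")
```

Running it on the sample lists jsmith as ACCOUNTDISABLE+PASSWD_NOTREQD+NORMAL_ACCOUNT (the 546 case from the post) and reports PASSWD_NOTREQD on the service account even though that one is enabled; the same parse-and-decode step works on an ldifde or ldapsearch export of the Users container.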
>
> On 10/03/2012 08:24:46 PM JNDI wrote:
Why does it matter?
Let's first look at the code below:
/**
 * Sample JNDI example code to add a user account to SunOne
 */
import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;

public class JNDI_Add_User {
    public static void main(String[] args) {
        String ldapURL = "ldap://mySunOne.myCompany.com:389";
        String bindDn = "cn=Directory Manager";
        String bindPwd = "password";

        // Set up the environment for creating the initial context
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapURL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPwd);

        try {
            // Create the initial context (binds to the directory)
            DirContext ctx = new InitialDirContext(env);

            // Attributes to represent the user
            Attributes attrs = new BasicAttributes(true); // case-ignore

            // objectClass chain for an inetOrgPerson entry
            Attribute attr = new BasicAttribute("objectClass");
            attr.add("top");
            attr.add("person");
            attr.add("organizationalPerson");
            attr.add("inetOrgPerson");
            attrs.put(attr);

            // MUST attribute
            attrs.put("cn", "John Smith");

            // MAY attributes
            attrs.put("givenName", "John");
            attrs.put("sn", "Smith");
            attrs.put("userPassword", "password");

            // Create the user account
            ctx.createSubcontext(
                    "cn=John Smith,ou=People,dc=example,dc=com",
                    attrs);

            // close
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
It's working perfectly for most LDAP-compliant directory servers, including OpenLDAP, OpenDJ and SunOne. The newly added user account can be used to provide authentication service.
Now run the same code (with the necessary changes to objectClass and others) to add a user into AD (Active Directory).
/**
 * Sample JNDI example code to add a user account in Active Directory
 */
import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;

public class JNDI_Add_User {
    public static void main(String[] args) {
        String ldapURL = "ldap://myAD.myCompany.com:389";
        String bindDn = "CN=Administrator,CN=Users,DC=myCompany,DC=com";
        String bindPwd = "password";

        // Set up the environment for creating the initial context
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapURL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPwd);

        try {
            // Create the initial context (binds to the domain controller)
            DirContext ctx = new InitialDirContext(env);

            // Attributes to represent the user
            Attributes attrs = new BasicAttributes(true); // case-ignore

            // objectClass chain for an AD user entry
            Attribute attr = new BasicAttribute("objectClass");
            attr.add("top");
            attr.add("person");
            attr.add("organizationalPerson");
            attr.add("user");
            attrs.put(attr);

            // naming attribute and name attributes
            attrs.put("cn", "John Smith");
            attrs.put("givenName", "John");
            attrs.put("sn", "Smith");
            attrs.put("userPassword", "password");

            // Note: userAccountControl is not set, so AD applies its default
            // Create the user account
            ctx.createSubcontext(
                    "cn=John Smith,CN=Users,DC=myCompany,DC=com",
                    attrs);

            // close
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
The user account is added. But when this account is used for authentication, you will get an error similar to this:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
The account is useless! Why?