Bumpy road to add user into Active Directory -- userAccountControl=512
Subject: Bumpy road to add user into Active Directory -- userAccountControl=512
Author: JNDI
In response to: Bumpy road to add user into Active Directory -- userAccountControl=544
Posted on: 10/03/2012 08:41:25 PM
Ok, let's try one more step with userAccountControl being 512 - We want to create a normal active account with password:
import javax.naming.NamingException;
import javax.naming.directory.*;

// env is assumed to be the JNDI connection environment (Hashtable) set up in the earlier posts; not repeated here
try {
    // Create the initial context
    DirContext ctx = new InitialDirContext(env);
    // Attributes to represent the user
    Attributes attrs = new BasicAttributes(true); // case-ignore
    // objectClass
    Attribute attr = new BasicAttribute("objectClass");
    attr.add("top");
    attr.add("person");
    attr.add("organizationalPerson");
    attr.add("user");
    attrs.put(attr);
    // MAY attributes
    attrs.put("cn", "John Smith");
    attrs.put("givenName", "John");
    attrs.put("sn", "Smith");
    attrs.put("userPassword", "password");
    attrs.put("userAccountControl", "512");
    // Create the user account
    ctx.createSubcontext(
        "cn=John Smith,CN=Users,DC=myCompany,DC=com",
        attrs);
    // close
    ctx.close();
} catch (NamingException e) {
    e.printStackTrace();
}
Sorry, you are not allowed to do that. Here is the error message:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
Hmmm?
>
> On 10/03/2012 08:38:24 PM JNDI wrote:
Let's force it to be enabled:
import javax.naming.NamingException;
import javax.naming.directory.*;

// env is assumed to be the JNDI connection environment (Hashtable) set up in the earlier posts; not repeated here
try {
    // Create the initial context
    DirContext ctx = new InitialDirContext(env);
    // Attributes to represent the user
    Attributes attrs = new BasicAttributes(true); // case-ignore
    // objectClass
    Attribute attr = new BasicAttribute("objectClass");
    attr.add("top");
    attr.add("person");
    attr.add("organizationalPerson");
    attr.add("user");
    attrs.put(attr);
    // MAY attributes
    attrs.put("cn", "John Smith");
    attrs.put("givenName", "John");
    attrs.put("sn", "Smith");
    attrs.put("userPassword", "password");
    attrs.put("userAccountControl", "544");
    // Create the user account
    ctx.createSubcontext(
        "cn=John Smith,CN=Users,DC=myCompany,DC=com",
        attrs);
    // close
    ctx.close();
} catch (NamingException e) {
    e.printStackTrace();
}
Here, 544 = 512 (NORMAL_ACCOUNT) + 32 (PASSWD_NOTREQD), which intentionally flags the account NOT as ACCOUNTDISABLE. But when this account is used for authentication, you still get the same error as before:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
Wait a minute, look at the flag 32 (PASSWD_NOTREQD). Does that mean what the user provided through userPassword was not even treated as a password?
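The order of operations that avoids both errors, as an added example rather than the poster's code (the LDAPS URL, container, bind account and sAMAccountName are placeholders): create the object disabled (514) and without a password, set the password through unicodePwd over an encrypted connection, then switch userAccountControl to 512. AD does not treat userPassword as the account password by default and refuses a password set over a plaintext session, so creating an enabled account straight away leaves it with no policy-compliant password, which is the 0000052D (password restriction) code behind the WILL_NOT_PERFORM above.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.*;

public class AdUserProvisioner {
    // Assumed placeholders: replace with your own domain controller, container and bind account
    static final String LDAPS_URL = "ldaps://dc.myCompany.com:636";
    static final String USERS_CONTAINER = "CN=Users,DC=myCompany,DC=com";
    static final int UF_ACCOUNTDISABLE = 0x0002;  // 2
    static final int UF_NORMAL_ACCOUNT = 0x0200;  // 512

    public static void createEnabledUser(String bindDn, String bindPassword, String cn,
                                         String sAMAccountName, String initialPassword)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL); // AD only accepts unicodePwd over an encrypted session
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        String userDn = "CN=" + cn + "," + USERS_CONTAINER;
        DirContext ctx = new InitialDirContext(env);
        try {
            // Step 1: create the object disabled (514 = NORMAL_ACCOUNT + ACCOUNTDISABLE), no password yet
            Attributes attrs = new BasicAttributes(true);
            Attribute oc = new BasicAttribute("objectClass");
            oc.add("top"); oc.add("person"); oc.add("organizationalPerson"); oc.add("user");
            attrs.put(oc);
            attrs.put("cn", cn);
            attrs.put("sAMAccountName", sAMAccountName);
            attrs.put("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE));
            ctx.createSubcontext(userDn, attrs).close();
            // Step 2: unicodePwd takes the password wrapped in double quotes, UTF-16LE, as a binary value
            byte[] pwd = ("\"" + initialPassword + "\"").getBytes(StandardCharsets.UTF_16LE);
            ctx.modifyAttributes(userDn, new ModificationItem[] {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", pwd)) });
            // Step 3: the account now has a policy-compliant password, so it may be enabled (512)
            ctx.modifyAttributes(userDn, new ModificationItem[] {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT))) });
        } finally {
            ctx.close();
        }
    }
}
```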