Bumpy road to add user into Active Directory -- the End.
Subject: Bumpy road to add user into Active Directory -- the End.
Author: JNDI
In response to: Bumpy road to add user into Active Directory -- unicodePwd
Posted on: 10/03/2012 08:53:03 PM
Finally, if you want to create a normal, active user account with the password Abcd1234, here is the complete code:
/**
 * Sample JNDI example code to add a user account in Active Directory
 */
import javax.naming.*;
import javax.naming.directory.*;
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;

public class JNDI_Add_User {
    public static void main(String[] args) {
        String ldapURL = "ldaps://myAD.myCompany.com:636"; // SSL: AD rejects unicodePwd over a cleartext connection
        String bindDn  = "CN=Administrator,CN=Users,DC=myCompany,DC=com";
        String bindPwd = "password";

        // Set up the environment for creating the initial context
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapURL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPwd);

        try {
            // Create the initial context (this performs the bind)
            DirContext ctx = new InitialDirContext(env);

            // Attributes to represent the user
            Attributes attrs = new BasicAttributes(true); // case-ignore attribute names

            // objectClass chain for an AD user
            Attribute attr = new BasicAttribute("objectClass");
            attr.add("top");
            attr.add("person");
            attr.add("organizationalPerson");
            attr.add("user");
            attrs.put(attr);

            // MUST attributes (for an active account with a password):
            // the password in double quotes, encoded as UTF-16LE without a BOM
            attrs.put("unicodePwd", "\"Abcd1234\"".getBytes(StandardCharsets.UTF_16LE));
            // 512 = NORMAL_ACCOUNT; without it AD defaults to 546 (disabled, password not required)
            attrs.put("userAccountControl", "512");

            // MAY attributes
            attrs.put("cn", "John Smith");
            attrs.put("givenName", "John");
            attrs.put("sn", "Smith");

            // Create the user account as a new entry under CN=Users
            ctx.createSubcontext("cn=John Smith,CN=Users,DC=myCompany,DC=com", attrs);

            // close the connection
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
Note: unicodePwd with the mysterious conversion is required; userAccountControl=512 is required, otherwise it will default to 546; an SSL or StartTLS secure connection is required; and there may be a password policy you have to follow, such as a minimum password length.
>
> On 10/03/2012 08:48:45 PM JNDI wrote:
As shown above, Microsoft does not allow client applications to directly manipulate the attribute userPassword. Instead, Microsoft introduced a mysterious attribute, unicodePwd, which requires that the password value be enclosed in double quotes and that each character (including the quotes) then be converted to its UTF-16 Unicode equivalent (because Windows conforms to UTF-16). If you want to batch-load users with LDIF, it must be further converted to Base64 encoding.
For example, if the password is Abcd1234, the LDIF representation should NOT be
Instead, it MUST be:
unicodePwd:: IgBBAGIAYwBkADEAMgAzADQAIgA=
Here is the whole chain of conversion:
Abcd1234
|
|
v
"Abcd1234"
|
|
v
0x22 00 41 00 62 00 63 00 64 00 31 00 32 00 33 00 34 00 22 00
|
|
v
IgBBAGIAYwBkADEAMgAzADQAIgA=
Whoa, that's really a myth!
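The following is an added example and is not code from either post in this thread. It carries the conversion chain from the quoted post (quote, UTF-16LE, Base64) through in Python, runs it backwards to check an LDIF file before loading, builds the LDIF "add" record that matches the JNDI code above, and decodes the userAccountControl value 546 mentioned in the note to show which bits AD sets by default. The flag constants are Microsoft's documented ADS_USER_FLAG_ENUM values; the DN, names and password are the sample values from the thread; nothing here talks to a directory.

```python
"""Added example, not from the original thread: build and check the
unicodePwd value the posts describe, emit the matching LDIF add record,
and decode userAccountControl to show why 512 must be set explicitly.
Standard library only; nothing here contacts a domain controller."""
import base64

# userAccountControl bits (Microsoft's documented ADS_USER_FLAG_ENUM values)
UF_ACCOUNTDISABLE = 0x0002   # account is disabled
UF_PASSWD_NOTREQD = 0x0020   # no password required
UF_NORMAL_ACCOUNT = 0x0200   # 512: ordinary user account
UAC_FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
}


def unicode_pwd_bytes(password: str) -> bytes:
    """Steps 1-2 of the chain: wrap in double quotes, then encode UTF-16LE.
    Python's 'utf-16-le' codec never emits a BOM, which is the form AD expects."""
    return ('"' + password + '"').encode("utf-16-le")


def unicode_pwd_ldif(password: str) -> str:
    """Step 3: the LDIF attribute line. A binary value uses '::' plus Base64."""
    b64 = base64.b64encode(unicode_pwd_bytes(password)).decode("ascii")
    return "unicodePwd:: " + b64


def decode_unicode_pwd(b64_value: str):
    """Run the chain backwards to check an LDIF value before loading it.
    Returns the password, or None if the value is not quoted (the form AD rejects)."""
    text = base64.b64decode(b64_value).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        return None
    return text[1:-1]


def describe_uac(value: int) -> list:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if value & bit]


def user_add_ldif(dn: str, cn: str, given_name: str, sn: str,
                  password: str, uac: int = UF_NORMAL_ACCOUNT) -> str:
    """LDIF 'add' record equivalent to the JNDI createSubcontext call
    (same objectClass chain, same attributes, password already encoded)."""
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: user",
        f"cn: {cn}",
        f"givenName: {given_name}",
        f"sn: {sn}",
        f"userAccountControl: {uac}",
        unicode_pwd_ldif(password),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Sample values taken from the thread; this reproduces the chain shown above.
    print(unicode_pwd_bytes("Abcd1234").hex())
    print(unicode_pwd_ldif("Abcd1234"))
    print("546 =", describe_uac(546))      # the default AD applies when 512 is not set
    print(user_add_ldif("cn=John Smith,CN=Users,DC=myCompany,DC=com",
                        "John Smith", "John", "Smith", "Abcd1234"))
```

Feed the record to `ldifde -i` or `ldapadd` over an LDAPS or StartTLS connection, as the note above requires. `describe_uac(546)` returns ACCOUNTDISABLE, PASSWD_NOTREQD and NORMAL_ACCOUNT (2 + 32 + 512), which is why the explicit 512 in the add is needed to get an enabled account that must have a password.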