Subject: Bumpy road to add user into Active Directory -- unicodePwd
Author: JNDI
In response to: Bumpy road to add user into Active Directory -- SSL/StartTLS
Posted on: 10/03/2012 08:48:45 PM
As shown above, Microsoft does not allow client applications to directly manipulate the attribute userPassword. Instead, Microsoft introduced a mysterious attribute unicodePwd which requires the password value be enclosed in double quotes and then each character (including the quotes) must be converted to its UTF-16 Unicode equivalent (because Windows conforms to UTF-16). If you want to batch load users with LDIF, it must be further converted to Base64 encoding.
For example, if the password is Abcd1234, the LDIF representation should NOT be
Instead, it MUST be:
unicodePwd:: IgBBAGIAYwBkADEAMgAzADQAIgA=
Here is the whole chain of conversion:
Abcd1234
|
|
v
"Abcd1234"
|
|
v
0x22 00 41 00 62 00 63 00 64 00 31 00 32 00 33 00 34 00 22 00
|
|
v
IgBBAGIAYwBkADEAMgAzADQAIgA=
Whoa, that's really a myth!
> On 10/03/2012 08:44:28 PM JNDI wrote:
> Let's try it again with an SSL or StartTLS secure connection.
> String ldapURL = "ldaps://myAD.myCompany.com:636";
> String bindDn = "CN=Administrator,CN=Users,DC=myCompany,DC=com";
> String bindPwd = "password";
> Sorry, it doesn't help. Same error:
> javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
> Ouch!?
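As an added example (not code from the post), here is the conversion chain from the post carried out in Java with JNDI, plus the LDAPS connection and the unicodePwd REPLACE that the thread is working towards. The class and method names, the AD_BIND_PWD environment variable and the assumption that the JVM trust store already contains the domain controller's certificate are mine; the host, port, bind DN and the sample password Abcd1234 are the values from the post.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class UnicodePwdExample {

    // Steps 1 and 2 of the chain: surround the clear text with double quotes,
    // then encode every character (quotes included) as UTF-16 little-endian,
    // which is the byte form Active Directory expects in unicodePwd.
    public static byte[] encodeUnicodePwd(String clearText) {
        String quoted = "\"" + clearText + "\"";
        return quoted.getBytes(StandardCharsets.UTF_16LE);
    }

    // Step 3: LDIF cannot carry raw binary, so the value is written with the
    // "::" separator, which means "Base64 of the octets".
    public static String toLdifLine(String clearText) {
        return "unicodePwd:: " + Base64.getEncoder().encodeToString(encodeUnicodePwd(clearText));
    }

    // Hex rendering of the raw bytes, to compare with the middle row of the chain.
    public static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder("0x");
        for (int i = 0; i < bytes.length; i++) {
            if (i > 0) sb.append(' ');
            sb.append(String.format("%02x", bytes[i] & 0xff));
        }
        return sb.toString();
    }

    // Open an LDAPS connection with JNDI. Assumption: the AD certificate chain is
    // trusted by the JVM (javax.net.ssl.trustStore), otherwise the handshake fails.
    public static LdapContext connectLdaps(String ldapUrl, String bindDn, String bindPwd)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPwd);
        return new InitialLdapContext(env, null);
    }

    // Administrative reset: REPLACE unicodePwd with the encoded value. AD refuses
    // writes to userPassword and refuses unicodePwd over an unencrypted connection,
    // in both cases with error 53 / WILL_NOT_PERFORM, so this is only meaningful on
    // the LDAPS context from connectLdaps.
    public static void resetPassword(DirContext ctx, String userDn, String newPassword)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    public static void main(String[] args) throws NamingException {
        String pwd = args.length > 0 ? args[0] : "Abcd1234";   // sample password from the post
        System.out.println(toHex(encodeUnicodePwd(pwd)));
        System.out.println(toLdifLine(pwd));

        // The directory write only runs when a target user DN is given as the
        // second argument; the bind password comes from AD_BIND_PWD (assumption).
        if (args.length > 1) {
            String bindPwd = System.getenv("AD_BIND_PWD");
            if (bindPwd == null) {
                System.err.println("set AD_BIND_PWD to the Administrator bind password");
                return;
            }
            LdapContext ctx = connectLdaps("ldaps://myAD.myCompany.com:636",
                    "CN=Administrator,CN=Users,DC=myCompany,DC=com", bindPwd);
            try {
                resetPassword(ctx, args[1], pwd);
            } finally {
                ctx.close();
            }
        }
    }
}
```

Run with no arguments it prints the hex row and the `unicodePwd::` line; for Abcd1234 those are exactly the middle and last rows of the chain in the post, which is a quick way to check an LDIF file before loading it. Note that the quotes become the bytes 22 00 at both ends of the value; forgetting them is the most common reason a correctly Base64-encoded value is still rejected.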