3

We're experiencing an issue trying to enable a active directory user(windows server 2012 r2) using the net/ldap library.

Setup

First, we create a user via this method:

def create_user(attrs)
  dn = "cn=#{attrs[:cn]},cn=Users,#{@base}"
  cn = attrs[:cn]
  pass = ascii_convert(attrs[:pwd])
  updated_attrs = { cn: cn,
                    objectclass: ['user'],
                    samaccountname: cn,
                    userprincipalname: "#{attrs[:cn]}@#{@domain}",
                    unicodepwd: pass
  }

  @connection.add(dn: dn, attributes: updated_attrs)
  result = @connection.get_operation_result
  raise LdapError.new("Create AD user error: #{result}") if result.code   != 0
end

This creates the user, and by default sets their userAccountControl attribute to 546 (which is what we want), when inspected in active directory this shows as:

0x222 (ACCOUNTDISABLE|PASSWD_NOTREQD|NORMAL_ACCOUNT).

Problem

Later we want to enable that user so we call:

def enable_user!(dn, cn)
  u = search_query(find_user(cn)).try(:first)
  if u
    @connection.replace_attribute(dn, :useraccountcontrol, '512')
  else
    false
  end
end

However, if I print @connection.get_operation_result I get:

<OpenStruct code=53, error_message="0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n\u0000", matched_dn="", message="Unwilling to perform">

With this method we want the userAccountControl to equal 512, which is the equivalent of 0x200 (NORMAL_ACCOUNT).

Things I've Tried

notes: connection is over SSL (LDAPS), and bound to an admin AD account.

  • this answer
  • using #modify instead of #replace_attribute in the enable_user! method.
  • passing the hex values instead of the integer representation.
  • perform the same modification using apache directory studio.

One interesting thing I did notice, is that I can modify useraccountcontrol to 514 which is:

0x202 (ACCOUNTDISABLE|NORMAL_ACCOUNT)

So, it seems I can modify this attribute as long as it's remaining disabled, as soon as I try to change to enabled is when I see the error.

Community
  • 1
  • 1
treiff
  • 1,246
  • 14
  • 24

1 Answers1

1

The error 0000052D is a system error code. Specifically, it means:

ERROR_PASSWORD_RESTRICTION

1325 (0x52D)

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

The problem would seem to be that the account you're enabling has a password-policy applied to it, whereby enabling it that password-policy would not be met.

I would first figure out what the password policy is for the account, then set the password to something that meets that policy criteria before flipping the bit to enable it.

If, however, you really want the user to be able to login with no password then the password should be set to null. But I'm not sure under what circumstances that would be desirable.

Community
  • 1
  • 1
ChadSikorra
  • 2,829
  • 2
  • 21
  • 27
  • Thanks, I haven't had time to really dig into this. However, I think your on the right track. I believe there is an issue with how I encoded the password in the initial `create_user` method, thus not meeting password requirements. – treiff Apr 19 '16 at 13:44
  • That could be the case. The `unicodePwd` expects a pretty specific encoding (UTF-16LE) and I'm not too sure what your `ascii_convert` is doing. [This answer](http://stackoverflow.com/a/32199465/2242593) might be of some help for that. – ChadSikorra Apr 19 '16 at 14:54
  • @treiff @ChadSikorra I am getting a different error message. `#` Has anyone ever been able to successfully enable/disable user? – Sandeep M Apr 19 '17 at 12:52
  • 1
    @SandeepM I would start a new question with the specifics of the code you're using and that error message. That's a different error code than the OP had. – ChadSikorra Apr 19 '17 at 19:11