
I have managed to connect, query and add to AD. When adding a user object with the ExampleA attributes (see below) set, I have no problem; however, when I add:

$this->newUserEntry["UserAccountControl"] = 512; //LDAP will disable the account by default, This will create it in an enabled state

I get the following warning from ldap_add() and the user object is not created:

Server is unwilling to perform

ExampleA:

        $this->newUserEntry["objectclass"][0] = "top";
        $this->newUserEntry["objectclass"][1] = "person";
        $this->newUserEntry["objectclass"][2] = "organizationalPerson";
        $this->newUserEntry["objectclass"][3] = "user";

        //---------General Tab-----------------------------------------
        $this->newUserEntry['givenname'] = $this->givenName; //first name
        $this->newUserEntry['sn'] = $this->sn; // last name
        $this->newUserEntry["displayname"] = $this->sn.', '.$this->givenName; // display name - Format: Meow, Test
        $this->newUserEntry["physicalDeliveryOfficeName"] = $this->location; //office
        $this->newUserEntry["mail"] = $this->userMail;
        $this->newUserEntry["mailNickname"] = $this->userMail; // user mail

        //Change this to mobile field
        $this->newUserEntry["telephoneNumber"] = '9897157910'; // user phone

        //----------Account Tab----------------------------------------
        $this->newUserEntry["userPrincipalName"] = $this->samaccountname.'@comp.com'; //User logon name
        $this->newUserEntry["sAMAccountname"] = $this->samaccountname; //pre windows 2007 logon name


        //----------profile Tab-----------------------------------------
        $this->newUserEntry["scriptPath"] = $this->scriptPath; //Log on script

        //----------Organization Tab------------------------------------
        $this->newUserEntry["title"] = $this->title;
        $this->newUserEntry["department"] = $this->department; // department
        $this->newUserEntry["company"] = "Open Doors Test"; // Company name
        $this->newUserEntry["manager"] = $this->managerDn; // name of the manager

What I have tried:

1-Setting password attribute:

I thought this was happening because I did not have the password attribute set, so I tried adding a password both hashed and unhashed:

password example: As33557b

$this->newUserEntry["userPassword"] = '{MD5}' . base64_encode(pack('H*',md5($this->password))); //md5HASH - hash the password

Again, both attempts failed, and as before, if I removed the account control attribute the user object was created with no issues.

2- Make sure the connection is over SSL:

I changed the way I was connecting via LDAP:

Before:

ldap_connect('ldap://'. $this->dnToConnect)

After:

ldap_connect('ldap://'. $this->dnToConnect, 636)

I also ran nmap -p 636 mydomain.com to make sure the port is open and I can make a connection.

3- Try setting 512 value as a string and as an integer.

Notes: I can make accounts, disable and enable them manually, so the problem should not be with the user and password that I am using to bind.

Update1:

I have narrowed down the problem to the password. I can create an enabled account with no password by setting userAccountControl to 544, so I think the issue is with the way I am setting the password field. BlooB is about to pop; any help would be appreciated.

Info requested in the comments (password):

Originally I was setting the password like:

//$this->newUserEntry["userPassword"] = '{MD5}' . base64_encode(pack('H*',md5($this->password))); //md5HASH - hash the password

Then someone suggested trying to set it like:

$newPassword = $this->password;
$newPassword = "\"" . $newPassword . "\"";
$newPass = mb_convert_encoding($newPassword, "UTF-16LE");
$this->newUserEntry["unicodePwd"] = $newPass;
  • Does the key UserAccountControl exist in AD (in the schema for users)? – Nic3500 Feb 14 '18 at 02:28
  • @Nic3500 yes it is there, as an example one of the users has userAccountControl 0x200 = (NORMAL_ACCOUNT), there is also a sAMAccountType 805306368 = {NORMAL_USER_ACCOUNT} – BlooB Feb 14 '18 at 02:44
  • One thing I just noticed is that all users' userPassword attribute says , however when I create an account it is setting that field according to my hashed value – BlooB Feb 14 '18 at 03:08
  • @BlooB - I don't know how it is done in PHP & which library you're using; in C#, I use `directoryEntry.Properties["userAccountControl"].Value = 0x0200;` - note the hexadecimal use 0x, and `directoryEntry.Invoke("SetPassword", new object[] { "yourPasswordInPlainText" });` to set the password. – Am_I_Helpful Feb 14 '18 at 09:44
  • How are you setting the password? Can you change a password? Show code. – jwilleke Feb 14 '18 at 10:47
  • @jwilleke I added the chunks of code you requested to the post's body at the end. – BlooB Feb 14 '18 at 15:26
  • Can you try to connect securely with ldap**s**:// instead of ldap://? `ldap_connect('ldaps://' . $this->dnToConnect, 636)` – SJDS Feb 16 '18 at 08:58

1 Answer


Hopefully this will help someone. The reason I couldn't create an account in an active state was that I was not able to set the attribute unicodePwd, and this was due to not being able to connect over LDAPS.

I couldn't connect over LDAPS due to lack of the needed certificate and some configurations.

Resolution:

1-

a. Create the following folders in your C: directory (at the same level as your PHP top folder):

openldap -> sysconf

b. In sysconf folder:

b1. create a ldap.conf file and add the following lines:

   TLS_CACERT C:\openldap\sysconf\ssl\cacert.pem
   TLS_REQCERT     never 

b2. create a folder in sysconf named ssl:

   you will put a `certificate` in there (look at part 2 for details)

2- Go to the host that runs your Active Directory, ask your admin to perform the instructions in the link below, and put the cert in the ssl folder; also remember to convert the cert using OpenSSL:

https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx 

3- You can use the script below to test:

<?php

  $ldaphost     = "ldaps://hostNameOfDC.DCName.com";
  $ldapUsername = "adminUser@DCName.com";
  $ldapPassword = "adminPASS";

  $bth = false; // initialised so the final check never reads an undefined variable
  $ds = ldap_connect($ldaphost, 636);
  if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
      print "Could not set LDAPv3\r\n";
  } else {
      // now we need to bind to the ldap server
      $bth = ldap_bind($ds, $ldapUsername, $ldapPassword) or die("\r\nCould not connect to LDAP server\r\n");
  }

  if ($bth) { echo "WEEEE you did it"; }

?>

4- How to set unicodePwd (password credit to):

        $newPassword = $this->password;                        // plain-text password to set
        $newPassword = "\"" . $newPassword . "\"";             // AD expects the value wrapped in double quotes
        $newPass = mb_convert_encoding($newPassword, "UTF-16LE"); // ... and encoded as UTF-16LE
        $this->newUserEntry["unicodePwd"] = $newPass;
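Putting the answer's steps together (LDAPS with certificate verification, the unicodePwd encoding from step 4, and userAccountControl 512) as an added example that is not the poster's code: the URI, DNs, CA file path and the PHP 7.1+ requirement are assumptions, and describeUac() additionally shows why 544 succeeded without a password (it includes PASSWD_NOTREQD, 0x20).

```php
<?php
// Added example, not the original poster's code: create an enabled AD user over LDAPS
// with unicodePwd set in the same ldap_add(). URI, DNs and CA path are placeholders.
// Assumes PHP >= 7.1 with ext/ldap (needed for the LDAP_OPT_X_TLS_* constants).

const UF_ACCOUNTDISABLE = 0x0002;
const UF_PASSWD_NOTREQD = 0x0020; // 544 = 0x200 | 0x20: this is why 544 worked without a password
const UF_NORMAL_ACCOUNT = 0x0200; // 512: the value the question was trying to set

// AD only accepts unicodePwd as the password wrapped in double quotes, encoded as
// UTF-16LE, and only over an encrypted connection (hence LDAPS on 636).
function adUnicodePwd(string $plain): string
{
    return mb_convert_encoding('"' . $plain . '"', 'UTF-16LE', 'UTF-8');
}

// Names the flags set in a userAccountControl value, so PASSWD_NOTREQD is visible.
function describeUac(int $uac): array
{
    $names = [UF_ACCOUNTDISABLE => 'ACCOUNTDISABLE', UF_PASSWD_NOTREQD => 'PASSWD_NOTREQD',
              UF_NORMAL_ACCOUNT => 'NORMAL_ACCOUNT'];
    $set = [];
    foreach ($names as $bit => $name) {
        if (($uac & $bit) !== 0) { $set[] = $name; }
    }
    return $set;
}

function createEnabledUser(string $uri, string $caFile, string $bindDn, string $bindPw,
                           string $userDn, array $attrs, string $password): bool
{
    // TLS options are global and must be set before ldap_connect(). Verifying the DC
    // certificate against the CA file replaces the "TLS_REQCERT never" from ldap.conf.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect($uri); // e.g. "ldaps://dc01.example.com:636" (constructed placeholder)
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD returns referrals that otherwise break operations
    if (!ldap_bind($ds, $bindDn, $bindPw)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }
    $attrs['unicodePwd'] = adUnicodePwd($password);
    $attrs['userAccountControl'] = (string) UF_NORMAL_ACCOUNT; // enabled, password required
    $ok = ldap_add($ds, $userDn, $attrs);
    if (!$ok) { error_log('ldap_add failed: ' . ldap_error($ds)); } // "unwilling to perform" usually means no TLS
    ldap_unbind($ds);
    return $ok;
}
```

createEnabledUser() needs a reachable domain controller; describeUac(544) can be run offline to confirm which flags the question's workaround value actually set.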