How to enable user via LDAP in AD?

Question

In my program (jldap-based) I trying to enable user in AD by setting userAccountControl value to 512. User created with following attributes:

objectClass=user
cn=username
name=username
userAccountControl=512
userPassword={BASE64}<base64 encoded password>
sAMAccountName=username
distinguishedName=username,CN=Users,DC=company,DC=com

But I get exception:

LDAPException: Unwilling To Perform (53) Unwilling To Perform
LDAPException: Server Message: 0000052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

May be anybody can tell me where I'm making an error? Maybe I forgot some required attribute?

EDIT:

My code (It is trivial and I think that no errors in it):

LDAPConnection connection;
LDAPMessageQueue messageQueue;
...
LDAPAttributeSet attributes = new LDAPAttributeSet();
attributes.add(new LDAPAttribute("objectClass", "user"));
attributes.add(new LDAPAttribute("cn", "username"));
attributes.add(new LDAPAttribute("name", "username"));
attributes.add(new LDAPAttribute("userAccountControl", "512"));
attributes.add(new LDAPAttribute("userPassword", "{BASE64}<base64 encoded password>"));
attributes.add(new LDAPAttribute("sAMAccountName", "username"));
attributes.add(new LDAPAttribute("distinguishedName", "username,CN=Users,DC=company,DC=com"));

LDAPEntry entry = new LDAPEntry("CN=username,CN=Users,DC=company,DC=com", attributes);
connection.add(entry);

Please show some code as how you are setting these values. Maybe there is an error in it. — Preet Sangha, Aug 23 '11 at 08:10
I not think, that error in code, because I can create disabled user, but when I try to enable user I receive exception. — Eugene Burtsev, Aug 23 '11 at 08:51

score 4 · Accepted Answer · edited May 23 '17 at 12:23

4

This error can arise when the password is not correctly encoded. Make sure it's a Base64 encoded UTF-16LE string.

Example (if you are using Oracle JVM)

String pass = "password";
sun.misc.BASE64Encoder enc = new sun.misc.BASE64Encoder();
String encoded = enc.encode(pass.getBytes("UTF-16LE"));

UPDATE 1: Have you tried running your code without the userAccountControl attribute (to rule in or out that it's actually that attribute that is causing problems)?

I noticed that your distinguished name attribute looks a bit strange, as well. It should probably look something like CN=username,OU=Users,DC=company,DC=com.

UPDATE 2: see Adding a user with a password in Active Directory LDAP. WILL_NOT_PERFORM can be returned if you are trying to set password for an entry (which you are, since you're creating it) over a non-SSL connection. You need to make sure you are connecting to the AD server over SSL (and set up certificates as required).

edited May 23 '17 at 12:23

Community

1
1

answered Aug 23 '11 at 08:46

pap

27,064
6
41
46

Thanks you, but when I trying your example I get some exception. – Eugene Burtsev Aug 23 '11 at 08:56
Which exception? The same as before? Please post the code of how you create/update your user. – pap Aug 23 '11 at 10:15
Yes, exception is same as before. I added my code in question. – Eugene Burtsev Aug 23 '11 at 10:43
Thanks, I did mistake when write code example. In real world application I set distinguished name in right format. And thanks you for note about SSL - I think it's source of my problem. – Eugene Burtsev Aug 23 '11 at 12:17

How to enable user via LDAP in AD?

1 Answers1