We're experiencing an issue trying to enable a active directory user(windows server 2012 r2
) using the net/ldap
library.
First, we create a user via this method:
def create_user(attrs)
dn = "cn=#{attrs[:cn]},cn=Users,#{@base}"
cn = attrs[:cn]
pass = ascii_convert(attrs[:pwd])
updated_attrs = { cn: cn,
objectclass: ['user'],
samaccountname: cn,
userprincipalname: "#{attrs[:cn]}@#{@domain}",
unicodepwd: pass
}
@connection.add(dn: dn, attributes: updated_attrs)
result = @connection.get_operation_result
raise LdapError.new("Create AD user error: #{result}") if result.code != 0
end
This creates the user, and by default sets their userAccountControl
attribute to 546
(which is what we want), when inspected in active directory this shows as:
0x222 (ACCOUNTDISABLE|PASSWD_NOTREQD|NORMAL_ACCOUNT)
.
Later we want to enable that user so we call:
def enable_user!(dn, cn)
u = search_query(find_user(cn)).try(:first)
if u
@connection.replace_attribute(dn, :useraccountcontrol, '512')
else
false
end
end
However, if I print @connection.get_operation_result
I get:
<OpenStruct code=53, error_message="0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n\u0000", matched_dn="", message="Unwilling to perform">
With this method we want the userAccountControl
to equal 512
, which is the equivalent of 0x200 (NORMAL_ACCOUNT)
.
notes: connection is over SSL (LDAPS), and bound to an admin AD account.
#modify
instead of #replace_attribute
in the enable_user!
method.One interesting thing I did notice, is that I can modify useraccountcontrol
to 514
which is:
0x202 (ACCOUNTDISABLE|NORMAL_ACCOUNT)
So, it seems I can modify this attribute as long as it's remaining disabled, as soon as I try to change to enabled is when I see the error.
The error 0000052D
is a system error code. Specifically, it means:
ERROR_PASSWORD_RESTRICTION
1325 (0x52D)
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
The problem would seem to be that the account you're enabling has a password-policy applied to it, whereby enabling it that password-policy would not be met.
I would first figure out what the password policy is for the account, then set the password to something that meets that policy criteria before flipping the bit to enable it.
If, however, you really want the user to be able to login with no password then the password should be set to null. But I'm not sure under what circumstances that would be desirable.