
We're experiencing an issue trying to enable an Active Directory user (Windows Server 2012 R2) using the net/ldap library.

Setup

First, we create a user via this method:

def create_user(attrs)
  # Build the DN under the default Users container of the configured base
  dn = "cn=#{attrs[:cn]},cn=Users,#{@base}"
  cn = attrs[:cn]
  # helper (not shown) that prepares the password value for unicodePwd
  pass = ascii_convert(attrs[:pwd])
  updated_attrs = { cn: cn,
                    objectclass: ['user'],
                    samaccountname: cn,
                    userprincipalname: "#{attrs[:cn]}@#{@domain}",
                    unicodepwd: pass
  }

  @connection.add(dn: dn, attributes: updated_attrs)
  result = @connection.get_operation_result
  raise LdapError.new("Create AD user error: #{result}") if result.code != 0
end

This creates the user and by default sets their userAccountControl attribute to 546 (which is what we want); when inspected in Active Directory this shows as:

0x222 (ACCOUNTDISABLE|PASSWD_NOTREQD|NORMAL_ACCOUNT).

Problem

Later we want to enable that user so we call:

def enable_user!(dn, cn)
  # Look the user up first; search_query/find_user are our own helpers
  u = search_query(find_user(cn)).try(:first)
  if u
    # 512 = 0x200 = NORMAL_ACCOUNT with ACCOUNTDISABLE cleared
    @connection.replace_attribute(dn, :useraccountcontrol, '512')
  else
    false
  end
end

However, if I print @connection.get_operation_result I get:

<OpenStruct code=53, error_message="0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n\u0000", matched_dn="", message="Unwilling to perform">

With this method we want the userAccountControl to equal 512, which is the equivalent of 0x200 (NORMAL_ACCOUNT).

Things I've Tried

Notes: the connection is over SSL (LDAPS) and is bound to an admin AD account.

  • this answer
  • using #modify instead of #replace_attribute in the enable_user! method.
  • passing the hex values instead of the integer representation.
  • performing the same modification using Apache Directory Studio.

One interesting thing I did notice is that I can modify userAccountControl to 514, which is:

0x202 (ACCOUNTDISABLE|NORMAL_ACCOUNT)

So it seems I can modify this attribute as long as it remains disabled; as soon as I try to change it to enabled, I see the error.


1 Answer


The error 0000052D is a system error code. Specifically, it means:

ERROR_PASSWORD_RESTRICTION

1325 (0x52D)

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

The problem appears to be that the account you are enabling has a password policy applied to it, and the account does not satisfy that password policy.

I would first work out what the password policy for that account is, then set the password to one that meets that policy's criteria, and only then flip the bit to enable it.

However, if you really do want the user to be able to log in without a password, you should set the password to blank. But I'm not sure under what circumstances that would be desirable.

answered 2016-04-18T21:06:54.190
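Putting the answer into code against the question's enable_user! flow: the following is an added example, not code from either post or from the net-ldap project. It decodes the userAccountControl bits quoted above, encodes a policy-compliant password the way AD expects unicodePwd (quoted, UTF-16LE), and issues the password write before clearing ACCOUNTDISABLE and PASSWD_NOTREQD. The connection argument is assumed to be an already-bound Net::LDAP object over LDAPS like the question's @connection; the DN and password values are constructed.

```ruby
# Added example: enable an AD account the way the answer recommends (set a
# compliant password first, then flip the bits). Assumes `connection` responds
# to #modify(dn:, operations:) and #get_operation_result like Net::LDAP does;
# no live server is contacted by the pure helpers below.

# Subset of the userAccountControl flags that appear in this thread.
UAC_FLAGS = {
  'ACCOUNTDISABLE' => 0x0002,
  'PASSWD_NOTREQD' => 0x0020,
  'NORMAL_ACCOUNT' => 0x0200
}.freeze

# Names of the flags set in an integer userAccountControl value (546 -> three names).
def uac_flag_names(value)
  UAC_FLAGS.select { |_, bit| value & bit != 0 }.keys
end

# AD expects unicodePwd as the password wrapped in double quotes, UTF-16LE encoded,
# sent as raw bytes over an encrypted (LDAPS) connection.
def encode_unicode_pwd(password)
  "\"#{password}\"".encode('UTF-16LE').b
end

# Modify operations in net/ldap's [op, attribute, values] form. The password goes
# first so the account already satisfies the domain policy when ACCOUNTDISABLE and
# PASSWD_NOTREQD are cleared; 546 becomes 512 (NORMAL_ACCOUNT only).
def enable_ops(password, current_uac: 546)
  enabled = current_uac & ~(UAC_FLAGS['ACCOUNTDISABLE'] | UAC_FLAGS['PASSWD_NOTREQD'])
  [
    [:replace, :unicodePwd, [encode_unicode_pwd(password)]],
    [:replace, :userAccountControl, [enabled.to_s]]
  ]
end

# Sends each operation as its own modify request and surfaces the server's
# diagnostic (e.g. the 0000052D text from the question) instead of swallowing it.
def enable_user(connection, dn, password)
  enable_ops(password).each do |op|
    connection.modify(dn: dn, operations: [op])
    result = connection.get_operation_result
    raise "AD error #{result.code}: #{result.error_message}" unless result.code.zero?
  end
  true
end
```

If the first modify still fails with 0000052D, the chosen password itself violates the domain's length, complexity or history rules, which separates a policy problem from a flag problem.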