1

EDIT4: Got my application to write the user to the active directory, but the active directory complains when I try to enable the user



Previous messages


I'm trying to add a user to my local Active Directory (with AD LDS) by using Java (1.4) and LDAP. However, I keep getting the following error:

javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - 0000207B : UpdErr: DSID-030511CF, problem 6002 (OBJ_CLASS_VIOLATION), data 0 ]; remaining name 'CN=Test user,OU=Accounts,DC=PORTAL,DC=COMPANY,DC=BE'

My code:

public static void main(String[] args) {
    try {
        DirContext ctx = new InitialDirContext(X_Ldap.getEnvironment());
        user usr = new user("Test user", "FALSE");

        // bind() with a DirContext object: JNDI takes the entry's attributes
        // from usr.getAttributes("")
        ctx.bind("CN=Test user,OU=Accounts,DC=PORTAL,DC=COMPANY,DC=BE", usr);

        // X_Ldap.checkIfUserExists("Test User");
        ctx.close();
    } catch (NamingException e) {
        e.printStackTrace();
    }
}

import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;

public class user implements DirContext {
    String type;
    Attributes attr;

    /**
     * @param username
     *            stored as the comment attribute and returned by toString()
     * @param isDisabled
     *            TRUE or FALSE (literally)
     */
    public user(String username, String isDisabled) {
        this.type = username; // was a shadowing local "String type", which left the field null

        attr = new BasicAttributes(true);
        Attribute oc = new BasicAttribute("objectclass");
        oc.add("top");
        oc.add("person");
        oc.add("organizationalPerson");
        oc.add("user");
        Attribute memberOf = new BasicAttribute("memberOf");
        memberOf.add("CN=Users,CN=Roles,DC=PORTAL,DC=COMPANY,DC=BE");

        attr.put(oc);
        attr.put("msDS-UserAccountDisabled", isDisabled);
        attr.put(memberOf);

        attr.put("comment", username);
    }

    // The attributes JNDI sends with the bind; the attributes built in the
    // constructor were previously discarded. The remaining DirContext
    // methods are not shown in the post.
    public Attributes getAttributes(String name) throws NamingException {
        return attr;
    }

    public String toString() {
        return type;
    }
}

EDIT: I checked one of my user objects for mandatory attributes, but I'm not sure what I should fill in for all of them:

cn: Jane Doe -- Unicode string
instanceType: 0x4 = (WRITE) -- Integer
objectCategory: CN=Person,CN=Schema,CN=Configuration,CN={EDBEACA1-6F60-413C-80F2-6C5CE265F22F} -- Distinguished Name
objectClass: top; person; organizationalPerson; user -- Object Identifier
objectSid: S-1-372665300-2234744891-519896106-1336725265-1748609191-3385095770 -- SID


EDIT2: My current code:

import java.io.IOException;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class newuser {
    public static void main(String[] args) {

        String userName = "cn=Albert Einstein,ou=Accounts,DC=PORTAL,DC=COMPANY,DC=BE";
        // String groupName =
        // "cn=Users,cn=Roles,DC=PORTAL,DC=COMPANY,DC=BE";

        try {

            // Create the initial directory context
            System.out.println("Creating initial directory context...");
            LdapContext ctx = new InitialLdapContext(X_Ldap.getEnvironment(), null);

            // Create attributes to be associated with the new user
            Attributes attrs = new BasicAttributes(true);

            // some useful constants from lmaccess.h (userAccountControl flags;
            // AD LDS does not expose userAccountControl, see EDIT 3, so they
            // are kept for reference only)
            int UF_ACCOUNTDISABLE = 0x0002;
            int UF_PASSWD_NOTREQD = 0x0020;
            int UF_PASSWD_CANT_CHANGE = 0x0040;
            int UF_NORMAL_ACCOUNT = 0x0200;
            int UF_DONT_EXPIRE_PASSWD = 0x10000;
            int UF_PASSWORD_EXPIRED = 0x800000;

            attrs.put("objectClass", "user");
            attrs.put("cn", "Albert Einstein");

            // These are some optional (but useful) attributes
            attrs.put("givenName", "Albert");
            attrs.put("sn", "Einstein");
            attrs.put("displayName", "Albert Einstein");
            attrs.put("description", "Research Scientist");
            attrs.put("userPrincipalName", "AlbertE@antipodes.com");
            attrs.put("mail", "relativity@antipodes.com");
            attrs.put("telephoneNumber", "999 123 4567");

            // unicodePwd is the password in double quotes, encoded as UTF-16LE without
            // a BOM. The Java charset name is "UTF-16LE"; "UTF16LE" is not a valid
            // charset name (hence the UnsupportedEncodingException) and "UTF-16"
            // prepends a BOM in big-endian order, which the directory rejects.
            String newQuotedPassword = "\"Pass123\"";
            byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
            attrs.put("unicodePwd", newUnicodePassword);

            // msDS-User-Account-Control-Computed is a constructed, read-only attribute.
            // In AD LDS the enabled/disabled state is the writable boolean
            // msDS-UserAccountDisabled; the account is created disabled here.
            attrs.put("msDS-UserAccountDisabled", "TRUE");

            // Create the context
            System.out.println("Creating context...");
            Context result = ctx.createSubcontext(userName, attrs);
            System.out.println("Created disabled account for: " + userName);

            ctx.close();

            System.out.println("Successfully created User: " + userName);

        } catch (NamingException e) {
            System.err.println("Problem creating object: " + e);
        } catch (IOException e) {
            // getBytes(String) throws UnsupportedEncodingException, an IOException
            System.err.println("Problem creating object: " + e);
        }
    }
}

Still have following problem:

String newQuotedPassword = "\"Pass123\"";
byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16");
attrs.put("unicodePwd", newUnicodePassword);

gives me the following exception:

Creating initial directory context... Problem creating object: java.io.UnsupportedEncodingException: UTF16LE

note: I disabled the requirement for SSL to change the password

EDIT 3: apparently the "User Account control" is not supported by AD LDS and is split up in a number of different attributes.

– Andreas

4 Answers

2

You perhaps can have a look at Using JAVA code with Active Directory, especially Creating new users & demystifying userAccountControl.

For me you forgot the "CN" attribute.

– JPBlanc
  • second linked helped me a bit further, but now I get the following error right before I create the context: Problem creating object: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=PORTAL,DC=COMPANY,DC=BE']; remaining name 'CN=Albert Einstein,CN=Accounts,DC=PORTAL,DC=COMPANY,DC=BE' – Andreas Mar 19 '12 at 14:12
  • 1
    What is CN=Accounts in your directory ? Can you discribe your hierachy? Can you post your code again. – JPBlanc Mar 19 '12 at 15:48
  • had already found it, CN had to be OU. Currently looking to get the password to work – Andreas Mar 19 '12 at 15:53
  • Not completely. Still have problems with the password, as well as the userAccountControl, which seems to be a different attribute in AD LDS. I'll update the code later – Andreas Mar 20 '12 at 13:57
  • apparently the "User Account control" is not supported by AD LDS and is split up in a number of different attributes. Now I just need to know how to solve the unsupported encoding exception. – Andreas Mar 21 '12 at 09:58
  • Sorry, bounty was meant for you, but seems like I misclicked and can't undo it >.> – Andreas Mar 21 '12 at 14:12
1

Check your schema documentation for which attributes are allowed and required for the person, user, and organizationalPerson object classes. Ensure that the entry the code is trying to add has all the attributes that are required, and only attributes that are allowed or required.

– Terry Gardner
  • updated question with required attributes for object User; I know what I should add for CN and objectclass, but I'm not sure what I should do with the other three. – Andreas Mar 19 '12 at 09:00
  • Are you sure that `memberOf` is an allowed attribute? In some directory servers, `memberOf` is a virtual attribute, that is, `memberOf` is generated upon request. – Terry Gardner Mar 19 '12 at 09:14
  • I tried running it with only object class and CN (which are required attributes), but still got the same error – Andreas Mar 19 '12 at 09:22
  • `cn` is the *only* required attribute for all of those objectClasses? – Terry Gardner Mar 19 '12 at 09:24
  • where can I find the attributes for these objectclasses? – Andreas Mar 19 '12 at 09:50
  • 1
    All but the most trivial LDAP Clients should consider reading the directory schema. The schema contains all information that is required to deal with objectClasses and attributes (which attributes are required or allowed), including matching rules and ordering rules (which must be used to make comparisons). The location of the schema should be defined in the the Root DSE as the `subSchema` attribute. For more information about the root DSE, see this [article](http://ff1959.wordpress.com/2011/04/11/the-root-dse-is-that-entry-with-zero-rdns-and-contains-information-about-the-directory-server/). – Terry Gardner Mar 19 '12 at 12:11
  • apparently the "User Account control" is not supported by AD LDS and is split up in a number of different attributes. Now I just need to know how to solve the unsupported encoding exception. – Andreas Mar 21 '12 at 09:58
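The schema lookup Terry Gardner describes, written out as an added example (not code from the question or from any answer): it reads `subschemaSubentry` from the root DSE, fetches the `objectClasses` attribute of that entry, and walks the `SUP` chain so that the MUST attributes inherited from `top`, `person` and `organizationalPerson` are reported together with those of `user`. The host, the bind DN and the `ldap.password` system property are assumptions; the parser assumes the single-name `NAME 'x'` form of RFC 4512 descriptions that Active Directory and AD LDS emit. The code avoids generics and for-each loops so it compiles on the Java 1.4 mentioned in the question.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Lists the MUST attributes of an object class by reading the subschema
 * entry that the root DSE advertises in subschemaSubentry (RFC 4512).
 */
public class SchemaMust {

    // NAME 'user' inside an object class description (single-name form assumed)
    private static final Pattern NAME = Pattern.compile("NAME\\s+'([^']+)'");

    /** Operand of a keyword such as MUST or SUP: one name or a "( a $ b )" list. */
    static List operand(String definition, String keyword) {
        Matcher m = Pattern.compile("\\b" + keyword + "\\s+(\\(([^)]*)\\)|([\\w.-]+))")
                .matcher(definition);
        List names = new ArrayList();
        if (m.find()) {
            // group 2 is the parenthesised list, group 3 the bare single name
            String body = m.group(2) != null ? m.group(2) : m.group(3);
            String[] parts = body.split("\\$");
            for (int i = 0; i < parts.length; i++) {
                String t = parts[i].trim();
                if (t.length() > 0) names.add(t);
            }
        }
        return names;
    }

    /** Maps lower-cased class name to its RFC 4512 description, read from the server. */
    static Map loadObjectClasses(DirContext ctx) throws NamingException {
        Attributes rootDse = ctx.getAttributes("", new String[] { "subschemaSubentry" });
        String subschemaDn = (String) rootDse.get("subschemaSubentry").get();
        Attributes sub = ctx.getAttributes(subschemaDn, new String[] { "objectClasses" });
        Map byName = new HashMap();
        NamingEnumeration values = sub.get("objectClasses").getAll();
        while (values.hasMore()) {
            String def = (String) values.next();
            Matcher m = NAME.matcher(def);
            if (m.find()) byName.put(m.group(1).toLowerCase(), def);
        }
        return byName;
    }

    /** MUST attributes of className and of every superclass reached through SUP. */
    static Set requiredAttributes(Map classes, String className) {
        Set must = new LinkedHashSet();
        Set seen = new HashSet();
        LinkedList todo = new LinkedList();
        todo.add(className.toLowerCase());
        while (!todo.isEmpty()) {
            String name = (String) todo.removeFirst();
            if (!seen.add(name)) continue;     // guards against a cyclic SUP chain
            String def = (String) classes.get(name);
            if (def == null) continue;         // unknown class: nothing to add
            must.addAll(operand(def, "MUST"));
            List sups = operand(def, "SUP");
            for (int i = 0; i < sups.size(); i++) {
                todo.add(((String) sups.get(i)).toLowerCase());
            }
        }
        return must;
    }

    public static void main(String[] args) throws NamingException {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://lds.example.test:389");        // assumed host
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL,
                "CN=Admin,OU=Accounts,DC=PORTAL,DC=COMPANY,DC=BE");         // assumed bind DN
        env.put(Context.SECURITY_CREDENTIALS, System.getProperty("ldap.password")); // assumed
        DirContext ctx = new InitialDirContext(env);
        try {
            Map classes = loadObjectClasses(ctx);
            String[] chain = { "top", "person", "organizationalPerson", "user" };
            for (int i = 0; i < chain.length; i++) {
                System.out.println(chain[i] + " MUST " + requiredAttributes(classes, chain[i]));
            }
        } finally {
            ctx.close();
        }
    }
}
```

Run it with `-Dldap.password=...` against the AD LDS instance. The inherited MUST list is the one the question's EDIT shows (`instanceType`, `objectCategory`, `objectSid`, and so on); Active Directory and AD LDS fill those system attributes themselves when the add contains `objectClass` and `cn`, so an OBJ_CLASS_VIOLATION on such an entry usually comes from an attribute that is present but not allowed, such as the back-link `memberOf` in the question's first listing, rather than from a missing one.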
1

Here is some know-how I learned during development of a user account management application (ASP.NET) for Active Directory 2008:

  1. You should fill in sAMAccountName or userPrincipalName

  2. The account remains disabled until you set a password for it according to the domain password policies

  3. Any password-related operations need to be done over a secure connection

  4. When creating an account, open the context of the OU where you want to create the user object. Then call the method to add it

Read this document: http://msdn.microsoft.com/en-us/magazine/cc135979.aspx

(I know it is for .NET, but it is very, very similar to the Java LDAP API)

Hope this helps you

– rkosegi
0

An object class schema violation means that one or more required attributes are missing from the object that you are trying to create. So you need to look at the schemas for top, person, organizationalPerson, and user and ensure that you are setting all of the attributes that are required.

– Craig Wohlfeil
  • updated question with required attributes for object User; I know what I should add for CN and objectclass, but I'm not sure what I should do with the other three. – Andreas Mar 19 '12 at 09:01