Reputation: 21
I'm trying to create a user in AD via a Java/LDAP program, and the user that gets created is always disabled. When I tried to set 'userAccountControl' to '512', it gave me the following error:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0
1) I don't think it's an issue with SSL as I'm able to successfully connect through SSL port and do other operations like modify password etc.
2) I'm also doing the UTF-16 encoding and that is why I'm able to modify the password successfully.
Hope to get a response soon.
Thanks, antony
Upvotes: 2
Views: 8403
Reputation: 3651
When I saw this problem, it turned out my encoding wasn't quite right. You need to wrap the string password in quotes before encoding:
final byte[] adEncodedPassword = ("\"" + password + "\"").getBytes("UTF-16LE");
reference: http://encounteringidm.com/will_not_perform-error-from-ad-on-password-change-using-java/
Upvotes: 0
Reputation: 2209
The error you get (0000052D) corresponds to the following error message from winerror.h:
//
// MessageId: ERROR_PASSWORD_RESTRICTION
//
// MessageText:
//
// Unable to update the password. The value provided for the new
// password does not meet the length, complexity, or history
// requirement of the domain.
//
#define ERROR_PASSWORD_RESTRICTION 1325L
From this we can draw the conclusion that your AD has a password policy set, which is preventing the user from being created. You have two options here: first, to try setting the password via LDAP (this requires a 128-bit SSL or TLS connection), and second, to set the PASSWD_NOTREQD flag (32) in userAccountControl.
Upvotes: 2
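The two answers above combine into one ordering: create the account disabled with PASSWD_NOTREQD, write a quoted UTF-16LE `unicodePwd`, and only then replace `userAccountControl` with 512. The following JNDI sketch is an added example, not code from any poster; the class name, method names and sample password are hypothetical, and the ACCOUNTDISABLE value (2) is taken from the standard flag definitions rather than from this page.

```java
import java.nio.charset.StandardCharsets;
import javax.naming.NamingException;
import javax.naming.directory.*;

public class AdUserCreate {
    // userAccountControl bits; 512 and 32 are the values named in the thread.
    static final int ACCOUNTDISABLE = 0x0002;
    static final int PASSWD_NOTREQD = 0x0020; // 32
    static final int NORMAL_ACCOUNT = 0x0200; // 512
    static final int CREATE_UAC = NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE; // 546

    /** unicodePwd value: the password wrapped in double quotes, encoded as UTF-16LE. */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Step 1: a disabled account that needs no password, so the policy check passes. */
    static Attributes disabledUser(String sam) {
        Attributes attrs = new BasicAttributes(true);
        Attribute oc = new BasicAttribute("objectClass");
        oc.add("top"); oc.add("person"); oc.add("organizationalPerson"); oc.add("user");
        attrs.put(oc);
        attrs.put("sAMAccountName", sam);
        attrs.put("userAccountControl", Integer.toString(CREATE_UAC));
        return attrs;
    }

    /** Step 2: set the password first, then enable (512); items are applied in order. */
    static ModificationItem[] setPasswordAndEnable(String password) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(password))),
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("userAccountControl", Integer.toString(NORMAL_ACCOUNT)))
        };
    }

    /** ctx must be bound over SSL/TLS; dn, sam and password are supplied by the caller. */
    static void createEnabledUser(DirContext ctx, String dn, String sam, String password)
            throws NamingException {
        ctx.createSubcontext(dn, disabledUser(sam)).close();
        ctx.modifyAttributes(dn, setPasswordAndEnable(password));
    }

    public static void main(String[] args) { // offline check with a constructed password
        byte[] pwd = encodeUnicodePwd("Constructed-Sample-1!");
        System.out.println("unicodePwd length " + pwd.length + ", starts " + pwd[0] + " " + pwd[1]);
        System.out.println("create with " + CREATE_UAC + ", enable with " + NORMAL_ACCOUNT);
    }
}
```

Replacing `userAccountControl` with 512 in the second step also clears PASSWD_NOTREQD, so the enabled account stays subject to the domain password policy.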