creating users in AD via LDAP with TDI
Vladislav Tatarincev 23 March 2012 00:08:30
I am working now on creating users in Active Directory; the users are pulled from the Domino Directory with the help of Tivoli Directory Integrator (TDI), and then synchronization of the accounts happens between AD and Domino. I decided to share some things that may save time for people who want to use LDAP to create objects in AD. AD - [ад] in Russian means hell :) I spent SOME time on this; I hope my post can save some time for you :)
If you want to create a REAL USER (one that has a password and can be enabled) you have to configure the LDAP connector in SSL mode. It is very important to use SSL: AD refuses any write to the unicodePwd attribute (the password, in double quotes, UTF-16LE encoded) over a connection that is not encrypted, so the password set fails with WILL_NOT_PERFORM and you are left with a disabled account at best.
So don't even try to create users unless you have SSL on the AD side.
Searching the internet for a solution I found a very good step-by-step guide on how to set up SSL on the Microsoft side and then how to import the certificate into TDI.
When you import the certificate into TDI, be sure you import it into the right keystore (I was lucky on the second try), and after the import, to stay on the safe side, restart the TDI Config Editor.
Password Synchronization between Microsoft Active Directories using Tivoli Directory Integrator
http://www-304.ibm.com/software/brandcatalog/ismlibrary/details?catalog.label=1TW10DI0J#
Also a very good Eddie Hartman post on SSL and TDI: http://www.tdiingoutloud.com/2012/02/certificate-chain-chain-chaining-error.html
When creating a test user account, set a COMPLEX password, because "password123" will not comply with the AD password policy, which by default is now quite strict: the Default Domain Policy requires at least 7 characters drawn from at least three of the character classes (uppercase, lowercase, digits, symbols), and the password must not contain the account name.
I have modified a snippet found on the internet to generate passwords for my users.
Put this code inside the UserPassword field:
// 12 random letters/digits (the original had typos in the alphabet: "WXTZ" and a missing "j")
var chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
var string_length = 12;
var randomstring = '';
for (var i = 0; i < string_length; i++) {
    var rnum = Math.floor(Math.random() * chars.length);
    randomstring += chars.substring(rnum, rnum + 1);
}
// we add to the password two digits or special characters so it meets the complexity policy
chars = "0123456789!@#$%^&*()";
string_length = 2;
for (var i = 0; i < string_length; i++) {
    var rnum = Math.floor(Math.random() * chars.length);
    randomstring += chars.substring(rnum, rnum + 1);
}
// Math.random() is not a cryptographic RNG; for real (non-test) passwords use java.security.SecureRandom from the script
work["userPassword"] = randomstring;
return randomstring;
I found that adding the next snippet is valuable in the AddOnlyError hook or any other Error hook. This will give you the exact error name; no need to enable Detailed Log in the assembly line.
task.logmsg("something went wrong.... " + work.FullName + " Skipping.");
task.logmsg("**** Error ***** " + error.message);   // error is the Entry TDI passes to error hooks
task.dumpEntry(error);                              // dumps every attribute of the error Entry, including the exception
//task.dumpEntry(work);                             // uncomment to also see the entry that failed
system.skipEntry();                                 // skip this entry and continue with the next one
Some issues I have found with LDAP return codes (the 8 hex digits after the LDAP code are the Win32 error number, which is what actually tells you what went wrong):
LDAP: error code 80 - 00000523: SysErr: DSID-031A1202 -
00000523 is ERROR_INVALID_ACCOUNTNAME, so this means you are creating a user with a NOT ALLOWED name format: the sAMAccountName may not contain " / \ [ ] : ; | = , + * ? < >, may not end with a period, and for users is at most 20 characters long.
After SOME investigation, I found that this could happen for some system users like admin or ROBOT:
if the CN is composed as
cn = FIRSTNAME + " " + LASTNAME
then the CN will be "
LDAP: error code 53 - 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
0000052D is ERROR_PASSWORD_RESTRICTION: the password does not meet the domain's length, complexity or history requirements. It seems to be caused by userAccountControl because enabling the account (userAccountControl = 512) in the same add, while no compliant password has been set, triggers the same check; either send a compliant unicodePwd together with 512, or create the user disabled (514) and enable it after the password is set.
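As an added example (not code from the post), here is a small decoder for the diagnostic strings shown above that pulls out the LDAP result code, the problem name and the Win32 number and turns them into one readable log line for the error hook, plus a pre-check of sAMAccountName against the rules whose violation produces 00000523. It is written for Node.js; the two sample strings are the ones quoted in this post, the Win32 names are from winerror.h, and the hint texts are this example's own wording.

```javascript
// Added example, not code from the original post: decode the Win32 code that
// AD appends to its LDAP diagnostic message, and pre-check sAMAccountName
// against the rules whose violation produces 00000523.
const WIN32_ERRORS = {
  0x523: ['ERROR_INVALID_ACCOUNTNAME',
          'sAMAccountName is not a properly formed account name'],
  0x524: ['ERROR_USER_EXISTS',
          'an account with this sAMAccountName already exists'],
  0x52c: ['ERROR_ILL_FORMED_PASSWORD',
          'password contains characters that are not allowed'],
  0x52d: ['ERROR_PASSWORD_RESTRICTION',
          'password violates length/complexity/history policy, or the account ' +
          'is being enabled (userAccountControl 512) without a compliant password'],
  0x52e: ['ERROR_LOGON_FAILURE', 'bind credentials are wrong'],
  0x1f:  ['ERROR_GEN_FAILURE',
          'typically a unicodePwd write over a connection that is not SSL/TLS protected'],
};

const AD_CODE_RE = /LDAP: error code (\d+) - ([0-9A-Fa-f]{8}):/;
const AD_PROBLEM_RE = /problem \d+ \(([A-Z_]+)\)/;

// Returns null when the message is not an AD-style diagnostic string.
function decodeAdError(message) {
  const m = AD_CODE_RE.exec(message);
  if (!m) return null;
  const win32Code = parseInt(m[2], 16);
  const known = WIN32_ERRORS[win32Code];
  const p = AD_PROBLEM_RE.exec(message);
  return {
    ldapCode: parseInt(m[1], 10),
    win32Code,
    win32Name: known ? known[0] : 'unknown',
    hint: known ? known[1] : 'look the code up in winerror.h',
    problem: p ? p[1] : null,
  };
}

// One line suitable for task.logmsg() in an error hook.
function formatAdError(message, fullName) {
  const d = decodeAdError(message);
  if (!d) return `${fullName}: ${message}`;
  return `${fullName}: LDAP ${d.ldapCode}` +
         (d.problem ? ` (${d.problem})` : '') +
         ` / Win32 0x${d.win32Code.toString(16)} ${d.win32Name}: ${d.hint}`;
}

// sAMAccountName rules for user objects: 1-20 characters, none of
// " / \ [ ] : ; | = , + * ? < > and no trailing period.
const SAM_FORBIDDEN = /["\/\\[\]:;|=,+*?<>]/;
function isValidSamAccountName(name) {
  return typeof name === 'string' && name.length >= 1 && name.length <= 20 &&
         !SAM_FORBIDDEN.test(name) && !name.endsWith('.');
}

// The two diagnostics quoted in the post, run through the decoder.
const SAMPLES = [
  'LDAP: error code 80 - 00000523: SysErr: DSID-031A1202 -',
  'LDAP: error code 53 - 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0',
];
for (const s of SAMPLES) console.log(formatAdError(s, 'Jane Example'));
```

In the TDI error hook the call would be task.logmsg(formatAdError(error.message, work.FullName)) in place of the two logmsg lines above; running isValidSamAccountName on the attribute map output before the add is cheaper than waiting for AD to answer with 00000523.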