On 13/05/2017 at 06:03, Marti Markov wrote:
Hey all,
I’m in the process of syncing users from OpenLDAP to AD. I’m having
trouble creating the user without forcing them to change the password
(as I want them to only be able to change it in OpenLDAP and sync the
new password to AD).
I’m trying to set the pwdLastSet to the current timestamp:
<dataset>
<name>pwdLastSet</name>
<policy>KEEP</policy>
<createValues>
<string>AD.unixTimestampToADTime(Math.round((new Date()).getTime() / 1000))</string>
</createValues>
</dataset>
Unfortunately I’m getting this error:
May 13 05:58:00 - ERROR - Error while adding entry cn=First Last,OU=Agents2,OU=Personel,DC=domain,DC=com in directory :javax.naming.NamingException: [LDAP: error code 80 - 00000057: SysErr: DSID-031A1291, problem 22 (Invalid argument), data 0
I have also tried getting the current timestamp and hardcoding it in, and
it results in the same problem.
Just a note I haven’t set up the unicodePwd part yet if that makes a
difference.
Hello Marti,
If you don't provide the password at user creation, the user will be
automatically disabled in AD. You need to use SSL (LDAPS) to be able to
set the unicodePwd attribute.
You don't need to set pwdLastSet if you create the password and don't
want it to be reset at first connection. Note that you also need to set
the userAccountControl attribute.
The following tutorial will give you most of required information:
https://lsc-project.org/documentation/tutorial/openldaptoactivedirectory
--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users
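The reply above lists the three things an AD user creation needs to come out enabled and usable: a password written to unicodePwd over an encrypted (LDAPS) connection, a userAccountControl value without the ACCOUNTDISABLE bit, and no attempt to write an arbitrary timestamp into pwdLastSet. The following is an added example, not LSC code and not part of the original thread: it builds that attribute set in Python and, as a guard against the error in the question, refuses any pwdLastSet value other than the two AD accepts on a write ("0" = must change at next logon, "-1" = stamp with the current time). The FILETIME helper is included only to show what the rejected value looks like. The ldap3 library, the host, the DNs and the sample password are assumptions of the example and not taken from the page.

```python
"""Attribute set for creating an enabled Active Directory user (added example).

Assumptions: ldap3 is installed for the optional network call; host, DNs and
the sample password are made up.
"""
import ssl

# userAccountControl flag bits (ADS_USER_FLAG_ENUM)
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_NORMAL_ACCOUNT = 0x0200

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
EPOCH_DIFF_SECONDS = 11644473600

# The only values AD accepts when *writing* pwdLastSet
ALLOWED_PWDLASTSET = {"0", "-1"}


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the clear-text password in double quotes, UTF-16LE, no BOM."""
    return f'"{password}"'.encode("utf-16-le")


def unix_to_ad_time(unix_seconds: int) -> int:
    """Unix seconds -> FILETIME (100 ns intervals since 1601-01-01 UTC).

    Fine for reading or comparing AD timestamps; writing such a value into
    pwdLastSet is what produces 'problem 22 (Invalid argument)'.
    """
    return (int(unix_seconds) + EPOCH_DIFF_SECONDS) * 10_000_000


def check_pwd_last_set(value) -> bool:
    """True only for the two values AD accepts on a pwdLastSet write."""
    return str(value) in ALLOWED_PWDLASTSET


def build_user_attributes(cn, sam_account_name, upn, password,
                          enabled=True, pwd_last_set=None):
    """Attributes for a single LDAP add that yields a usable account.

    pwd_last_set=None omits the attribute: writing unicodePwd already stamps
    pwdLastSet with the current time, which is the 'no forced change' case.
    Pass "0" to force a password change at first logon.
    """
    if pwd_last_set is not None and not check_pwd_last_set(pwd_last_set):
        raise ValueError(f"pwdLastSet must be 0 or -1, got {pwd_last_set!r}")
    uac = ADS_UF_NORMAL_ACCOUNT
    if not enabled:
        uac |= ADS_UF_ACCOUNTDISABLE
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": cn,
        "sAMAccountName": sam_account_name,
        "userPrincipalName": upn,
        "unicodePwd": encode_unicode_pwd(password),
        "userAccountControl": str(uac),
    }
    if pwd_last_set is not None:
        attrs["pwdLastSet"] = str(pwd_last_set)
    return attrs


def create_ad_user(host, bind_dn, bind_password, user_dn, attrs, ca_certs_file):
    """Perform the add over LDAPS with certificate validation (ldap3, assumed).

    Imported lazily so the pure helpers above work without the library.
    """
    from ldap3 import ALL, Connection, Server, Tls

    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_certs_file)
    server = Server(host, port=636, use_ssl=True, tls=tls, get_info=ALL)
    with Connection(server, user=bind_dn, password=bind_password,
                    auto_bind=True) as conn:
        ok = conn.add(user_dn, attributes=attrs)
        return ok, conn.result


if __name__ == "__main__":
    # Constructed sample input; not run against a real directory here.
    attrs = build_user_attributes("First Last", "flast",
                                  "[email protected]", "Pa$$w0rd")
    print(attrs["userAccountControl"], attrs["unicodePwd"])
```

Two caveats a practitioner will hit: AD refuses the unicodePwd write on a plaintext port 389 connection, and it refuses the whole add (not just the password) if the value does not satisfy the domain password policy, so a sync job should treat a failed add as "account not created" rather than "created but disabled".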