Here are my findings. Keywords for Google and for those who, like me,
did not find useful references: create user domain ldap active
directory ad linux rpcclient net ads rpc account enable enabled login
bind.
Background: we're migrating users from AD to OpenLDAP; for a period
the two have to coexist, because AD authenticates logins, OpenLDAP
authenticates mail. My aim is to provide a single user
creation/password setting interface for both in the form of a CGI.
This rules out using Windows GUI tools.
The problem was creating a user from Linux. `net ads user add'
wouldn't work, then I tried `net rpc user add' (thanks to Andrew
Bartlett for suggesting it) and it worked.
$ net rpc user add foobar -S pdcname -Uadmin%adminpassword
Two things left: password and (as I discovered later)
userAccountControl.
`net rpc password' did not work, `net ads password' did (go figure).
$ net ads password foobar secret -S pdcname -Uadminname%adminpassword
Also doing that with ldapmodify works:
$ cat >changepwd.ldif
dn: CN=foobar,CN=Users,DC=yoursite,DC=com
changetype: modify
replace: unicodePwd
$ cleartext2unicodepwd secret >>changepwd.ldif
$ cat changepwd.ldif
dn: CN=foobar,CN=Users,DC=yoursite,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::IgBzAGUAYwByAGUAdAAiAA==
$ kinit adminname
Password for adminname@SITE.COM:
$ ldapmodify -H ldap://activedirectory.site.com -D \
cn=adminname,cn=users,dc=site,dc=com -f changepwd.ldif
`kinit adminname' was necessary because otherwise AD won't let you set
a password over an unencrypted channel. Another option is LDAP over
SSL, if you can get it to work (we couldn't).
For the cleartext2unicodepwd script, see below.
Last thing, userAccountControl. This attribute is a mask with the
following possible values:
ADS_UF_ACCOUNTDISABLE = 0x0002 Disable user account
ADS_UF_PASSWD_NOTREQD = 0x0020 No password is required
ADS_UF_NORMAL_ACCOUNT = 0x0200 Typical user account
The previously created user got a value of `546' (i.e. 0x0222). I set
it to `512' (0x0200):
$ cat >uac.ldif
dn: CN=foobar,CN=Users,DC=yoursite,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 512
...ldapmodify as above.
Done. Last thing to understand will be why users created with Windows
tools get a userAccountControl value of 66048, but things work nicely
already.
This is the `cleartext2unicodepwd' script:
#!/usr/bin/env ruby
require "base64"

# AD wants unicodePwd as the password wrapped in double quotes and encoded
# as UTF-16LE; interleaving "\0" bytes does that for ASCII passwords.
def cleartext2unicode(cleartextpwd)
  quotepwd = '"' + cleartextpwd + '"'
  unicodepwd = quotepwd.split('').join("\0") + "\0"
  # strict_encode64 emits a single line: encode64 would wrap at 60 chars,
  # which breaks the LDIF for longer passwords.
  return Base64.strict_encode64(unicodepwd)
end

# Print the ready-made LDIF attribute line (":: " marks a base64 value).
if ARGV.length == 1
  cleartextpwd = ARGV.shift
  puts "unicodePwd::" + cleartext2unicode(cleartextpwd)
end
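As an added example (not the script from this post), the same two steps, password LDIF and userAccountControl, in one Ruby file: unicodePwd is built with a proper UTF-16LE encode so non-ASCII passwords also work, and the mask values listed above get a decoder. ADS_UF_DONT_EXPIRE_PASSWD (0x10000) is taken from the Samba/Microsoft flag definitions and is not on the page; the DN is the sample one from the post.

```ruby
#!/usr/bin/env ruby
# Added example: build the LDIF for setting an AD password and fixing
# userAccountControl, and decode userAccountControl masks.
require "base64"

# Flags listed in the post plus DONT_EXPIRE_PASSWD (0x10000), which is
# assumed from the Samba/Microsoft definitions rather than taken from the post.
UAC_FLAGS = {
  "ADS_UF_ACCOUNTDISABLE"     => 0x0002,
  "ADS_UF_PASSWD_NOTREQD"     => 0x0020,
  "ADS_UF_NORMAL_ACCOUNT"     => 0x0200,
  "ADS_UF_DONT_EXPIRE_PASSWD" => 0x10000,
}.freeze

# AD expects unicodePwd = '"' + password + '"' encoded as UTF-16LE.
# String#encode handles non-ASCII characters correctly, unlike a "\0" join.
def unicode_pwd_b64(cleartext)
  Base64.strict_encode64(%("#{cleartext}").encode("UTF-16LE"))
end

# Names of the flags set in a userAccountControl value (e.g. 546 or 66048).
def decode_uac(value)
  UAC_FLAGS.select { |_, bit| value & bit != 0 }.keys
end

# Clear the two bits that keep a freshly created account from logging in.
def clear_login_blockers(uac)
  uac & ~(UAC_FLAGS["ADS_UF_ACCOUNTDISABLE"] | UAC_FLAGS["ADS_UF_PASSWD_NOTREQD"])
end

# Two LDIF modify records for one DN: password first, then userAccountControl,
# mirroring the two ldapmodify runs described in the post.
def password_ldif(dn, cleartext, current_uac)
  <<~LDIF
    dn: #{dn}
    changetype: modify
    replace: unicodePwd
    unicodePwd:: #{unicode_pwd_b64(cleartext)}

    dn: #{dn}
    changetype: modify
    replace: userAccountControl
    userAccountControl: #{clear_login_blockers(current_uac)}
  LDIF
end

if __FILE__ == $PROGRAM_NAME
  puts password_ldif("CN=foobar,CN=Users,DC=yoursite,DC=com", "secret", 546)
  puts decode_uac(66048).join(", ")
end
```

Run the file and feed its output to `ldapmodify -f -` (after `kinit`, as above); the decoder line explains any value AD hands back.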
Cheers
Massimiliano