Skip to main content
Version: 2.17.x.x LTS

ActiveDirectoryUser

This is a derivation of the LDAPDataSink which supports the creation of user objects in an Active Directory. This operation has some special constraints since Active Directory is not based on LDAP. The issue affects the password field to sync and the object classes.

Passwords are stored in the unicodePwd field. Pay attention to the following points:

  • The unicodePwd field is not readable by any LDAP action.
  • If no special settings are used, writing operations can only be carried out using a 128-bit SSL encrypted connection.
  • The password will be handled internally; the Active Directory generates the corresponding LM- and NT-hashes.

Finally, this is the reason why no hash value from other sources can be synced to the Active Directory. Only if cleartext passwords are used (or if one is able to transform the existing password to cleartext), Active Directory is able to handle and store it properly into the unicodePwd attribute.

Configuration

NameType, usage constraints, defaultsDescription
unicodePwdrequired: paraVal
default: none
type: string
This attribute has to be provided as cleartext.
objectClassrequired: paraList
default: none
type: list of strings
At least these object classes have to be synced: user, organizationalPerson, person, top
userAccountControlrequired: paraVal
default: none
type: integer
This value will enable or disable the created user. 66048 = Enabled, password never expire.; 66050 = Disabled, password never expires.

Example

Basic synchronization from LDAP to the Active Directory:

<dataFilter type="ELMappingFilter">
<dp:attrList name="objectClass">
<value>user</value>
<value>organizationalPerson</value>
<value>person</value>
<value>top</value>
</dp:attrList>

<dp:attrVal name="cn" value="#{in.ldapsrc.cn}" />
<dp:attrVal name="uid" value="#{in.ldapsrc.uid}" />
<dp:attrVal name="sn" value="#{in.ldapsrc.sn}" />
<dp:attrVal name="uidNumber" value="#{in.ldapsrc.uidNumber}" />
<dp:attrVal name="gidNumber" value="#{in.ldapsrc.gidNumber}" />
<dp:attrVal name="homeDirectory" value="#{in.ldapsrc.homeDirectory}" />
<!—unicodePwd - User will be enable in Windows-->
<dp:attrVal name="userAccountControl" value="66048" />
<dp:attrVal name="userPrincipalName" value="#{in.ldapsrc.uid}@adn.local" />
<!—unicodePwd - ldap src passwd has to be cleartext -->
<dp:attrVal name="unicodePwd" value="#{in.ldapsrc.userPassword}"/>
</dataFilter>