Ldap – Add AD entries using ldapadd failing with “unwilling to perform”

active-directoryldap

I'm trying to add entries to an Active Directory using ldapadd. Here's my ldif file:

DN: CN=John_Smith,CN=Users,DC=ad,DC=example,DC=net
objectClass: user 
CN: John_Smith
sn: John 
givenName: Smith 
displayName: John_Smith 
sAMAccountName: jsmith 
userPrincipalName: jsmith@example.net

I'm aware that if you attempt to modify/update or add a user password, Active Directory will require you to have a SSL connection to the server. However, this fails without me trying to update the user password. Here's the response:

adding new entry "CN=John_Smith,CN=Users,DC=example,DC=net"
ldap_add: Server is unwilling to perform (53)
        additional info: 00002035: LdapErr: DSID-0C090D64, comment: Operation not allowed through GC port, data 0, v2580

This active directory was deployed using AWS Directory Service wizard.

Best Answer

Do not use the global catalogue port for user creation. If your server requires a SSL connection, use the ldaps port which defaults to to 636.

Also, please ensure the new password complies with your password complexity policy and password history policy. The unwilling to perform error message is a common result of a conflict with the password policy.

Related Solutions

Ldap – How to add AD users to a “Domain Controller” running ADLDS

I can tell you how to do this (and I do below) but I first want to make a run at telling you about the cons.

The core issue is that AD domains are not the same thing as ADLDS. While the core code base is the same (ldap head, storage, replicator, ...) the protocol suite offered on top is different. And this is where it will get you. Many would say that if you're running your app on Windows, using pure LDAP binds as a form of auth is not ideal...using Windows APIs (ex: LogonUser) is a far better path. And this sort of dependency will always fail against LDS as it is only the LDAP core, not the rest of the protocol suite.

That said, many things do work the same. And so you can create users in LDS, so long as you import the user schema extension. This used to ship with the LDS product itself (ms-user.ldf or something like this) so search for *ldf files on your disk and you should find it kicking around. Even when you do this, however, not all tools will work. Tools like the one above might or might not, I honestly can't remember anymore. It will be a semi-random set. I predict you will never be fully satisfied.

This is not to say your dev effort can't be successful...I have done exactly what you are doing. You just will need to learn to live w/o the full toolset. LDP and adsiedit will soon become your friends.

Ssl – Cisco SSL VPN authenticating aginast AD via LDAP

This should work. If you are using sAMAccountName as your ldap-naming-attribute, it doesn't matter what the CN looks like. the sAMAccountName should be the same as the pre windows 2000 name in the properties page of the user.

This is a working LDAP server config from my ASA

aaa-server ldapserver (inside) host 1.2.3.4
 server-port 3268
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=ldapuser,OU=someou,DC=domain,DC=com
 server-type microsoft

Best Answer

Related Solutions

Ldap – How to add AD users to a “Domain Controller” running ADLDS

Ssl – Cisco SSL VPN authenticating aginast AD via LDAP

Related Topic