ActiveDirectoryUser
This is a derivation of the LDAPDataSink which supports the creation of user objects in an Active Directory. This operation has some special constraints, since Active Directory is not a plain LDAP directory. The differences affect the password field to be synced and the required object classes.
Passwords are stored in the unicodePwd field. Pay attention to the following points:
- The unicodePwd field is not readable by any LDAP operation.
- Unless special settings are used, write operations can only be carried out over a 128-bit SSL encrypted connection.
- The password is handled internally; the Active Directory generates the corresponding LM and NT hashes itself.
For this reason, no hash value from other sources can be synced to the Active Directory. Only if cleartext passwords are used (or if the existing password can be transformed into cleartext) is Active Directory able to handle the password and store it properly in the unicodePwd attribute.
Configuration
Name | Type, usage constraints, defaults | Description |
---|---|---|
unicodePwd | required: paraVal; default: none; type: string | This attribute has to be provided as cleartext. |
objectClass | required: paraList; default: none; type: list of strings | At least these object classes have to be synced: user, organizationalPerson, person, top |
userAccountControl | required: paraVal; default: none; type: integer | This value enables or disables the created user. 66048 = enabled, password never expires; 66050 = disabled, password never expires. |
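The two userAccountControl values in the table and the cleartext-only unicodePwd rule, as an added example that is not part of this product's documentation or code. The flag bit values and the unicodePwd wire encoding (the password in double quotes, UTF-16LE) are Active Directory's documented behaviour; the helper names and the `connection_uses_tls` parameter are this example's own.

```python
# Added example: decompose the documented userAccountControl values into
# AD flag bits and build the unicodePwd write an LDAP client has to send.
# Flag values are the standard AD userAccountControl bits; the helper
# names are an assumption of this example, not the sink's API.

UAC_ACCOUNTDISABLE = 0x0002         # account is disabled
UAC_NORMAL_ACCOUNT = 0x0200         # ordinary user account
UAC_DONT_EXPIRE_PASSWORD = 0x10000  # password never expires


def user_account_control(enabled: bool, password_never_expires: bool = True) -> int:
    """Compose the userAccountControl integer the table documents.
    enabled=True  -> 66048, enabled=False -> 66050 (with never-expires set)."""
    value = UAC_NORMAL_ACCOUNT
    if password_never_expires:
        value |= UAC_DONT_EXPIRE_PASSWORD
    if not enabled:
        value |= UAC_ACCOUNTDISABLE
    return value


def describe_uac(value: int) -> dict:
    """Decode a userAccountControl integer back into the two flags that matter here."""
    return {
        "enabled": not (value & UAC_ACCOUNTDISABLE),
        "password_never_expires": bool(value & UAC_DONT_EXPIRE_PASSWORD),
    }


def encode_unicode_pwd(cleartext: str) -> bytes:
    """AD expects the cleartext password wrapped in double quotes and encoded
    as UTF-16LE; the directory derives the LM/NT hashes itself, which is why a
    hash taken from another source cannot be synced into this attribute."""
    return f'"{cleartext}"'.encode("utf-16-le")


def unicode_pwd_modification(cleartext: str, connection_uses_tls: bool) -> dict:
    """Build the attribute write for unicodePwd, refusing an unencrypted channel
    (AD rejects unicodePwd writes that do not arrive over SSL/TLS)."""
    if not connection_uses_tls:
        raise ValueError("unicodePwd can only be written over an SSL/TLS encrypted connection")
    return {"unicodePwd": [encode_unicode_pwd(cleartext)]}
```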
Example
Basic synchronization from LDAP to the Active Directory:
<dataFilter type="ELMappingFilter">
    <dp:attrList name="objectClass">
        <value>user</value>
        <value>organizationalPerson</value>
        <value>person</value>
        <value>top</value>
    </dp:attrList>
    <dp:attrVal name="cn" value="#{in.ldapsrc.cn}" />
    <dp:attrVal name="uid" value="#{in.ldapsrc.uid}" />
    <dp:attrVal name="sn" value="#{in.ldapsrc.sn}" />
    <dp:attrVal name="uidNumber" value="#{in.ldapsrc.uidNumber}" />
    <dp:attrVal name="gidNumber" value="#{in.ldapsrc.gidNumber}" />
    <dp:attrVal name="homeDirectory" value="#{in.ldapsrc.homeDirectory}" />
    <!-- userAccountControl - 66048: the user will be enabled in Windows, password never expires -->
    <dp:attrVal name="userAccountControl" value="66048" />
    <dp:attrVal name="userPrincipalName" value="#{in.ldapsrc.uid}@adn.local" />
    <!-- unicodePwd - the LDAP source password has to be cleartext -->
    <dp:attrVal name="unicodePwd" value="#{in.ldapsrc.userPassword}" />
</dataFilter>