[lsc-users] Error when trying to set pwdLastSet
Marti Markov
2017-05-13 04:03:11 UTC
Hey all,

I’m in the process of syncing users from OpenLDAP to AD. I’m having trouble creating the user without forcing them to change the password (as I want them to only be able to change it in OpenLDAP and sync the new password to AD).

I’m trying to set the pwdLastSet to the current timestamp:

<dataset>
<name>pwdLastSet</name>
<policy>KEEP</policy>
<createValues>
<string>AD.unixTimestampToADTime(Math.round((new Date()).getTime() / 1000))</string>
</createValues>
</dataset>

Unfortunately I’m getting this error:

May 13 05:58:00 - ERROR - Error while adding entry cn=First Last,OU=Agents2,OU=Personel,DC=domain,DC=com in directory :javax.naming.NamingException: [LDAP: error code 80 - 00000057: SysErr: DSID-031A1291, problem 22 (Invalid argument), data 0

I have also tried getting the current timestamp and hardcoding it in, and it results in the same problem.

Just a note: I haven’t set up the unicodePwd part yet, if that makes a difference.
Clément OUDOT
2017-05-15 07:50:42 UTC
Post by Marti Markov
Hey all,
I’m in the process of syncing users from OpenLDAP to AD. I’m having
trouble creating the user without forcing them to change the password
(as I want them to only be able to change it in OpenLDAP and sync the
new password to AD).
<name>pwdLastSet</name>
<policy>KEEP</policy>
<createValues>
<string>AD.unixTimestampToADTime(Math.round((new Date()).getTime() / 1000))</string>
</createValues>
</dataset>
May 13 05:58:00 - ERROR - Error while adding entry cn=First Last,OU=Agents2,OU=Personel,DC=domain,DC=com in directory :javax.naming.NamingException: [LDAP: error code 80 - 00000057: SysErr: DSID-031A1291, problem 22 (Invalid argument), data 0
I have also tried getting the current timestamp and hardcoding it in, and it results in the same problem.
Just a note: I haven’t set up the unicodePwd part yet, if that makes a difference.
Hello Marti,

If you don't provide the password at user creation, the user will be
automatically disabled in AD. You need to use SSL (LDAPS) to be able to
set the unicodePwd attribute.

You don't need to set pwdLastSet if you create the password and don't
want to reset it at first connection. Note that you also need to set the
userAccountControl attribute.

The following tutorial will give you most of the required information:
https://lsc-project.org/documentation/tutorial/openldaptoactivedirectory
--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
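To make the reply's requirements concrete, here is an added Python example (not LSC code, and not from the original thread) that builds the attribute set for an AD user-add request: a unicodePwd value in the quoted UTF-16LE form AD expects, userAccountControl set to an enabled account, and a check that refuses anything but an ldaps:// URL. It also shows the only two values AD accepts when writing pwdLastSet (0 or -1), which is why the timestamp in the original config was rejected; the account-disabled branch, the `add_user` helper and its use of the ldap3 library are assumptions.

```python
"""Build an AD user-add request with the password supplied at creation,
sent over LDAPS only, with userAccountControl enabled. All names,
values and the optional ldap3 transport are assumptions for this example."""
from typing import Optional
from urllib.parse import urlsplit

UAC_NORMAL_ACCOUNT = 0x0200   # 512: ordinary enabled user account
UAC_ACCOUNTDISABLE = 0x0002   # AD sets this when no password is given at creation


def encode_unicode_pwd(password: str) -> bytes:
    """AD requires the new password wrapped in double quotes, UTF-16LE encoded."""
    return f'"{password}"'.encode("utf-16-le")


def pwd_last_set_value(force_change_at_logon: bool) -> str:
    """AD only accepts 0 (must change at next logon) or -1 ("set it to now")
    when writing pwdLastSet; a real timestamp fails with problem 22 as in the thread."""
    return "0" if force_change_at_logon else "-1"


def require_ldaps(url: str) -> str:
    """unicodePwd can only be written over a TLS-protected bind, so fail early."""
    scheme = urlsplit(url).scheme
    if scheme != "ldaps":
        raise ValueError(f"unicodePwd requires LDAPS, got scheme {scheme!r}")
    return url


def build_user_attributes(sam_account: str, password: Optional[str]) -> dict:
    """Attributes for the add request; without a password the account is
    created disabled (mirroring AD's behaviour described in the reply)."""
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": sam_account,
    }
    if password is None:
        attrs["userAccountControl"] = str(UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE)
    else:
        attrs["unicodePwd"] = encode_unicode_pwd(password)
        attrs["userAccountControl"] = str(UAC_NORMAL_ACCOUNT)
    return attrs


def add_user(url: str, bind_dn: str, bind_pw: str, user_dn: str, attrs: dict) -> bool:
    """Send the request with ldap3 (assumed transport); import lazily so the
    rest of the module works without it. Returns whether the add succeeded."""
    from ldap3 import Server, Connection  # assumed library
    server = Server(require_ldaps(url), use_ssl=True)
    with Connection(server, user=bind_dn, password=bind_pw, auto_bind=True) as conn:
        return conn.add(user_dn, attributes=attrs)
```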
Marti Markov
2017-05-15 19:37:55 UTC
Hi Clement,

Thank you very much!!

That, I guess, was the missing piece of the puzzle. I’ll have to set up LDAPS now, I guess.

Thanks again. :)
Post by Clément OUDOT
Post by Marti Markov
Hey all,
I’m in the process of syncing users from OpenLDAP to AD. I’m having trouble creating the user without forcing them to change the password (as I want them to only be able to change it in OpenLDAP and sync the new password to AD).
<name>pwdLastSet</name>
<policy>KEEP</policy>
<createValues>
<string>AD.unixTimestampToADTime(Math.round((new Date()).getTime() / 1000))</string>
</createValues>
</dataset>
May 13 05:58:00 - ERROR - Error while adding entry cn=First Last,OU=Agents2,OU=Personel,DC=domain,DC=com in directory :javax.naming.NamingException: [LDAP: error code 80 - 00000057: SysErr: DSID-031A1291, problem 22 (Invalid argument), data 0
I have also tried getting the current timestamp and hardcoding it in, and it results in the same problem.
Just a note: I haven’t set up the unicodePwd part yet, if that makes a difference.
Hello Marti,
If you don't provide the password at user creation, the user will be automatically disabled in AD. You need to use SSL (LDAPS) to be able to set the unicodePwd attribute.
You don't need to set pwdLastSet if you create the password and don't want to reset it at first connection. Note that you also need to set the userAccountControl attribute.
The following tutorial will give you most of the required information: https://lsc-project.org/documentation/tutorial/openldaptoactivedirectory
--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
https://lists.lsc-project.org/cgi-bin/mailman/listinfo/lsc-users