1

I have this code:

function makeUser() {
    $info['cn'] = "Test User";
    $info['sn'] = "User";
    $info['mail'] = "test@localhost";
    $info['objectclass'][0] = "Person";
    $info['objectclass'][1] = "User";

    $info['userpassword'] = "{MD5}".base64_encode(pack("H*",md5('Password1!')));
    $info['useraccountcontrol'] = 512;

    var_dump(ldap_add($this->connection, "CN=Test User,OU=Users,DC=domain,DC=local", $info));
}

Which gives me this error:

Warning: ldap_add() [function.ldap-add]: Add: Server is unwilling to perform

When I leave out the $info['useraccountcontrol'] = 512; part, it adds the account, but it is disabled..

I get this from the logging on both servers:

Internal event: The LDAP server returned an error.

Additional Data Error value: 0000052D: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0

I work on:

  • Windows Server 2008 Active Directory (not R2) & Windows Server 2003
  • PHP 5.3.5
  • Normal LDAP connection, not LDAPS since I've given up on trying to get that to work..

How can I get it like so, that the user is not disabled and does not have to change password when first logging in?

3
  • What does the LDAP server say in its logs about why it rejected your action? Commented Jul 17, 2011 at 20:46
  • Hmm, I can't seem to find the logs anywhere.. Commented Jul 17, 2011 at 20:51
  • Now after enabling logging: problem 5003.. Commented Jul 17, 2011 at 21:07

2 Answers

5

I had this problem too (even connecting over LDAPS). When I did it in three steps (first add the account, then set the password, then enable the account), it worked.

It may be that you can combine the first two or last two steps, but I didn't test this.


2

As far as Active Directory is concerned, the password is not in 'userpassword' but in 'unicodePwd'; you've got an example in this other Stack Overflow question. And I think that you need to use LDAPS.

2 Comments

It's indeed about using LDAPS, but setting up SSL was not an option. Figured a way around it by using the Windows COM function that sets the passwords and re-enables the account for me.
You can add an answer with the COM solution. I think you will have success, because the question regularly comes back.
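
Both answers combined, as an added example that is not code from the original thread: create the account disabled, set unicodePwd, then set userAccountControl to 512. It assumes PHP 7 or later with the ldap and mbstring extensions and a working LDAPS endpoint; the function names, the AD_URI, AD_BIND_DN, AD_BIND_PW and NEW_USER_PW environment variables and the sAMAccountName value are hypothetical.

```php
<?php
// Added example: function and variable names are illustrative.
const UF_ACCOUNTDISABLE = 0x0002;
const UF_NORMAL_ACCOUNT = 0x0200; // 512, the value from the question

// AD takes unicodePwd as the password wrapped in double quotes, UTF-16LE encoded.
function adEncodePassword(string $plain): string
{
    return mb_convert_encoding('"' . $plain . '"', 'UTF-16LE', 'UTF-8');
}

function replaceOrFail($conn, string $dn, array $mods, string $step): void
{
    if (!ldap_mod_replace($conn, $dn, $mods)) {
        throw new RuntimeException("$step failed: " . ldap_error($conn));
    }
}

function createEnabledUser($conn, string $dn, array $attrs, string $password): void
{
    // Step 1: create the account disabled (512 | 2 = 514); it has no password yet.
    $attrs['userAccountControl'] = (string) (UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE);
    if (!ldap_add($conn, $dn, $attrs)) {
        throw new RuntimeException('add failed: ' . ldap_error($conn));
    }
    // Step 2: set the password through unicodePwd, not userPassword.
    replaceOrFail($conn, $dn, ['unicodePwd' => adEncodePassword($password)], 'set password');
    // Step 3: only now clear the disabled flag.
    replaceOrFail($conn, $dn, ['userAccountControl' => (string) UF_NORMAL_ACCOUNT], 'enable');
}

// Connection details come from the environment (assumed variable names).
if (getenv('AD_URI')) {                       // e.g. ldaps://dc.domain.local (constructed host)
    $conn = ldap_connect(getenv('AD_URI'));
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!ldap_bind($conn, getenv('AD_BIND_DN'), getenv('AD_BIND_PW'))) {
        throw new RuntimeException('bind failed: ' . ldap_error($conn));
    }
    createEnabledUser($conn, 'CN=Test User,OU=Users,DC=domain,DC=local', [
        'cn' => 'Test User',
        'sn' => 'User',
        'sAMAccountName' => 'testuser',       // constructed sample value
        'mail' => 'test@localhost',
        'objectClass' => ['top', 'person', 'organizationalPerson', 'user'],
    ], getenv('NEW_USER_PW'));
    ldap_unbind($conn);
}
```

Active Directory rejects writes to unicodePwd on a connection that is not encrypted, so step 2 fails over the plain LDAP connection described in the question.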
