LdapsError cannot add passwd

    Question

  • Hi

    # Windows Server 2016

    I am trying to add users to Windows AD using LDAP. However, trying to register a password using LDAPS fails.

    port:636

    - - - - - - - - attributes - - - - - - - - -

    objectclass: ['top','user'],
    SamAccountName: user_id,
    pwdlastset: '-1',
    unicodePwd: base64.encodeb64('"P@ssw0rd"'.encode('utf-16le'))

    - - - - - - - - - - - - - - - - - - - - - - - - 

    error response

    #<OpenStruct extended_response=nil, code=53, error_message="0000001F: SvcErr: DSID-031A1262, problem 5003 (WILL_NOT_PERFORM), data 0\n\u0000", matched_dn="", message="Unwilling to perform">

    and I can't find any problems when I look.


    • Edited by lomycisw Friday, March 17, 2017 5:33 AM
    Friday, March 17, 2017 2:24 AM

Answers

  • Hi,
    Based on my research into similar errors, the possible causes include:
    1. SSL is not used in the LDAP connection; however, AD enforces an SSL connection.
    2. Password policy restrictions in the AD environment.
    3. Lack of the user right to register a password using LDAPS.
    You could start troubleshooting this error with these.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by lomycisw Thursday, March 23, 2017 12:14 AM
    Friday, March 17, 2017 6:52 AM
    Moderator
  • Hi Jiang

    Thank you for your reply.

    This problem was solved!!

    I mistook the password registration.

    The LDAP method usually encodes to base64 internally.

    • Proposed as answer by Wendy JiangModerator Wednesday, March 22, 2017 8:46 AM
    • Marked as answer by lomycisw Thursday, March 23, 2017 12:14 AM
    Wednesday, March 22, 2017 4:18 AM
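
Added example, not part of the original thread: Active Directory expects `unicodePwd` to be the password wrapped in double quotes and encoded as UTF-16LE, handed to the LDAP client as raw bytes. The Ruby sketch below (Ruby chosen to match the client response in the question) builds that value and diagnoses the mistakes discussed here; `unicode_pwd` and `diagnose_unicode_pwd` are hypothetical helper names.

```ruby
# Build the value AD expects for unicodePwd: "<password>" (with the
# double quotes) encoded as UTF-16LE, returned as a raw byte string.
def unicode_pwd(password)
  "\"#{password}\"".encode("UTF-16LE").b
end

# Pre-flight check for a candidate unicodePwd value. Returns:
#   :ok             - quoted UTF-16LE bytes, ready to send
#   :base64_encoded - a valid value that was base64-encoded by the caller
#   :not_utf16le    - quoted, but still a single-byte encoding
#   :missing_quotes - anything else, e.g. the surrounding quotes are absent
def diagnose_unicode_pwd(value)
  bytes = value.b
  quote = "\"\x00".b # a double quote in UTF-16LE
  if bytes.bytesize >= 4 && bytes.bytesize.even? &&
     bytes.start_with?(quote) && bytes.end_with?(quote)
    return :ok
  end
  # Base64 text only uses this alphabet; decode it and re-check the result.
  if bytes.match?(/\A[A-Za-z0-9+\/=\r\n]+\z/)
    decoded = bytes.unpack1("m")
    return :base64_encoded if diagnose_unicode_pwd(decoded) == :ok
  end
  return :not_utf16le if bytes.start_with?('"') && bytes.end_with?('"')
  :missing_quotes
end

if __FILE__ == $0
  # Constructed sample inputs, using the password from the question.
  good = unicode_pwd("P@ssw0rd")
  samples = {
    "raw UTF-16LE, quoted"   => good,
    "base64 of the above"    => [good].pack("m0"),
    "plain quoted string"    => '"P@ssw0rd"',
    "UTF-16LE without quote" => "P@ssw0rd".encode("UTF-16LE")
  }
  samples.each { |label, v| puts "#{label}: #{diagnose_unicode_pwd(v)}" }
end
```

Only a value that reports `:ok` should be passed to the client's add or modify call, over the LDAPS connection on port 636.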

All replies

  • > #<OpenStruct extended_response=nil, code=53, error_message="0000001F: SvcErr: DSID-031A1262, problem 5003 (WILL_NOT_PERFORM), data 0\n\u0000", matched_dn="", message="Unwilling to perform">
     
    It seems you are providing some characters AD does not like... See the winldap.h error :)
     
    # for decimal 53 / hex 0x35 :
      NO_MORE_IRP_STACK_LOCATIONS                                   bugcodes.h
      MSG_DN_CERT_DENIED_WITH_INFO                                  certlog.mc
    # Certificate Services denied request %1 because %2.  The
    # request was for %3.  Additional information: %4
      CR_INVALID_PROPERTY                                           cfgmgr32.h
      POLICY_ERRV_PRE_EMPTED                                        lpmapi.h
      NRC_OSRESNOTAV                                                nb30.h
    # /* required OS resources exhausted            */
      NMERR_NO_HANDLES                                              netmon.h
      OLE_ERROR_UPDATE,                                             ole.h
    # erorr while trying to update            */
      ERROR_BAD_NETPATH                                             winerror.h
    # The network path was not found.
      LDAP_UNWILLING_TO_PERFORM                                     winldap.h
    # for hex 0x53 / decimal 83 :
      NO_BOOT_DEVICE                                                bugcodes.h
      MSG_E_LOADING_KRA_CERTS                                       certlog.mc
    # Certificate Services encountered an error loading key
    # recovery certificates.  Requests to archive private keys
    # will not be accepted.  %1
      NMERR_NO_TRANSMITS_PENDING                                    netmon.h
      ERROR_FAIL_I24                                                winerror.h
    # Fail on INT 24.
      LDAP_ENCODING_ERROR                                           winldap.h
    # 14 matches found for "53"
     
    Friday, March 17, 2017 8:43 AM
  • > unicodePwd: base64.encodeb64('"P@ssw0rd"'.encode('utf-16le'))
     
    BTW: You cannot set unicodePwd directly - you need to call/invoke SetPassword on the user account.
     
    Friday, March 17, 2017 8:47 AM
  • Thank you for your reply.

    setPassword does not respond in Windows AD ...

    Now I used the unicodePwd attribute.

    Wednesday, March 22, 2017 4:22 AM
  • Hi,
    I appreciate your great share and update, and I am glad that the problem is solved. Could you please help to mark them as answers? It will be greatly helpful to others who have the same question.
    Best regards,
    Wendy

    Wednesday, March 22, 2017 8:47 AM
    Moderator