Error when trying to add a user entry to Active Directory via LDAP interface

Question

  • I'm attempting to add a user entry to an Active Directory server here via the LDAP interface from a Linux host using OpenLDAP tools (ldapadd or ldapmodify).  Here's a bare-bones example of what I'm trying to add to Active Directory:

    DN: CN=John Smith,CN=Users,DC=ad,DC=cs,DC=wisc,DC=edu
    objectClass: user
    CN: John Smith
    sn: John
    givenName: Smith
    displayName: John Smith
    sAMAccountName: jsmith
    userPrincipalName: jsmith@ad.cs.wisc.edu
    altSecurityIdentities: Kerberos:jsmith@CS.WISC.EDU

    The Active Directory domain is "ad.cs.wisc.edu" in this case.  I am binding to Active Directory via LDAP+SSL (port 636) as user Administrator.  I can successfully bind to Active Directory and search for entries, but adding entries produces the following error:

    ldapadd -x -H ldaps://bunyan.ad.cs.wisc.edu -D "CN=Administrator,CN=Users,DC=ad,DC=cs,DC=wisc,DC=edu" -w ADMINISTRATOR_PW -f /tmp/jsmith.ldif -v
    ldap_initialize( ldaps://bunyan.ad.cs.wisc.edu )
    add objectClass:
            user
    add CN:
            John Smith
    add sn:
            John
    add givenName:
            Smith
    add displayName:
            John Smith
    add sAMAccountName:
            jsmith
    add userPrincipalName:
            jsmith@ad.cs.wisc.edu
    adding new entry "CN=John Smith,CN=Users,DC=ad,DC=cs,DC=wisc,DC=edu"
    modify complete
    ldapadd: No such attribute (16)
            additional info: 00000057: LdapErr: DSID-0C090C3E, comment: Error in attribute conversion operation, data 0, v1db1

    The "additional info" is logged in the event log on the Active Directory server as well as being returned when trying to run ldapadd.

    Any suggestions from Active Directory gurus out there?  Am I missing some required fields as demanded by the AD schema, or is this a permission issue?

    John

    Thursday, April 28, 2011 7:04 PM

Answers

  • Looks like my LDIF file had some trailing spaces at the end of some lines.  ldapadd/ldapmodify (or the LDAP service on our Active Directory server) apparently doesn't like that.  Once those trailing spaces were removed, the LDIF loads just fine.

    Thank you to those who looked into this and offered suggestions.

    John

    Thursday, April 28, 2011 10:30 PM
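As an added illustration (not part of the original thread, nor an OpenLDAP or Microsoft tool), the script below checks an LDIF file for the defect the accepted answer identified, trailing whitespace, and generalizes it to the related empty-value case mentioned later in the thread. On an LDIF attribute line, whatever follows the separator is sent as the value, trailing spaces included, so `objectClass: user ` asks the server for an object class named "user " and AD answers with the attribute-conversion error shown above. The sample LDIF embedded in the script is constructed for this example (it is the question's entry with defects inserted), and `initials` is used only as a stand-in attribute for the empty-value case.

```python
"""Lint an LDIF file for the whitespace defects that Active Directory rejects
with "Error in attribute conversion operation" (ldapadd result 16).

Added example for this thread; not code from the original posts.
"""
import re
import sys

# Attribute line: name, ":" (literal value) or "::" (base64 value),
# optional fill spaces, then the value. Folded continuation lines start
# with a space and comment lines with "#", so neither matches this pattern.
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?)\s*(.*)$")

# Constructed sample (not verbatim from the thread): the entry from the
# question with the defects the linter looks for. Lines 2 and 7 end in
# spaces; line 9 is an attribute with no value ("initials" is used here
# only as a stand-in for the empty middle-name case).
SAMPLE_LDIF = (
    "dn: CN=John Smith,CN=Users,DC=ad,DC=cs,DC=wisc,DC=edu\n"
    "objectClass: user   \n"
    "cn: John Smith\n"
    "sn: Smith\n"
    "givenName: John\n"
    "displayName: John Smith\n"
    "sAMAccountName: jsmith \n"
    "userPrincipalName: jsmith@ad.cs.wisc.edu\n"
    "initials:\n"
    "altSecurityIdentities: Kerberos:jsmith@CS.WISC.EDU\n"
)


def lint_ldif(text):
    """Return a list of (line_number, description) for each suspicious line."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line == "":
            continue  # entry separator
        if line != line.rstrip():
            # Trailing spaces become part of the value that ldapadd sends.
            problems.append((lineno, "trailing whitespace"))
        stripped = line.rstrip()
        if stripped == "" or stripped.startswith("#") or stripped.startswith(" "):
            continue  # whitespace-only, comment, or folded continuation line
        m = ATTR_RE.match(stripped)
        if m is None:
            problems.append((lineno, "not an attribute line"))
            continue
        name, _sep, value = m.groups()
        if value == "":
            # AD rejects an attribute sent with an empty value.
            problems.append((lineno, f"empty value for {name}"))
    return problems


def clean_ldif(text):
    """Strip trailing whitespace and drop attribute lines that carry no value."""
    out = []
    for line in text.splitlines():
        line = line.rstrip()
        m = ATTR_RE.match(line)
        if m is not None and m.group(3) == "":
            continue  # empty-valued attribute line: omit it entirely
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python ldif_lint.py file.ldif   (no argument: lint the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    found = lint_ldif(text)
    for lineno, what in found:
        print(f"line {lineno}: {what}")
    sys.exit(1 if found else 0)
```

Run it against the LDIF before handing the file to ldapadd; a non-zero exit status means at least one line would carry a value the server is likely to reject. `clean_ldif` produces a normalized copy, which is the safer route than editing by hand, since a value that really must end in a space has to be base64-encoded (`attr:: ...`) in LDIF rather than written literally.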

All replies

  • When creating user objects, the only mandatory attributes you must assign are cn and sAMAccountName (besides the objectClass and either the DN or parent container). I don't see verification that altSecurityIdentities was updated. The message about "Error in attribute conversion operation" does not indicate permissions are the problem. "No such attribute" doesn't make sense. The altSecurityIdentities attribute is multi-valued, unlike any of the others you reference. I wonder if a different syntax is required for multi-valued attributes. Does it work if you do not assign a value to this attribute?

    Richard Mueller - MVP Directory Services
    Thursday, April 28, 2011 8:07 PM
  • Howdie!

    On 28.04.2011 21:04, jperkins71 wrote:
    > add objectClass:
    > user

    Can you use the full objectClass notation here? Just to check?
    CN=User,CN=Schema,CN=Configuration,DC=... though I don't think this is
    the issue.

    Can you post the LDIF file contents?

    Florian

    The views and opinions expressed in my postings do NOT correlate with the ones of my friends, family or my employer.
    Thursday, April 28, 2011 8:14 PM
  • One LDIF entry I tried is posted above.

    Here's a larger LDIF entry I attempted:

    dn: CN=John Smith,CN=Users,DC=ad,DC=cs,DC=wisc,DC=edu
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: John Smith
    sn: Smith
    givenName: John
    distinguishedName: CN=John Smith,CN=Users,DC=ad,DC=cs,DC=wisc,DC=edu
    instanceType: 4
    displayName: John Smith
    name: John Smith
    userAccountControl: 512
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 0
    lastLogoff: 0
    lastLogon: 0
    primaryGroupID: 513
    logonCount: 3
    sAMAccountName: jsmith
    sAMAccountType: 805306368
    userPrincipalName: jsmith@ad.cs.wisc.edu
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=cs,DC=wisc,DC=edu
    altSecurityIdentities: Kerberos:jsmith@cs.wisc.edu

    John

    Thursday, April 28, 2011 8:49 PM
  • I tried omitting the altSecurityIdentities, using the following as LDIF input:

    DN: CN=John Smith,CN=Users,DC=ad,DC=cs,DC=wisc,DC=edu
    objectClass: user
    CN: John Smith
    sn: John
    givenName: Smith
    displayName: John Smith
    sAMAccountName: jsmith
    userPrincipalName: jsmith@ad.cs.wisc.edu

    Same error.  :(

    John

    Thursday, April 28, 2011 8:52 PM
  • In addition to the trailing spaces, we encountered an error when we attempted to pass a string.Empty as a middle name.  AD threw the same error.  We had to make the middle name "Nothing" if there was no middle name in order to create a user.
    Friday, April 29, 2016 6:07 PM