Project

General

Profile

Actions

Task #1116

open

Cannot set password when creating user in AD

Added by Petr Michal over 6 years ago. Updated over 6 years ago.

Status:
Needs feedback
Priority:
Normal
Assignee:
Peter Štrunc
Category:
-
Target version:
-
Start date:
05/31/2018
Due date:
% Done:

90%

Estimated time:
Owner:

Description

On a current project, we are not able to set user password when it is created.
It is possible to solve the situation by project processor, but we need a general solution in the connector.

Please change connector behavior when a password is entered in Create action.
In this case, we probably need to create user without password and then send an update containing only the password.

Actions #1

Updated by Alena Peterová over 6 years ago

Please note the importance of the attribute UserAccountControl: https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx
This attribute holds, if the account is enabled, password required, etc.
The old AD connector from OpenICF set this attribute automatically - IdM sent "__ENABLE__", "__PASSWORD_EXPIRED__" etc. and the connector computed the value of UserAccountControl.

Actions #2

Updated by Alena Peterová over 6 years ago

Alena Peterová wrote:

Please note the importance of the attribute UserAccountControl: https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx

Behaviour of the old AD connector for inspiration:
  • if the connector gets the value of "userAccountControl", it uses this value
  • the value is also updated according to additional attributes:
    • \__ENABLE__: for setting ACCOUNTDISABLE flag. Default value of the flag is false (accounts are enabled by default)
    • \__PASSWORD__: after changing the password it sets the flag PASSWD_NOTREQD = false
    • PasswordNeverExpires: for setting DONT_EXPIRE_PASSWORD flag

Also there is an interesting note about the attribute \__PASSWORD_EXPIRED__ (in LDAP this is pwdLastSet=0 and means "user must change password after logon"):
"Encountered problems when processing change password at the same time as setting expired. It would be set to expired, but the change would clear that. So we must ensure that expired comes last."

Please note that the old connector does Create operation in two steps - first it creates only simple account, then it sets all other attributes and also password.

Actions #3

Updated by Patrik Stloukal over 6 years ago

so i fixed this issue: i remove pwd and userAccountControl from create method (because UAC cannot be enabled, when AD account does not have pwd), so after identity in AD is created, update with pwd and UAC is called. In this memthod I set UAC to 512 (normal enabled account ) as default.

there is one issue. when there is exception in update (- mistake in password policies or UAC -) there will be newly created account in AD, but idm does not know about it and retry of this provisioning will drop on already existing exception. this should not happen often and only, when AD system is being set up. i firstly add in catch deleting of this new user in AD, but i found out, that it could be dangerous, so any ideas what is better in this case?

Actions #4

Updated by Alena Peterová over 6 years ago

Patrik Stloukal wrote:

so i fixed this issue: i remove pwd and userAccountControl from create method (because UAC cannot be enabled, when AD account does not have pwd), so after identity in AD is created, update with pwd and UAC is called. In this memthod I set UAC to 512 (normal enabled account ) as default.

Is there some option to disable user accounts by the connector? If not, we will need some attribute "__ENABLE__" or "__DISABLE__" which will set UAC accordingly.

there is one issue. when there is exception in update (- mistake in password policies or UAC -) there will be newly created account in AD, but idm does not know about it and retry of this provisioning will drop on already existing exception. this should not happen often and only, when AD system is being set up. i firstly add in catch deleting of this new user in AD, but i found out, that it could be dangerous, so any ideas what is better in this case?

I see the only option to make it configurable (deleting of the incomplete new user). It's dangerous to delete new users, when AD creates home directories for new users. Otherwise it is safe. So the administrator has to decide...

Actions #5

Updated by Patrik Stloukal over 6 years ago

  • Status changed from New to Needs feedback
  • Assignee changed from Patrik Stloukal to Peter Štrunc
  • % Done changed from 0 to 90

there is ENABLE attribute, it is working with true/false - it will enable/disable account. I look closely and userAccountControl has priority over ENABLE.

i removed deleting users, not only it is dangerous, but due to connector configuration. i had issue with uid in connector's configuration and provisioning's mapping of identificator, and because of that with retry of failed provisioning, idm could not find user in AD, so started create process and then exception... but with corect settings of system, this situation should not happen...

so if you would creating user with bad password (wrong generating policies) it could occur exception with updating pwd and after re-try this failed provisioning, it will no longer be create but update process and in this process there is no generating pwd... so after this you should manually change pwd on this user to AD and then normal provisioning of this user (because of userAccountControl -> to enable this account).... but even this situation is unlikely... it could only occur in situation when you forgot to set generating policies or have some mistake in this and if you use userAccountControl and set there bad number...

i think this is the good way, if you have some pointers, we can discuss and change some parts :D

commits: https://git.bcvsolutions.eu/modules/adbundle-connector/commit/d7d4ebdd92795e085866e4aa8ad494b083c40643
https://git.bcvsolutions.eu/modules/adbundle-connector/commit/684034b450c2e5e229251891e4f66a577cf7cd17

Actions

Also available in: Atom PDF