How to modify userAccountControl in ActiveDirectory from RubyOnRails3 with Ruby1.9.2 and roryO's net-ldap gem?

What I want to do is to enable/disable an Active Directory user account. In Active Directory that information is stored in a bit register in an attribute called userAccountControl as a HEX value. In our Windows 2008 Server R1, that is 0x10200 for an enabled account with the option that a user's password never expires, or 0x10202 for a disabled account with the option that a user's password never expires.

Now to just touch the flag for the enabled/disabled information, I wrote the following method...

```ruby
def set_account_active_flag(activate)
  success = false
  get_aduser if @aduser.nil?
  puts "#####################################"
  unless @uac.nil? || @uac.blank?
    tmpuac = @uac.to_i
    # activate clears the ACCOUNTDISABLE bit (0x2), deactivate sets it; all other flags are kept
    tmpuac = activate ? tmpuac & ~2 : tmpuac | 2
    ldap_con = self.class.initialize_ldap_con
    # success = ldap_con.replace_attribute ldap_encode(@dn), :userAccountControl, tmpuac
    success = ldap_con.replace_attribute ldap_encode(@dn), :userAccountControl, ldap_encode(tmpuac.to_s)
  else
    puts ">>>>>\nuserAccountControl-Register is not available\n<<<<<"
  end
rescue Net::LDAP::LdapError => e
  puts "NET::LDAP::LdapError\n#{e}"
ensure
  if ldap_con   # nil when the connection was never opened
    puts "-------------------------------------"
    puts "LDAP operation failed (#{ldap_con.get_operation_result.code}):"
    puts "-------------------------------------"
    puts ldap_con.get_operation_result.message
  end
  puts "#####################################"
  return success
end
```

OK... internals:

- get_aduser is just a method that loads a set of AD attributes (['dn', 'userPrincipalName', 'givenname', 'sn', 'mail', 'memberof', 'userAccountControl']) and stores them in instance variables of the user trying to log in (@dn, @user_principal_name, @first_name, @last_name, @groups, @uac).

That part works like a charm. @uac (returned as a string) I can transform to an integer

```ruby
x = @uac.to_i
```

and then use that as a bit register to check and modify flags

```ruby
x & 2   # => 0 if unset, => 2 if set
x |= 2  # sets the flag
x ^= 2  # toggles the flag (unsets it when it is currently set)
```

That working, I thought it would be as easy as just writing that value back to my Active Directory.

There comes my problem: so far I have tried to write back the new userAccountControl value as integer and as string, but both attempts fail, although the operation result message in both cases is {Code:0, Message:'Success'}.

Trying to write back the new userAccountControl value as integer raises NET::LDAP::LdapError

```
#####################################
NET::LDAP::LdapError
response missing or invalid
-------------------------------------
LDAP operation failed (0):
-------------------------------------
Success
#####################################
=> false
```

Trying to write back the new userAccountControl value as string does not raise an error but still results in false

```
#####################################
-------------------------------------
LDAP operation failed (0):
-------------------------------------
Success
#####################################
=> false
```

So I wonder, 'What am I doing wrong?'

Does anybody know how to write back userAccountControl to Active Directory?

Do I have to transform the new userAccountControl value using something like that awkward algorithm needed to write back a user password?

Thanks a lot in advance for any useful hint or even a solution.

Best regards,

Ingo Gambin
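An added example (not the poster's code) of the flag handling and write-back described in the question, with activate clearing the ACCOUNTDISABLE bit (0x2) rather than setting it and the value sent as its decimal string form; FakeLdap and the DN are constructed stand-ins for a real Net::LDAP connection.

```ruby
# Added example, not code from the original post: flip only the ACCOUNTDISABLE
# bit of userAccountControl and hand the result to a net-ldap style connection.
# 0x10200 (enabled, password never expires) and 0x10202 (disabled) are from the post.
ACCOUNTDISABLE     = 0x0002   # account is disabled
NORMAL_ACCOUNT     = 0x0200   # ordinary user account
DONT_EXPIRE_PASSWD = 0x10000  # password never expires

# AD returns userAccountControl as a decimal string; return the new integer
# value with every other flag left untouched.
def toggle_account_disabled(uac_string, activate)
  uac = Integer(uac_string, 10)
  activate ? (uac & ~ACCOUNTDISABLE) : (uac | ACCOUNTDISABLE)
end

def account_enabled?(uac_string)
  (Integer(uac_string, 10) & ACCOUNTDISABLE).zero?
end

# Writes the value back as its decimal text form. `ldap` is anything that
# responds to replace_attribute and get_operation_result like Net::LDAP does;
# the return value is [success, new_value].
def set_account_active_flag(ldap, dn, uac_string, activate)
  new_uac = toggle_account_disabled(uac_string, activate)
  ok = ldap.replace_attribute(dn, :userAccountControl, new_uac.to_s)
  # Check the directory's result code as well as the method's return value.
  ok = ok && ldap.get_operation_result.code.zero?
  [ok, new_uac]
end

# Constructed stand-in for a Net::LDAP connection so this runs offline; it only
# records what would have been sent to the directory.
class FakeLdap
  Result = Struct.new(:code, :message)
  attr_reader :writes
  def initialize; @writes = []; end
  def replace_attribute(dn, attr, value)
    @writes << [dn, attr, value]
    true
  end
  def get_operation_result; Result.new(0, "Success"); end
end

if __FILE__ == $0
  ldap = FakeLdap.new
  dn = "CN=jdoe,OU=Users,DC=example,DC=com"              # constructed DN
  enabled = (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD).to_s   # "66048" = 0x10200
  ok, uac = set_account_active_flag(ldap, dn, enabled, false)
  puts "ok=#{ok} new=0x#{uac.to_s(16)} sent=#{ldap.writes.last.inspect}"
end
```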