I'm trying to create users in Active Directory whenever somebody creates an account, so I can integrate with Windows Media Services authentication, but I can't get a user account created. I've used this module with OpenLDAP successfully on another site, but this is my first shot at AD. I can authenticate users if they are in AD, so I know that much is working. I also know that the user deletion is working (the hard way, deleted an admin user I didn't want to during testing), which should imply that the user I'm using to make the changes has adequate permissions.

My current settings for provisioning are:

Enable: yes
Custom Username: yes
Username Template: %f.%l (This shouldn't matter, right?)
Disable drupal user creation: yes (this just means you have to go through the Provisioning screen, not the normal user management screen, right?)
Enable Debugging: Yes!

Registration and Authentication: All good, nothing to screw up

Attributes:

My current setup is this:
#objectClass: top
#objectClass: person
#objectClass: inetOrgPerson
#uid: !uid
#mail: !mail
#givenName: !first_name
#sn: !last_name
#cn: !first_name !last_name
#userPassword: !pass

#objectClass: organizationalPerson
#objectClass: person
#objectClass: top
#objectClass: user
cn: !first_name !last_name
#objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=liveracecam,DC=com
#accountExpires: 9223372036854775807
#badPasswordTime: 0
#badPwdCount: 0
#codePage: 0
countryCode: 0
displayName: !uid
givenName: !first_name
#lastLogoff: 0
#lastLogon: 0
#logonCount: 0
memberOf: CN=Stream Publishers,CN=Users,DC=liveracecam,DC=com
name: !uid
sAMAccountName: !uid
sn: !last_name
userPrincipalName: !mail

This was based on an LDIF dump of an existing user and the stock settings; I've been removing attributes trying to fix this. I'm pretty sure this is where the problem lies; I try to go through /admin/user/accounts/new and create users, the LDIF looks nice, but it doesn't create the user. Does anybody have a working AD provisioning set of attributes or any tips for me? Thanks!


Comments

Charlie Sibbach

I hate to bribe people for support, but if anybody can help me get this working (via phone or email or directly on the server), I will happily paypal them $50. My client is the pushy type and wants this done yesterday, I got handed the project after the due date was already passed.

Charlie Sibbach

This offer has gone up: anybody who can help me make this work, name your price. Hell, can anybody say whether or not you CAN provision a user via LDAP in AD?

But in all seriousness, if you can help me make this work, email me, and I will make it worth it! I'm just running into time constraints, so I need help real soon now!

miglius

I don't have an AD at hand, so I cannot troubleshoot it.

I think that the problem is in the LDIF file you're sending to AD. Try exporting an existing user from the AD to LDIF, then delete that user in the AD and try to recreate it from the LDIF file. If it works, you will know which attributes are needed.

I'm not an AD expert, but maybe it can be run in debug mode and show the error when the user is not created? Maybe some mandatory attribute is missing, or some attributes should be unique?

V4p3r

Any luck with the provisioning of user accounts in AD through Drupal? I too am looking for this solution. I got the LDAP integration module working last night and can successfully authenticate my current users in AD, but I'd like the Drupal registration form to also create the user in AD. I mean, I could really do away with Drupal's user database altogether and just use Drupal to manage/create users in AD.

Anything at all?

deven_

I have obtained initial success in getting user creation. The default Basic LDAP Attributes which appear soon after installing ldap_provisioning work very well with two changes:

1) Replace the uid: !uid with sAMAccountName: !uid and
2) Replace the objectClass: inetOrgPerson with objectClass: user

The default attributes are written considering OpenLDAP as the LDAP Server. MS Active Directory has different attribute names than those mentioned.
I still am not able to synchronise the password of the newly created user. Can anybody help me?
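As an added example (not code from the ldap_provisioning module), this renders the default attribute template with the two changes above into the entry an LDAP add would send to AD, and shows how a password must be encoded for AD's unicodePwd attribute; the account values, base DN and password are constructed for the demo.

```python
# Added example, not part of the ldap_provisioning module. It substitutes the
# module-style !placeholders and groups repeated keys (objectClass) into lists,
# the shape an LDAP add request needs. Sample account values are constructed.
import re

# Default Basic LDAP Attributes with the two changes from the comment above:
# sAMAccountName instead of uid, objectClass user instead of inetOrgPerson.
AD_TEMPLATE = """\
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: !uid
mail: !mail
givenName: !first_name
sn: !last_name
cn: !first_name !last_name
userPrincipalName: !mail
"""


def render_entry(template, account):
    """Substitute !placeholders from `account`; skip blank and '#' lines."""
    entry = {}
    for line in template.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = re.sub(r"!(\w+)", lambda m: str(account[m.group(1)]), value.strip())
        entry.setdefault(key.strip(), []).append(value)
    return entry


def unicode_pwd(password):
    """AD ignores userPassword: it expects unicodePwd, the UTF-16LE encoding of
    the password wrapped in double quotes, and only over an encrypted
    (LDAPS or StartTLS) connection, which is why adldap insists on SSL."""
    return ('"' + password + '"').encode("utf-16-le")


def build_add_request(account, base_dn, password=None):
    """Return (dn, attributes) for ldap_add; enables the account if a
    password is supplied (userAccountControl 512 = NORMAL_ACCOUNT)."""
    entry = render_entry(AD_TEMPLATE, account)
    dn = "CN=%s,%s" % (entry["cn"][0], base_dn)
    if password is not None:
        entry["unicodePwd"] = [unicode_pwd(password)]
        entry["userAccountControl"] = ["512"]
    return dn, entry
```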

deven_


I think I missed out the screenshot. Trying again to upload.

bryan kennedy

Title: Create User in AD » Create User in Active Directory

This issue isn't exactly a duplicate, but there are some other problems with Active Directory implementation over in this issue:

LDAP User Password in Active Directory does not allow user to log in
http://drupal.org/node/835530

deven_

Dear bryan kennedy,

You are absolutely right. This issue is a sibling of the one you have mentioned. Upon further investigation, I found something and I have posted my findings at http://drupal.org/node/835530. Reposting the same below:

adldap (http://adldap.sourceforge.net) is a product written in PHP which allows you to create users in Active Directory, change their password, etc. It requires an SSL connection to Active Directory. Please read http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl about this.

Regards