
Error while adding user through LDAP using powershell


I am trying to add a user to an LDAP server. I am getting the following error:

Exception calling "SendRequest" with "1" argument(s): "The type is not defined."
At line:11 char:1
+ $response = $connection.SendRequest($request)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryOperationException

This is my code:

# System.DirectoryServices.Protocols is not loaded by default in Windows PowerShell; load it explicitly
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Bind to the directory with a simple (Basic) bind over LDAP v3
$credential = New-Object -TypeName System.Net.NetworkCredential -ArgumentList ($ldapUser, $ldapPass)
$directoryIdentifier = New-Object -TypeName System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList ($ldapServer, $ldapPort)
$connection = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection -ArgumentList ($directoryIdentifier, $credential, [System.DirectoryServices.Protocols.AuthType]::Basic)
$connection.SessionOptions.ProtocolVersion = 3
$connection.Bind()

# Build the add request: DN plus one DirectoryAttribute per attribute
$request = New-Object -TypeName System.DirectoryServices.Protocols.AddRequest
$request.DistinguishedName = "uid=Test_Thomas,ou=Users,ou=DE,ou=saria,dc=ext,dc=saria,dc=com"
$request.Attributes.Add((New-Object -TypeName System.DirectoryServices.Protocols.DirectoryAttribute -ArgumentList "objectclass", @("top","organizationalPerson","person","inetorgperson"))) | Out-Null
$request.Attributes.Add((New-Object -TypeName System.DirectoryServices.Protocols.DirectoryAttribute -ArgumentList "cn", $ExistingFrontlineWorkers[1].cn)) | Out-Null
$request.Attributes.Add((New-Object -TypeName System.DirectoryServices.Protocols.DirectoryAttribute -ArgumentList "sn", $ExistingFrontlineWorkers[1].sn)) | Out-Null
$request.Attributes.Add((New-Object -TypeName System.DirectoryServices.Protocols.DirectoryAttribute -ArgumentList "mail", $ExistingFrontlineWorkers[1].mail)) | Out-Null
$request.Attributes.Add((New-Object -TypeName System.DirectoryServices.Protocols.DirectoryAttribute -ArgumentList "uid", "Test_Thomas")) | Out-Null
$request.Attributes.Add((New-Object -TypeName System.DirectoryServices.Protocols.DirectoryAttribute -ArgumentList "uidNumber", "1000")) | Out-Null
$request.Attributes.Add((New-Object -TypeName System.DirectoryServices.Protocols.DirectoryAttribute -ArgumentList "gidNumber", "1000")) | Out-Null
$request.Attributes.Add((New-Object -TypeName System.DirectoryServices.Protocols.DirectoryAttribute -ArgumentList "homeDirectory", "")) | Out-Null
# This is the call that throws the DirectoryOperationException
$response = $connection.SendRequest($request)

There isn't a problem with the connection because I can search.


Solution

  • You have a DirectoryOperationException, meaning that the LDAP service (server) is unwilling to perform this request.

    For example, if your LDAP service is Active Directory, you MUST create the user with the userAccountControl disabled flag (or set a password instead), you MUST set the user's distinguished name as CN=Test_Thomas instead of uid=Test_Thomas, etc.

    If you use PS5+, you can use ::new() instead of New-Object, like this.

    Warning: this code is not tested.

    $request = [System.DirectoryServices.Protocols.AddRequest]::new(
        'CN=username,OU=Users,DC=contoso,DC=com',
        @(
            [System.DirectoryServices.Protocols.DirectoryAttribute]::new('samaccountname', 'username')
            # ref https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
            # Create account disabled as it has no password yet
            [System.DirectoryServices.Protocols.DirectoryAttribute]::new('userAccountControl', 514)
            [System.DirectoryServices.Protocols.DirectoryAttribute]::new('userPrincipalName', 'username@contoso.com')
            [System.DirectoryServices.Protocols.DirectoryAttribute]::new('displayName', 'username')
            [System.DirectoryServices.Protocols.DirectoryAttribute]::new('objectClass', @('top', 'person', 'organizationalPerson', 'user'))
            [System.DirectoryServices.Protocols.DirectoryAttribute]::new('objectCategory', 'CN=Person,CN=Schema,CN=Configuration,DC=contoso,DC=com')
            [System.DirectoryServices.Protocols.DirectoryAttribute]::new('distinguishedName', 'CN=username,OU=Users,DC=contoso,DC=com')
            [System.DirectoryServices.Protocols.DirectoryAttribute]::new('instanceType', 4)
        )
    )


    Read more or search examples

    http://pig.made-it.com/pig-adusers.html

    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adod/1fd2c193-fc70-4f90-a8c8-f1ca2de4e5ac

    https://gist.github.com/leosouzadias/0f5acd0b70e86f811e25a8fd327db7dc

    https://github.com/zorn96/ms_active_directory/blob/main/ms_active_directory/core/ad_session.py#L338
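An added example (not the asker's code nor the answer's, and not run against a live directory): the same AddRequest pattern wrapped so that the simple bind only happens over LDAPS, and so that a refused add returns the server's own LDAP result code and diagnostic text instead of the bare MethodInvocationException shown in the question. The function names Connect-LdapSecure and Add-LdapEntry, the port 636 default and the hashtable-of-attributes input are assumptions.

```powershell
# Added example; not from the question or the answer. Assumes an LDAPS listener (636 by
# default) and a bind DN/password supplied by the caller. Not tested against a live server.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-LdapSecure {
    param([string]$Server, [int]$Port = 636, [string]$BindDn, [string]$BindPassword)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $cred = [System.Net.NetworkCredential]::new($BindDn, $BindPassword)
    # A simple (Basic) bind puts the password on the wire in clear text, so only do it under TLS.
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
        $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS; server certificate is validated
    $conn.Bind()
    return $conn
}

function Add-LdapEntry {
    param(
        [System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [string]$DistinguishedName,
        [hashtable]$Attributes   # attribute name -> string or string[] (assumed input shape)
    )
    # One DirectoryAttribute per hashtable key; values are normalised to string[] so the
    # (string, params string[]) constructor is always the one chosen.
    $attrs = foreach ($name in $Attributes.Keys) {
        [System.DirectoryServices.Protocols.DirectoryAttribute]::new($name, [string[]]@($Attributes[$name]))
    }
    $request = [System.DirectoryServices.Protocols.AddRequest]::new(
        $DistinguishedName, [System.DirectoryServices.Protocols.DirectoryAttribute[]]$attrs)
    try {
        $response = $Connection.SendRequest($request)
        return [pscustomobject]@{ ResultCode = $response.ResultCode; ErrorMessage = $response.ErrorMessage }
    } catch {
        # PowerShell wraps .NET exceptions in MethodInvocationException; unwrap to reach the
        # DirectoryOperationException, whose Response carries the server's result code
        # (UnwillingToPerform, UndefinedAttributeType, ObjectClassViolation, ...) and message.
        $ex = $_.Exception
        if ($ex -isnot [System.DirectoryServices.Protocols.DirectoryOperationException]) { $ex = $ex.InnerException }
        if ($ex -is [System.DirectoryServices.Protocols.DirectoryOperationException] -and $ex.Response) {
            return [pscustomobject]@{ ResultCode = $ex.Response.ResultCode; ErrorMessage = $ex.Response.ErrorMessage }
        }
        throw
    }
}
```

Call it as `Add-LdapEntry -Connection (Connect-LdapSecure -Server ldap.example.test -BindDn $dn -BindPassword $pw) -DistinguishedName 'uid=Test_Thomas,ou=Users,dc=example,dc=test' -Attributes @{ objectClass = 'top','person','organizationalPerson','inetOrgPerson'; cn = 'Test Thomas'; sn = 'Thomas'; uid = 'Test_Thomas' }`; the returned ResultCode tells you which rule the server actually rejected the entry on, which is what the stack trace in the question hides.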