I've just installed the Active Directory plugins 1.0.2 and I am trying to script an AD user creation using Orchestrator 4.2.0. I am using Windows 2008 R2 as my Active Directory server.
I get this error when I use port 3286 (using GC):
"Unable to create a new user: InternalError: Failed to create user account...[LDAP: error code 53 - 00002035: LdapErr: DSID-0C090BF4, comment: Operation not allowed through GC port, data 0, v1db0 ] (Workflow: NewUsers / Create User (item7)#6)"
I get this error when I use port 389 (default port):
"Unable to create a new user: InternalError: Failed to create user account...[LDAP: error code 53 - 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0] (Workflow:NewUsers / Create User (item7)#3)(Workflow: NewUsers / Create User (item7)#6)"
Configuration on the server side looks good. I am using the same information as the LDAP configuration (without the copy checkbox) and I am using an Administrator as the user (until I can fix this error).
This is the script line that causes the error:
userOU.createUser(accountName,domainName,displayName);
where accountName, domainName and displayName are strings and userOU is a valid OU selected using the GUI.
Does anyone have any idea how to fix this?
Thanks,
Phil
Hi!
For troubleshooting such issues, see this article: http://www.vcoportal.de/2011/07/troubleshooting-ldap-erros-in-vco/
In your case the error code 53 means: "Unwilling to perform".
To get some ideas of the root cause: http://stackoverflow.com/questions/1073643/adding-ldap-entries-using-jndi
Some guesses: Password restrictions, or no password set for the new user, but required by AD; DomainName in wrong notation ...
Cheers,
Joerg
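Added example, not part of any post in this thread and not code from the AD plug-in: a small JavaScript parser that pulls the LDAP result code, the Win32 code and the DSID out of the two error strings quoted in the question and maps them to the checks the replies suggest. The function names and lookup tables are assumptions made for this example and cover only the codes seen here.

```javascript
// Added example (not vCO plug-in code): decode the AD detail that JNDI wraps in
// "[LDAP: error code N - XXXXXXXX: ...]". Tables hold only codes from this thread.
const LDAP_RESULT = { 53: "unwillingToPerform" };
const WIN32 = {
  0x2035: "ERROR_DS_UNWILLING_TO_PERFORM",
  0x052d: "ERROR_PASSWORD_RESTRICTION",
};
const AD_ERROR = /\[LDAP: error code (\d+) - ([0-9A-Fa-f]{8}): (\w+): (DSID-[0-9A-Fa-f]+), ([^\]]*)\]/;

function parseAdLdapError(message) {
  const m = AD_ERROR.exec(message);
  if (!m) return null; // not an AD-formatted LDAP error
  const win32 = parseInt(m[2], 16); // the 8 hex digits are a Win32 error code
  const comment = /comment: ([^,]+)/.exec(m[5]);
  return {
    ldapCode: Number(m[1]),
    ldapName: LDAP_RESULT[m[1]] || "unknown",
    win32,
    win32Name: WIN32[win32] || "unknown",
    source: m[3], // LdapErr or SvcErr
    dsid: m[4],
    comment: comment ? comment[1].trim() : null,
  };
}

// Map a parsed error to the check suggested in the replies of this thread.
function nextCheck(err) {
  if (!err) return "no AD detail in message; inspect the raw exception";
  if (err.comment && /GC port/i.test(err.comment))
    return "global catalog is read-only: point the plug-in at the DC's LDAP/LDAPS port";
  if (err.win32Name === "ERROR_PASSWORD_RESTRICTION")
    return "password policy rejected the account: set a password over LDAPS (import the DC certificate)";
  return "look up Win32 code 0x" + err.win32.toString(16) + " and DSID " + err.dsid;
}

// The two messages quoted in the question, trimmed to the part that matters.
const GC_MSG = "Failed to create user account...[LDAP: error code 53 - 00002035: LdapErr: DSID-0C090BF4, comment: Operation not allowed through GC port, data 0, v1db0 ]";
const DC_MSG = "Failed to create user account...[LDAP: error code 53 - 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0]";

for (const msg of [GC_MSG, DC_MSG]) {
  const err = parseAdLdapError(msg);
  console.log(err.win32Name, "->", nextCheck(err));
}
```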
Quite possible on the password restrictions, as Joerg points out... If that is the case, you must configure the AD plug-in to use SSL. In order to do so, you will need to import a Domain Controller Authentication certificate to vCO. That certificate will allow vCO to establish a secure connection to your domain controller to create new user accounts with passwords.
Good Luck!
The Active Directory plugin must be configured to use SSL (ldaps protocol) in order to be able to add/remove users.
Not sure if you already saw the following document: http://communities.vmware.com/docs/DOC-21481.
There were some issues with the 1.0.2 GA version of the plugin that got resolved. I would recommend you use the 1.0.2-683 version.
Thanks guys, seems like I needed the Certificate configured.