Looking to create users using SSIS and DirectoryServices (VB)

EBassett
Basic Member
Posts: 6
    Has anyone successfully used SSIS and DirectoryServices (VB) to create user accounts?

    I have written similar code to create users in Active Directory, but I get errors when doing the same for Lawson Users. I can modify existing Lawson users but get an error when doing the add.

    The error is thrown on the newUser.CommitChanges() command. It is a COMException (0x80072035), which, when I look into it, is stated to be because the password is not set, but if I try to set the password first it throws a different error.

    Any help appreciated.

    This is a code snippet.

    Imports System.DirectoryServices

    Public Overrides Sub Input0_ProcessInputRow(ByVal Row As Input0Buffer)
        Dim dirEntry As New DirectoryEntry()
        Dim dirEntrySsop As New DirectoryEntry()
        dirEntry.Path = "LDAP://ServerName/ou=resources,o=lwsnrmdata,o=LawProd"
        dirEntrySsop.Path = "LDAP://ServerName/ou=resources,o=lwsnrmdata,o=SSOP"

        Dim adUsers As DirectoryEntries = dirEntry.Children
        Dim newUser As DirectoryEntry
        Dim deSearch As DirectorySearcher = New DirectorySearcher()

        ' Search whether the account already exists
        deSearch.Filter = "(&(objectClass=zzlwsnobjPeople) (cn=" & Row.EMPLOYEE & "))" '(cn=25759))"
        deSearch.SearchRoot = dirEntry
        Dim results As SearchResultCollection = deSearch.FindAll()

        If results.Count = 0 Then
            ' Add the new user with only cn set on the zzlwsnobjPeople template
            newUser = adUsers.Add("cn=" & Row.EMPLOYEE, "zzlwsnobjPeople")
            newUser.Properties("cn").Value = Row.EMPLOYEE
            newUser.CommitChanges()
            newUser.Invoke("SetPassword", "")
            newUser.CommitChanges()
        End If
    End Sub

    Kwane McNeal
    Veteran Member
    Posts: 479
      I'm taking a stab at this, since you didn't post the other error message (the one you receive when you attempt a password set), but I don't believe your approach will work without modification, since Lawson 'people' objects aren't proper LDAP users. The password attribute doesn't exist for a Lawson 'people' object.

      Now I'm not on a system right now, such that I can view the schema, but take a peek at the schema and ensure that you are setting all the non-default 'properties' for the VB object 'newUser'

      My hunch is that when you try to set the password, VB is failing due to the 'password' attribute not being on the Lawson 'people' object, and when you don't set the password, VB is failing because its definition of a user object requires there to be a non-null password attribute value.

      A bit more detail would help others in helping you more specifically:
      1) The other error message generated when attempting to set the password
      2) Does the first CommitChanges() in your code snippet listed here succeed? (This would be the third line from the bottom.)
      3) Ensure that your deSearch.Filter is correct.

      Kwane
      EBassett
      Basic Member
      Posts: 6
        I was able to look at the Schema, but I guess I am not sure what I should look at, to see if the attribute is defaulted or required. I will attach a full version of my code as I tried it setting many other attributes as well. The one thing I am not setting is the User attribute for the SSOP (under manage Identities in Lawson Security). That should be the attribute that ties it back to our other Active Directory server for single sign on. But I am not sure what to do to set it.

        Per the snippet, the first CommitChanges() is the one that fails with COMException 0x80072035. If I comment out the first CommitChanges() so that it tries the SetPassword, it throws an InteropServices.COMException (0x80020006) on the Invoke line, which, like you stated, may not be a settable attribute. Maybe the key is to set the identities first?

        The deSearch works because if I set it to a user that already exists, it will modify the user. I can change their name, or other attributes. See attached code.

        I am trying this based on some ldif scripts we had for a conversion to load the users onto a new server. I noticed that the scripts to manage identities were not part of the ldif file but in a separate xml file, so maybe I need to set that first. Not sure.

        Thank you.
        Kwane McNeal
        Veteran Member
        Posts: 479
          I checked out your code, and did a little research, and my underlying hypothesis (that you were not filling all of the required attributes) is correct.

          I'll break this reply into two parts, one will be the general approach, and one will be specific to your request.

          The key is that the SchemaTemplate you chose on the directory 'Children' Add method, requires that you fill all the attributes needed. Since this is a 'custom' template, you need to first define it, and then ensure that the underlying objectClass requirements are met. After reviewing the error codes, the first means 'LDAP unwilling to perform', which makes perfect sense.

          The best approach is to take an LDAP browser (I prefer LDAPAdmin at SourceForge), and review both an existing object, and the schema requirements for all associated objectClasses. The key is you HAVE TO fulfill all the 'MUST' requirements. This is what I was alluding to in my prior posting.

          With that said, I'll address your specific issues.
          Your script makes a few assumptions that are not borne out in the review of the LDAP Schema, they are as follows:

          1) Lawson objects are users
          2) Lawson objects are defined by exactly one well defined objectClass
          3) Values from SSO (aka Identities) are stored as attributes on the main 'people' object

          To help you correct them in this post would be longer than most readers would bear, so feel free to contact me off-line.

          Kwane
          505-433-RSGI
          EBassett
          Basic Member
          Posts: 6
            This is my most recent attempt. Added more ObjectClasses. The SSO part of the code works, but creating the user still causes issues. With the addition of the lwsnrmbootRMTopStruct objectClass it now throws a 0x80072014 - Did not satisfy one or more constraints. I am referencing an ldif file that was used to migrate users to a new server. So I should be hitting all the constraints.

            dn: cn=10041,ou=resources,o=lwsnrmdata,o=lawprod9
            changetype: add
            objectclass: top
            objectclass: zzlwsnobjPeople
            objectclass: zzlwsnobjlwsnRMResource
            objectclass: lwsnrmbootRMTopStruct
            zzlwsnattrPortalAdmin: NO
            zzlwsnattrUTZOFFSET: 0
            zzlwsnattrAccess: N
            zzlwsnattrSLDTOBS: TRUE
            zzlwsnattrGroup: Employee
            zzlwsnattrGroup: Handbook1
            zzlwsnattrWKDAYEXPR: (d>0&&d<6)
            zzlwsnattrFirstName: Stephanie
            zzlwsnattrName: Stephanie St.Claire
            zzlwsnattrPortalRole: default.xml
            zzlwsnattrProductLine: PROD
            zzlwsnattrAllowJobQueue: Y
            zzlwsnattrWFUser: 0
            zzlwsnattrOLEDBC: ALLOW
            zzlwsnattrAddins: DENY
            zzlwsnattrSLDTFUNC: usLDT
            zzlwsnattrULDTOBS: TRUE
            zzlwsnattrULDTFUNC: usLDT
            cn: 10041
            zzlwsnattrCheckLS: NO
            zzlwsnattrLastName: St.Claire
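
The check described earlier in the thread (every 'MUST' attribute of every objectClass on the entry has to be present) can be run offline against an LDIF entry before the add is attempted. This is an added example, not part of the thread and not Lawson or forum code: the function names are hypothetical, and the OIDs and MUST lists in SCHEMA are constructed placeholders, so the real definitions have to be read from the server's schema with an LDAP browser.

```python
import re

# Constructed schema (RFC 4512 syntax). Class names are from this thread; the
# OIDs and MUST lists are invented for illustration, not the real Lawson schema.
SCHEMA = """
( 1.1.1 NAME 'top' ABSTRACT MUST objectClass )
( 1.1.2 NAME 'lwsnrmbootRMTopStruct' SUP top STRUCTURAL MUST cn )
( 1.1.3 NAME 'zzlwsnobjlwsnRMResource' SUP top AUXILIARY MUST ( zzlwsnattrName $ zzlwsnattrProductLine ) )
( 1.1.4 NAME 'zzlwsnobjPeople' SUP top AUXILIARY MUST ( zzlwsnattrAccess $ zzlwsnattrCheckLS ) )
"""
# Constructed entry: what the VB snippet effectively sends (one class, cn only).
MINIMAL_ENTRY = """
dn: cn=10041,ou=resources,o=lwsnrmdata,o=LawProd
objectclass: zzlwsnobjPeople
cn: 10041
"""

def _names(definition, keyword):
    # Lower-cased names after SUP or MUST: a single name or a "( a $ b )" list.
    m = re.search(r"\b" + keyword + r"\s+(?:\(([^)]*)\)|(\S+))", definition)
    raw = (m.group(1) or m.group(2) or "") if m else ""
    return [n.strip().lower() for n in raw.split("$") if n.strip()]

def parse_schema(text):
    classes = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        name = re.search(r"NAME\s+'([^']+)'", line).group(1).lower()
        classes[name] = {"sup": _names(line, "SUP"), "must": set(_names(line, "MUST"))}
    return classes

def parse_ldif_entry(text):  # lower-cased name -> values; no folding or base64
    attrs = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs

def missing_must(entry, classes):
    """Absent MUST attributes per objectClass on the entry, superiors included."""
    report = {}
    todo = [oc.lower() for oc in entry.get("objectclass", [])]
    for oc in todo:  # todo grows during iteration as superiors are appended
        if oc not in classes:
            report[oc] = ["<objectClass not in schema>"]
            continue
        todo += [s for s in classes[oc]["sup"] if s not in todo]
        gaps = sorted(classes[oc]["must"].difference(entry))
        if gaps:
            report[oc] = gaps
    return report
```

Calling `missing_must(parse_ldif_entry(MINIMAL_ENTRY), parse_schema(SCHEMA))` lists, per objectClass, the attributes the directory would still require; an empty result means the entry satisfies every MUST in the supplied definitions.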
