.NET Framework - System.DirectoryServices - Constraint violation

Asked By Peter Bradley

01-Mar-07 09:58 AM

I'm trying to use System.DirectoryServices to update Active Directory from a
Web Service.  When I try to commit the changes, I get the following error
message:


My code is like this:


*** method signature and stuff ***

try
{

*** Some other code *** (assignments etc)

// Connect to the Art and Design school directory entry
DirectoryEntry de = new
DirectoryEntry("LDAP://oursever.our.domain:389/OU=Art and
Design,OU=Student,OU=Development,OU=User
Accounts,DC=internal,DC=uwic,DC=ac,DC=uk", "AnAdminUser", "apwd");

// Get the children of the directory entry and then add to the Children
collection
DirectoryEntries users = null;    // The Children Collection
DirectoryEntry user;                 // The user to Add()
if (de != null)
users = de.Children;            // Throws COMException on failure
else
throw new Exception("The Directory Entry is null");

// Add the new child, passing in the
user = users.Add("CN=asurname aforename(dv04002701)", "user");

user.Properties["distinguishedName"].Add("CN=asurname
aforename(dv04002701),OU=Art and Design,OU=Student,OU=User Accounts);

user.Properties["cn"].Add("asurname aforename(dv04002701)");
user.Properties["description"].Add(aString);
user.Properties["title"].Add(aString);
user.Properties["givenName"].Add(aForename);
user.Properties["displayName"].Add(aSurname + ", " + aForename);
user.Properties["company"].Add(anEmailAddress);
user.Properties["mail"].Add("dv04002701");
user.Properties["name"].Add(aSurname.ToLower() + " " + aForename.ToLower() +
user.Properties["userPassword"].Add(aPassword);
//user.Properties["accountDisabled"].Add(false);    // Gives error "The
specified directory service attribute or value does not exist." if included
//user.Properties["passwordExpired"].Add(false);   // Gives error "The
specified directory service attribute or value does not exist." if included
user.Properties["objectCategory"].Add(anObjectCategory);
user.Properties["objectClass"].Add(anObjectClass);
user.Properties["sAMAccountName"].Add("dv04002701");
user.Properties["instanceType"].Add(4);

user.CommitChanges();
}
catch (COMException ce)
{
string m = ce.Message; // For debug only
throw RaiseException("GetException", "WSSoapException", ce.Message,
}
catch (Exception ex)
{
string m = ex.Message; // For debug only
throw RaiseException("GetException", "WSSoapException", ex.Message,
}


According to ADSI Edit, the following fields are mandatory:

- cn
- instanceType
- objectCategory
- objectClass
- sAMAccountName

The user I give has full permissions on Active Directory.

The exception is thrown on the call to CommitChanges().

Putting CommitChanges immediately after the call to Add() gives the same
error.  Calling RefreshCache() on the DirecoryEntry (de) immediately after
the call to Add() returns with no error.

Can anyone help?



Peter

01-Mar-07 02:16 PM

Remove all this:

user.Properties["userPassword"].Add(aPassword);
//user.Properties["accountDisabled"].Add(false);    // Gives error "The
specified directory service attribute or value does not exist." if included
//user.Properties["passwordExpired"].Add(false);   // Gives error "The
specified directory service attribute or value does not exist." if included
user.Properties["objectCategory"].Add(anObjectCategory);
user.Properties["objectClass"].Add(anObjectClass);
user.Properties["instanceType"].Add(4);

These properties can't be set like this.
The password can only be set by calling the SetPassword method, using
user.Invoke("SetPassword", password );
but you can only do this after the user has been comitted.
accountDisabled can only be set by means of the userAccountControl property, something like
this will do:
user.Properties["userAccountControl"].Add(ADS_UF_NORMAL_ACCOUNT|ADS_UF_PASSWD_CANT_CHANGE);

search MSDN for the values of ADS_UF_XXXXX, or add a reference to activeds.tlb to your
project.
all other properties are added automatically and are tied to the "user" type object.

Willy.

02-Mar-07 03:03 AM

Many thanks for that Willy.

In actual fact I managed to get it to work without removing any of those.
The spec was wrong.  The objectCategory, according to the spec, was to be
set to "Person".  In fact it needed to be set to

The objectCategory, objectClass and instanceType properties all appear to
have been set correctly.

However you may well be correct about the setting of the password and the
other things.  I notice the account is disabled in AD.

Cheers


Peter

02-Mar-07 07:24 AM

That's correct, but you don't have to set it, it's set automatically when you add the "user"
object type to the container (as user is a person after all).


Yep, you can't set some attributes like this, some can be set through the
refer to the ADSI docs for details .

Willy.

02-Mar-07 11:35 AM

Thanks Willy.  I've got there in the end.  Certainly the accounts are now
enabled when created, and I'm pretty sure that a password has been created.
The only thing I don't appear to be able to do is to set the
userAccountControl property directly at all.  I notice that the
documentation says, "This value is set by the system".  It seems to set it
to 544 (rather than the 531 the user wanted), but I notice that a lot of
live accounts already on the system have this value (544), too.

So I'm letting my users check over the accounts I've created to see if
they're happy with them.

(Another problem solved by indirection)



Peter

02-Mar-07 12:48 PM

Weird, what the user wanted (544) means: normal user, account disabled, account locked-out
and logon script enabled.
what you have set is: normal account and password not required.

Don't know how you tried to set userAccountControl, but IMO you got it wrong.
Mind to post some code?

Willy.