import java.util.Hashtable;

import javax.naming.ldap.*;

import javax.naming.directory.*;

import javax.naming.*;

import javax.net.ssl.*;

import java.io.*;

public class NewUser{

     /**

      * @param args

      */

     public static void main (String[] args)

     {

          Hashtable env = new Hashtable();

          String adminName = "CN=Administrator,CN=Users,DC=antipodes,DC=com";

          String adminPassword = "XXXXXXX";

          String userName = "CN=Albert Einstein,OU=Research,DC=antipodes,DC=com";

          String groupName = "CN=All Research,OU=Research,DC=antipodes,DC=com";

          env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");

          //set security credentials, note using simple cleartext authentication

          env.put(Context.SECURITY_AUTHENTICATION,"simple");

          env.put(Context.SECURITY_PRINCIPAL,adminName);

          env.put(Context.SECURITY_CREDENTIALS,adminPassword);

          //connect to my domain controller

          env.put(Context.PROVIDER_URL, "ldap://mydc.antipodes.com:389");

          try {

               // Create the initial directory context

               LdapContext ctx = new InitialLdapContext(env,null);

               // Create attributes to be associated with the new user

               Attributes attrs = new BasicAttributes(true);

               //These are the mandatory attributes for a user object

               //Note that Win2K3 will automagically create a random

               //samAccountName if it is not present. (Win2K does not)

               attrs.put("objectClass","user");

               attrs.put("samAccountName","AlbertE");

               attrs.put("cn","Albert Einstein");

               //These are some optional (but useful) attributes

               attrs.put("giveName","Albert");

               attrs.put("sn","Einstein");

               attrs.put("displayName","Albert Einstein");

               attrs.put("description","Research Scientist");

               attrs.put("userPrincipalName","[email protected]");

               attrs.put("mail","[email protected]");

               attrs.put("telephoneNumber","999 123 4567");

               //some useful constants from lmaccess.h

               int UF_ACCOUNTDISABLE = 0x0002;

               int UF_PASSWD_NOTREQD = 0x0020;

               int UF_PASSWD_CANT_CHANGE = 0x0040;

               int UF_NORMAL_ACCOUNT = 0x0200;

               int UF_DONT_EXPIRE_PASSWD = 0x10000;

               int UF_PASSWORD_EXPIRED = 0x800000;

               //Note that you need to create the user object before you can

               //set the password. Therefore as the user is created with no

               //password, user AccountControl must be set to the following

               //otherwise the Win2K3 password filter will return error 53

               //unwilling to perform.

               attrs.put("userAccountControl",Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWD_NOTREQD + UF_PASSWORD_EXPIRED+ UF_ACCOUNTDISABLE));

               // Create the context

               Context result = ctx.createSubcontext(userName, attrs);

               System.out.println("Created disabled account for: " + userName);

               //now that we've created the user object, we can set the

               //password and change the userAccountControl

               //and because password can only be set using SSL/TLS

               //lets use StartTLS

               StartTlsResponse tls = (StartTlsResponse)ctx.extendedOperation(new StartTlsRequest());

               tls.negotiate();

               //set password is a ldap modfy operation

               //and we'll update the userAccountControl

               //enabling the acount and force the user to update ther password

               //the first time they login

               ModificationItem[] mods = new ModificationItem[];

               //Replace the "unicdodePwd" attribute with a new value

               //Password must be both Unicode and a quoted string

               String newQuotedPassword = "\"Password2000\"";

               byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");

               mods[] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));

               mods[] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userAccountControl",Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWORD_EXPIRED)));

               // Perform the update

               ctx.modifyAttributes(userName, mods);

               System.out.println("Set password & updated userccountControl");

               //now add the user to a group.

               try{

                    ModificationItem member[] = new ModificationItem[];

                    member[]= new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("member", userName));

                    ctx.modifyAttributes(groupName,member);

                    System.out.println("Added user to group: " + groupName);

               }catch (NamingException e) {

                    System.err.println("Problem adding user to group: " + e);

               }

               //Could have put tls.close()  prior to the group modification

               //but it seems to screw up the connection  or context ?

               tls.close();

               ctx.close();

               System.out.println("Successfully created User: " + userName);

          }

          catch (NamingException e) {

               System.err.println("Problem creating object: " + e);

          }

          catch (IOException e) {

               System.err.println("Problem creating object: " + e);

          }

     }

}