Change photo on AD user account from Linux shell
You need a photo of a suitably small size, probably 100x100 or smaller. I heard of a size limit of 10KB, but my reference photo was 2KB. Install openldap-clients, or the appropriate package for your distribution, to get the ldapmodify command. You will need the reference photo, which I will call input.jpg.
$ file input.jpg
input.jpg: JPEG image data, JFIF standard 1.01
Convert it to base64 with no line wrapping.
$ base64 -w0 < input.jpg > photo.ldif
And now, add the LDIF directives to the photo.ldif file, so that it looks like this:
# The double colon (::) after the attribute name marks the value as base64-encoded.
dn: CN=Example user,OU=Users,DC=example,DC=com
changetype: modify
add: thumbnailPhoto
thumbnailPhoto:: /9j/BASE64CONTENTHERE,ONONELINE

Observe that there is a blank line after the attribute being modified. If you're using Kerberos auth, make sure you have a ticket with kinit $LDAPUSER. Run the ldapmodify command!
$ ldapmodify -v -f photo.ldif -H ldaps://example.com -O maxssf=0 -Y gssapi
To use simple binding, you would want a command more like this:
$ ldapmodify -v -f photo.ldif -H ldaps://example.com -O maxssf=0 -x -W -D 'CN=Example user,OU=Users,DC=example,DC=com'
This works because in Active Directory a user has the permissions (NTACLs) to update certain attributes for himself.
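The manual steps above can be wrapped in one shell function that checks the input before writing the LDIF. This is an added example, not code from the original post: make_photo_ldif and MAX_BYTES are hypothetical names, the 10240-byte default is the 10KB limit mentioned above taken as an assumption, and it writes replace instead of add so the change applies whether or not a photo is already set.

```shell
#!/bin/sh
# Added example, not from the original post. make_photo_ldif and MAX_BYTES
# are hypothetical names; 10240 assumes the 10KB limit mentioned in the post.
MAX_BYTES=${MAX_BYTES:-10240}

# make_photo_ldif DN JPEG_FILE OUT_LDIF
# Returns 0: LDIF written, 1: not a JPEG, 2: too large, 3: unsafe DN.
make_photo_ldif() {
    mpl_dn=$1; mpl_jpg=$2; mpl_out=$3

    # JPEG files start with the bytes FF D8 FF; refuse anything else.
    mpl_magic=$(head -c 3 "$mpl_jpg" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$mpl_magic" = "ffd8ff" ] || { echo "not a JPEG: $mpl_jpg" >&2; return 1; }

    # Enforce the size limit before building the LDIF.
    mpl_size=$(( $(wc -c < "$mpl_jpg") ))
    [ "$mpl_size" -le "$MAX_BYTES" ] || { echo "photo is $mpl_size bytes, limit $MAX_BYTES" >&2; return 2; }

    # A newline in the DN would start a new LDIF line and inject directives.
    [ "$(printf '%s' "$mpl_dn" | wc -l)" -eq 0 ] || { echo "DN contains a newline" >&2; return 3; }

    {
        printf 'dn: %s\n' "$mpl_dn"
        printf 'changetype: modify\n'
        # replace sets the value whether or not one is already present.
        printf 'replace: thumbnailPhoto\n'
        # Double colon: the value that follows is base64-encoded binary.
        printf 'thumbnailPhoto:: %s\n' "$(base64 -w0 < "$mpl_jpg")"
        # "-" ends this modification; the blank line ends the record.
        printf '%s\n\n' '-'
    } > "$mpl_out"
}

# Usage: make_photo_ldif 'CN=Example user,OU=Users,DC=example,DC=com' input.jpg photo.ldif
```

The resulting photo.ldif is passed to either ldapmodify command shown above.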
References
Original research
Refresher on ldif syntax: https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system