Change photo on AD user account from Linux shell

You need a small photo. Outlook and Exchange display thumbnailPhoto at 96×96 pixels and expect the attribute to stay under 10 KB, so resize and recompress before you start; the attribute itself accepts considerably more, but anything larger than what Outlook will show is just extra bytes replicated to every domain controller. My reference photo was 2 KB.

Install openldap-clients (RHEL/Fedora) or ldap-utils (Debian/Ubuntu), or the appropriate package on your distribution, to get the ldapmodify command.

You will need the reference photo, which I will call input.jpg.

$ file input.jpg
input.jpg: JPEG image data, JFIF standard 1.01

Encode it with base64 with no line wrapping, into a scratch file:

$ base64 -w0 < input.jpg > photo.b64

And now, write photo.ldif with the modify commands, pasting the contents of photo.b64 on the thumbnailPhoto line:

dn: CN=Example user,OU=Users,DC=example,DC=com
changetype: modify
replace: thumbnailPhoto
thumbnailPhoto:: /9j/BASE64CONTENTHERE,ONONELINE

Two details matter here. The double colon after thumbnailPhoto is the LDIF marker for a base64-encoded value: ldapmodify decodes it and sends the raw JPEG bytes. With a single colon the base64 text itself would be stored as the photo. And it is replace rather than add, because thumbnailPhoto is single-valued in AD, so add fails if Exchange or a previous run has already set one. Observe also that the whole value must be on one line and that there is a blank line after the record. If you would rather skip the base64 step, OpenLDAP's ldapmodify also accepts thumbnailPhoto:< file:///path/to/input.jpg and reads the bytes from the file itself.

If you're using Kerberos auth, make sure you have a ticket (kinit $LDAPUSER, or kinit user@EXAMPLE.COM with the realm in capitals). Then run ldapmodify:

ldapmodify -v -f photo.ldif -H ldaps://example.com -O maxssf=0 -Y gssapi

The -O maxssf=0 is there because the connection is already TLS: AD refuses to negotiate a GSSAPI sign/seal layer on top of ldaps, so you have to tell SASL not to ask for one. Don't carry that option over to a plain ldap:// URL, where it would leave the traffic unprotected.

To use simple binding instead, you would want a command more like this (-W prompts for the password; AD also accepts the UPN form user@example.com as the -D value):

ldapmodify -v -f photo.ldif -H ldaps://example.com -x -W -D 'CN=Example user,OU=Users,DC=example,DC=com'

This works without any delegated rights because the default security descriptor on AD user objects grants the SELF principal write access to a small set of personal-information attributes, and thumbnailPhoto is one of them. The same ACE is what lets every user change their own photo, so if you care what ends up in the directory, enforce the format and size on the way in rather than trusting the client.
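Putting the steps above together, here is an added example script (not from the original post) that checks the photo, writes the LDIF with the base64 marker, and pushes it with a Kerberos bind over ldaps. The DN, the host dc01.example.com, the output file photo.ldif and the 10 KB cut-off it enforces are assumptions for the example; the ldapmodify options are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post: build a thumbnailPhoto LDIF for
# an AD user and push it with ldapmodify. DN, host and file names are
# placeholders to replace.

# check_photo FILE: refuse anything that is not a JPEG (magic bytes FF D8 FF)
# or is over 10 KB, the size Exchange/Outlook expect for thumbnailPhoto.
check_photo() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    magic=$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "ffd8ff" ] || { echo "$f: not a JPEG" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -le 10240 ] || { echo "$f: $size bytes, over 10 KB" >&2; return 1; }
    return 0
}

# make_photo_ldif DN FILE: write the modify record to stdout.
#  - "replace", not "add": thumbnailPhoto is single-valued, so "add" fails
#    when a photo is already set.
#  - "thumbnailPhoto::" (double colon) marks a base64 value that ldapmodify
#    decodes; a single colon would store the base64 text as the photo.
#  - base64 | tr -d '\n' rather than base64 -w0 so it also works on BSD/macOS.
make_photo_ldif() {
    dn=$1
    f=$2
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'replace: thumbnailPhoto\n'
    printf 'thumbnailPhoto:: %s\n' "$(base64 < "$f" | tr -d '\n')"
    printf -- '-\n'
    printf '\n'
}

# push_photo LDIF HOST: Kerberos bind over ldaps. maxssf=0 is acceptable only
# because ldaps:// already encrypts; AD rejects a second GSSAPI sign/seal
# layer on top of TLS. Never use it with a plain ldap:// URL.
push_photo() {
    ldif=$1
    host=$2
    ldapmodify -v -H "ldaps://$host" -O maxssf=0 -Y gssapi -f "$ldif"
}

# usage (after kinit):
#   ./set-photo.sh 'CN=Example user,OU=Users,DC=example,DC=com' input.jpg dc01.example.com
main() {
    dn=$1
    photo=$2
    host=$3
    check_photo "$photo" || exit 1
    make_photo_ldif "$dn" "$photo" > photo.ldif
    push_photo photo.ldif "$host"
}

if [ $# -eq 3 ]; then
    main "$@"
fi
```

Because the value goes through base64 and back, any JPEG that passes check_photo is stored byte-for-byte; if you want to double-check what a domain controller holds afterwards, ldapsearch prints the attribute with the same double-colon base64 form, ready to decode with base64 -d.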

References

Original research
Refresher on ldif syntax: https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system
