Ah ha. Thanks everyone for the detailed responses. I just love it when I get
things syntactically correct but functionally wrong.
:-/
AG
________________________________
From: Glenn Lamb [mailto:glennlamb@xxxxxxxxxxxx]
Sent: Thu 9/28/2006 1:12 PM
To: Giuoco, Aaron
Cc: perl-ldap@xxxxxxxx
Subject: Re: Adding groups to a user account
AD doesn't keep track of group membership on the user object. It
does a little sleight-of-hand in the background when you query a
user object to show you what groups it's in. However, there's no
actual attribute on the user for that. This can most easily be
demonstrated if you have a multi-domain forest. If a user is in
a group in another domain, looking at memberOf on that user will
not list those groups.
To add a user to a group in AD you need to modify the member attribute
on the group object. If you have the LDAP object of the group in
$group and the user's DN in $userDN, then
$ldap->modify($group->dn(), add => { member => [ $userDN ] } );
will work.
On Sep 28, 2006, at 10:34 AM, Giuoco, Aaron wrote:
> Hi all,
>
> I am trying to add groups to a user account on a Windows 2003 Active
> Directory server. Every time I run my code, I get the following error
> message:
>
> ERROR: 0000209A: SvcErr: DSID-031A0DD5, problem 5003
> (WILL_NOT_PERFORM),
> data 0
>
> Below is the code that triggers this message:
>
> ----Begin Code----
> my $message = $ldap->modify($entry->dn(), add => { memberOf =>
> $groupsArray });
> if ($message->is_error()) {
> return "ERROR: " . $message->error() . "\n";
> } else {
> return 1;
> }
> ----End Code----
>
> The $ldap object is valid and the user object ($entry) is also valid. I
> tested both of them earlier in the script. $groupsArray is a reference
> to an array containing the DNs of the groups I am trying to add to this
> user account.
>
> Just to test, I also created a foreach() and tried to add each group DN
> one at a time. It fails when trying to add the first group. It looks
> like it won't let me modify the memberOf property for some reason, but
> that doesn't make sense to me as I am connecting as a Domain Admin.
>
> Any idea as to what I'm doing wrong? Thanks in advance.
>
> ___________________________
> Aaron Giuoco
> Systems Admin
> Atlantia Offshore Limited
> e: agiuoco@xxxxxxxxxxxx
> ph: 281-899-4385
--
Glenn Lamb
Systems Administrator
glennlamb@xxxxxxxxxxxx
http://www.stanford.edu/~glamb/gpg.txt
CE4B 7186 D8FD 317F 8364 12CD 02BB ED17 F3E8 555C
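
The fix described in this thread, written out as an added example (not code from either poster): the user's DN is added to each group's member attribute, one modify per group, and every result is checked. The AD_URI, AD_BIND_DN and AD_BIND_PW environment variables and the command-line layout are assumptions, as is treating the two "exists" result codes as "already a member".

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_ALREADY_EXISTS LDAP_TYPE_OR_VALUE_EXISTS);

# Add $user_dn to the "member" attribute of each group, one modify per group,
# so a failure on one group does not hide the outcome for the others.
# Returns a hash ref: group DN => 'added' | 'already a member' | 'ERROR: ...'.
sub add_user_to_groups {
    my ($ldap, $user_dn, @group_dns) = @_;
    my %status;
    for my $group_dn (@group_dns) {
        my $msg  = $ldap->modify($group_dn, add => { member => [ $user_dn ] });
        my $code = $msg->code;
        if ($code == 0) {
            $status{$group_dn} = 'added';
        }
        elsif ($code == LDAP_ALREADY_EXISTS || $code == LDAP_TYPE_OR_VALUE_EXISTS) {
            # Assumption: either code means the DN is already listed in member.
            $status{$group_dn} = 'already a member';
        }
        else {
            $status{$group_dn} = 'ERROR: ' . $msg->error;
        }
    }
    return \%status;
}

# Hypothetical invocation: connection details come from the environment,
# the user DN and group DNs from the command line.
my ($uri, $bind_dn, $bind_pw) = @ENV{qw(AD_URI AD_BIND_DN AD_BIND_PW)};
my ($user_dn, @group_dns) = @ARGV;
die "usage: AD_URI=... AD_BIND_DN=... AD_BIND_PW=... $0 USER_DN GROUP_DN...\n"
    unless $uri && $bind_dn && defined $bind_pw && $user_dn && @group_dns;

my $ldap = Net::LDAP->new($uri) or die "connect failed: $@\n";
my $bind = $ldap->bind($bind_dn, password => $bind_pw);
die 'bind failed: ' . $bind->error . "\n" if $bind->code;

my $status = add_user_to_groups($ldap, $user_dn, @group_dns);
print "$_: $status->{$_}\n" for sort keys %$status;
$ldap->unbind;
```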