Creating an Active Directory group using Net::LDAP

Discussion in 'Perl Misc' started by A. Farber, Mar 13, 2009.

  1. A. Farber

    A. Farber Guest

    Hello,

    sorry for the partly off-topic question, but can anyone
    please share some code for creating a new group in AD?
    I'm taking http://techtasks.com/code/viewbookcode/1616
    as a base and I think I'm missing something minor:

    use constant ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP => 4;
    use constant ADS_GROUP_TYPE_GLOBAL_GROUP       => 2;
    use constant ADS_GROUP_TYPE_LOCAL_GROUP        => 4;
    use constant ADS_GROUP_TYPE_SECURITY_ENABLED   => -2147483648;
    use constant ADS_GROUP_TYPE_UNIVERSAL_GROUP    => 8;
    ......
    my $result = $ldap->add($dn, attrs => [
        samAccountName => $Name,
        groupType      => ADS_GROUP_TYPE_LOCAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED,
        description    => '',
    ] );

    This gives me:
    00000057: LdapErr: DSID-0C090B38, comment: Error in attribute
    conversion operation, data 0, vece

    I asked on the perl-ldap list yesterday, but no reply yet.

    Thank you
    Alex

    PS: My full code is listed below:

    #!/usr/bin/perl -wT

    use strict;
    use POSIX qw(strftime);
    use Net::NIS;
    use Net::LDAPS;

    # Target container for the imported groups, the AD domain and the DCs to try
    use constant ROOTDN => 'OU=NIS Groups,DC=internal,DC=mycompany,DC=com';
    use constant DOMAIN => 'internal.mycompany.com';
    use constant SERVER => [ map { "ablwdc0$_." . DOMAIN } 1..5 ];
    use constant ADMIN  => 'XXXX';
    use constant ADMPW  => 'XXXX';

    # groupType flags (ADS_GROUP_TYPE_ENUM)
    use constant ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP => 4;
    use constant ADS_GROUP_TYPE_GLOBAL_GROUP       => 2;
    use constant ADS_GROUP_TYPE_LOCAL_GROUP        => 4;
    use constant ADS_GROUP_TYPE_SECURITY_ENABLED   => -2147483648;
    use constant ADS_GROUP_TYPE_UNIVERSAL_GROUP    => 8;

    # ADMPW is stored ROT13-encoded (obfuscation only); undo it before binding
    my $rot13;
    ($rot13 = ADMPW) =~ y/A-Za-z/N-ZA-Mn-za-m/;

    # Connect over LDAPS to the first reachable DC and bind as ADMIN@DOMAIN.
    # bind() returns a message object even on failure, so check its result code.
    my $ldap = Net::LDAPS->new(SERVER) or
        die('Can not connect to LDAP server');
    my $mesg = $ldap->bind(ADMIN . '@' . DOMAIN, password => $rot13);
    $mesg->code and
        die('Can not bind to LDAP server as ' . ADMIN . ': ' . $mesg->error);

    # Walk the NIS group map; each value is name:passwd:gid:member,member,...
    tie my %passwd, 'Net::NIS', 'group.byname' or
        die "Cannot tie to group YP map: $yperr\n";

    while (my ($key, $value) = each %passwd) {
        my ($Name, $GidNumber, $PosixMember) = (split ':', $value)[0, 2, 3];
        my $members = defined $PosixMember ? [ split ',', $PosixMember ] : [];
        my $dn = "cn=$Name," . ROOTDN;

        my $result = $ldap->add($dn, attrs => [
            msSFU30Name      => $Name,
            msSFU30GidNumber => $GidNumber,
            msSFU30NisDomain => 'internal',
            #msSFU30PosixMember => $members,
            #objectCategory => 'Group',
            #objectClass => [ qw(top person organizationalPerson group) ],
            samAccountName => $Name,
            groupType      => ADS_GROUP_TYPE_LOCAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED,
            description    => '',
        ] );

        $result->code && print STDERR 'Failed to add group: ', $result->error, "\n";
    }

    $ldap->unbind();
    A. Farber, Mar 13, 2009
    #1

  2. A. Farber

    A. Farber Guest

    On Mar 13, 10:01 am, "A. Farber" <> wrote:
    > use constant ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP => 1;
    > use constant ADS_GROUP_TYPE_GLOBAL_GROUP       => 2;
    > use constant ADS_GROUP_TYPE_LOCAL_GROUP        => 4;
    > use constant ADS_GROUP_TYPE_SECURITY_ENABLED   => -2147483648;
    > use constant ADS_GROUP_TYPE_UNIVERSAL_GROUP    => 8;
    > .....
    >         my $result = $ldap->add($dn, attrs => [
    >                 samAccountName => $Name,
    >                 groupType => ADS_GROUP_TYPE_LOCAL_GROUP|
    > ADS_GROUP_TYPE_SECURITY_ENABLED,
    >                 description => '',
    >         ] );
    >


    Ok, I was missing 'cn':

    use constant USERDN => 'CN=%s,OU=Imported,OU=User Accounts,DC=internal,DC=mycompany,DC=com';
    use Data::Dumper;
    ......
        # first create the group
        my $result = $ldap->add($dn, attrs => [
            cn               => $Name,
            msSFU30Name      => $Name,
            msSFU30GidNumber => $GidNumber,
            msSFU30NisDomain => 'internal',
            objectClass      => [ qw(top group) ],
            samAccountName   => $Name,
            groupType        => ADS_GROUP_TYPE_GLOBAL_GROUP | ADS_GROUP_TYPE_SECURITY_ENABLED,
            description      => "NIS group $Name",
        ] );

        if ($result->code) {
            print STDERR 'Failed to create group: ', $result->error, "\n";
            next;
        }

        # then try to add members (some might be missing under USERDN)
        my $members = defined $PosixMember ?
            [ map { sprintf USERDN, $_ } split ',', $PosixMember ] : [];
        print 'Adding members: ', Dumper($members), "\n";

        $result = $ldap->modify($dn, replace => {
            msSFU30PosixMember => $members,
        } );

        $result->code && print STDERR 'Failed to add members: ', $result->error, "\n";
    A. Farber, Mar 13, 2009
    #2
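Added example, written here and not code from the thread: the groupType handling of both posts carried through in plain Perl without a directory connection. It folds the ORed flags back into the signed 32-bit range AD stores groupType in (Perl's bitwise OR is unsigned, so with the thread's -2147483648 constant the raw OR with the global flag is 18446744071562067970 on a 64-bit perl rather than -2147483646), decodes a stored value back into scope and security/distribution kind the way a group audit would, and assembles the second post's attribute list with the required cn, objectClass and sAMAccountName while refusing zero-length values, which AD does not accept. The group name, gidNumber and NIS domain passed in at the bottom are constructed sample values.

```perl
use strict; use warnings;
# groupType flags as defined in the thread; AD stores groupType as a signed 32-bit integer.
use constant ADS_GROUP_TYPE_GLOBAL_GROUP     => 2;
use constant ADS_GROUP_TYPE_SECURITY_ENABLED => -2147483648;

# OR the flags together, then fold the result into the signed 32-bit range AD expects.
# Perl's bitwise OR treats operands as unsigned, so -2147483648 | 2 evaluates to
# 18446744071562067970 on a 64-bit perl (2147483650 on a 32-bit one); AD needs -2147483646.
sub group_type {
    my $bits = 0;
    $bits |= $_ for @_;
    $bits &= 0xFFFFFFFF;                                       # keep the 32 bits AD stores
    return $bits >= 2147483648 ? $bits - 4294967296 : $bits;   # reinterpret as signed
}

# Decode a groupType value read back from AD into scope and kind, e.g. for a group audit.
sub decode_group_type {
    my ($value) = @_;
    my $u = $value & 0xFFFFFFFF;                               # unsigned view for masking
    my %scope = (2 => 'global', 4 => 'domain local', 8 => 'universal');
    my $kind  = ($u & 0x80000000) ? 'security' : 'distribution';
    return "$kind group, " . ($scope{ $u & 0xE } || 'unknown') . ' scope';
}

# Attribute list for Net::LDAP->add() as in the second post: cn, objectClass and
# sAMAccountName are required, and AD refuses zero-length values, so those are caught first.
sub group_attrs {
    my ($name, $gid, $nis_domain) = @_;
    my @attrs = (
        cn               => $name,
        objectClass      => [qw(top group)],
        sAMAccountName   => $name,
        groupType        => group_type(ADS_GROUP_TYPE_GLOBAL_GROUP,
                                       ADS_GROUP_TYPE_SECURITY_ENABLED),
        msSFU30Name      => $name,
        msSFU30GidNumber => $gid,
        msSFU30NisDomain => $nis_domain,
        description      => "NIS group $name",
    );
    for (my $i = 0; $i < @attrs; $i += 2) {
        my ($k, $v) = @attrs[$i, $i + 1];
        die "attribute $k has an empty value\n"
            if grep { !defined $_ || $_ eq '' } (ref $v ? @$v : $v);
    }
    return \@attrs;
}

# Constructed sample values; nothing here talks to a directory.
my $gt = group_type(ADS_GROUP_TYPE_GLOBAL_GROUP, ADS_GROUP_TYPE_SECURITY_ENABLED);
printf "groupType %d is a %s\n", $gt, decode_group_type($gt);
my $attrs = group_attrs('wheel', 10, 'internal');             # would be passed as attrs => $attrs
```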
