Creating an Active Directory group using Net::LDAP


A. Farber

Hello,

sorry for the partly off-topic question, but can anyone
please share code for creating a new group in AD?
I'm taking http://techtasks.com/code/viewbookcode/1616
as a base and I think I'm missing something minor:

use constant ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP => 4;
use constant ADS_GROUP_TYPE_GLOBAL_GROUP       => 2;
use constant ADS_GROUP_TYPE_LOCAL_GROUP        => 4;
use constant ADS_GROUP_TYPE_SECURITY_ENABLED   => -2147483648;
use constant ADS_GROUP_TYPE_UNIVERSAL_GROUP    => 8;
......
my $result = $ldap->add($dn, attrs => [
    samAccountName => $Name,
    groupType      => ADS_GROUP_TYPE_LOCAL_GROUP |
                      ADS_GROUP_TYPE_SECURITY_ENABLED,
    description    => '',
] );

This gives me:
00000057: LdapErr: DSID-0C090B38, comment: Error in attribute
conversion operation, data 0, vece

I asked on the perl-LDAP list yesterday, but there's no reply yet.

Thank you
Alex

PS: My full code is listed below:

#!/usr/bin/perl -wT

use strict;
use POSIX qw(strftime);
use Net::NIS;
use Net::LDAPS;

# Container the imported groups are created in (the OU name contains a space)
use constant ROOTDN => 'OU=NIS Groups,DC=internal,DC=mycompany,DC=com';
use constant DOMAIN => 'internal.mycompany.com';
use constant SERVER => [ map { "ablwdc0$_." . DOMAIN } 1..5 ];
use constant ADMIN  => 'XXXX';
use constant ADMPW  => 'XXXX';

use constant ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP => 4;
use constant ADS_GROUP_TYPE_GLOBAL_GROUP       => 2;
use constant ADS_GROUP_TYPE_LOCAL_GROUP        => 4;
use constant ADS_GROUP_TYPE_SECURITY_ENABLED   => -2147483648;
use constant ADS_GROUP_TYPE_UNIVERSAL_GROUP    => 8;

# ADMPW is kept ROT13-obfuscated in the source; this only hides it from a
# casual glance, it is not encryption and the secret is still in the file
my $rot13;
($rot13 = ADMPW) =~ y/A-Za-z/N-ZA-Mn-za-m/;

# Net::LDAPS tries each host in the SERVER list in turn; it does not verify
# the server certificate unless the verify/cafile options are passed
my $ldap = Net::LDAPS->new(SERVER) or
    die('Can not connect to LDAP server');
# bind() returns a Net::LDAP::Message object, which is always true, so the
# result code has to be checked explicitly
my $bind = $ldap->bind(ADMIN . '@' . DOMAIN, password => $rot13);
$bind->code and
    die('Can not bind to LDAP server as ' . ADMIN . ': ' . $bind->error);

# NIS group map entries look like: name:password:gid:member1,member2,...
tie my %group, 'Net::NIS', 'group.byname' or
    die "Cannot tie to group YP map: $Net::NIS::yperr\n";

while (my ($key, $value) = each %group) {
    my ($Name, $GidNumber, $PosixMember) = (split ':', $value)[0, 2, 3];
    my $members = defined $PosixMember ? [ split ',', $PosixMember ] : [];
    my $dn = "cn=$Name," . ROOTDN;

    my $result = $ldap->add($dn, attrs => [
        msSFU30Name      => $Name,
        msSFU30GidNumber => $GidNumber,
        msSFU30NisDomain => 'internal',
        #msSFU30PosixMember => $members,
        #objectCategory => 'Group',
        #objectClass => [ qw(top person organizationalPerson group) ],
        samAccountName   => $Name,
        groupType        => ADS_GROUP_TYPE_LOCAL_GROUP |
                            ADS_GROUP_TYPE_SECURITY_ENABLED,
        description      => '',
    ] );

    $result->code && print STDERR 'Failed to add group: ', $result->error, "\n";
}

$ldap->unbind();
 

A. Farber

use constant ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP => 4;  # bit 0x1 marks a built-in (system-created) group, not domain local
use constant ADS_GROUP_TYPE_GLOBAL_GROUP       => 2;
use constant ADS_GROUP_TYPE_LOCAL_GROUP        => 4;
use constant ADS_GROUP_TYPE_SECURITY_ENABLED   => -2147483648;
use constant ADS_GROUP_TYPE_UNIVERSAL_GROUP    => 8;
.....
        my $result = $ldap->add($dn, attrs => [
                samAccountName => $Name,
                groupType      => ADS_GROUP_TYPE_LOCAL_GROUP |
                                  ADS_GROUP_TYPE_SECURITY_ENABLED,
                description    => '',
        ] );

Ok, I was missing 'cn':

use Data::Dumper;
use Net::LDAP::Util qw(escape_dn_value);

# sprintf template for the DN of an imported user (the OU name contains a space)
use constant USERDN => 'CN=%s,OU=Imported,OU=User Accounts,DC=internal,DC=mycompany,DC=com';
......
# first create the group
my $result = $ldap->add($dn, attrs => [
    cn               => $Name,     # must match the RDN of $dn
    msSFU30Name      => $Name,
    msSFU30GidNumber => $GidNumber,
    msSFU30NisDomain => 'internal',
    objectClass      => [ qw(top group) ],
    samAccountName   => $Name,
    groupType        => ADS_GROUP_TYPE_GLOBAL_GROUP |
                        ADS_GROUP_TYPE_SECURITY_ENABLED,
    description      => "NIS group $Name",
] );

if ($result->code) {
    print STDERR 'Failed to create group: ', $result->error, "\n";
    next;
}

# then try to add members (some might be missing under USERDN);
# the NIS user name is escaped before it becomes part of a DN
my $members = defined $PosixMember ?
    [ map { sprintf USERDN, escape_dn_value($_) } split ',', $PosixMember ] : [];
print 'Adding members: ', Dumper($members), "\n";

$result = $ldap->modify($dn, replace => {
    msSFU30PosixMember => $members,
} );

$result->code && print STDERR 'Failed to add members: ', $result->error, "\n";
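
The following is an added example, not code from this thread or from the techtasks.com page it builds on. It shows the pieces both posts above circle around: the attributes AD needs on a new group (objectClass, cn matching the RDN, sAMAccountName, groupType), how to compute groupType as the signed 32-bit value AD stores (a global security group is -2147483646; note that "-2147483648 | 2" in Perl performs the OR on an unsigned integer, which on a 64-bit perl is no longer a 32-bit value), why a zero-length description is left out (AD rejects empty attribute values), and adding members with one modify per DN so a missing user can be reported instead of failing the whole list. It uses the standard `member` attribute rather than the msSFU30 NIS attributes of the thread. The environment variable names (AD_HOST, AD_CAFILE, AD_BIND_DN, AD_BIND_PW, AD_GROUP_DN, AD_USER_DN), the group name nis-wheel and the members alice and bob are assumptions for illustration; the encode/decode helpers run offline, the directory part only when AD_HOST is set.

```perl
#!/usr/bin/perl
# Added example, not code from the thread.  Connection details come from
# assumed environment variables: AD_HOST, AD_CAFILE, AD_BIND_DN, AD_BIND_PW,
# AD_GROUP_DN (container for groups) and AD_USER_DN (container for users).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_ALREADY_EXISTS LDAP_TYPE_OR_VALUE_EXISTS);

# groupType flag bits from the AD schema, kept as non-negative hex values
use constant {
    GROUP_BUILTIN_LOCAL    => 0x00000001,
    GROUP_GLOBAL           => 0x00000002,
    GROUP_DOMAIN_LOCAL     => 0x00000004,
    GROUP_UNIVERSAL        => 0x00000008,
    GROUP_SECURITY_ENABLED => 0x80000000,
};
my @FLAGS = (
    [ GROUP_BUILTIN_LOCAL,    'BUILTIN_LOCAL'    ],
    [ GROUP_GLOBAL,           'GLOBAL'           ],
    [ GROUP_DOMAIN_LOCAL,     'DOMAIN_LOCAL'     ],
    [ GROUP_UNIVERSAL,        'UNIVERSAL'        ],
    [ GROUP_SECURITY_ENABLED, 'SECURITY_ENABLED' ],
);

# OR the flags, then reinterpret the 32-bit pattern as a signed integer,
# which is the form AD stores and accepts on the wire
sub group_type {
    my $bits = 0;
    $bits |= $_ for @_;
    return unpack 'l', pack 'L', $bits;
}

# Inverse: turn the groupType string AD returns into a list of flag names
sub decode_group_type {
    my ($value) = @_;
    my $bits = unpack 'L', pack 'l', $value;
    return [ map { $_->[1] } grep { $bits & $_->[0] } @FLAGS ];
}

# Create a global security group; description is sent only when non-empty
# because AD refuses zero-length attribute values
sub create_group {
    my ($ldap, $dn, $name, $description) = @_;
    my $res = $ldap->add($dn, attrs => [
        objectClass    => [qw(top group)],
        cn             => $name,      # must equal the RDN value of $dn
        sAMAccountName => $name,
        groupType      => group_type(GROUP_GLOBAL, GROUP_SECURITY_ENABLED),
        (length($description // '') ? (description => $description) : ()),
    ]);
    return 'exists' if $res->code == LDAP_ALREADY_EXISTS;
    die "add $dn: " . $res->error . "\n" if $res->code;
    return 'created';
}

# One 'add' modify per member DN instead of one 'replace' for the whole
# list, so a single bad DN does not discard the others; returns the
# failures as { dn => error message }
sub add_members {
    my ($ldap, $group_dn, @member_dns) = @_;
    my %failed;
    for my $member (@member_dns) {
        my $res = $ldap->modify($group_dn, add => { member => $member });
        next if $res->code == LDAP_SUCCESS
             || $res->code == LDAP_TYPE_OR_VALUE_EXISTS;   # already a member
        $failed{$member} = $res->error;
    }
    return \%failed;
}

# Read the group back and decode what AD actually stored
sub read_group_type {
    my ($ldap, $dn) = @_;
    my $res = $ldap->search(base => $dn, scope => 'base',
                            filter => '(objectClass=group)', attrs => ['groupType']);
    die "search $dn: " . $res->error . "\n" if $res->code;
    my $entry = $res->entry(0) or die "$dn not found\n";
    return decode_group_type($entry->get_value('groupType'));
}

unless (caller) {
    # Offline: encoding round trip for a global security group
    my $gt = group_type(GROUP_GLOBAL, GROUP_SECURITY_ENABLED);
    printf "groupType %d decodes to %s\n", $gt, join '|', @{ decode_group_type($gt) };

    # Directory part, only when the assumed AD_* variables are set
    if (my $host = $ENV{AD_HOST}) {
        my $ldap = Net::LDAP->new($host, scheme => 'ldaps', version => 3,
                                  verify => 'require', cafile => $ENV{AD_CAFILE})
            or die "connect to $host: $@\n";
        my $bind = $ldap->bind($ENV{AD_BIND_DN}, password => $ENV{AD_BIND_PW});
        die 'bind: ' . $bind->error . "\n" if $bind->code;

        my $name = 'nis-wheel';                      # constructed sample group
        my $dn   = 'CN=' . escape_dn_value($name) . ',' . $ENV{AD_GROUP_DN};
        printf "%s: %s\n", $dn, create_group($ldap, $dn, $name, "NIS group $name");
        my $failed = add_members($ldap, $dn,
            map { 'CN=' . escape_dn_value($_) . ',' . $ENV{AD_USER_DN} } qw(alice bob));
        print "could not add $_: $failed->{$_}\n" for sort keys %$failed;
        print 'stored groupType: ', join('|', @{ read_group_type($ldap, $dn) }), "\n";
        $ldap->unbind;
    }
}
```

The read-back step is the check worth keeping in any provisioning script: comparing the decoded flags against what was requested catches both the unsigned-OR mistake and a schema that silently defaulted groupType. With `verify => 'require'` the LDAPS connection fails unless AD_CAFILE points at a CA bundle that signs the domain controller's certificate, which is the intended behaviour for a script that carries admin credentials.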
 
