rebind ActiveDirectory

eunever32

Hello

I have a requirement to update the members of an ActiveDirectory
workgroup using the Java API

The application currently reads from the ActiveDirectory but we have a
new requirement to write to it. (currently this is
done from Microsoft Console)

From sun website: http://java.sun.com/products/jndi/tutorial/objects/storing/index.html:
Windows Active Directory: Context.rebind() and DirContext.rebind() do
not work against Active Directory because these methods work by
reading the attributes of the entry to be updated, removing the entry,
and then adding a new entry that contains the modified attributes.
Active Directory returns some attributes that cannot be set by the
user, causing the final addition step to fail. The workaround for this
problem is to use DirContext.getAttributes() to obtain and save the
attributes that you want to keep. Then, remove the entry and add it
back with the saved attributes (and any others that you want to add)
using DirContext.bind().


This would suggest we need to
1. remove the workgroup
2. bind the workgroup with new attributes

Given the large number of users using ActiveDirectory for
authentication during the day it would seem unreasonable to delete the
workgroup (could result in unexpected behaviour for someone trying to
log in)
Also removing the workgroup would require more privileges than just
updating the members

So it seems unrealistic to try to use the Java API to update the
workgroups

Would others agree ?

Regards
 
Owen Jacobson

> Hello
>
> I have a requirement to update the members of an ActiveDirectory
> workgroup using the Java API
>
> The application currently reads from the ActiveDirectory but we have a
> new requirement to write to it. (currently this is
> done from Microsoft Console)
>
> From sun website: http://java.sun.com/products/jndi/tutorial/objects/storing/index.html:
> Windows Active Directory: Context.rebind() and DirContext.rebind() do
> not work against Active Directory because these methods work by
> reading the attributes of the entry to be updated, removing the entry,
> and then adding a new entry that contains the modified attributes.
> Active Directory returns some attributes that cannot be set by the
> user, causing the final addition step to fail. The workaround for this
> problem is to use DirContext.getAttributes() to obtain and save the
> attributes that you want to keep. Then, remove the entry and add it
> back with the saved attributes (and any others that you want to add)
> using DirContext.bind().
>
> This would suggest we need to
> 1. remove the workgroup
> 2. bind the workgroup with new attributes
>
> Given the large number of users using ActiveDirectory for
> authentication during the day it would seem unreasonable to delete the
> workgroup (could result in unexpected behaviour for someone trying to
> log in)
> Also removing the workgroup would require more privileges than just
> updating the members
>
> So it seems unrealistic to try to use the Java API to update the
> workgroups
>
> Would others agree ?

Reading between the lines a bit, it looks like you actually *can't*
duplicate an entry in AD using JNDI. The approach Sun recommends will
still fail to copy the attributes that "can't be set by the user".

Depending on how AD's ACLs work, you may be able to use rebind() or
the copy-delete-bind approach if you bind to the directory with
credentials that have directory admin privs. Try it with a dummy
workgroup first, obviously. Other than that, you may have to use AD-
specific APIs, which may or may not exist for Java yet.

-o
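
An added example, not code from either poster: JNDI's DirContext.modifyAttributes() changes individual attribute values in place, so a group's member list can be updated without the remove-and-bind cycle the quoted tutorial describes and without delete rights on the group entry. The class and method names are hypothetical, the DNs are constructed sample values, and updateGroup() assumes an already-authenticated DirContext for the directory.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

// Hypothetical helper class for illustration; not part of JNDI or of the thread.
public class GroupMemberUpdate {

    /** Builds the items for one LDAP modify request that touches only "member". */
    static ModificationItem[] memberChanges(List<String> addDns, List<String> removeDns) {
        List<ModificationItem> mods = new ArrayList<>();
        for (String dn : addDns) {
            // ADD_ATTRIBUTE appends a value; existing members are left untouched.
            mods.add(new ModificationItem(DirContext.ADD_ATTRIBUTE,
                    new BasicAttribute("member", dn)));
        }
        for (String dn : removeDns) {
            // REMOVE_ATTRIBUTE with a value removes only that value, not the attribute.
            mods.add(new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("member", dn)));
        }
        return mods.toArray(new ModificationItem[0]);
    }

    /** Applies the changes in place; the group entry is never removed or re-added. */
    static void updateGroup(DirContext ctx, String groupDn,
                            List<String> addDns, List<String> removeDns)
            throws NamingException {
        ModificationItem[] mods = memberChanges(addDns, removeDns);
        if (mods.length > 0) {
            ctx.modifyAttributes(groupDn, mods);
        }
    }

    public static void main(String[] args) {
        // Constructed sample DNs; no directory connection is made here.
        ModificationItem[] mods = memberChanges(
                List.of("CN=Alice Example,OU=Staff,DC=example,DC=com"),
                List.of("CN=Bob Example,OU=Staff,DC=example,DC=com"));
        for (ModificationItem m : mods) {
            String op = m.getModificationOp() == DirContext.ADD_ATTRIBUTE ? "add" : "remove";
            System.out.println(op + " " + m.getAttribute());
        }
    }
}
```

Because the request names only the member attribute, the account the application binds with needs write access to that attribute on the group and nothing broader.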
 
