Hi,

On Thursday, 28. September 2006 19:34, Giuoco, Aaron wrote:
> I am trying to add groups to a user account on a Windows 2003 Active
> Directory server. Every time I run my code, I get the following error
> message:
>
> ERROR: 0000209A: SvcErr: DSID-031A0DD5, problem 5003 (WILL_NOT_PERFORM),
> data 0
>
> Below is the code that triggers this message:
>
> ----Begin Code----
> my $message = $ldap->modify($entry->dn(), add => { memberOf =>
> $groupsArray });
> if ($message->is_error()) {
>     return "ERROR: " . $message->error() . "\n";
> } else {
>     return 1;
> }
> ----End Code----
>
> The $ldap object is valid and the user object ($entry) is also valid. I
> tested both of them earlier in the script. $groupsArray is a reference
> to an array containing the DNs of the groups I am trying to add to this
> user account.
>
> Just to test, I also created a foreach() and tried to add each group DN
> one at a time. It fails when trying to add the first group. It looks
> like it won't let me modify the memberOf property for some reason, but
> that doesn't make sense to me as I am connecting as a Domain Admin.
>
> Any idea as to what I'm doing wrong? Thanks in advance.

You did nothing wrong. AFAICT the code is OK and perl-ldap is working O.K. as well.
It is just that AD does not support this operation.

IIRC ADS keeps referential integrity. I.e. if you add a user to a group, the user's memberOf attribute will be updated accordingly.

Try it the other way 'round: add the user's DN to the member attribute of the groups and check the memberOf attribute afterwards.

Regards
PEter
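
The approach suggested in the reply, written out as an added example that is not part of the original thread: it adds the user's DN to each group's member attribute and then reads the user's memberOf back. The server URI, bind DN, user and group DNs and the AD_PASSWORD environment variable are placeholders, and the handling of duplicate-member result codes is an assumption.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_ALREADY_EXISTS LDAP_TYPE_OR_VALUE_EXISTS);

# Add $user_dn to the 'member' attribute of every group in @$group_dns.
# Returns a hash ref: group DN => 'added' | 'already member' | error text.
sub add_user_to_groups {
    my ($ldap, $user_dn, $group_dns) = @_;
    my %result;
    for my $group_dn (@$group_dns) {
        my $msg = $ldap->modify($group_dn, add => { member => [ $user_dn ] });
        if (!$msg->is_error()) {
            $result{$group_dn} = 'added';
        } elsif ($msg->code() == LDAP_ALREADY_EXISTS
              || $msg->code() == LDAP_TYPE_OR_VALUE_EXISTS) {
            # Assumption: an existing membership is reported with one of these codes.
            $result{$group_dn} = 'already member';
        } else {
            $result{$group_dn} = 'ERROR: ' . $msg->error();
        }
    }
    return \%result;
}

# Read the memberOf values of the user entry, which the server maintains itself.
sub read_member_of {
    my ($ldap, $user_dn) = @_;
    my $search = $ldap->search(base => $user_dn, scope => 'base',
                               filter => '(objectClass=*)', attrs => ['memberOf']);
    die 'ERROR: ' . $search->error() . "\n" if $search->is_error();
    my $entry = $search->entry(0) or return [];
    return [ $entry->get_value('memberOf') ];
}

# Placeholder connection details and DNs; replace with real values.
my $ldap = Net::LDAP->new('ldaps://dc.example.com') or die "connect failed: $@\n";
my $bind = $ldap->bind('CN=Admin,CN=Users,DC=example,DC=com',
                       password => $ENV{AD_PASSWORD});
die 'ERROR: ' . $bind->error() . "\n" if $bind->is_error();

my $user_dn = 'CN=Some User,CN=Users,DC=example,DC=com';
my @groups  = ('CN=Group A,OU=Groups,DC=example,DC=com',
               'CN=Group B,OU=Groups,DC=example,DC=com');

my $result = add_user_to_groups($ldap, $user_dn, \@groups);
print "$_: $result->{$_}\n" for sort keys %$result;
print "memberOf: $_\n" for @{ read_member_of($ldap, $user_dn) };
$ldap->unbind();
```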