Ah ha. Thanks everyone for the detailed responses. I just love it when I get things syntactically correct but functionally wrong. :-/

AG
________________________________
From: Glenn Lamb [mailto:[EMAIL PROTECTED]
Sent: Thu 9/28/2006 1:12 PM
To: Giuoco, Aaron
Cc: perl-ldap@perl.org
Subject: Re: Adding groups to a user account

AD doesn't keep track of group membership on the user object. It does a little sleight-of-hand in the background when you query a user object to show you what groups it's in. However, there's no actual attribute on the user for that. This can most easily be demonstrated if you have a multi-domain forest. If a user is in a group in another domain, looking at memberOf on that user will not list those groups.

To add a user to a group in AD you need to modify the member attribute on the group object. If you have the LDAP object of the group in $group and the user's DN in $userDN, then

    $ldap->modify($group->dn(), add => { member => [ $userDN ] } );

will work.

On Sep 28, 2006, at 10:34 AM, Giuoco, Aaron wrote:

> Hi all,
>
> I am trying to add groups to a user account on a Windows 2003 Active
> Directory server. Every time I run my code, I get the following error
> message:
>
> ERROR: 0000209A: SvcErr: DSID-031A0DD5, problem 5003 (WILL_NOT_PERFORM),
> data 0
>
> Below is the code that triggers this message:
>
> ----Begin Code----
> my $message = $ldap->modify($entry->dn(), add => { memberOf => $groupsArray });
> if ($message->is_error()) {
>     return "ERROR: " . $message->error() . "\n";
> } else {
>     return 1;
> }
> ----End Code----
>
> The $ldap object is valid and the user object ($entry) is also valid. I
> tested both of them earlier in the script. $groupsArray is a reference
> to an array containing the DNs of the groups I am trying to add to this
> user account.
>
> Just to test, I also created a foreach() and tried to add each group DN
> one at a time. It fails when trying to add the first group. It looks
> like it won't let me modify the memberOf property for some reason, but
> that doesn't make sense to me as I am connecting as a Domain Admin.
>
> Any idea as to what I'm doing wrong? Thanks in advance.
>
> ___________________________
> Aaron Giuoco
> Systems Admin
> Atlantia Offshore Limited
> e: [EMAIL PROTECTED]
> ph: 281-899-4385

-- 
Glenn Lamb
Systems Administrator
[EMAIL PROTECTED]
http://www.stanford.edu/~glamb/gpg.txt
CE4B 7186 D8FD 317F 8364 12CD 02BB ED17 F3E8 555C
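
An added example, not code from anyone in this thread: a helper that applies the advice above (write the group's member attribute, never the user's memberOf) to several groups and treats an existing membership as a no-op. The name add_user_to_groups, the StubLDAP/StubMsg classes and the DNs are constructed for illustration so the script runs without a directory; only the Net::LDAP modify()/code()/error() interface and the Net::LDAP::Constant names are real.

```perl
use strict;
use warnings;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_TYPE_OR_VALUE_EXISTS LDAP_ALREADY_EXISTS);

# Add one user DN to each group by writing the group's "member" attribute.
# $ldap is any object with Net::LDAP's modify() interface, already bound.
# Returns a hashref: group DN => 'added' | 'already-member' | 'error: ...'
sub add_user_to_groups {
    my ($ldap, $user_dn, @group_dns) = @_;
    my %result;
    for my $group_dn (@group_dns) {
        my $msg  = $ldap->modify($group_dn, add => { member => [ $user_dn ] });
        my $code = $msg->code;
        # AD reports a duplicate member as LDAP_ALREADY_EXISTS (68); other
        # servers typically use LDAP_TYPE_OR_VALUE_EXISTS (20).
        my $dup = $code == LDAP_ALREADY_EXISTS() || $code == LDAP_TYPE_OR_VALUE_EXISTS();
        $result{$group_dn} = $code == LDAP_SUCCESS() ? 'added'
                           : $dup                    ? 'already-member'
                           :                           'error: ' . $msg->error;
    }
    return \%result;
}

# Constructed stand-in for a bound Net::LDAP handle so the script runs offline.
# With a real directory, pass the handle from Net::LDAP->new(...) after bind(...).
{
    package StubLDAP;
    sub new    { bless { members => {} }, shift }
    sub modify {
        my ($self, $dn, %args) = @_;
        my ($user) = @{ $args{add}{member} };
        my $seen = $self->{members}{$dn}{$user}++;   # second add of same value fails
        return StubMsg->new($seen ? 68 : 0);
    }
    package StubMsg;
    sub new   { my ($class, $code) = @_; bless { code => $code }, $class }
    sub code  { $_[0]{code} }
    sub error { 'stub error ' . $_[0]{code} }
}

my $user_dn = 'CN=Test User,OU=Staff,DC=example,DC=com';   # constructed DN
my @groups  = ('CN=GroupA,OU=Groups,DC=example,DC=com',    # constructed DNs
               'CN=GroupB,OU=Groups,DC=example,DC=com');
my $ldap = StubLDAP->new;
add_user_to_groups($ldap, $user_dn, $groups[0]);           # user is now in GroupA only
my $res = add_user_to_groups($ldap, $user_dn, @groups);    # GroupA repeats, GroupB is new
print "$_ => $res->{$_}\n" for sort keys %$res;
```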