John Arends wrote on 8/13/08 4:21 PM:
> Thanks Graham. That fixed the problem and the script works now. I
> actually am able to set the password during the account creation
> process. I have seen some reports of people unable to do that.

I checked my comments in Net::LDAP::Class::User::AD and apparently I was seeing
some kind of security error thrown when I tried to set unicodePwd on the initial
user add(). I presume there is an optional Active Directory config setting that
might control that, and that my particular AD server had it set, but that's just
a guess. In any case, Net::LDAP::Class does it in 2 batched steps: add() the
user, then update() the unicodePwd and set userAccountControl to 512.

> Another curiosity that may interest someone is that it appears I cannot
> modify a user and add a group to memberOf for that user.
> However, I can modify a group and add that user to the group. So it
> works one way, but not the other.

That is correct. AD stores the group memberships in the group and uses an
internal link to return memberOf for each user. So you must add the user to the
group, not vice versa.

> The big curiosity now is figuring out how to set the accountExpires
> property. Apparently its value is the number of 100 nanosecond intervals
> since January 1 1601. If the account has no expiration date, then it
> gets set automatically to '9223372036854775807'.

I had to solve this problem recently in the other direction. Here's my code:

# convert windows time to unix time
# thanks to http://quark.humbug.org.au/blog/?p=27
# 11644473600 = seconds between 1601-01-01 and 1970-01-01 (UTC)
my $pwdLastSet = ( $ad_user->pwdLastSet / 10000000 ) - 11644473600;

Presumably you could do the reverse to get the windows time from an epoch value.
I would suggest using DateTime to make sure you get the accurate epoch value for
a date in the future.
E.g.:

# add the 1601-to-1970 offset in seconds first, then scale to 100ns intervals
my $win_time = ( $datetime_in_future->epoch + 11644473600 ) * 10000000;

--
Peter Karman . http://peknet.com/ . [EMAIL PROTECTED]
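
An added example (not code from this thread or from Net::LDAP::Class) showing both directions of the accountExpires conversion discussed above, using only core Perl modules; the helper names are hypothetical. It goes slightly beyond the thread by treating 0 as well as 9223372036854775807 as "never expires", and it uses Math::BigInt because the 18-digit values exceed what a floating-point number holds exactly.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Math::BigInt;              # core module; exact arithmetic on 18-digit values
use Time::Local qw(timegm);    # core module; builds a UTC epoch

# Seconds between 1601-01-01 and 1970-01-01 (UTC), and 100ns intervals per second.
my $EPOCH_DIFF = 11644473600;
my $TICKS      = 10_000_000;
my $NEVER      = '9223372036854775807';    # 0x7FFFFFFFFFFFFFFF

# Hypothetical helper: Unix epoch seconds -> decimal string for accountExpires.
sub epoch_to_filetime {
    my ($epoch) = @_;
    return Math::BigInt->new($epoch)->badd($EPOCH_DIFF)->bmul($TICKS)->bstr;
}

# Hypothetical helper: accountExpires string -> epoch seconds.
# Returns undef when the account never expires (AD uses 0 or 0x7FFFFFFFFFFFFFFF).
sub filetime_to_epoch {
    my ($ft) = @_;
    return undef if $ft eq '0' or $ft eq $NEVER;
    my $secs = Math::BigInt->new($ft)->bdiv($TICKS);    # scalar context: quotient only
    return $secs->bsub($EPOCH_DIFF)->numify;
}

# Constructed sample: expire the account at 2009-01-01 00:00:00 UTC.
my $expires = timegm( 0, 0, 0, 1, 0, 2009 );            # month is 0-based
my $ft      = epoch_to_filetime($expires);

print "accountExpires: $ft\n";
print "round trip ok\n" if filetime_to_epoch($ft) == $expires;
print "sentinel means never expires\n"
    unless defined filetime_to_epoch($NEVER);
```

Pass the string from epoch_to_filetime as the attribute value so the directory receives the exact integer rather than a number in exponent notation.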