Sunday, March 6, 2011

Add LDAP entry to Active Directory via ext/ldap

Using ext/ldap I'm trying to add entries to an Active Directory. As long as I only use one single structural objectClass everything works as expected, but as soon as I try to add an entry with a second auxiliary objectClass, the server reports an error:

Server is unwilling to perform; 00002040: SvcErr: DSID-030F0AA0, problem 5003 (WILL_NOT_PERFORM), data 0

The following code works:

ldap_add($ldap, 'OU=Test,OU=Test,DC=domain,DC=example,DC=local', array(
    'ou' => 'Test',
    'objectClass' => 'organizationalUnit',
    'l' => 'location'
));

This doesn't:

ldap_add($ldap, 'OU=Test,OU=Test,DC=domain,DC=example,DC=local', array(
    'ou' => 'Test',
    'associatedDomain' => 'domain',
    'objectClass' => array('organizationalUnit', 'domainRelatedObject'),
    'l' => 'location'
));

The same happens if I try to add an auxiliary objectClass to an existing entry:

ldap_mod_add($ldap, 'OU=Test,OU=Test,DC=domain,DC=example,DC=local', array(
    'associatedDomain' => 'domain',
    'objectClass' => 'domainRelatedObject'
));

The corresponding error message is essentially the same:

Server is unwilling to perform; 00002040: SvcErr: DSID-030508F8, problem 5003 (WILL_NOT_PERFORM), data 0

As all other updating and adding operations work, I think the problem must be related to the objectClass attribute.

As I've not enough experience with Active Directories (I'm used to OpenLDAP): Are there any known issues with objectClasses in Active Directory? Am I missing something here? Are there any restrictions that disallow adding e.g. domainRelatedObject to an organizationalUnit? What the heck's going on here ;-)?

Just in case you're wondering: the domainRelatedObject is present in the Active Directory schema.

From stackoverflow
  • You may not have permission to set the objectClass attribute. See whether you can attach the auxiliary class after creation, through ADSI Edit. If you can't, fix the permissions first (check the Properties tab in the Advanced view of Security settings).

    I could attach this specific class right now, onto an organizationalUnit object, as a domain admin; so in principle, this is possible.

    Stefan Gehrig : Neither ADSI Edit nor ldp.exe will allow me to add the auxiliary class. ADSI Edit says "Die angegebene Methode wird nicht unterstützt" ("The specified method is not supported"). ldp.exe says: "Error: Modify: Ausführung verweigert. [...]
    Stefan Gehrig : [...] <53> Server error: 00002040: SvcErr: DSID-030F0AA0, problem 5003 (WILL_NOT_PERFORM), data 0" This is the same even if I'm authenticated as a Domain Admin.
    Martin v. Löwis : Hmm. What's the server? I was using W2k3SP2, and it worked fine.
  • I just found that, in order to add dynamic (per-instance) aux classes, the forest functional level of the domain must be 2003.

    Stefan Gehrig : Hi Martin! Thanks a lot - that was the problem... I don't dare to think about the time I wasted on this one on the PHP side ;-)
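The diagnosis that closed the thread (the forest functional level must be at least Windows Server 2003 before a DC accepts dynamic auxiliary classes) and the bare "unwilling to perform" the question reports both suggest the same defensive habit: check the forest level from the rootDSE before attempting the modification, and when ldap_mod_add() still fails, pull the server's extended diagnostic text rather than giving up on the generic error. The following is an added example, not code from the asker or from either answer. It uses the ext/ldap calls the question uses and the DN and attributes from the question; the host URI, bind DN and password are placeholders, and the rootDSE attribute `forestFunctionality` and its numeric levels are Active Directory's documented values (0 = Windows 2000, 2 = Windows Server 2003, higher for later releases).

```php
<?php
// Added example (not part of the original thread): probe the forest functional
// level before attaching an auxiliary objectClass, and report the server's
// diagnostic message when ldap_mod_add() fails with WILL_NOT_PERFORM.

const LDAP_URI = 'ldaps://dc.domain.example.local';                        // placeholder
const BIND_DN  = 'CN=svc-ldap,OU=Service,DC=domain,DC=example,DC=local';    // placeholder
const BIND_PW  = 'replace-me';                                              // placeholder

// rootDSE forestFunctionality: 0 = Windows 2000, 1 = 2003 interim,
// 2 = Windows Server 2003, 3 = 2008, 4 = 2008 R2, ... Dynamic (per-instance)
// auxiliary classes need at least 2.
const MIN_FOREST_LEVEL_FOR_DYNAMIC_AUX = 2;

function ldapConnectAndBind(string $uri, string $dn, string $pw)
{
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException("ldap_connect() rejected URI $uri");
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // AD hands out referrals; do not chase them
    if (!@ldap_bind($ldap, $dn, $pw)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ldap));
    }
    return $ldap;
}

/** Read forestFunctionality from the rootDSE (empty base DN, base scope). */
function forestFunctionalLevel($ldap): int
{
    $res = ldap_read($ldap, '', '(objectClass=*)', ['forestFunctionality']);
    if ($res === false) {
        throw new RuntimeException('rootDSE read failed: ' . ldap_error($ldap));
    }
    // ldap_get_entries() lower-cases attribute names in its result array.
    $entries = ldap_get_entries($ldap, $res);
    if ($entries['count'] < 1 || !isset($entries[0]['forestfunctionality'][0])) {
        throw new RuntimeException('rootDSE exposes no forestFunctionality (not Active Directory?)');
    }
    return (int) $entries[0]['forestfunctionality'][0];
}

/** Failure report including AD's extended diagnostic text (the "00002040: SvcErr: ..." part). */
function describeFailure($ldap, string $op): string
{
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return sprintf('%s failed: [%d] %s%s', $op, ldap_errno($ldap), ldap_error($ldap),
        $diag !== '' ? " ($diag)" : '');
}

/**
 * Attach an auxiliary objectClass (plus the attributes it requires) to an
 * existing entry, refusing up front when the forest cannot support it.
 */
function addAuxiliaryClass($ldap, string $dn, string $auxClass, array $attrs): void
{
    $level = forestFunctionalLevel($ldap);
    if ($level < MIN_FOREST_LEVEL_FOR_DYNAMIC_AUX) {
        throw new RuntimeException(
            "forestFunctionality=$level is below Windows Server 2003 (2); " .
            'the DC will answer WILL_NOT_PERFORM for dynamic auxiliary classes');
    }
    $attrs['objectClass'] = $auxClass;
    if (!@ldap_mod_add($ldap, $dn, $attrs)) {
        throw new RuntimeException(describeFailure($ldap, "ldap_mod_add($dn)"));
    }
}

$ldap = ldapConnectAndBind(LDAP_URI, BIND_DN, BIND_PW);
try {
    addAuxiliaryClass($ldap, 'OU=Test,OU=Test,DC=domain,DC=example,DC=local',
        'domainRelatedObject', ['associatedDomain' => 'domain']);
    echo "auxiliary class attached\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
} finally {
    ldap_unbind($ldap);
}
```

The rootDSE read needs no elevated rights, so the level check can run with the same service account that performs the modification; the point of doing it first is that a forest below the required level will never accept the change, and a script that retries or "fixes permissions" in response to the generic error would be chasing the wrong cause, as the thread shows.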
