I've written a script (below) that runs on a Unix server and modifies AD attributes.  
It works fine if the user I'm binding as is given Domain Admin privileges.  The AD 
admins don't want to give me that much power (and I really don't want it) but when 
they back the privileges off to what they think should work I get "insufficient 
access" errors:
 
   update error: 00002098: SecErr: DSID-03150646, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 
The only thing that seems to work is Domain Admin.  The AD admins claim that I am not 
"presenting the security context correctly."  I'm using simple bind.  Is there 
anything I can do differently?  Would SASL help?
 
Thanks,
 
John
 
------------------------ modify_ad.pl --------------------------------
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# usage: modify_ad.pl samaccountname=smithj postalcode=12345
# First argument: an LDAP filter that must match exactly one entry.
# Second argument: attr=value; an empty value removes the attribute.

my $filter = $ARGV[0];
my ($attr, $new_value) = split(/=/, $ARGV[1], 2);

my $ad_conn = Net::LDAP->new("ad.test.com", port => "389")
   or die("Can't connect to AD server: $@");

# Simple bind over a plain (non-TLS) connection on port 389.
my $msg = $ad_conn->bind("cn=testupdates,cn=users,dc=ad,dc=test,dc=com",
                         password => "pwd", version => 3);
$msg->code && die("bind error: ".$msg->error);

# Locate the target entry, fetching only the attribute we intend to change.
my $ad_entries = $ad_conn->search(base => "cn=users,dc=ad,dc=test,dc=com",
                                  scope => "sub",
                                  filter => $filter,
                                  attrs => [ $attr ]);
$ad_entries->code && die("search error: ".$ad_entries->error);

if ($ad_entries->count == 0) {
   print "Entry not found.\n";
} elsif ($ad_entries->count > 1) {
   print "More than one entry found.  Narrow the search to one entry.\n";
} else {
   my $ad_entry = $ad_entries->entry(0);
   # Test for a non-empty value (a plain truth test would treat "0" as delete).
   if (defined $new_value && length $new_value) {
      $ad_entry->replace($attr => $new_value);
   } else {
      $ad_entry->delete($attr => [ ]);   # empty list removes the whole attribute
   }
   # Send the accumulated change as a single modify operation.
   $msg = $ad_entry->update($ad_conn);
   if ($msg->code) {
      print("update error: ",$msg->error,"\n");
   } else {
      print "Entry modified\n";
   }
}
$ad_conn->unbind;
$ad_conn->disconnect;
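The following is an added diagnostic version of the same operation; it is not John's script and not part of the original thread. It separates the two failure modes that the post runs together: a rejected bind (LDAP result code 49, invalidCredentials) versus a successful bind followed by a refused modify (LDAP result code 50, insufficientAccessRights, which AD reports as 00002098 / INSUFF_ACCESS_RIGHTS). It also asks the DC, via the RFC 4532 "Who am I?" extended operation, which identity it attached to the session, and it upgrades the port-389 connection with StartTLS so the simple-bind password is not sent in the clear. The host name and DNs are taken from the post; the CA file path, the `AD_BIND_PW` environment variable and the Perl 5.10+ `//` operator are assumptions.

```perl
#!/usr/bin/perl
# Added example: distinguish authentication failures from authorization
# failures when modifying AD through Net::LDAP.  Not the original poster's code.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INSUFFICIENT_ACCESS LDAP_INVALID_CREDENTIALS);
use Net::LDAP::Extension::WhoAmI;   # adds $ldap->who_am_i
use Net::LDAP::Util qw(ldap_error_name);

my $host    = 'ad.test.com';                                   # from the post
my $bind_dn = 'cn=testupdates,cn=users,dc=ad,dc=test,dc=com';  # from the post
my $base    = 'cn=users,dc=ad,dc=test,dc=com';                 # from the post
my $cafile  = '/etc/ssl/certs/ad-ca.pem';   # ASSUMPTION: CA that issued the DC's certificate

my ($filter, $assignment) = @ARGV;
die "usage: $0 <ldap-filter> <attr>=<value>\n" unless defined $assignment;
my ($attr, $value) = split /=/, $assignment, 2;

my $ldap = Net::LDAP->new($host, port => 389, version => 3)
    or die "connect to $host failed: $@\n";

# 1. Upgrade the cleartext connection before sending any credentials and
#    insist on a verified server certificate.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
die 'start_tls failed: ' . $mesg->error . "\n" if $mesg->code;

# 2. Authenticate.  Read the password from the environment (ASSUMPTION:
#    AD_BIND_PW is set) rather than embedding it in the script.
my $password = $ENV{AD_BIND_PW} // die "set AD_BIND_PW in the environment\n";
$mesg = $ldap->bind($bind_dn, password => $password);
die "bind rejected: invalid credentials for $bind_dn\n"
    if $mesg->code == LDAP_INVALID_CREDENTIALS;
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;

# 3. Ask the DC which identity it bound this session to (RFC 4532).  If this
#    is not the expected account, the "security context" really is wrong.
my $who = $ldap->who_am_i;
print 'DC reports this session as: ', ($who->response // '(no authzId)'), "\n";

# 4. Locate exactly one entry and apply the change.
my $res = $ldap->search(base => $base, scope => 'sub',
                        filter => $filter, attrs => [$attr]);
die 'search failed: ' . $res->error . "\n" if $res->code;
die 'expected exactly one entry, found ' . $res->count . "\n" unless $res->count == 1;

my $entry = $res->entry(0);
if (defined $value && length $value) { $entry->replace($attr => $value) }
else                                  { $entry->delete($attr => []) }
$mesg = $entry->update($ldap);

# 5. Code 50 after a successful bind is an authorization decision: the DC knows
#    who we are, but the object's DACL grants this identity no write access to
#    the attribute.  Changing the bind mechanism (SASL, etc.) does not alter that.
if ($mesg->code == LDAP_INSUFFICIENT_ACCESS) {
    print 'update denied (', ldap_error_name($mesg), "): the bound identity has no\n",
          "write access to '$attr' on ", $entry->dn, "; this is a delegation/ACL issue\n";
} elsif ($mesg->code != LDAP_SUCCESS) {
    print 'update failed: ', ldap_error_name($mesg), ' - ', $mesg->error, "\n";
} else {
    print "entry modified\n";
}
$ldap->unbind;
```

Run it as `AD_BIND_PW=... ./diag_ad.pl 'samaccountname=smithj' 'postalcode=12345'`. If the bind succeeds, the Who-am-I response names the expected account, and the update still returns insufficientAccessRights, the access check is being made on the correct identity and the missing piece is a Write Property grant on the target attribute (or on the object) for that account, which is something to fix in the delegation on the directory side rather than in the client.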
