in reply to perl module for AD administration

I suppose I didn't explain myself very well. Sorry.

I'm needing something that will allow me to access/add/edit MS Exchange and MS Communicator and uniquely AD fields (e.g. nTSecurityDescriptor). From what I've seen, Net::LDAP can't do that...I'm able to perform basic LDAP administration, but I'm wanting something that will go the next step to create/edit the Exchange and Communicator accounts associated with the LDAP user as well. So far, the only module I've been able to find that looks like it can do that is Win32::OLE which only runs on Windows systems, not linux. I suppose I COULD add a new IIS server specifically for this, but I already have an existing web app running on an Apache server that I would like to incorporate under the same login session along with all our other intranet functions, creating a seamless end user experience.

Is there something out there that will work for me?

Re^2: perl module for AD administration
by NetWallah (Canon) on Jul 15, 2010 at 04:54 UTC
    You should give Net::LDAP a chance.

    nTSecurityDescriptor is in the attribute and class schema, in the AD - all of which is accessible via LDAP, provided you know the DN, and provide credentials with sufficient access.

    If you can get to it using ADSIEDIT, you should be able to access it using LDAP.

         Syntactic sugar causes cancer of the semicolon.        --Alan Perlis

      If I can access ntSecurityDescriptor, that would be great. However:
          use Net::LDAP;

          # $ldaphost, $ldapuser, $ldappassword, $base, $user and $data are set earlier in the script.
          # Net::LDAP->new returns undef and sets $@ when the connection fails.
          my $ldap_session = Net::LDAP->new($ldaphost)
              or die "error connecting to LDAP $ldaphost: $@\n";
          # bind() and search() always return a Net::LDAP::Message object, so 'or die'
          # never fires on them; the result code must be checked instead.
          my $mesg = $ldap_session->bind($ldapuser, password => $ldappassword);
          die "error binding: " . $mesg->error . "\n" if $mesg->code;
          my $temp = $ldap_session->search(
              base   => $base,
              filter => "(distinguishedName=$user)",
              attrs  => ['*'],
          );
          die "error searching tree: " . $temp->error . "\n" if $temp->code;
          my $tempuser = $temp->entry(0) or die "no entry found for $user\n";
          $data->{securityflag} = $tempuser->get_value('nTSecurityDescriptor')
              ? $tempuser->get_value('nTSecurityDescriptor')
              : 'none';
          my @attributes = $tempuser->attributes;
          $data->{values} = '';
          foreach (@attributes) {
              $data->{values} .= '<br>' . $_ . '=' . $tempuser->get_value($_);
          }
      $data->{securityflag} displays 'none' and nowhere in $data->{values} shows nTSecurityDescriptor. I am seeing a few Exchange fields, but I haven't played with them enough to know if they actually edit Exchange or simply reference Exchange settings. However, I don't see anything that looks related to Communicator. Here are the fields returned:
      objectClass cn sn c l st title postalCode physicalDeliveryOfficeName telephoneNumber facsimileTelephoneNumber userCertificate givenName initials distinguishedName instanceType whenCreated whenChanged displayName uSNCreated info memberOf uSNChanged co department company proxyAddresses streetAddress displayNamePrintable name objectGUID userAccountControl badPwdCount codePage countryCode homeDirectory homeDrive badPasswordTime lastLogoff lastLogon logonHours pwdLastSet primaryGroupID userParameters objectSid adminCount accountExpires logonCount sAMAccountName sAMAccountType showInAddressBook legacyExchangeDN userPrincipalName lockoutTime objectCategory msNPAllowDialin dSCorePropagationData lastLogonTimestamp mail manager mobile pager msRTCSIP-PrimaryUserAddress ciscoEcsbuTransferId msExchRecordedName mailNickname publicDelegatesBL ciscoEcsbuAmisDisableOutbound msRTCSIP-UserEnabled msExchPoliciesIncluded ciscoEcsbuUMLocationObjectId msRTCSIP-ArchivingEnabled msExchRecipientDisplayType mDBUseDefaults ciscoEcsbuDtmfId msRTCSIP-PrimaryHomeServer ciscoEcsbuObjectType ciscoEcsbuListInUMDirectory msExchMailboxGuid msExchUserCulture msExchMailboxSecurityDescriptor msExchUserAccountControl msRTCSIP-OptionFlags msExchRecipientTypeDetails msExchVersion msExchMobileMailboxFlags homeMTA homeMDB msExchHomeServerName ciscoEcsbuUnityAttributes
      (values not displayed for security reasons)
        The ntSecurityDescriptor is a complex attribute, and I have not had a chance to play with it.

        Leads from the internet indicate that you need to do something like this (VB):

            ' VBScript via ADSI: read the descriptor's Control word and test the
            ' SE_DACL_PROTECTED bit (inheritance from the parent container blocked)
            Const SE_DACL_PROTECTED = &H1000
            Dim objUser, objNtSecurityDescriptor, intNtSecurityDescriptorControl
            Set objUser = GetObject("LDAP://cn=TestUser,dc=MyDomain,dc=com")
            Wscript.Echo "User: " & objUser.sAMAccountName
            Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
            intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
            If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
                Wscript.Echo "Allow inheritable permissions check box disabled"
            Else
                Wscript.Echo "Allow inheritable permissions check box enabled"
            End If
        Here are some links for your perusal:
        http://www.servernewsgroups.net/group/microsoft.public.windows.server.scripting/topic10521.aspx
        http://ldap.perl.org/FAQ.html See section titled "How do I create a Microsoft Exchange user."
        http://msdn.microsoft.com/en-us/magazine/cc188700.aspx

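The following is an added example, not code from either poster or from the perl-ldap project, that ties the two snippets above together from the Net::LDAP side. It assumes the perl-ldap modules Net::LDAP and Net::LDAP::Control are installed, and it sends Active Directory's LDAP_SERVER_SD_FLAGS_OID request control (OID 1.2.840.113556.1.4.801) with the search. Without that control AD attempts to return owner, group, DACL and SACL together; a caller who lacks the right to read the SACL then gets no nTSecurityDescriptor attribute at all, which is consistent with the 'none' result reported above. Asking only for owner, group and DACL avoids that. The returned value is a binary self-relative SECURITY_DESCRIPTOR, and the script reads its 20-byte header to perform the same SE_DACL_PROTECTED (&H1000) test as the VBScript, without needing Win32::OLE. The function names (sd_flags_control, fetch_sd, parse_sd_header, describe), the script name sd_check.pl and the command-line layout are my own; the OID, the SECURITY_INFORMATION flag values, the SE_* control bits and the header layout are the documented Windows values. The no-argument path parses a constructed descriptor so the parsing can be tried offline.

```perl
#!/usr/bin/perl
# Added example: read nTSecurityDescriptor over LDAP using the AD SD-flags
# control, then inspect the descriptor's Control word (hypothetical script).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control;

my $SD_FLAGS_OID = '1.2.840.113556.1.4.801';   # LDAP_SERVER_SD_FLAGS_OID
use constant {
    OWNER_SECURITY_INFORMATION => 0x1,
    GROUP_SECURITY_INFORMATION => 0x2,
    DACL_SECURITY_INFORMATION  => 0x4,
    SACL_SECURITY_INFORMATION  => 0x8,   # needs SeSecurityPrivilege to read
};
use constant SE_DACL_PRESENT   => 0x0004;
use constant SE_DACL_PROTECTED => 0x1000;    # same value as &H1000 in the VBScript
use constant SE_SELF_RELATIVE  => 0x8000;

# Control value is BER: SEQUENCE { INTEGER flags }; flags fit in one byte.
sub sd_flags_control {
    my ($flags) = @_;
    die "flags must be 0..127\n" if $flags < 0 || $flags > 0x7f;
    return Net::LDAP::Control->new(
        type     => $SD_FLAGS_OID,
        critical => 1,
        value    => pack('C5', 0x30, 0x03, 0x02, 0x01, $flags),
    );
}

# Base-scope read of one object by DN: the filter is a constant, so no
# user-supplied value is interpolated into an LDAP filter.
sub fetch_sd {
    my ($ldap, $dn, $flags) = @_;
    my $mesg = $ldap->search(
        base    => $dn,
        scope   => 'base',
        filter  => '(objectClass=*)',
        attrs   => ['nTSecurityDescriptor'],
        control => [ sd_flags_control($flags) ],
    );
    die 'search failed: ' . $mesg->error . "\n" if $mesg->code;
    my $entry = $mesg->entry(0) or die "no entry for $dn\n";
    return $entry->get_value('nTSecurityDescriptor');   # raw bytes, or undef
}

# Self-relative SECURITY_DESCRIPTOR header, 20 bytes, little-endian:
#   Revision(1) Sbz1(1) Control(2) OffsetOwner(4) OffsetGroup(4)
#   OffsetSacl(4) OffsetDacl(4)
sub parse_sd_header {
    my ($sd) = @_;
    die "descriptor missing or too short\n" unless defined $sd && length($sd) >= 20;
    my ($rev, undef, $control, $o_owner, $o_group, $o_sacl, $o_dacl)
        = unpack('C C v V V V V', $sd);
    die "unexpected SD revision $rev\n" unless $rev == 1;
    return {
        control        => $control,
        dacl_present   => ($control & SE_DACL_PRESENT)   ? 1 : 0,
        dacl_protected => ($control & SE_DACL_PROTECTED) ? 1 : 0,   # inheritance blocked
        offsets => { owner => $o_owner, group => $o_group, sacl => $o_sacl, dacl => $o_dacl },
    };
}

# Same wording as the VBScript output above.
sub describe {
    my ($hdr) = @_;
    return $hdr->{dacl_protected}
        ? 'Allow inheritable permissions check box disabled'
        : 'Allow inheritable permissions check box enabled';
}

# Usage: sd_check.pl <ldaphost> <bind-dn-or-upn> <password> <user-dn>
# With no arguments a constructed descriptor header is parsed instead.
if (@ARGV == 4) {
    my ($host, $binddn, $pw, $dn) = @ARGV;
    my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@\n";
    my $bind = $ldap->bind($binddn, password => $pw);
    die 'bind failed: ' . $bind->error . "\n" if $bind->code;
    my $sd = fetch_sd($ldap, $dn,
        OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION);
    defined $sd or die "nTSecurityDescriptor not returned; check the bind account's read rights\n";
    print describe(parse_sd_header($sd)), "\n";
    $ldap->unbind;
} else {
    # Constructed sample (not captured from a directory): revision 1,
    # control = SELF_RELATIVE | DACL_PRESENT | DACL_PROTECTED, all offsets zero.
    my $sample = pack('C C v V V V V', 1, 0,
        SE_SELF_RELATIVE | SE_DACL_PRESENT | SE_DACL_PROTECTED, 0, 0, 0, 0);
    print describe(parse_sd_header($sample)), "\n";
}
```

Requesting the SACL flag as well is what requires the privileged bind; for an intranet app running under a service account it is better to ask only for the parts the account is allowed to read than to grant it more rights. Editing the descriptor (a modify of nTSecurityDescriptor with the same control) follows the same pattern, but the full ACL body would then have to be parsed and re-encoded rather than just the header shown here.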