In "Querying and Updating AD, Part 1," February 2003, http://www.winscriptingsolutions.com, InstantDoc ID 27569, I described how to install and use the Net::LDAP modules to query Active Directory (AD) according to search criteria and retrieve attributes of matching objects. In Part 2, I describe the various Net::LDAP methods available to add, delete, modify, rename, and move objects in AD.
Adding Objects
Using Net::LDAP to add objects is straightforward. For example, Listing 1 contains code that adds the John Doe contact object. Callout A in Listing 1 shows the parameters that you need to modify to get the code to work in your environment. For the $dc variable, you specify the domain controller (DC) against which to perform the add operation. You set the $user and $passwd variables to the username and password, respectively, with which you want to bind to the specified DC. The $parent_dn variable needs to contain the distinguished name (DN) of the parent container in which you want to put the John Doe contact object. The code after callout A in Listing 1 connects to the specified DC and uses the specified credentials to bind with it. Note that this is a simple bind: the password travels in cleartext unless you connect over LDAPS (port 636) or call the start_tls() method before binding, so do one or the other whenever the script runs over a network you don't fully control.
The code at callout B in Listing 1 calls the add() method. The first parameter is the DN of the new object; its leftmost component (e.g., cn=John Doe) becomes the object's naming attribute. The second parameter, attrs, is an array reference of attribute name and value pairs (a value can itself be an array reference when the attribute is multivalued). You must include every attribute that the object class makes mandatory and that the DC doesn't fill in for you, objectClass above all, or the add() method fails. For example, to add a user object you must at a minimum specify user for the objectClass attribute and the account's logon name for the sAMAccountName attribute. A user added this way starts disabled (the DC sets userAccountControl to 0x222, which also includes the PASSWD_NOTREQD bit), so set a password over an encrypted connection and clear those bits before you enable the account.
The add() method returns a Net::LDAP::Message object, whose code() method returns the LDAP result code. A code of 0 (LDAP_SUCCESS in Net::LDAP::Constant) means the contact object was added; any other value means the operation failed, and the error() method returns the server's error message. Always check the code: Net::LDAP doesn't die on a failed operation, so a script that ignores the result carries on silently.
Listing 1 adds only one object to AD. You can extend the code to add thousands of objects if necessary. You can even use the Perl Database Interface (DBI) modules to query a database and populate AD with the retrieved information. You can find the DBI modules on the Comprehensive Perl Archive Network (CPAN) Web site (http://www.perl.com/CPAN-local/modules/by-module/DBI).
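As an added example (it is not Listing 1 from the article), the following script performs the add operation described above over LDAPS and checks the result. The DC name, the service account, the CA bundle path and the target OU are placeholders that you would replace; they are assumptions, not values from the article.

```perl
#!/usr/bin/perl
# Added example: add a contact object to AD with Net::LDAP and check the result.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value ldap_error_text);
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_ALREADY_EXISTS);

# Assumed values: replace with your DC, account, CA bundle and target OU.
my $dc        = 'dc1.mycorp.com';
my $user      = 'MYCORP\\svc-provision';
my $passwd    = $ENV{AD_PASSWORD} or die "Set AD_PASSWORD in the environment\n";
my $parent_dn = 'ou=Contacts,dc=mycorp,dc=com';
my $cafile    = '/etc/ssl/certs/mycorp-ca.pem';

# Connect over LDAPS and verify the DC's certificate, because the simple
# bind below would otherwise send the password in cleartext.
my $ldap = Net::LDAP->new($dc, scheme => 'ldaps', port => 636,
                          verify => 'require', cafile => $cafile)
    or die "Cannot connect to $dc: $@\n";
my $mesg = $ldap->bind($user, password => $passwd);
die "Bind failed: " . $mesg->error . "\n" if $mesg->code;

# Build the RDN from an escaped value: a name such as "Doe, John" would
# otherwise split into two RDNs and land the object somewhere else.
my ($first, $last) = ('John', 'Doe');
my $cn = "$first $last";
my $dn = 'cn=' . escape_dn_value($cn) . ",$parent_dn";

# attrs is a flat list of name => value pairs; an array reference holds
# several values for a multivalued attribute such as objectClass.
$mesg = $ldap->add($dn,
    attrs => [
        objectClass => [ 'top', 'person', 'organizationalPerson', 'contact' ],
        cn          => $cn,
        givenName   => $first,
        sn          => $last,
        displayName => $cn,
        mail        => 'jdoe@mycorp.com',
    ]);

# add() never dies on a server error; the result code has to be checked.
my $code = $mesg->code;
if ($code == LDAP_SUCCESS) {
    print "Added $dn\n";
} elsif ($code == LDAP_ALREADY_EXISTS) {
    warn "$dn already exists; nothing changed\n";
} else {
    die sprintf("Add of %s failed: %s (%s)\n",
                $dn, ldap_error_text($code), $mesg->error);
}

$ldap->unbind;
```

The password comes from the environment rather than the script body so that it isn't committed alongside the code, and LDAP_ALREADY_EXISTS is handled separately because it is the one failure a bulk-provisioning run usually wants to skip rather than abort on.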
Deleting Objects
Using Net::LDAP to delete objects is even easier than adding them. All you need to do is pass the DN of the object you want to delete to the Net::LDAP object's delete() method. For example, Listing 2 contains code that deletes all the contact objects in the ou=Contacts,dc=mycorp,dc=com organizational unit (OU).
The code at callout A in Listing 2 shows the parameters you need to customize. The code at callout B in Listing 2 searches for the objects to delete. In Part 1, I discussed how to use the search() method, including how to set each parameter. In this case, you set the base parameter to the DN of the container that holds the objects you want to delete. Because you want to delete all objects in that container but not the container itself, you set the scope parameter to 'one', which searches only the objects one level below the base DN and omits the base DN itself. The filter parameter contains the search filter that matches contact objects. The attrs parameter is an array reference containing a single attribute, 'cn'. The search() method returns a Net::LDAP::Search object; its entries() method returns the matching objects as a list of Net::LDAP::Entry objects.
The code at callout C in Listing 2 uses the Net::LDAP::Entry object's dn() method to retrieve the DN for each matching object so that the delete() method can delete the object. The code() method checks the result to see whether an error occurred and prints an appropriate message.
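As an added example (it is not Listing 2 from the article), the script below performs the search-then-delete procedure just described, with two safeguards a practitioner would want before pointing a delete loop at a production OU: it runs dry by default and only deletes with --commit, and it escapes any command-line input that goes into the filter. The DC name, account, CA bundle path and OU are assumed placeholders, and the --sn option is an addition of this example.

```perl
#!/usr/bin/perl
# Added example: delete the contact objects directly under an OU, with a
# dry run by default, an escaped filter, and a guard on every returned DN.
use strict;
use warnings;
use Getopt::Long;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value canonical_dn);
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Assumed values: replace with your DC, account, CA bundle and target OU.
my $dc      = 'dc1.mycorp.com';
my $user    = 'MYCORP\\svc-provision';
my $passwd  = $ENV{AD_PASSWORD} or die "Set AD_PASSWORD in the environment\n";
my $base_dn = 'ou=Contacts,dc=mycorp,dc=com';
my $cafile  = '/etc/ssl/certs/mycorp-ca.pem';

# Nothing is deleted unless --commit is given; --sn narrows the selection.
my ($commit, $sn) = (0, undef);
GetOptions('commit' => \$commit, 'sn=s' => \$sn)
    or die "usage: $0 [--sn SURNAME] [--commit]\n";

# Escape user input before it goes into the filter, so a value such as
# "*)(objectClass=*" cannot widen the match beyond contact objects.
my $filter = '(objectClass=contact)';
$filter = "(&$filter(sn=" . escape_filter_value($sn) . '))' if defined $sn;

my $ldap = Net::LDAP->new($dc, scheme => 'ldaps', port => 636,
                          verify => 'require', cafile => $cafile)
    or die "Cannot connect to $dc: $@\n";
my $mesg = $ldap->bind($user, password => $passwd);
die "Bind failed: " . $mesg->error . "\n" if $mesg->code;

# scope => 'one' returns the OU's direct children and not the OU itself.
$mesg = $ldap->search(base => $base_dn, scope => 'one',
                      filter => $filter, attrs => ['cn']);
die "Search failed: " . $mesg->error . "\n" if $mesg->code;

my $canon_base = lc canonical_dn($base_dn);
my ($deleted, $failed) = (0, 0);

for my $entry ($mesg->entries) {
    my $dn = $entry->dn;

    # Belt and braces: act only on DNs that sit under the base DN, so an
    # unexpected result (for example from a referral) is never deleted.
    my $canon = canonical_dn($dn);
    unless (defined $canon && lc($canon) =~ /,\Q$canon_base\E\z/) {
        warn "Skipping $dn: not under $base_dn\n";
        next;
    }

    unless ($commit) {
        print "Would delete $dn\n";
        next;
    }

    my $res = $ldap->delete($dn);
    if ($res->code == LDAP_SUCCESS) {
        $deleted++;
        print "Deleted $dn\n";
    } else {
        $failed++;
        warn "Delete of $dn failed: " . $res->error . "\n";
    }
}

print $commit ? "Deleted $deleted object(s), $failed failure(s)\n"
              : "Dry run only; rerun with --commit to delete\n";
$ldap->unbind;
```

Run it once without --commit and read the list it prints; a mistyped base DN or filter shows up there as the wrong set of names rather than as a missing OU's worth of objects.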
In some cases, instead of deleting each object in the OU, you might want to delete the parent OU and all its children in one operation. Unfortunately, you can't perform this type of delete operation with a simple delete command. You must use an extension to Lightweight Directory Access Protocol (LDAP) called a control to inform the server to delete a particular container and all its children. Using the Net::LDAP controls is beyond the scope of this article and will be the topic of a future article. If you want to learn about controls in the meantime, you can read the online documentation on the perl-ldap Web site (http://perl-ldap.sourceforge.net).
Modifying Objects
Net::LDAP provides quite a bit of flexibility when you need to modify an object's attributes. You can add, delete, or replace values on an individual basis or perform all your value modifications in one call.
Like the add() and delete() methods, the modify() method takes the DN of the object you want to modify as its first parameter. The remaining parameters are named options that specify the modifications to perform. The modify() method has several options from which to choose:
The add option. You use the add option to add or set a value for an attribute that previously didn't have a value. You also use the add option to add a new value to a multivalued attribute. The add option expects a reference to a hash. The hash key contains the attribute's name; the hash value contains the attribute's value. If the exact value is already present, the operation fails with the attributeOrValueExists result (LDAP_TYPE_OR_VALUE_EXISTS in Net::LDAP::Constant), so a script that must be safe to rerun should use the replace option instead. For example, to add the mail attribute and give it the value jdoe@mycorp.com, you use code such as
$ldap->modify($dn, add =>
{ mail => 'jdoe@mycorp.com' } );
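As an added example that goes beyond the single add option shown above (it is not the article's code), the script below exercises each way of calling modify() that Net::LDAP supports: add, replace, delete of one value or of a whole attribute, and a batched changes list. The DC name, account, CA bundle path and contact DN are assumed placeholders, as are the attribute values it writes.

```perl
#!/usr/bin/perl
# Added example: the modify() options of Net::LDAP, with result checking.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant
    qw(LDAP_SUCCESS LDAP_TYPE_OR_VALUE_EXISTS LDAP_NO_SUCH_ATTRIBUTE);

# Assumed values: replace with your DC, account, CA bundle and target object.
my $dc     = 'dc1.mycorp.com';
my $user   = 'MYCORP\\svc-provision';
my $passwd = $ENV{AD_PASSWORD} or die "Set AD_PASSWORD in the environment\n";
my $dn     = 'cn=John Doe,ou=Contacts,dc=mycorp,dc=com';
my $cafile = '/etc/ssl/certs/mycorp-ca.pem';

my $ldap = Net::LDAP->new($dc, scheme => 'ldaps', port => 636,
                          verify => 'require', cafile => $cafile)
    or die "Cannot connect to $dc: $@\n";
my $mesg = $ldap->bind($user, password => $passwd);
die "Bind failed: " . $mesg->error . "\n" if $mesg->code;

# Report the outcome of one modify() call. The two results named here are
# the ones a rerun of the script usually wants to treat as non-fatal.
sub report {
    my ($what, $res) = @_;
    my $code = $res->code;
    if    ($code == LDAP_SUCCESS)              { print "$what: ok\n"; }
    elsif ($code == LDAP_TYPE_OR_VALUE_EXISTS) { warn "$what: value already present\n"; }
    elsif ($code == LDAP_NO_SUCH_ATTRIBUTE)    { warn "$what: value not present\n"; }
    else { die "$what failed: " . $res->error . "\n"; }
    return $code;
}

# add: set an attribute, or append a value to a multivalued attribute.
# Fails with attributeOrValueExists if that exact value is already there.
report('add mail', $ldap->modify($dn, add => { mail => 'jdoe@mycorp.com' }));

# replace: overwrite every current value; safe to run again and again.
report('replace telephoneNumber',
       $ldap->modify($dn, replace => { telephoneNumber => '+1 555 0100' }));

# delete: a hash removes the listed values, an array removes whole attributes.
report('delete otherTelephone value',
       $ldap->modify($dn, delete => { otherTelephone => ['+1 555 0199'] }));
report('delete description attribute',
       $ldap->modify($dn, delete => ['description']));

# changes: several operations in one request. The server applies them in
# order as a single atomic operation, so either all of them or none apply.
report('batched changes',
       $ldap->modify($dn, changes => [
           replace => [ title        => 'Consultant' ],
           add     => [ otherMailbox => 'john.doe@partner.example' ],
       ]));

$ldap->unbind;
```

Prefer replace over add for values you intend to be authoritative, and use changes when a set of edits only makes sense together; a half-applied update is harder to diagnose than a rejected one.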