Creating LDAP Directory Objects
To create objects, you first connect to the directory container in which the new objects shall be placed. There you use the container's create() method, passing the object class of the new object and its relative distinguished name (RDN). Depending on the object class, mandatory attributes then have to be set before the object is saved, otherwise the object is not created correctly or cannot be created at all.
Examples for Active Directory and Exchange (for Exchange 2000 or later):
Creating Organizational Units
Creating Users
Creating Mail Users
Creating Contacts
Creating Local Groups
Creating Global Groups
Creating Universal Groups
Examples for Novell eDirectory (NDS):
Creating Organizational Units
Creating ZEN Application Objects
Creating Users
Creating Groups
Creating Organizational Units
In order to create an Active Directory Organizational Unit, you have to connect to the directory container in which it shall be created. This can be either the domain object or another OU. No mandatory attributes need to be set.
Creating Users
In order to create an Active Directory user, you have to use the object class 'user' and then set at least the attribute 'sAMAccountName' (Windows NT logon name):
By the way, the user is created as a disabled user without a password. Any existing password policy (minimum password length or complexity requirements) is not applied at this point. To activate the account at the same time, we have to set a flag in the attribute userAccountControl:
This will fail in many cases, because this way the account is still created with an empty password, which should be illegal in any domain with an appropriate password policy. However, it is difficult to assign a password while the account does not exist yet. So we create the user with a userAccountControl flag that allows a blank password for this user. This flag is removed again after a password has been set:
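The following VBScript is an added example and not code from the SelfADSI tutorial. It walks through both steps described above (creating the OU below the domain object, then creating the user) and the full enable sequence: the account is created enabled with the flag that permits an empty password, the real password is set, the flag is cleared again, and the result is read back. The domain DC=example,DC=com, the OU name "Sales", the user "jdoe" and the script name are assumptions; the initial password is taken from the command line so it is not stored in the script.

```vbscript
' Added example (not from the SelfADSI tutorial). Placeholders: the domain
' DC=example,DC=com, the OU "Sales" and the user "jdoe".
Option Explicit

' userAccountControl bits (ADS_USER_FLAG_ENUM)
Const ADS_UF_ACCOUNTDISABLE = &H2
Const ADS_UF_PASSWD_NOTREQD = &H20
Const ADS_UF_NORMAL_ACCOUNT = &H200

Dim domain, ou, user, uac, initialPassword

' The initial password comes from the command line, not from the script text
If WScript.Arguments.Count < 1 Then
    WScript.Echo "usage: cscript createuser.vbs <initial password>"
    WScript.Quit 1
End If
initialPassword = WScript.Arguments(0)

' 1. Create the OU directly below the domain object (no mandatory attributes)
Set domain = GetObject("LDAP://DC=example,DC=com")
Set ou = domain.Create("organizationalUnit", "OU=Sales")
ou.SetInfo

' 2. Create the user; sAMAccountName is the only mandatory attribute.
'    ADS_UF_PASSWD_NOTREQD is needed because, for a moment, the enabled
'    account exists with an empty password.
Set user = ou.Create("user", "CN=Jane Doe")
user.Put "sAMAccountName", "jdoe"
user.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT Or ADS_UF_PASSWD_NOTREQD
user.SetInfo

' 3. Set the real password, then drop PASSWD_NOTREQD again in the same breath
user.SetPassword initialPassword
user.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
user.Put "pwdLastSet", 0          ' force a password change at first logon
user.SetInfo

' 4. Read back and verify. An account that keeps PASSWD_NOTREQD is exempt
'    from the domain password policy and is a classic audit finding.
user.GetInfo
uac = user.Get("userAccountControl")
If (uac And ADS_UF_PASSWD_NOTREQD) <> 0 Then
    WScript.Echo "WARNING: PASSWD_NOTREQD still set on " & user.distinguishedName
ElseIf (uac And ADS_UF_ACCOUNTDISABLE) <> 0 Then
    WScript.Echo "account is still disabled: " & user.distinguishedName
Else
    WScript.Echo "user created and enabled: " & user.distinguishedName
End If
```

SetPassword only transmits the password over a protected channel (LDAP over SSL, Kerberos or the NetUserSetInfo RPC), so it fails rather than sending it in clear text; if it fails, the script stops before step 4 and the account is left with the temporary flag, which is exactly the state the read-back check is there to catch.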
More information about the relevant LDAP attributes or about the configuration of additional object properties can be found in 'Attributes for Active Directory User' here in the SelfADSI Tutorial.
Creating Mail Users
In order to create a mail-enabled user within an Exchange organization (Exchange 2000 or later), the object class 'user' has to be used and then at least the attributes 'sAMAccountName' (Windows NT logon name), 'mailNickName' (Exchange alias), 'displayName' and 'homeMDB' (information store of the mailbox) have to be set.
The exact distinguished name of the information store has to be used. It consists of the Exchange organization's name, the server name, the name of the storage group and the database.
The mailbox of this user will not be displayed in the Exchange System Manager (ESM) until the first mail has been delivered to it. By the way, the user is created as a disabled user without a password. Any existing password policy (minimum password length or complexity requirements) is not applied at this point. To activate the account at the same time, we have to set a flag in the attribute userAccountControl:
This will fail in many cases, because this way the account is still created with an empty password, which should be illegal in any domain with an appropriate password policy. However, it is difficult to assign a password while the account does not exist yet. So we create the user with a userAccountControl flag that allows a blank password for this user. This flag is removed again after a password has been set:
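An added example for the mail user case (not code from the SelfADSI tutorial). Instead of typing the long homeMDB distinguished name by hand, it looks the mailbox store up in the configuration partition by its name and uses the DN the directory returns; a mistyped homeMDB makes SetInfo fail. Because store names such as "Mailbox Store (MAIL01)" contain parentheses, the name is escaped before it is placed in the LDAP filter; the same escaping is what prevents filter injection when the name comes from user input. The server name MAIL01, the OU OU=Sales,DC=example,DC=com and the user "jdoe" are assumptions, and the Exchange 2000/2003 object class msExchPrivateMDB is assumed for the store. The account is left disabled here, as the text says it is by default; enabling it follows the same userAccountControl sequence as for a plain user.

```vbscript
' Added example (not from the SelfADSI tutorial). Placeholders: the mailbox
' store "Mailbox Store (MAIL01)", the OU OU=Sales,DC=example,DC=com, user jdoe.
Option Explicit

' Escape the special characters of an LDAP search filter (RFC 4515)
Function EscapeFilter(s)
    Dim r
    r = Replace(s, "\", "\5c")      ' backslash first, so later escapes stay intact
    r = Replace(r, "*", "\2a")
    r = Replace(r, "(", "\28")
    r = Replace(r, ")", "\29")
    r = Replace(r, Chr(0), "\00")
    EscapeFilter = r
End Function

' Return the DN of the mailbox store with the given name, or "" if not found
Function FindMailboxStoreDN(storeName)
    Dim rootDSE, conn, rs, query
    Set rootDSE = GetObject("LDAP://RootDSE")
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"
    query = "<LDAP://" & rootDSE.Get("configurationNamingContext") & ">;" & _
            "(&(objectClass=msExchPrivateMDB)(cn=" & EscapeFilter(storeName) & "));" & _
            "distinguishedName;subtree"
    Set rs = conn.Execute(query)
    If rs.EOF Then
        FindMailboxStoreDN = ""
    Else
        FindMailboxStoreDN = rs.Fields("distinguishedName").Value
    End If
    rs.Close
    conn.Close
End Function

Dim homeMDB, ou, user

homeMDB = FindMailboxStoreDN("Mailbox Store (MAIL01)")
If homeMDB = "" Then
    WScript.Echo "mailbox store not found, user not created"
    WScript.Quit 1
End If

' The four attributes the text names as mandatory for a mail-enabled user
Set ou = GetObject("LDAP://OU=Sales,DC=example,DC=com")
Set user = ou.Create("user", "CN=Jane Doe")
user.Put "sAMAccountName", "jdoe"
user.Put "mailNickname", "jdoe"
user.Put "displayName", "Jane Doe"
user.Put "homeMDB", homeMDB
user.SetInfo
WScript.Echo "created " & user.distinguishedName & " with mailbox in " & homeMDB
```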
More information about the relevant LDAP attributes or about the configuration of additional object properties can be found in 'Attributes for Active Directory User' here in the SelfADSI Tutorial.
Creating Contacts
If you want to create a mail-enabled contact within an Exchange organization (Exchange 2000 or later), the object class 'contact' has to be used and then at least the attributes 'mailNickName' (Exchange alias), 'displayName' and 'targetAddress' (external mail address) have to be set:
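An added example for the contact case (not code from the SelfADSI tutorial). The contact is created with the three attributes named above; targetAddress is checked for the "SMTP:" address-type prefix before anything is written, since a bare address is silently accepted by the directory but not routed by Exchange. The OU OU=External,DC=example,DC=com and the contact's name and address are assumptions.

```vbscript
' Added example (not from the SelfADSI tutorial). Placeholders: the OU
' OU=External,DC=example,DC=com and the contact "John Partner".
Option Explicit

' Create a mail-enabled contact; returns the new object
Function CreateMailContact(containerPath, cn, alias, externalAddress)
    Dim container, contact
    ' targetAddress carries the address type as prefix, e.g. "SMTP:user@example"
    If UCase(Left(externalAddress, 5)) <> "SMTP:" Then
        Err.Raise vbObjectError + 1, "CreateMailContact", _
                  "targetAddress must start with 'SMTP:' - got '" & externalAddress & "'"
    End If
    Set container = GetObject(containerPath)
    Set contact = container.Create("contact", "CN=" & cn)
    contact.Put "mailNickname", alias
    contact.Put "displayName", cn
    contact.Put "targetAddress", externalAddress
    contact.SetInfo
    Set CreateMailContact = contact
End Function

Dim c
Set c = CreateMailContact("LDAP://OU=External,DC=example,DC=com", _
                          "John Partner", "jpartner", "SMTP:john.partner@partner.example")
WScript.Echo "created " & c.distinguishedName & " -> " & c.Get("targetAddress")
```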
More information about the relevant LDAP attributes or the configuration of additional object properties can be found in the topic 'Attributes for Active Directory Contact' here in the SelfADSI Tutorial.
Creating Local Groups
If you want to create a domain local Active Directory group, the object class 'group' needs to be used and then at least the attributes 'sAMAccountName' (the downward compatible Windows NT name) and 'groupType' (group scope and type) have to be set:
In order to create a local distribution group within an Exchange organization (Exchange 2000 or later), the object class 'group' has to be used and then at least the attributes 'sAMAccountName' (Windows NT name), 'mailNickName' (Exchange alias), 'displayName' and 'groupType' have to be set:
If you want the group to become a security group that can be granted permissions as well as receive mail, then the group type has to be set like this:
More information about the relevant LDAP attributes or the configuration of additional object properties can be found in the topic 'Attributes for Active Directory Group' here in the SelfADSI Tutorial.
Creating Global Groups
If you want to create a global Active Directory group, the object class 'group' needs to be used and then at least the attributes 'sAMAccountName' (the downward compatible Windows NT name) and 'groupType' (group scope and type) have to be set:
In order to create a global distribution group within an Exchange organization (Exchange 2000 or later), the object class 'group' has to be used and then at least the attributes 'sAMAccountName' (the downward compatible Windows NT name), 'mailNickName' (Exchange alias), 'displayName' and 'groupType' have to be set:
If you want the group to become a security group that can be granted permissions as well as receive mail, then the group type has to be set like this:
More information about the relevant LDAP attributes or the configuration of additional object properties can be found in the topic 'Attributes for Active Directory Group' here in the SelfADSI Tutorial.
Creating Universal Groups
If you want to create a universal Active Directory group, the object class 'group' has to be used and then at least the attributes 'sAMAccountName' (the downward compatible Windows NT name) and 'groupType' (group scope and type) have to be set:
In order to create a universal distribution group within an Exchange organization (Exchange 2000 or later), the object class 'group' has to be used and then at least the attributes 'sAMAccountName' (the downward compatible Windows NT name), 'mailNickName' (Exchange alias), 'displayName' and 'groupType' have to be set:
If you want the group to become a security group that can be granted permissions as well as receive mail, then the group type has to be set like this:
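One added example covers the three group sections above (local, global and universal groups, each as a plain distribution group or as a mail-enabled security group); it is not code from the SelfADSI tutorial. The groupType value is composed from the scope bit plus, for security groups, the security-enabled bit, which in VBScript is the negative Long &H80000000. The helper creates the group, optionally with the Exchange attributes, and the groupType of every new group is read back and decoded, which is the check to run when reviewing whether a group that only needed to receive mail was accidentally made a security group. The OU OU=Groups,DC=example,DC=com and the group names are assumptions.

```vbscript
' Added example (not from the SelfADSI tutorial). Placeholder container:
' OU=Groups,DC=example,DC=com; group names are made up.
Option Explicit

' groupType bits (ADS_GROUP_TYPE_ENUM)
Const ADS_GROUP_TYPE_GLOBAL_GROUP       = &H2
Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = &H4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP    = &H8
Const ADS_GROUP_TYPE_SECURITY_ENABLED   = &H80000000   ' = -2147483648 as a Long

' Create a group. scope is one of the three scope bits; securityEnabled = True
' gives a security group, False a distribution group; a non-empty mailNickname
' adds the Exchange attributes (mail-enabled group).
Function CreateGroup(containerPath, name, scope, securityEnabled, mailNickname)
    Dim container, grp, groupType
    groupType = scope
    If securityEnabled Then groupType = groupType Or ADS_GROUP_TYPE_SECURITY_ENABLED
    Set container = GetObject(containerPath)
    Set grp = container.Create("group", "CN=" & name)
    grp.Put "sAMAccountName", name
    grp.Put "groupType", groupType
    If mailNickname <> "" Then
        grp.Put "mailNickname", mailNickname
        grp.Put "displayName", name
    End If
    grp.SetInfo
    Set CreateGroup = grp
End Function

' Decode a groupType value into readable scope and type
Function DescribeGroupType(gt)
    Dim scope, kind
    If (gt And ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP) <> 0 Then
        scope = "domain local"
    ElseIf (gt And ADS_GROUP_TYPE_GLOBAL_GROUP) <> 0 Then
        scope = "global"
    ElseIf (gt And ADS_GROUP_TYPE_UNIVERSAL_GROUP) <> 0 Then
        scope = "universal"
    Else
        scope = "unknown scope"
    End If
    If (gt And ADS_GROUP_TYPE_SECURITY_ENABLED) <> 0 Then
        kind = "security"
    Else
        kind = "distribution"
    End If
    DescribeGroupType = scope & " " & kind & " group"
End Function

Dim ouPath, g
ouPath = "LDAP://OU=Groups,DC=example,DC=com"

' domain local security group without mail attributes
Set g = CreateGroup(ouPath, "FS-Finance-RW", ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP, True, "")
WScript.Echo g.sAMAccountName & ": " & DescribeGroupType(g.Get("groupType"))

' global distribution group (receives mail, cannot hold permissions)
Set g = CreateGroup(ouPath, "DL-Sales", ADS_GROUP_TYPE_GLOBAL_GROUP, False, "dl-sales")
WScript.Echo g.sAMAccountName & ": " & DescribeGroupType(g.Get("groupType"))

' universal mail-enabled security group
Set g = CreateGroup(ouPath, "Sec-AllStaff", ADS_GROUP_TYPE_UNIVERSAL_GROUP, True, "allstaff")
WScript.Echo g.sAMAccountName & ": " & DescribeGroupType(g.Get("groupType"))
```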
More information about the relevant LDAP attributes or the configuration of additional object properties can be found in the topic 'Attributes for Active Directory Group' here in the SelfADSI Tutorial.
Creating Organizational Units in the eDirectory
If you need to create an Organizational Unit within the eDirectory, you first connect to the directory container in which the new object shall be created. This can be an organization object, another OU, a locality object or a domain. No mandatory attributes need to be set.
Please note the difference between this case and the creation of objects in Active Directory environments: the attribute "objectClass" is set explicitly. This is not necessary in every eDirectory version, but to avoid errors you should always set the objectClass of eDirectory objects in this way.
Creating Users in the eDirectory
In order to create an eDirectory user, you have to use the object class 'inetOrgPerson' and then set at least the attribute 'sn' (surname):
Please note the difference between this case and the creation of objects in Active Directory environments: the attribute "objectClass" is set explicitly. This is not necessary in every eDirectory version, but to avoid errors you should always set the objectClass of eDirectory objects in this way.
Creating Groups in the eDirectory
For creating an eDirectory group, the object class 'group', 'groupOfNames' or 'groupOfUniqueNames' may be used. These are synonyms for the same object class. No mandatory attributes need to be set.
Please note the difference between this case and the creation of objects in Active Directory environments: the attribute "objectClass" is set explicitly. This is not necessary in every eDirectory version, but to avoid errors you should always set the objectClass of eDirectory objects in this way.
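One added example for the three eDirectory sections above (Organizational Units, users and groups); it is not code from the SelfADSI tutorial. A small helper creates each child and sets objectClass explicitly, as the text advises, so the pattern is written down once. Since eDirectory offers no Windows-integrated authentication, the script binds with OpenDSObject using a simple bind over SSL rather than a clear-text simple bind; the server nds.example on port 636, the organization O=acme, and the bind DN and password taken from the command line are assumptions.

```vbscript
' Added example (not from the SelfADSI tutorial). Placeholders: server
' nds.example:636, organization O=acme; bind DN and password are arguments.
Option Explicit

Const ADS_USE_ENCRYPTION = &H2   ' simple bind over SSL; never send the bind password in clear

' Create a child object and set its objectClass explicitly (eDirectory)
Function CreateChild(container, objClass, rdn)
    Dim obj
    Set obj = container.Create(objClass, rdn)
    obj.Put "objectClass", objClass
    Set CreateChild = obj
End Function

Dim ns, org, ou, user, grp

If WScript.Arguments.Count < 2 Then
    WScript.Echo "usage: cscript edir-create.vbs <bind DN> <password>"
    WScript.Quit 1
End If

' Authenticated, encrypted bind to the organization object; objects created
' through this bound object reuse the same connection and credentials
Set ns = GetObject("LDAP:")
Set org = ns.OpenDSObject("LDAP://nds.example:636/O=acme", _
                          WScript.Arguments(0), WScript.Arguments(1), ADS_USE_ENCRYPTION)

' Organizational Unit: no mandatory attributes
Set ou = CreateChild(org, "organizationalUnit", "OU=Sales")
ou.SetInfo

' User: 'sn' is the only mandatory attribute
Set user = CreateChild(ou, "inetOrgPerson", "CN=jdoe")
user.Put "sn", "Doe"
user.SetInfo

' Group: 'group', 'groupOfNames' and 'groupOfUniqueNames' name the same class
Set grp = CreateChild(ou, "groupOfNames", "CN=SalesTeam")
grp.SetInfo

WScript.Echo "created " & ou.ADsPath & ", " & user.ADsPath & ", " & grp.ADsPath
```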
Creating ZEN Application Objects in the eDirectory
For creating a ZEN Application Object, the object class 'appApplication' has to be used and at least the attributes 'appCaption' and 'appPath' have to be set. These are the description of the application and the call path of the respective program:
Please note that we have to use the official put method here and cannot simply set the attributes as object properties. The call app.appCaption = 'AppControl 1.0' would cause a runtime error. The reason is that the attributes appCaption and appPath have a provider-specific data type and are not standard strings.
In our example the path to the executable file is left empty; for that purpose the string '47 NULL' has to be set as the value.
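An added example for the ZEN Application Object (not code from the SelfADSI tutorial). It binds to an eDirectory container the same way as for the other eDirectory objects, creates the object with an explicit objectClass, writes both attributes through Put as the text requires, uses the '47 NULL' value the text gives for an empty appPath, and reads the attributes back afterwards. The server nds.example:636, the container OU=Apps,O=acme and the application name are assumptions.

```vbscript
' Added example (not from the SelfADSI tutorial). Placeholders: server
' nds.example:636, container OU=Apps,O=acme, application "AppControl".
Option Explicit

Const ADS_USE_ENCRYPTION = &H2

Dim ns, container, app

If WScript.Arguments.Count < 2 Then
    WScript.Echo "usage: cscript zenapp.vbs <bind DN> <password>"
    WScript.Quit 1
End If

Set ns = GetObject("LDAP:")
Set container = ns.OpenDSObject("LDAP://nds.example:636/OU=Apps,O=acme", _
                                WScript.Arguments(0), WScript.Arguments(1), ADS_USE_ENCRYPTION)

Set app = container.Create("appApplication", "CN=AppControl")
app.Put "objectClass", "appApplication"

' Put is required: app.appCaption = "..." raises a runtime error because
' appCaption and appPath have a provider-specific type, not a plain string
app.Put "appCaption", "AppControl 1.0"

' Empty executable path, stored as the value the tutorial specifies for it
app.Put "appPath", "47 NULL"
app.SetInfo

' Read back through Get to confirm what was actually stored
app.GetInfo
WScript.Echo "created " & app.ADsPath
WScript.Echo "  appCaption = " & app.Get("appCaption")
WScript.Echo "  appPath    = " & app.Get("appPath")
```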