Add LDAP entry to Active Directory via ext/ldap
Using ext/ldap, I am trying to add entries to Active Directory. As long as I only use one structural objectClass, everything works as expected, but as soon as I try to add an entry with a second, auxiliary objectClass, the server reports an error:
The server does not want to execute; 00002040: SvcErr: DSID-030F0AA0, problem 5003 (WILL_NOT_PERFORM), data 0
The following code works:
// $ldap is an already-bound ext/ldap connection; a single structural class
ldap_add($ldap, 'OU=Test,OU=Test,DC=domain,DC=example,DC=local', array(
'ou' => 'Test',
'objectClass' => 'organizationalUnit',
'l' => 'location'
));
This does not:
// the same entry with the auxiliary class added up front: fails with WILL_NOT_PERFORM
ldap_add($ldap, 'OU=Test,OU=Test,DC=domain,DC=example,DC=local', array(
'ou' => 'Test',
'associatedDomain' => 'domain',
'objectClass' => array('organizationalUnit', 'domainRelatedObject'),
'l' => 'location'
));
The same thing happens if I try to add an additional objectClass to an existing entry:
// attaching the auxiliary class to the existing entry afterwards fails as well
ldap_mod_add($ldap, 'OU=Test,OU=Test,DC=domain,DC=example,DC=local', array(
'associatedDomain' => 'domain',
'objectClass' => 'domainRelatedObject'
));
The corresponding error message is essentially the same:
The server does not want to execute; 00002040: SvcErr: DSID-030508F8, problem 5003 (WILL_NOT_PERFORM), data 0
Since all other update and add operations work, I think the problem must be related to the objectClass attribute.
Since I don't have enough experience with Active Directory (I'm used to OpenLDAP): Are there any known issues with objectClasses in Active Directory? Am I missing something? Are there any restrictions prohibiting adding, e.g., domainRelatedObject before organizationalUnit? What's going on here ;-)?
Just in case you're wondering: domainRelatedObject is present in the Active Directory schema.
I just found that to add dynamic classes (per instance) the forest domain functional level must be 2003.
You may not have permission to set the objectClass attribute. See if you can attach an additional class after creation with ADSI Edit. If you can't, fix the permissions first (check the Properties tab in the Advanced view of the Security settings).
I could bind this particular class right now to the organizationalUnit object as a domain administrator; therefore it is possible in principle.
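The two answers above point at two different causes (forest functional level and write permission on objectClass). The following added example, which is not code from the question or its answers, checks the functional level via rootDSE before attempting ldap_mod_add and, on failure, reads the server's diagnostic message so the two causes can be told apart. It assumes PHP 7.1 or later (for LDAP_OPT_DIAGNOSTIC_MESSAGE); the host, bind account, DN and domain value are constructed placeholders.

```php
<?php
// Added example, not code from the question or its answers. Host, bind
// account, DN and associatedDomain value are constructed placeholders.
$ldap = ldap_connect('ldap://dc.example.local');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($ldap, 'admin@example.local', getenv('LDAP_PASSWORD')) or exit("bind failed\n");

// rootDSE forestFunctionality: 0 = 2000, 1 = 2003 interim, 2 = 2003, 3 = 2008, ...
const FOREST_FUNCTIONALITY_2003 = 2;

// Read the forest functional level from rootDSE (empty base DN, base scope).
function forestFunctionality($ldap): ?int {
    $res = ldap_read($ldap, '', '(objectClass=*)', ['forestFunctionality']);
    if ($res === false) {
        return null;
    }
    $entries = ldap_get_entries($ldap, $res); // attribute names come back lowercased
    return isset($entries[0]['forestfunctionality'][0])
        ? (int) $entries[0]['forestfunctionality'][0]
        : null;
}

// Attach an auxiliary class to an existing entry; on failure return the server's
// diagnostic text (the "00002040: SvcErr: ..." string seen in the question).
function attachAuxiliaryClass($ldap, string $dn, string $auxClass, array $attrs): array {
    $attrs['objectClass'] = $auxClass;
    if (@ldap_mod_add($ldap, $dn, $attrs)) {
        return ['ok' => true, 'error' => null, 'diagnostic' => null];
    }
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return ['ok' => false, 'error' => ldap_error($ldap), 'diagnostic' => $diag];
}

$dn = 'OU=Test,OU=Test,DC=domain,DC=example,DC=local';
$level = forestFunctionality($ldap);
if ($level === null || $level < FOREST_FUNCTIONALITY_2003) {
    fwrite(STDERR, "forest functional level " . var_export($level, true)
        . " is below 2003: dynamically linked auxiliary classes are not supported\n");
    exit(1);
}
$result = attachAuxiliaryClass($ldap, $dn, 'domainRelatedObject', ['associatedDomain' => 'domain']);
if (!$result['ok']) {
    // WILL_NOT_PERFORM with an adequate functional level points at missing write
    // permission on objectClass for the bind account (see the ADSI Edit answer).
    fwrite(STDERR, "ldap_mod_add failed: {$result['error']} / {$result['diagnostic']}\n");
    exit(1);
}
echo "domainRelatedObject attached to $dn\n";
```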