Add User To Group in Active Directory using JNDI

  • Thread starter Thread starter zieg
  • Start date Start date
Z

zieg

Hi all!

I am new to Active directory and have Problems adding a new User to a
Distribution-Group in MS Active Direcory.

I created a custom group called "GR1" via the Windows GUI
Now i want to add/remove users to this group using java/jndi

I read that the "memberOf" attribute of the user can not be changed
instead you have to change the "member" attribute of the group the
user should be added. But when i try to modify the "member" attribute
of the group i get the following Exception:

javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D:
NameErr: DSID-031001B8, problem 2001 (NO_OBJECT), data 0, best match
of: '' ]; remaining name 'CN=GR1,CN=Users'

When i try to change the "description" attribute of the group with the
same code it works fine.

Here is the code i use



import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;

public class Test2 {

public static void main( String[] args )
{
// Set up environment for creating initial context
Hashtable env = new Hashtable(11);
NamingEnumeration ne;

try {
String SRV = args[0];
String USER = args[1];
String PWD = args[2];

String UserDN = "CN=TestUser,CN=Users";
String GroupDN = "CN=GR1,CN=Users";

env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, SRV);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, USER);
env.put(Context.SECURITY_CREDENTIALS, PWD);

// create initial context
DirContext ctx = new InitialDirContext(env);



ModificationItem[] mods = new ModificationItem[1];
// mods[0] = new
ModificationItem(DirContext.REPLACE_ATTRIBUTE, new
BasicAttribute("description", "foobar")); // works fine
// mods[0] = new
ModificationItem(DirContext.ADD_ATTRIBUTE,new
BasicAttribute("member",UserDN)); // does not work
mods[0] = new
ModificationItem(DirContext.REPLACE_ATTRIBUTE,new
BasicAttribute("member", UserDN)); // does not work

// try to set the member attribute
try {
ctx.modifyAttributes(GroupDN, mods);
} catch (NamingException e) {
e.printStackTrace();
}



// List the attributes of the group "GR1"
String[] attrIDs = null;
Attributes matchAttrs = new BasicAttributes(true);
//ignore case
matchAttrs.put(new BasicAttribute("cn", "GR1"));
SearchResult sr =
(SearchResult)ctx.search("CN=Users",matchAttrs,attrIDs).next();
Attributes userAttrs = sr.getAttributes();

for (NamingEnumeration ae = userAttrs.getAll();
ae.hasMore();) {
Attribute attr = (Attribute)ae.next();
System.out.print(attr.getID());
for (NamingEnumeration e = attr.getAll(); e.hasMore();
System.out.println(" \"" + e.next().toString() + "\" "));
}

ctx.close();

} catch (NamingException e) {
e.printStackTrace();
}
}
}

Thanks a lot
Michael
 
I don't know anything about Java but are you sure anything is working, the DNs
you have aren't valid AD DNs, they need the domain portion on them...

I.E: your group name should be something like cn=gr1,cn=users,dc=domain,dc=com

ditto for the user dn.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Hi all!

I am new to Active directory and have Problems adding a new User to a
Distribution-Group in MS Active Direcory.

I created a custom group called "GR1" via the Windows GUI
Now i want to add/remove users to this group using java/jndi

I read that the "memberOf" attribute of the user can not be changed
instead you have to change the "member" attribute of the group the
user should be added. But when i try to modify the "member" attribute
of the group i get the following Exception:

javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D:
NameErr: DSID-031001B8, problem 2001 (NO_OBJECT), data 0, best match
of: '' ]; remaining name 'CN=GR1,CN=Users'

When i try to change the "description" attribute of the group with the
same code it works fine.

Here is the code i use



import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;

public class Test2 {

public static void main( String[] args )
{
// Set up environment for creating initial context
Hashtable env = new Hashtable(11);
NamingEnumeration ne;

try {
String SRV = args[0];
String USER = args[1];
String PWD = args[2];

String UserDN = "CN=TestUser,CN=Users";
String GroupDN = "CN=GR1,CN=Users";

env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, SRV);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, USER);
env.put(Context.SECURITY_CREDENTIALS, PWD);

// create initial context
DirContext ctx = new InitialDirContext(env);



ModificationItem[] mods = new ModificationItem[1];
// mods[0] = new
ModificationItem(DirContext.REPLACE_ATTRIBUTE, new
BasicAttribute("description", "foobar")); // works fine
// mods[0] = new
ModificationItem(DirContext.ADD_ATTRIBUTE,new
BasicAttribute("member",UserDN)); // does not work
mods[0] = new
ModificationItem(DirContext.REPLACE_ATTRIBUTE,new
BasicAttribute("member", UserDN)); // does not work

// try to set the member attribute
try {
ctx.modifyAttributes(GroupDN, mods);
} catch (NamingException e) {
e.printStackTrace();
}



// List the attributes of the group "GR1"
String[] attrIDs = null;
Attributes matchAttrs = new BasicAttributes(true);
//ignore case
matchAttrs.put(new BasicAttribute("cn", "GR1"));
SearchResult sr =
(SearchResult)ctx.search("CN=Users",matchAttrs,attrIDs).next();
Attributes userAttrs = sr.getAttributes();

for (NamingEnumeration ae = userAttrs.getAll();
ae.hasMore();) {
Attribute attr = (Attribute)ae.next();
System.out.print(attr.getID());
for (NamingEnumeration e = attr.getAll(); e.hasMore();
System.out.println(" \"" + e.next().toString() + "\" "));
}

ctx.close();

} catch (NamingException e) {
e.printStackTrace();
}
}
}

Thanks a lot
Michael
Click to expand...
 
Hello Joe, thanks for your reply

My problem is, with the code i posted i can change the description
attribute of the group but not the member attribute (only by
commenting out the specific lines of the code)

Im passing the domain-indormation through the arguments when starting
the program. The starting point for the class is then the domain (eg.
"DC=TESTSERVICE,DC=COM") and i dont have to specify it any more (think
they get autocompleted or something like this).

of course i tried to specify the domain but then its the same problem
:(
change description works - change members doesnt work

Michael

Joe Richards said:
I don't know anything about Java but are you sure anything is working, the DNs
you have aren't valid AD DNs, they need the domain portion on them...

I.E: your group name should be something like cn=gr1,cn=users,dc=domain,dc=com

ditto for the user dn.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Hi all!

I am new to Active directory and have Problems adding a new User to a
Distribution-Group in MS Active Direcory.

I created a custom group called "GR1" via the Windows GUI
Now i want to add/remove users to this group using java/jndi

I read that the "memberOf" attribute of the user can not be changed
instead you have to change the "member" attribute of the group the
user should be added. But when i try to modify the "member" attribute
of the group i get the following Exception:

javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D:
NameErr: DSID-031001B8, problem 2001 (NO_OBJECT), data 0, best match
of: '' ]; remaining name 'CN=GR1,CN=Users'

When i try to change the "description" attribute of the group with the
same code it works fine.

Here is the code i use



import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;

public class Test2 {

public static void main( String[] args )
{
// Set up environment for creating initial context
Hashtable env = new Hashtable(11);
NamingEnumeration ne;

try {
String SRV = args[0];
String USER = args[1];
String PWD = args[2];

String UserDN = "CN=TestUser,CN=Users";
String GroupDN = "CN=GR1,CN=Users";

env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, SRV);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, USER);
env.put(Context.SECURITY_CREDENTIALS, PWD);

// create initial context
DirContext ctx = new InitialDirContext(env);



ModificationItem[] mods = new ModificationItem[1];
// mods[0] = new
ModificationItem(DirContext.REPLACE_ATTRIBUTE, new
BasicAttribute("description", "foobar")); // works fine
// mods[0] = new
ModificationItem(DirContext.ADD_ATTRIBUTE,new
BasicAttribute("member",UserDN)); // does not work
mods[0] = new
ModificationItem(DirContext.REPLACE_ATTRIBUTE,new
BasicAttribute("member", UserDN)); // does not work

// try to set the member attribute
try {
ctx.modifyAttributes(GroupDN, mods);
} catch (NamingException e) {
e.printStackTrace();
}



// List the attributes of the group "GR1"
String[] attrIDs = null;
Attributes matchAttrs = new BasicAttributes(true);
//ignore case
matchAttrs.put(new BasicAttribute("cn", "GR1"));
SearchResult sr =
(SearchResult)ctx.search("CN=Users",matchAttrs,attrIDs).next();
Attributes userAttrs = sr.getAttributes();

for (NamingEnumeration ae = userAttrs.getAll();
ae.hasMore();) {
Attribute attr = (Attribute)ae.next();
System.out.print(attr.getID());
for (NamingEnumeration e = attr.getAll(); e.hasMore();
System.out.println(" \"" + e.next().toString() + "\" "));
}

ctx.close();

} catch (NamingException e) {
e.printStackTrace();
}
}
}

Thanks a lot
Michael
Click to expand...
Click to expand...
 
Hi,

Again I'm no Java/JNDI expert but I do know that when working with
multivalue attributes like member in VBScript you have to use PutEx along
with the appropriate flag (clear/update/add/delete) as opposed to a simple
Put operation for ordinary attributes. Is it possible that JNDI requires
something similar?

AndyC

zieg said:
Hello Joe, thanks for your reply

My problem is, with the code i posted i can change the description
attribute of the group but not the member attribute (only by
commenting out the specific lines of the code)

Im passing the domain-indormation through the arguments when starting
the program. The starting point for the class is then the domain (eg.
"DC=TESTSERVICE,DC=COM") and i dont have to specify it any more (think
they get autocompleted or something like this).

of course i tried to specify the domain but then its the same problem
:(
change description works - change members doesnt work

Michael

"Joe Richards [MVP]" <[email protected]> wrote in message
I don't know anything about Java but are you sure anything is working, the DNs
you have aren't valid AD DNs, they need the domain portion on them...

I.E: your group name should be something like cn=gr1,cn=users,dc=domain,dc=com

ditto for the user dn.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Hi all!

I am new to Active directory and have Problems adding a new User to a
Distribution-Group in MS Active Direcory.

I created a custom group called "GR1" via the Windows GUI
Now i want to add/remove users to this group using java/jndi

I read that the "memberOf" attribute of the user can not be changed
instead you have to change the "member" attribute of the group the
user should be added. But when i try to modify the "member" attribute
of the group i get the following Exception:

javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D:
NameErr: DSID-031001B8, problem 2001 (NO_OBJECT), data 0, best match
of: '' ]; remaining name 'CN=GR1,CN=Users'

When i try to change the "description" attribute of the group with the
same code it works fine.

Here is the code i use



import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;

public class Test2 {

public static void main( String[] args )
{
// Set up environment for creating initial context
Hashtable env = new Hashtable(11);
NamingEnumeration ne;

try {
String SRV = args[0];
String USER = args[1];
String PWD = args[2];

String UserDN = "CN=TestUser,CN=Users";
String GroupDN = "CN=GR1,CN=Users";

env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, SRV);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, USER);
env.put(Context.SECURITY_CREDENTIALS, PWD);

// create initial context
DirContext ctx = new InitialDirContext(env);



ModificationItem[] mods = new ModificationItem[1];
// mods[0] = new
ModificationItem(DirContext.REPLACE_ATTRIBUTE, new
BasicAttribute("description", "foobar")); // works fine
// mods[0] = new
ModificationItem(DirContext.ADD_ATTRIBUTE,new
BasicAttribute("member",UserDN)); // does not work
mods[0] = new
ModificationItem(DirContext.REPLACE_ATTRIBUTE,new
BasicAttribute("member", UserDN)); // does not work

// try to set the member attribute
try {
ctx.modifyAttributes(GroupDN, mods);
} catch (NamingException e) {
e.printStackTrace();
}



// List the attributes of the group "GR1"
String[] attrIDs = null;
Attributes matchAttrs = new BasicAttributes(true);
//ignore case
matchAttrs.put(new BasicAttribute("cn", "GR1"));
SearchResult sr =
(SearchResult)ctx.search("CN=Users",matchAttrs,attrIDs).next();
Attributes userAttrs = sr.getAttributes();

for (NamingEnumeration ae = userAttrs.getAll();
ae.hasMore();) {
Attribute attr = (Attribute)ae.next();
System.out.print(attr.getID());
for (NamingEnumeration e = attr.getAll(); e.hasMore();
System.out.println(" \"" + e.next().toString() + "\" "));
}

ctx.close();

} catch (NamingException e) {
e.printStackTrace();
}
}
}

Thanks a lot
Michael
Click to expand...
Click to expand...
Click to expand...
 
Well what does it do when you go to add the user as a member, does it tack on
the default domain you are using? And if so, what happens in a multi-domain
environment when the ID could be from one of several domains? My guess is that
you have to specify the full DN of the user ID you want to add to the group.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Hello Joe, thanks for your reply

My problem is, with the code i posted i can change the description
attribute of the group but not the member attribute (only by
commenting out the specific lines of the code)

Im passing the domain-indormation through the arguments when starting
the program. The starting point for the class is then the domain (eg.
"DC=TESTSERVICE,DC=COM") and i dont have to specify it any more (think
they get autocompleted or something like this).

of course i tried to specify the domain but then its the same problem
:(
change description works - change members doesnt work

Michael

Joe Richards said:
I don't know anything about Java but are you sure anything is working, the DNs
you have aren't valid AD DNs, they need the domain portion on them...

I.E: your group name should be something like cn=gr1,cn=users,dc=domain,dc=com

ditto for the user dn.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Hi all!

I am new to Active directory and have Problems adding a new User to a
Distribution-Group in MS Active Direcory.

I created a custom group called "GR1" via the Windows GUI
Now i want to add/remove users to this group using java/jndi

I read that the "memberOf" attribute of the user can not be changed
instead you have to change the "member" attribute of the group the
user should be added. But when i try to modify the "member" attribute
of the group i get the following Exception:

javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D:
NameErr: DSID-031001B8, problem 2001 (NO_OBJECT), data 0, best match
of: '' ]; remaining name 'CN=GR1,CN=Users'

When i try to change the "description" attribute of the group with the
same code it works fine.

Here is the code i use



import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;

public class Test2 {

public static void main( String[] args )
{
// Set up environment for creating initial context
Hashtable env = new Hashtable(11);
NamingEnumeration ne;

try {
String SRV = args[0];
String USER = args[1];
String PWD = args[2];

String UserDN = "CN=TestUser,CN=Users";
String GroupDN = "CN=GR1,CN=Users";

env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, SRV);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, USER);
env.put(Context.SECURITY_CREDENTIALS, PWD);

// create initial context
DirContext ctx = new InitialDirContext(env);



ModificationItem[] mods = new ModificationItem[1];
// mods[0] = new
ModificationItem(DirContext.REPLACE_ATTRIBUTE, new
BasicAttribute("description", "foobar")); // works fine
// mods[0] = new
ModificationItem(DirContext.ADD_ATTRIBUTE,new
BasicAttribute("member",UserDN)); // does not work
mods[0] = new
ModificationItem(DirContext.REPLACE_ATTRIBUTE,new
BasicAttribute("member", UserDN)); // does not work

// try to set the member attribute
try {
ctx.modifyAttributes(GroupDN, mods);
} catch (NamingException e) {
e.printStackTrace();
}



// List the attributes of the group "GR1"
String[] attrIDs = null;
Attributes matchAttrs = new BasicAttributes(true);
//ignore case
matchAttrs.put(new BasicAttribute("cn", "GR1"));
SearchResult sr =
(SearchResult)ctx.search("CN=Users",matchAttrs,attrIDs).next();
Attributes userAttrs = sr.getAttributes();

for (NamingEnumeration ae = userAttrs.getAll();
ae.hasMore();) {
Attribute attr = (Attribute)ae.next();
System.out.print(attr.getID());
for (NamingEnumeration e = attr.getAll(); e.hasMore();
System.out.println(" \"" + e.next().toString() + "\" "));
}

ctx.close();

} catch (NamingException e) {
e.printStackTrace();
}
}
}

Thanks a lot
Michael
Click to expand...
Click to expand...
Click to expand...
 
Your guess is right...

In my case i have to specify the complete DN information for the user
but have to specify the short form for the group DN, all other
combinations dont work...

The result looks something like this:

String UserDN = "CN=TestUser,CN=Users,DC=MYDOMAIN,DC=COM";
String GroupDN = "CN=GR1,CN=Users";

Thanks a lot
Michael
 
Back
Top