ldap_add

(PHP 3, PHP 4, PHP 5)

ldap_add -- Add entries to LDAP directory

Description

bool ldap_add ( resource link_identifier, string dn, array entry )

Returns TRUE on success or FALSE on failure.

The ldap_add() function is used to add entries in the LDAP directory. The DN of the entry to be added is specified by dn. Array entry specifies the information about the entry. The values in the entries are indexed by individual attributes. In case of multiple values for an attribute, they are indexed using integers starting with 0.

<?php
$entree["attribut1"] = "value";
$entree["attribut2"][0] = "value1";
$entree["attribut2"][1] = "value2";
?>

Example 1. Complete example with authenticated bind

<?php
$ds = ldap_connect("localhost");  // assuming the LDAP server is on this host

if ($ds) {
    // bind with appropriate dn to give update access
    $r = ldap_bind($ds, "cn=root, o=My Company, c=US", "secret");

    // prepare data
    $info["cn"] = "John Jones";
    $info["sn"] = "Jones";
    $info["mail"] = "jonj@example.com";
    $info["objectclass"] = "person";

    // add data to directory
    $r = ldap_add($ds, "cn=John Jones, o=My Company, c=US", $info);

    ldap_close($ds);
} else {
    echo "Unable to connect to LDAP server";
}
?>

Note: This function is binary-safe.
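
A hardened variant of Example 1, added here and not part of the PHP manual: it sets protocol version 3, upgrades the connection with StartTLS before the bind password is sent, escapes the RDN value with ldap_escape(), and checks every result. The function names person_dn() and add_person(), and the sample common name, are assumptions made for illustration.

```php
<?php
// Added example, not from the PHP manual. Requires the ldap extension
// and PHP 5.6+ for ldap_escape(); type hints need PHP 7+.

// Build the DN of a new person entry. The RDN value is escaped so that
// characters such as "," "+" "=" or "\" in user input cannot change the
// structure of the DN.
function person_dn(string $cn, string $base): string
{
    return 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_DN) . ',' . $base;
}

// Connect, upgrade to TLS, bind and add. Throws on the first failure and
// returns the DN of the created entry.
function add_person(string $uri, string $bindDn, string $bindPw,
                    string $base, array $info): string
{
    $ds = ldap_connect($uri);             // only parses the URI, no I/O yet
    if ($ds === false) {
        throw new RuntimeException('invalid LDAP URI');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // needed for StartTLS
    if (!@ldap_start_tls($ds)) {          // encrypt before the password is sent
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ds));
    }
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }
    $dn  = person_dn($info['cn'], $base);
    $ok  = @ldap_add($ds, $dn, $info);
    $err = ldap_error($ds);               // read the error before unbinding
    ldap_unbind($ds);
    if (!$ok) {
        throw new RuntimeException("add failed for $dn: $err");
    }
    return $dn;
}

// Constructed input: a common name that contains DN metacharacters.
// Runs offline; add_person() is only defined, not called.
echo person_dn('Jones, John (+admin)', 'o=My Company,c=US'), "\n";
```

When calling add_person(), read the bind password from the environment or a secrets store rather than hard-coding it as in Example 1.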


User Contributed Notes
erwann at zeflip dot com
03-Oct-2006 12:20
I was looking at creating a user in Active Directory, and it kept erroring with "Object Class Violation".

I then realised looking at an existing record that all the attributes had to be arrays:

<?php
$info["cn"] = array("John Jones");
$info["sn"] = array("Jones");
$info["mail"] = array("jonj@example.com");
$info["objectclass"] = array("person");

// add data to directory
$r = ldap_add($ds, "cn=John Jones, o=My Company, c=US", $info);
?>
chad dot smith at 50marketing dot com
30-Sep-2005 05:56
I took spam2004 at turniton dot dk's example and made it a bit better. Maybe my setup was a bit different, but either way here is how I added a group in Microsoft Windows Server 2003.

<?php
// Connect using ldap_connect
// Bind using ldap_bind
// Set LDAP_OPT_PROTOCOL_VERSION to 3
$member_array = array();
$member_array[0] = "cn=user1,cn=Users,dc=yourdomain,dc=com";
$member_array[1] = "cn=administrator,cn=Users,dc=yourdomain,dc=com";

$addgroup_ad["cn"] = "testgroup";
$addgroup_ad["samaccountname"] = "testgroup";
$addgroup_ad["objectClass"] = "Group";
$addgroup_ad["description"] = "Yep just a test.";
$addgroup_ad["member"] = $member_array;
$base_dn = "cn=testgroup,cn=Users,DC=yourdomain,DC=com";
ldap_add($ldap_conn,$base_dn,$addgroup_ad);
// This is it.
?>

Take care and good luck,
Chad R. Smith
theiderich AT laweekly dot com
16-Jul-2005 01:19
When adding/editing attributes for a user, keep in mind that the 'memberof' attribute is a special case.  The memberOf attribute is not an accessible attribute of the user schema. To add someone to a group, you have to add the user in the group, and not the group in the user. You can do this by accessing the group attribute 'member':

<?php
$group_name = "CN=MyGroup,OU=Groups,DC=example,DC=com";
$group_info['member'] = $dn; // User's DN is added to group's 'member' array
ldap_mod_add($connect, $group_name, $group_info);
?>
micattack+phpnet at gmail dot com
02-May-2005 09:32
When getting the dreaded invalid syntax, it helps to turn on debugging in LDAP. Looking at /var/log/ldap gets you things like:

May  2 13:51:21 tux slapd[12985]: conn=4934 op=1 RESULT tag=105 err=21 text=phpgwtz: value #0 invalid per syntax
May  2 13:52:02 tux slapd[12697]: No objectClass for entry (uid=1, ou=adressen, dc=...
hp at syntomax dot com
29-Oct-2004 09:31
Another fun thing: ldap_add() doesn't like arrays with empty members: so
array (
     [cn] = "name"
     [key] = ""
     [anotherkey] = "value"
)
will yield a syntax error!

Solve this with a simple piece of code:

$object = array();
foreach ($originalobject as $key => $value) {
       // strict comparison: drop only empty values, keep 0 and "0"
       if ($value !== "" && $value !== null) {
               $object[$key] = $value;
       }
}

where $originalobject is the unchecked array and $object is the one without empty members.
amcnabb
22-Oct-2004 05:37
Be careful with types.  PHP switches automatically between strings and numbers, but LDAP doesn't, and PHP will send whatever is most convenient for PHP, not LDAP, unless you specify a type.

If you inadvertently send a number as a string, you will get an error: "ldap_add(): Add: Invalid syntax in [filename] on line LINENUM."

Observe this example which makes an array to send to LDAP to create a POSIX group.  Note that $new_groupid, which is technically a string, must be typecast with (int).

         $new_ldap_group['cn'] = $groupname;
         $new_ldap_group['objectclass'][0] = 'posixgroup';
         $new_ldap_group['objectclass'][1] = 'top';
         $new_ldap_group['gidnumber'] = (int) $new_groupid;
spam2004 at turniton dot dk
04-Oct-2004 07:06
To add a group in Windows AD..
$object_name="testgroup2";
$members[]="CN=THU,ou=Users,dc=addomain,dc=domain,dc=dk";
$members[]="CN=testgroup2,ou=Groups,dc=addomain,dc=domain,dc=dk";
$addgroup_ad['cn']="$object_name";
$addgroup_ad['objectClass'][0] = "top";
$addgroup_ad['objectClass'][1] ="group";
$addgroup_ad['description']=$object_description;
$addgroup_ad['member']=$members;
$addgroup_ad["sAMAccountName"] =$object_name;

// notice param 2 (dn) will probably be different
$dn="cn=".$object_name.",ou=Groups,dc=addomain,dc=domain,dc=dk";
ldap_add($ldapc,$dn,$addgroup_ad);
ondrej dot duchon at t-systems dot cz
14-Jan-2004 10:49
If you need to use national characters (ISO 8859-2, 8, etc.), it's a good idea to use ldap_set_option.
It was a hard job to find where the bug was ;-))). I hope that helps somebody.

 ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ondrej dot duchon at t-systems dot cz
14-Jan-2004 08:58
jharnett at artschool dot com:
For an active user in AD you must change "useraccountcontrol" to 512; 512 = enabled, 514 = disabled
Andrew (a.whyte at cqu.edu.au)
25-Sep-2003 10:49
In reference to the questions about Account Enabling, you can use the table found at Microsoft's Support site to help with these attributes.

You are correct that '2' is the Account Disabled flag, but there are others, which allow you to detect/set password force expiry and the like.

Hope this URL is useful for that:

http://support.microsoft.com/default.aspx?scid=kb;en-us;305144

Cheers.
John Van Atta
20-May-2003 09:52
In response to jharnett's question about accounts disabled by default from ldap_add, we have found a solution.

The attribute userAccountControl contains a value that includes whether the account is disabled or enabled. The default for us is 546; when we changed that to 544 the account became enabled. Changing whatever value is in userAccountControl by 2 seems to enable or disable the account.

The following code worked for us to create a new user with an enabled account:

$adduserAD["userAccountControl"] = "544";

We just added this element to the above example's array.
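
Added example, not part of any contributor's note: the userAccountControl values quoted in the notes above (512, 514, 544, 546) decoded into the flag names from the Microsoft article linked earlier. It shows that 544 differs from 512 by the PASSWD_NOTREQD bit, so a check for enabled accounts that do not require a password can test that bit. The helper names uac_flags() and uac_clear() are assumptions.

```php
<?php
// Added example, not from the notes. Flag values are taken from
// Microsoft's userAccountControl documentation (KB 305144).
const UAC_FLAGS = [
    0x000002 => 'ACCOUNTDISABLE',
    0x000020 => 'PASSWD_NOTREQD',
    0x000200 => 'NORMAL_ACCOUNT',
    0x010000 => 'DONT_EXPIRE_PASSWORD',
    0x800000 => 'PASSWORD_EXPIRED',
];

// Return the names of the known flags set in a userAccountControl value.
function uac_flags(int $uac): array
{
    $set = [];
    foreach (UAC_FLAGS as $bit => $name) {
        if ($uac & $bit) {
            $set[] = $name;
        }
    }
    return $set;
}

// Clear the given flag bits and leave every other bit untouched.
function uac_clear(int $uac, int $bits): int
{
    return $uac & ~$bits;
}

// Decode the four values that appear in the notes.
foreach ([512, 514, 544, 546] as $uac) {
    printf("%d = %s\n", $uac, implode(' | ', uac_flags($uac)));
}

// Enabling an account by clearing only ACCOUNTDISABLE keeps PASSWD_NOTREQD:
$enabled = uac_clear(546, 0x0002);            // 544
// Clearing both bits gives a normal account that requires a password:
$strict  = uac_clear(546, 0x0002 | 0x0020);   // 512

// ldap_add() / ldap_modify() take the value as a decimal string.
$adduserAD['userAccountControl'] = (string) $strict;
printf("546 -> %d (enabled), %d (enabled, password required)\n", $enabled, $strict);
```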
Axel D. (FRANCE)
05-Mar-2003 12:26
Try this script if you don't know how to add a user in the AD Win2K.
To have more information about the attributes, open the adsiedit console in the Support Tools for Win2K.

$adduserAD["cn"][0] =
$adduserAD["instancetype"][0] =
$adduserAD["samaccountname"][0] =
$adduserAD["objectclass"][0] = "top";
$adduserAD["objectclass"][1] = "person";
$adduserAD["objectclass"][2] = "organizationalPerson";
$adduserAD["objectclass"][3] = "user";
$adduserAD["displayname"][0] =
$adduserAD["name"][0] =
$adduserAD["givenname"][0] =
$adduserAD["sn"][0] =
$adduserAD["company"][0] =
$adduserAD["department"][0] =
$adduserAD["title"][0] =
$adduserAD["description"][0] =
$adduserAD["mail"][0] =
$adduserAD["initials"][0] =
$adduserAD["samaccountname"][0] =
$adduserAD["userprincipalname"][0] =
$adduserAD["profilepath"][0] =
$adduserAD["manager"][0] = ***Use DistinguishedName***

if (!($ldap = ldap_connect("localhost"))) {
     die ("Could not connect to LDAP server");
}
if (!($res = @ldap_bind($ldap, "user@pc.com", $password))) {
     die ("Could not bind to the LDAP account");
}
if (!(ldap_add($ldap, "CN=New User,OU=OU Users,DC=pc,DC=com", $adduserAD))){
     echo "There is a problem to create the account";
     echo "Please contact your administrator !";
     exit;
}
ldap_unbind($ldap);
jharnett at artschool dot com
23-Oct-2002 05:43
For some wacky reason, when the new account is added using ldap_add(), the account is set to "inactive".
And from what I can see there is no modifiable attribute to "re-enable" that user. I suppose by default, if the specific flags are not set the default values are used. Anyone that has a fix for this, please post, I'm pulling out what little hair I have left.
del at babel dot com dot au
24-Jun-2002 12:55
If you need to add an attribute that is binary encoded (eg: userCertificate), then you need to add the ";binary" specification at the end of the field name.

eg:

$info["userCertificate;binary"] = $myBinaryCert;
ldap_add($ds, $dn, $info); // $ds: bound connection, $dn: DN of the new entry

Del
titus dot stahl at experts4 dot com
30-Aug-2001 09:53
Note that you cannot use base64 encoding, you have to use utf-8 encoding for special chars instead.
akohlsmith at mixdown dot org
13-Sep-1999 07:48
ldap_add() will only honour the $entry["attribute"][x]="value" *if there are multiple values for the attribute*.  If there is only one attribute value, it *MUST* be entered as $entry["attribute"]="value" or ldap_add() sets the value for the attribute to be "Array" instead of what you put into $entry["attribute"][0].

Here is a little routine I wrote up to do this automatically.  When you're parsing the input, just use multi_add():

function multi_add($attribute, $value)
{
 global $entry;                                // the LDAP entry you're gonna add

 if(isset($entry[$attribute]))
   if(is_array($entry[$attribute]))
     $entry[$attribute][count($entry[$attribute])] = $value;
   else
     {
     $tmp = $entry[$attribute];
     unset($entry[$attribute]);
     $entry[$attribute][0] = $tmp;
     $entry[$attribute][1] = $value;
     }
 else
   $entry[$attribute] = $value;
}

multi_add() checks to see if there is already a value for the attribute.  If not, it adds it as $entry[$attribute]=$value.  If there is already a value for the attribute, it converts the attribute to an array and adds the multiple values correctly.

How to use it:

switch($form_data_name)
     {
     case 'phone': multi_add("telephoneNumber", $form_data_value); break;
     case 'fax': multi_add("facsimileTelephoneNumber", $form_data_value); break;
     case 'email': multi_add("mail", $form_data_value); break;
     ...
     }

In the system I designed the form has pulldowns with names ctype1, ctype2, ctype3, etc. and the values are "fax, mail, phone...".  The actual contact data (phone number, fax, email, etc) is contact1, contact2, contact3, etc.  The user pulls down what the contact type is (phone, email) and then enters the data (number, address, etc.)

I use variable variables to fill the entry and skip blanks.  Makes for a very clean form entry system.  Email me if you're interested in it, as I think I'm outgrowing the size of note allowed here.  :-)