Recipe 6.3 Creating an inetOrgPerson User

6.3.1 Problem

You want to create an inetOrgPerson object, which is the standard LDAP object class to represent users.

6.3.2 Solution

6.3.2.1 Using a graphical user interface

6.3.2.2 Using a command-line interface

The dsadd command does not support creating inetOrgPerson objects, so we'll use ldifde instead. First, we need to create an LDIF file called create_inetorgperson.ldf with the following contents:

dn: <UserDN>
changetype: add
objectclass: inetorgperson
sAMAccountName: <UserName>
userAccountControl: 512

Be sure to replace <UserDN> with the distinguished name of the user you want to add and <UserName> with the user's username. Then run the following command:

> ldifde -i -f create_inetorgperson.ldf

6.3.2.3 Using VBScript

' This code creates an inetOrgPerson object.
' Replace <ParentDN>, <UserName>, <UserUPN>, <UserFirstName>,
' <UserLastName>, and <Password> with values for your environment.
set objParent = GetObject("LDAP://<ParentDN>")
set objUser = objParent.Create("inetorgperson", "cn=<UserName>")
' Taken from ADS_USER_FLAG_ENUM
Const ADS_UF_NORMAL_ACCOUNT = 512
objUser.Put "sAMAccountName", "<UserName>"
objUser.Put "userPrincipalName", "<UserUPN>"
objUser.Put "givenName", "<UserFirstName>"
objUser.Put "sn", "<UserLastName>"
objUser.Put "displayName", "<UserFirstName> <UserLastName>"
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
' The first SetInfo commits the new object to the directory
objUser.SetInfo
' A password can only be set on an object that already exists, so set it
' after the first SetInfo, then enable the account and commit again
objUser.SetPassword("<Password>")
objUser.AccountDisabled = FALSE
objUser.SetInfo

6.3.3 Discussion

The inetOrgPerson object class was defined in RFC 2798. It is the closest thing in the LDAP world to a standard representation of a user, and most LDAP vendors support the inetOrgPerson class. Unfortunately, Microsoft did not support inetOrgPerson with the initial release of Active Directory. Even though they provided an add-on later to extend the schema to support it, the damage had been done. Most Active Directory implementations were already using the user object class and were unlikely to convert. This required vendors to build in support for the user class.
In Windows Server 2003 Active Directory, inetOrgPerson is supported natively. You can create inetOrgPerson objects for your users, who can use them to authenticate just as they would accounts of the user object class. If you haven't deployed Active Directory yet and you plan on integrating a lot of third-party LDAP-based applications that rely on inetOrgPerson, you may want to consider using it over user. You won't be losing any information or functionality, because the inetOrgPerson class inherits directly from the user class. Because of that inheritance, the inetOrgPerson class has every attribute of the Microsoft user class plus the ones it adds. The one potential downside is that some of the Microsoft tools, such as the DS utilities, do not support modifying inetOrgPerson objects.

6.3.4 See Also

Recipe 6.1 for creating a user and RFC 2798 (Definition of the inetOrgPerson LDAP Object Class)