Tags: python, active-directory, python-ldap

python-ldap add_s fails to add attribute for AD user with OBJECT_CLASS_VIOLATION


I get an OBJECT_CLASS_VIOLATION when trying to add an attribute. Modifying an existing attribute works just fine (even this same attribute, if I add it from AD first, then mod it).

First I kinit as a domain admin, then:

import ldap, ldap.sasl
l = ldap.initialize('ldap://TEST.DOM.DE')
auth_tokens = ldap.sasl.gssapi('')          # use the Kerberos ticket from kinit
l.sasl_interactive_bind_s('', auth_tokens)
# this is the call that fails
l.add_s('CN=dmulder,CN=Users,DC=test,DC=dom,DC=de', [('gecos', ['something'])])

Which returns this error:

ldap.OBJECT_CLASS_VIOLATION: {'info': '0000207B: UpdErr: DSID-0305124B, problem 6002 (OBJ_CLASS_VIOLATION), data 0\n', 'desc': 'Object class violation'}

This command is successful though, if I create the attribute ahead of time within ADUC:

l.modify_s('CN=dmulder,CN=Users,DC=test,DC=dom,DC=de', [(1, 'gecos', None), (0, 'gecos', ['something'])])

And the add command does work with ldapmodify:

> ldapmodify -x -h TEST.DOM.DE -D Administrator@TEST.DOM.DE 
dn:CN=dmulder,CN=Users,DC=test,DC=dom,DC=de
changetype: modify
add: gecos
gecos: something
modifying entry "CN=dmulder,CN=Users,DC=test,DC=dom,DC=de"

Any idea what I'm doing wrong here?


Solution

  • l.add_s is used to add an object, not an attribute.

    In this case you are attempting to create a new object, and you are missing multiple required attributes for object creation. You ought to be using

    l.modify_s('CN=dmulder,CN=Users,DC=test,DC=dom,DC=de', [(0, 'gecos', 'something')])

    to just add a new attribute to the object.

    To clarify: when the attribute isn't already set, this syntax is wrong:

    l.modify_s('CN=dmulder,CN=Users,DC=test,DC=dom,DC=de', [(1, 'gidNumber', None), (0, 'gidNumber', ['1000'])])

    The above syntax (without a previous value) is correct.
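The distinction the answer draws (add_s creates a whole new entry and therefore needs objectClass and the class's mandatory attributes; modify_s changes attributes on an entry that already exists) is easy to get wrong when building modlists by hand. The following helpers are an added example written for this page, not code from the question or the answer. They assume python-ldap's MOD_ADD/MOD_DELETE/MOD_REPLACE constants (numerically 0/1/2; a fallback is provided so the helpers run without the library installed), the list-of-bytes value convention of python-ldap 3.x on Python 3, and the user DN from the question. They also go slightly beyond the answer: MOD_REPLACE sets an attribute whether or not it already exists, which sidesteps the delete-then-add pair the answer warns about.

```python
# Added example: building python-ldap modification lists correctly.
# Assumption: python-ldap's MOD_* constants and its (op, attr, values)
# modlist shape; the fallback lets this module load without python-ldap.
try:
    from ldap import MOD_ADD, MOD_DELETE, MOD_REPLACE
except ImportError:  # python-ldap not installed: same numeric values
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

USER_DN = "CN=dmulder,CN=Users,DC=test,DC=dom,DC=de"  # DN from the question


def _as_bytes_list(values):
    """python-ldap 3.x on Python 3 wants attribute values as lists of bytes."""
    if isinstance(values, (str, bytes)):
        values = [values]
    return [v.encode("utf-8") if isinstance(v, str) else v for v in values]


def add_attribute_modlist(attr, values):
    """Modlist for modify_s that adds values to `attr` on an EXISTING entry.
    This is the answer's fix for the question; the server rejects it with
    TYPE_OR_VALUE_EXISTS if one of the values is already present."""
    return [(MOD_ADD, attr, _as_bytes_list(values))]


def set_attribute_modlist(attr, values):
    """Modlist that sets `attr` to exactly `values`, creating it if absent.
    MOD_REPLACE avoids the delete-then-add pair from the answer, whose
    MOD_DELETE step fails with NO_SUCH_ATTRIBUTE when the attribute is unset."""
    return [(MOD_REPLACE, attr, _as_bytes_list(values))]


def clear_attribute_modlist(attr):
    """Modlist that removes every value of `attr` (None = all values)."""
    return [(MOD_DELETE, attr, None)]


def new_object_addlist(object_classes, attributes):
    """Addlist for add_s: a NEW entry. It must carry objectClass plus the
    attributes those classes require; the question's add_s supplied only
    'gecos', which is why the server answered OBJECT_CLASS_VIOLATION."""
    addlist = [("objectClass", _as_bytes_list(object_classes))]
    addlist += [(attr, _as_bytes_list(vals)) for attr, vals in attributes.items()]
    return addlist


if __name__ == "__main__":
    # Only this part talks to a directory; it mirrors the question's bind.
    import ldap, ldap.sasl
    conn = ldap.initialize("ldap://TEST.DOM.DE")
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi(""))
    # Adding one attribute to the existing user is a modify, not an add.
    conn.modify_s(USER_DN, set_attribute_modlist("gecos", "something"))
```

Use `add_attribute_modlist` when you specifically want the operation to fail if the value is already there (a useful guard against double-provisioning), and `set_attribute_modlist` when you just want the final state to hold regardless of what was set before. Reserve `new_object_addlist` and `add_s` for creating entries, and expect the server to enforce every mandatory attribute of the object classes you list.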