
JNDI help regarding group membership in Active Directory


I am trying to add a group to a different group in Active Directory using a JNDI program. On doing so, I get the following error:

[LDAP: error code 53 - 00002142: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

The code snippet I am using is below.

  1. Setting group attributes

import javax.naming.directory.*;

// Attributes for the new group entry (objectClass "group")
Attributes attrs = new BasicAttributes(true);
attrs.put("objectClass", "group");
attrs.put("description", "A test group");

  2. Adding the group to a different group

try {
    ModificationItem[] member = new ModificationItem[1];
    // Add the DN of the nested group (groupDN) to the "member" attribute of the parent group (grpDN)
    member[0] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
            new BasicAttribute("member", groupDN));
    ctx.modifyAttributes(grpDN, member);
    System.out.println("Added group to group: " + grpDN);
} catch (NamingException e) {
    System.err.println("Problem adding group to group: " + e);
}

I am able to add a user to groups using almost the same type of code (below).

  1. Setting user attributes

// Create attributes to be associated with the new user
Attributes attrs = new BasicAttributes(true);
attrs.put("objectClass", "user");
attrs.put("samAccountName", "Perry");
attrs.put("cn", "Perry");

attrs.put("givenName", "Perry");
attrs.put("sn", "Perry");
attrs.put("displayName", "Perry Peterson");
attrs.put("description", "Research Engineer");

// userAccountControl flag bits
int UF_ACCOUNTDISABLE = 0x0002;
int UF_PASSWD_NOTREQD = 0x0020;
int UF_PASSWD_CANT_CHANGE = 0x0040;
int UF_NORMAL_ACCOUNT = 0x0200;
int UF_DONT_EXPIRE_PASSWD = 0x10000;
int UF_PASSWORD_EXPIRED = 0x800000;

// Create the account disabled, with no password required and the password marked expired
attrs.put("userAccountControl", Integer.toString(
        UF_NORMAL_ACCOUNT + UF_PASSWD_NOTREQD + UF_PASSWORD_EXPIRED + UF_ACCOUNTDISABLE));

  2. Adding the user to groups

try {
    ModificationItem[] member = new ModificationItem[1];
    // Add the user's DN to the "member" attribute of the group
    member[0] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
            new BasicAttribute("member", userDN));
    ctx.modifyAttributes(groupDN, member);
    System.out.println("Added user to group: " + groupName);
} catch (NamingException e) {
    System.err.println("Problem adding user to group: " + e);
}

Does anyone have an idea of what I am doing wrong here, or is there any attribute that has to be set for groups as well, as in the case of users? I have an SSL connection between my JNDI client and the server, and I am able to successfully reset user passwords (which would not be possible without SSL).

I suspect this is happening because the groups I created earlier were not created properly.

Regards

Perry


Solution

  • This is happening because the groups are created as security groups by default, and it is not possible to add groups to groups (in the case of security groups).

    If you want to have nested groups, create the groups as universal distribution groups; only then will you be able to add groups to groups.

    This behaviour is for Active Directory. I am not aware of other directories.
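As an added example (not code from the question or the answer above), the following Java/JNDI program follows the answer's advice and creates the groups explicitly as universal distribution groups by setting the Active Directory groupType attribute, then nests one in the other with the same ADD_ATTRIBUTE modification the question uses. It also reads back and decodes groupType before nesting, so that if the server returns WILL_NOT_PERFORM you can see what kind of group you are actually working with. The groupType bit values are the documented Active Directory ones; the server URL, bind account, organizational unit and group names are placeholders you must replace.

```java
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
import java.util.Hashtable;

public class NestedGroupExample {

    // Active Directory groupType flag bits (documented AD values)
    static final int GROUP_TYPE_GLOBAL           = 0x00000002;
    static final int GROUP_TYPE_DOMAIN_LOCAL     = 0x00000004;
    static final int GROUP_TYPE_UNIVERSAL        = 0x00000008;
    static final int GROUP_TYPE_SECURITY_ENABLED = 0x80000000; // negative as a Java int

    /** Attributes for a universal distribution group: universal scope, security bit clear. */
    static Attributes universalDistributionGroup(String cn, String description) {
        Attributes attrs = new BasicAttributes(true);
        attrs.put("objectClass", "group");
        attrs.put("cn", cn);
        attrs.put("sAMAccountName", cn);
        attrs.put("description", description);
        // groupType is a signed 32-bit integer sent as a string; 8 = universal, not security-enabled
        attrs.put("groupType", Integer.toString(GROUP_TYPE_UNIVERSAL));
        return attrs;
    }

    /** Human-readable decoding of a groupType value, for checking an existing group. */
    static String describeGroupType(int groupType) {
        String scope = (groupType & GROUP_TYPE_UNIVERSAL) != 0 ? "universal"
                     : (groupType & GROUP_TYPE_GLOBAL) != 0 ? "global"
                     : (groupType & GROUP_TYPE_DOMAIN_LOCAL) != 0 ? "domain local"
                     : "unknown scope";
        String kind = (groupType & GROUP_TYPE_SECURITY_ENABLED) != 0 ? "security" : "distribution";
        return scope + " " + kind + " group";
    }

    /** Read the groupType attribute of an existing group entry. */
    static int readGroupType(DirContext ctx, String groupDN) throws NamingException {
        Attributes attrs = ctx.getAttributes(groupDN, new String[] { "groupType" });
        Attribute gt = attrs.get("groupType");
        if (gt == null) {
            throw new NamingException("no groupType attribute on " + groupDN);
        }
        return Integer.parseInt((String) gt.get());
    }

    /** Add childDN to the "member" attribute of parentDN (same call as in the question). */
    static void nestGroup(DirContext ctx, String parentDN, String childDN) throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("member", childDN))
        };
        ctx.modifyAttributes(parentDN, mods);
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder connection settings (hypothetical server and service account).
        String bindPassword = System.getenv("LDAP_BIND_PASSWORD");
        if (bindPassword == null) {
            throw new IllegalStateException("set LDAP_BIND_PASSWORD in the environment");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://dc.example.com:636"); // LDAP over SSL, as in the question
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "CN=svc-provision,OU=Service Accounts,DC=example,DC=com");
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);

        String base = "OU=Groups,DC=example,DC=com"; // placeholder OU
        String parentDN = "CN=Parent Group," + base;
        String childDN  = "CN=Child Group," + base;

        DirContext ctx = new InitialDirContext(env);
        try {
            ctx.createSubcontext(parentDN, universalDistributionGroup("Parent Group", "outer group"));
            ctx.createSubcontext(childDN,  universalDistributionGroup("Child Group",  "inner group"));

            // Confirm what was created before nesting, so a WILL_NOT_PERFORM is easier to diagnose.
            System.out.println(parentDN + " is a " + describeGroupType(readGroupType(ctx, parentDN)));
            System.out.println(childDN + " is a " + describeGroupType(readGroupType(ctx, childDN)));

            nestGroup(ctx, parentDN, childDN);
            System.out.println("Added " + childDN + " to " + parentDN);
        } finally {
            ctx.close();
        }
    }
}
```

When diagnosing an existing group that refuses a nested member, readGroupType and describeGroupType alone are enough: a value of 8 is a universal distribution group, while a negative value has the security-enabled bit set. Setting groupType in the create request, rather than relying on the server default, makes the group kind explicit in the provisioning code and easy to audit.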