1

When I try to pass the memberOf field in a JS dict during creation of a member, or even to edit it afterwards via

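```javascript
const { Change } = require('ldapjs');

// Fragment from inside a function where client, dn, field and value are in scope.
const change = new Change({
    operation: 'replace',
    modification: {
        [field]: value
    }
});

return new Promise((resolve, reject) => {
    client.modify(dn, change, err => {
        client.destroy();
        if (err) {
            // Return here so resolve() is not also called after a failure.
            return reject(err.message);
        }
        resolve();
    });
});
```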

It simply throws an error:

```
(node:5136) UnhandledPromiseRejectionWarning: 0000209A: SvcErr: DSID-031A107A, problem 5003 (WILL_NOT_PERFORM) , data 0
```

So, how do I change membership in AD?

As a side question, where can I find examples of using ldapjs and good docs? The official site is kind of lackluster.

amshegarh

1 Answer

3

You cannot change the memberOf attribute. It is a Linked Attribute (also called "back-link"). The value is calculated based on groups that have the user in their member attribute.

So to add a user (or any object really) to a group, you have to change the member attribute of the group.

The AD Users and Computers application doesn't make this clear, since it lets you add a person to groups on the "Member Of" tab of the user properties. But really, it's modifying the member attribute of the group in the background.

Gabriel Luci
  • This one is correct, although I figured it out already. What's more strange is that groups don't seem to have a member attribute (at least it's not printed via console.log) – amshegarh Dec 05 '19 at 11:18
  • @larrybg Make sure you're looking at `member` on the group object, not the user object. – Gabriel Luci Mar 11 '22 at 16:33
  • @GabrielLuci I still don't get how this would be possible with ldapjs, it needs the user's DN when modifying... – larrybg Mar 11 '22 at 16:44
  • @larrybg Right. You would add (or remove) the user's DN from the `member` attribute of the group. Search Google for "ldapjs add user to group" – Gabriel Luci Mar 11 '22 at 16:50
  • @GabrielLuci oh, I see it's the other way around. I'll try that, thank you! – larrybg Mar 11 '22 at 17:18
  • @GabrielLuci, sorry one more question - do you know how to set a primary group for the user with ldapjs? – larrybg Mar 11 '22 at 22:13
  • @larrybg I can't tell you exactly how to do it in ldapjs, since I've never used it, but I describe how it's set in an article I wrote: [Active Directory: What Makes a Member a Member?](https://www.gabescode.com/active-directory/2018/06/07/what-makes-a-member.html#the-primary-group) – Gabriel Luci Mar 12 '22 at 03:15
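
The approach from the answer, sketched as an added example (not code from the question, the answer, or the ldapjs project): the user's `memberOf` values are only read, and every write targets a group's `member` attribute with `add` or `delete`, because `replace` on `member` would overwrite the group's whole membership. The helper names and sample DNs are hypothetical, and the `modification` object follows the shape used in the question, so check the shape your ldapjs version expects.

```javascript
// Added example, not code from the question or answer.
// planMembershipChanges / applyMembershipChanges are hypothetical helpers.

// Case-insensitive DN comparison; assumes both lists come from the same
// directory and so share spacing and escaping.
const norm = dn => dn.trim().toLowerCase();

// currentMemberOf: values read from the user's memberOf (read-only input).
// desiredGroups: DNs of the groups the user should end up in.
function planMembershipChanges(userDn, currentMemberOf, desiredGroups) {
    const current = new Map(currentMemberOf.map(dn => [norm(dn), dn]));
    const desired = new Map(desiredGroups.map(dn => [norm(dn), dn]));
    const plan = [];
    for (const [key, groupDn] of desired) {
        // 'add' appends one value; 'replace' would overwrite all members.
        if (!current.has(key)) {
            plan.push({ groupDn, operation: 'add', modification: { member: [userDn] } });
        }
    }
    for (const [key, groupDn] of current) {
        if (!desired.has(key)) {
            plan.push({ groupDn, operation: 'delete', modification: { member: [userDn] } });
        }
    }
    return plan;
}

// client: a bound ldapjs client. Change: the ldapjs Change constructor.
// Both are injected so this block runs without a directory server.
function applyMembershipChanges(client, Change, plan) {
    return plan.reduce((chain, step) => chain.then(() => new Promise((resolve, reject) => {
        const change = new Change({
            operation: step.operation,
            modification: step.modification
        });
        // The DN being modified is the group's, never the user's.
        client.modify(step.groupDn, change, err => (err ? reject(err) : resolve()));
    })), Promise.resolve());
}

// Constructed sample DNs (not from the page): already in Sales, wants VPN too.
const samplePlan = planMembershipChanges(
    'CN=Jane Doe,OU=Users,DC=example,DC=com',
    ['CN=Sales,OU=Groups,DC=example,DC=com'],
    ['cn=sales,ou=groups,dc=example,dc=com', 'CN=VPN,OU=Groups,DC=example,DC=com']
);
```

With a real client, call `applyMembershipChanges(client, ldap.Change, samplePlan)` after binding with an account that is allowed to modify the target groups.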