June 23, 2011, 5:56 p.m.
posted by trystan
Creating an inetOrgPerson User
You want to create an inetOrgPerson object, which is the standard LDAP object class to represent users.
Using a graphical user interface
Using a command-line interface
Create an LDIF file with the following two records. The first adds the inetOrgPerson object, the second sets userAccountControl to 512 (a normal, enabled account) once the object exists:

dn: <UserDN>
changetype: add
objectclass: inetorgperson
sAMAccountName: <UserName>

dn: <UserDN>
changetype: modify
add: userAccountControl
userAccountControl: 512
-
Be sure to replace <UserDN> with the distinguished name of the user you want to add and <UserName> with the user's username. With AdMod, the same object can be created in a single command; the example below uses sample values for the DN and the sAMAccountName:
> admod -b "cn=inetOrgPerson,cn=Users,dc=rallencorp,dc=com" objectclass::inetOrgPerson sAMAccountName::InetOrg -add
Using VBScript

' This code creates an inetOrgPerson object
set objParent = GetObject("LDAP://<ParentDN>")
set objUser = objParent.Create("inetorgperson", "cn=<UserName>")

' Taken from ADS_USER_FLAG_ENUM
Const ADS_UF_NORMAL_ACCOUNT = 512

' Mandatory and descriptive attributes; the object is committed (disabled) first
objUser.Put "sAMAccountName", "<UserName>"
objUser.Put "userPrincipalName", "<UserUPN>"
objUser.Put "givenName", "<UserFirstName>"
objUser.Put "sn", "<UserLastName>"
objUser.Put "displayName", "<UserFirstName> <UserLastName>"
objUser.SetInfo

' Set the password on the now-existing object, then enable the account
objUser.SetPassword("<Password>")
objUser.SetInfo
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.AccountDisabled = FALSE
objUser.SetInfo
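The LDIF above leaves <UserDN> and <UserName> as placeholders to be filled in by hand. Added here as an example (not part of the original recipe, and not code from the cookbook or AdMod) is a small Python generator that produces the same two-record LDIF from a parent DN, a user's name and a sAMAccountName, escaping the CN per RFC 4514 so a name containing commas or other delimiters cannot alter the DN, and base64-encoding values that RFC 2849 does not allow in plain form. The function and parameter names are my own; the 512 value is the recipe's ADS_UF_NORMAL_ACCOUNT.

```python
# Added example, not from the original recipe: build the recipe's two-record LDIF
# with RFC 4514 DN escaping and RFC 2849 value encoding. Names are mine.
import base64

ADS_UF_NORMAL_ACCOUNT = 512               # ADS_USER_FLAG_ENUM: normal, enabled account
_DN_SPECIAL = set('"+,;<>\\=')            # characters that delimit RDNs/attribute values
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')  # characters AD rejects in sAMAccountName

def escape_rdn_value(value: str) -> str:
    """Escape an RDN value (the CN here) per RFC 4514, so a user-supplied
    name such as 'Smith, John' cannot smuggle extra RDNs into the DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:                  # control characters as \XX hex pairs
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or 'attr:: base64' when the value is not an RFC 2849
    SAFE-STRING (non-ASCII, CR/LF/NUL, leading ' ', ':' or '<', trailing ' ')."""
    safe = (value.isascii() and not any(c in value for c in "\r\n\x00")
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def is_valid_sam_account_name(name: str) -> bool:
    """User sAMAccountNames are 1-20 characters and must avoid AD's reserved set."""
    return 1 <= len(name) <= 20 and not (set(name) & _SAM_FORBIDDEN)

def build_inetorgperson_ldif(parent_dn: str, user_name: str, sam_account_name: str) -> str:
    """Return the recipe's LDIF: an 'add' record creating the inetOrgPerson,
    then a 'modify' record that sets userAccountControl to 512."""
    if not is_valid_sam_account_name(sam_account_name):
        raise ValueError(f"invalid sAMAccountName: {sam_account_name!r}")
    user_dn = f"cn={escape_rdn_value(user_name)},{parent_dn}"
    add_record = [ldif_line("dn", user_dn), "changetype: add",
                  "objectclass: inetorgperson",
                  ldif_line("sAMAccountName", sam_account_name)]
    mod_record = [ldif_line("dn", user_dn), "changetype: modify",
                  "add: userAccountControl",
                  f"userAccountControl: {ADS_UF_NORMAL_ACCOUNT}", "-"]
    return "\n".join(add_record) + "\n\n" + "\n".join(mod_record) + "\n"
```

The returned text can be written to a file and imported with ldifde exactly like the hand-written LDIF.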
The inetOrgPerson object class was defined in RFC 2798. It is the closest thing in the LDAP world to a standard representation of a user, and most LDAP vendors support the inetOrgPerson class. Unfortunately, Microsoft did not support inetOrgPerson with the initial release of Active Directory. Even though they later provided an add-on that extends the schema to support it, the damage had been done: most Active Directory implementations were already using the user object class and were unlikely to convert, which forced vendors to build in support for the user class.
In Windows Server 2003 Active Directory, inetOrgPerson is supported natively. You can create inetOrgPerson objects for your users, who can use them to authenticate just as they would accounts of the user object class. If you haven't deployed Active Directory yet and you plan on integrating a lot of third-party LDAP-based applications that rely on inetOrgPerson, you may want to consider using it over user. You won't be losing any information or functionality, because the inetOrgPerson class inherits directly from the user class. For this reason, the inetOrgPerson class has even more attributes than the Microsoft user class.
The one potential downside is that some of the Microsoft tools, such as the DS utilities, do not support modifying inetOrgPerson objects. (You can, however, use AdMod to perform these modifications.)