php laravel active-directory adldap

Adldap2 - update "Batch Modify: Insufficient access"


I am using the Adldap2 package (https://adldap2.github.io/Adldap2/#/), or to be more accurate the Laravel version (https://github.com/Adldap2/Adldap2-Laravel), and am having some issues with adding/updating some attributes after creation.

To be more specific, I am trying to do this:

Create user

$user = Adldap::make()->user([
    'cn' => 'Vlad Test7',
    'samaccountname' => 'vlad_test7',
    'Company' => 'Company Name',
    'givenname' => 'Vlad',
]);

$user->objectclass = [
    'top',
    'person',
    'inetOrgPerson',
];

$user->save();

This works. But afterwards, if I try to set another attribute such as department, doing it as below

$user->setAttribute('Department', 'Information Systems');
$user->save();

I get this error message:

ErrorException : ldap_modify_batch(): Batch Modify: Insufficient access at PATH_TO_PROJECT_ROOT\vendor\adldap2\adldap2\src\Connections\Ldap.php:386

I asked the system admin about the permissions of the provided account, and he told me that I have full access within the OU for test users that they created for me.

I suppose something may be wrong with my config files; I have set them up as the admin told me.

Here is what the config file (ldap.php) looks like:

'hosts' => explode(' ', env('LDAP_HOSTS', 'corp-dc1.corp.acme.org corp-dc2.corp.acme.org')),
'port' => env('LDAP_PORT', 389),
'timeout' => env('LDAP_TIMEOUT', 5),
'base_dn' => env('LDAP_BASE_DN', 'dc=corp,dc=acme,dc=org'),
'username' => env('LDAP_USERNAME', 'username'),
'password' => env('LDAP_PASSWORD', 'secret'),

Based on my search results, the error message on update may be related to the DN (distinguished name), as I have something like this as base_dn:

base_dn=OU=TEST USER,OU=xxxxxx1,OU=xxxxxx2,OU=xxxxxx3,OU=xxxxxx3,DC=domain,DC=local

and when I create a user, the newly created user gets a newly generated DN like the one below:

dn=CN=Vlad Test7,OU=TEST USER,OU=xxxxxx1,OU=xxxxxx2,OU=xxxxxx3,OU=xxxxxx3,DC=domain,DC=local

I'm not sure whether this is correct. I'm also thinking about the possibility that I can't perform operations using generated distinguished names when I'm creating a new record; at least my impression is that I have added CN=Vlad Test7 to base_dn, which is causing the error.

Any suggestions or thoughts about this issue? Thanks


Solution

  • The answer is simple: it was a permission issue with the AD user I'm using here. As the error message says, insufficient access, so nothing related to coding here.
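
One way to confirm that diagnosis from the application side, as an added example that is not part of the original post or the Adldap2 code base: bind with the same service account through PHP's native ext-ldap functions and read Active Directory's constructed attribute allowedAttributesEffective, which lists the attributes the bound account may write on that object. The host, DNs and the attribute names checked are placeholders.

```php
<?php
// Added example (not Adldap2 code): ask Active Directory which attributes the
// *bound* account may write on one object. Read-only; nothing is modified.
// All connection values below are placeholders.

/** Pure helper: is $attribute in the list AD returned? (case-insensitive) */
function isWritable(array $effective, string $attribute): bool
{
    return in_array(strtolower($attribute), array_map('strtolower', $effective), true);
}

/** Returns the attribute names the bound account can modify on $targetDn. */
function writableAttributes($conn, string $targetDn): array
{
    // Constructed attributes are only returned when requested by name (base scope).
    $result = @ldap_read($conn, $targetDn, '(objectClass=*)', ['allowedAttributesEffective']);
    if ($result === false) {
        throw new RuntimeException('Read failed: ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $result);
    // ext-ldap lowercases attribute names; the key is absent when nothing is writable.
    $values = $entries[0]['allowedattributeseffective'] ?? [];
    unset($values['count']);
    return array_values($values);
}

$host     = 'ldap://dc.example.test';                        // placeholder
$bindDn   = 'CN=svc-app,OU=Example,DC=example,DC=test';      // placeholder
$targetDn = 'CN=Some User,OU=Example,DC=example,DC=test';    // placeholder
$password = getenv('LDAP_PASSWORD') ?: '';

// An empty password would turn the bind into an unauthenticated one.
if ($password === '') {
    exit('LDAP_PASSWORD is not set' . PHP_EOL);
}

$conn = ldap_connect($host);
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
// StartTLS first, so the simple bind does not cross port 389 in clear text.
if (!@ldap_start_tls($conn) || !@ldap_bind($conn, $bindDn, $password)) {
    exit('Connect/bind failed: ' . ldap_error($conn) . PHP_EOL);
}

$writable = writableAttributes($conn, $targetDn);
foreach (['department', 'company', 'givenName'] as $attr) {
    printf("%-12s %s\n", $attr, isWritable($writable, $attr) ? 'writable' : 'DENIED');
}
```

An attribute reported as DENIED here means the directory ACL, not the PHP code, is what rejects the update with "Insufficient access".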