The delete option. You use the delete option to remove specific values associated with an attribute or all values associated with an attribute. The delete option expects either a reference to a hash containing specific key-value pairs to delete (similar to the add option) or a reference to an array of attributes for which you want to delete all values. For example, to delete all the values associated with the mail and displayname attributes, you use code such as
$ldap->modify($dn, delete => [ 'mail', 'displayname' ]);
The replace option. You use the replace option to change an attribute's existing value with the specified value. The replace option uses the same parameters as the add option. So, for example, if you entered the wrong email address when you added the mail attribute, you can change it to the correct email address with code such as
$ldap->modify($dn, replace => { mail => 'joe@mycorp.com' });
The changes option. You use the changes option to group a set of add, delete, or replace options together in one call. The changes option expects a reference to an array that contains pairs of option names and values. For example, to delete the value associated with the mail attribute and to add the givenname and sn attributes, whose values are John and Doe, respectively, you use code such as
$ldap->modify($dn,
    changes => [
        add    => [ givenname => "John" ],
        add    => [ sn => "Doe" ],
        delete => [ 'mail' ],
    ]);
Web Listing 1 (http://www.winscriptingsolutions.com, InstantDoc ID 37717) uses the options I just described to modify a user object. Like the add() and delete() methods, the modify() method returns a Net::LDAP::Message object, whose code() method you can use to determine whether an error occurred.
Renaming and Moving Objects
To have complete control over manipulating objects in AD, you need the ability to rename and move objects. Luckily, Net::LDAP provides the moddn() method, which lets you perform both functions. As with the other three methods I've described so far, the moddn() method's first parameter is the DN of the object you want to rename or move. The second parameter can consist of one or more of the following options:
The newrdn and deleteoldrdn options. In AD, you identify objects by their DN, which includes a relative distinguished name (RDN). The RDN specifies the object's name. Take, for example, an object with a DN of cn=jdoe,cn=users,dc=mycorp,dc=com. In this case, the RDN is jdoe. You use the newrdn option to assign a new RDN to an object. The newrdn value must include not only the object's name (e.g., jsmith) but also the identifier (e.g., cn=).
Listing 3 contains code that renames the user object cn=jdoe,cn=users,dc=mycorp,dc=com to cn=jsmith,cn=users,dc=mycorp,dc=com. Callout A in Listing 3 highlights the code that includes the newrdn option. This code also includes the deleteoldrdn option. By setting the deleteoldrdn option to 1 (i.e., true), you're deleting the object that has the old RDN. If you don't include the deleteoldrdn option or you set the option to 0 (i.e., false), the old object being renamed or moved will still remain. In nearly all situations, you'll want to set deleteoldrdn to 1.
The newsuperior option. You use the newsuperior option to move an object to a different parent container. You set this option to the DN of the new parent container. For example, Listing 4 contains code that moves all user objects whose department attribute is equal to Sales to the Sales OU. As callout A in Listing 4 shows, the $old_parent variable specifies the parent container in which to search for the objects and $new_parent specifies the parent container to which you want to move the objects. Callout B in Listing 4 highlights the code that searches $old_parent for all user objects with a department attribute equal to Sales. The code at callout C in Listing 4 uses a foreach statement to move each of those objects to $new_parent.
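The following Perl script is an added example that puts the newrdn, deleteoldrdn, and newsuperior options together; it is not Listing 3 or Listing 4 from the article. It assumes a hypothetical domain controller dc1.mycorp.com reachable over LDAPS, a service account whose password is read from the LDAP_PW environment variable, and the container and OU names shown; every moddn() result is checked through code() so a failed rename or move is reported rather than silently ignored.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value escape_dn_value);

# Hypothetical server and service account; adjust for your environment.
my $ldap = Net::LDAP->new('ldaps://dc1.mycorp.com')
    or die "Cannot connect: $@";
my $mesg = $ldap->bind('cn=svc-ldap,cn=users,dc=mycorp,dc=com',
                       password => $ENV{LDAP_PW});   # password from environment (assumption)
die "Bind failed: " . $mesg->error if $mesg->code;

# Report the result code of any Net::LDAP::Message; returns true on success.
sub check {
    my ($msg, $what) = @_;
    return 1 unless $msg->code;
    warn sprintf("%s failed: %s (code %d)\n", $what, $msg->error, $msg->code);
    return 0;
}

# 1. Rename cn=jdoe to cn=jsmith in place. deleteoldrdn => 1 drops the old RDN value.
my $dn = 'cn=jdoe,cn=users,dc=mycorp,dc=com';
$mesg = $ldap->moddn($dn, newrdn => 'cn=jsmith', deleteoldrdn => 1);
check($mesg, "rename of $dn");

# 2. Move every user whose department is Sales from $old_parent to $new_parent.
my $old_parent = 'cn=users,dc=mycorp,dc=com';
my $new_parent = 'ou=Sales,dc=mycorp,dc=com';
my $dept = escape_filter_value('Sales');   # escape before interpolating into a filter
$mesg = $ldap->search(
    base   => $old_parent,
    scope  => 'one',
    filter => "(&(objectCategory=person)(objectClass=user)(department=$dept))",
    attrs  => ['cn'],
);
check($mesg, 'search') or exit 1;

foreach my $entry ($mesg->entries) {
    # moddn() needs newrdn even for a pure move, so reuse the object's current cn.
    my $rdn = 'cn=' . escape_dn_value($entry->get_value('cn'));
    my $res = $ldap->moddn($entry->dn,
                           newrdn       => $rdn,
                           deleteoldrdn => 1,
                           newsuperior  => $new_parent);
    check($res, 'move of ' . $entry->dn);
}
$ldap->unbind;
```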
You Have Everything You Need
In this two-part article, I covered how to use the Net::LDAP modules to manipulate objects in AD. With these Perl modules, you can perform every object manipulation function you need to manage the data in AD.