On Thu, Nov 13, 2008 at 5:00 PM, Bill Meecham
Ok, the story is that they're just accessing the Contacts entries....and now that I asked that question, I got more details... They are trying to script it. Every new contact is getting the default email address, they want to delete that and they want complete maintenance access to custom attribute 1 and can't figure that out.
Okay, so we are talking about Contact Objects in Active Directory, not
about the Exchange Information Store.
Active Directory consists of multiple technologies, the core of which
is a standard LDAP server.
A quick google search showed that you can use the standard LDAP Unix
API on the i.
There are newer docs about this topic, but this is what i quick google
search sput out.
Then, all you need are proper credentials - someone needs to create an
account with the proper permissions.
DO NOT USE A DOMAIN ADMINISTRATOR ACCOUNT
Sorry for the caps, but i see that mistake far to often. Assign
granular permissions to a single account that allows update of
extensionattribute1 and the email fields. Depending on what exactly
you want to achieve with the email fields, using a proper address
policy might be the easier way.
Use LDAP/SSL to access this, as the IBM i can't easily do secure
kerberos authentication. In this case, SSL will provide the same
security as using Kerberos auth.
Remember: Active Directory resides on Domain Controllers, not on
Exchange servers - so you need to connect to a DC.