Okay, admittedly a long shot, but I'm trying to cobble something together
quickly using Perl and the Net::LDAP module to work with eDirectory. The
goal is to scan eDirectory for inactive accounts and then disable them,
using a script that runs via CRON on a Linux machine.

It starts out with this:

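use Net::LDAP;

my $ldap = Net::LDAP->new('') or die "$@";

# bind() always returns a message object, so test its result code
my $mesg = $ldap->bind($admin_id, password => $admin_pwd);
$mesg->code and die "Unable to bind: " . $mesg->error . "\n";

# perform a search for all user objects and look at the Logintime...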

where $admin_id and $admin_pwd are the ID and password of a valid account
with Supervisor rights to the whole tree. The bind and search work fine; I
can read attributes and entries all day long. The problem comes in when I
try to disable an account:

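sub Disable {
    my $this_entry = shift;

    # To disable an account set the attribute 'loginDisabled' to TRUE
    my $result = $ldap->modify($this_entry, replace => { 'loginDisabled' => 'TRUE' });

    # modify() returns a message object; report the server's error text on failure
    print $result->error, "\n" if $result->code;
}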

The Net::LDAP document says this should work, but I get the error message,
"The client does not have sufficient access to perform the requested
operation". Am I doing something stupid here, or is there a special trick
to having the account's rights recognized on an LDAP connection?

Any guidance would be appreciated. It's hard as heck to find any info
that's useful for quickie scripting (as opposed to Java, .Net, C, etc.).
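
Added example, not part of the original post: picking the accounts to disable from attribute values that have already been read. It assumes loginTime comes back over LDAP as a UTC GeneralizedTime string; the entry hashes, DNs, helper names and the 90-day threshold are constructed for illustration.

```perl
use strict;
use warnings;
use Time::Local qw(timegm);

# Convert an LDAP GeneralizedTime value such as "20240131094500Z" to epoch
# seconds. Returns undef for a missing, non-UTC or out-of-range value.
sub parse_generalized_time {
    my ($value) = @_;
    return undef unless defined $value;
    my @f = $value =~ /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:\.\d+)?Z$/
        or return undef;
    my ($y, $mon, $d, $h, $min, $s) = @f;
    return eval { timegm($s, $min, $h, $d, $mon - 1, $y) };   # timegm dies on bad fields
}

# Return the DNs whose last login is older than $max_idle_days before $now.
# Each entry is a plain hashref (hypothetical shape): dn, loginTime, loginDisabled.
sub inactive_dns {
    my ($entries, $now, $max_idle_days) = @_;
    my $cutoff = $now - $max_idle_days * 86400;
    my @dns;
    for my $e (@$entries) {
        # Skip accounts that are already disabled.
        next if uc($e->{loginDisabled} // 'FALSE') eq 'TRUE';
        my $last = parse_generalized_time($e->{loginTime});
        # No usable timestamp (never logged in, malformed): leave for manual review
        # rather than disabling on a guess.
        next unless defined $last;
        push @dns, $e->{dn} if $last < $cutoff;
    }
    return @dns;
}

# Constructed sample data standing in for values read from search results.
my @entries = (
    { dn => 'cn=alice,ou=staff,o=example', loginTime => '20240520081500Z' },
    { dn => 'cn=bob,ou=staff,o=example',   loginTime => '20230101120000Z' },
    { dn => 'cn=carol,ou=staff,o=example', loginTime => '20220301120000Z',
      loginDisabled => 'TRUE' },
    { dn => 'cn=dave,ou=staff,o=example' },                                   # no loginTime
    { dn => 'cn=erin,ou=staff,o=example',  loginTime => '20231345000000Z' },  # malformed
);

# Fixed "now" (2024-06-01 00:00:00 UTC) so the run is repeatable.
my $now = timegm(0, 0, 0, 1, 5, 2024);
print "$_\n" for inactive_dns(\@entries, $now, 90);
```

Keeping the selection separate from the LDAP calls lets the cron job log the candidate list and run in a report-only mode before any account is changed.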