# Invoker interface for Active Directory Any agent, trigger or mapping can use the invoker method for the ActiveDirectory agent. The invoker method is available in the dispatcherService class. The invoker method is not specific of the Active Directory agent. Many other connectors support this method. The expected arguments are: - Action - Object name - Parameters Here you have an example of a post-update trigger to create the home server for a user: ```Java map = new HashMap(); String server = "//"+source{"homeServer"}+"/"+source{"accountName"}; // Create folder f = dispatcherService.invoke("smb:mkdir", server, map); // Add administrator ACL map.put("user", "soffid_admin"); map.put("permission", "GENERIC_ALL"); map.put("flags", "CONTAINER_INHERIT_ACE OBJECT_INHERIT_ACE"); f = dispatcherService.invoke("smb:addacl", path, map); // Add user ACL map.put("user", source{"accountName"}); f = dispatcherService.invoke("smb:addacl", path, map); // Change folder ownership using a domain admin account map.put("_auth_user", "user1"); map.put("_auth_domain", "domain1"); map.put("_auth_password", "SuperSecret"); f = dispatcherService.invoke("smb:setOwner", path, map); ``` The example above uses the smb:mkdir action to create the folder, the smb:addacl to add a new access control list entry. Other commands allow the query and modification of Active Directory objects like users and groups. The list of allowed commands are:
**Command** **Object name** **Parameters** **Comments**
insert Object distinguished name Object attributes Creates a new active directory object
update Object distinguished name Object attributes Modifies an existing active directory object. Only the attributes present in the map will be updated
delete Object distinguished name - Removes an existing active directory object.
select Base distinguished name Object criteria attribute Search for any object with the values specified in the parameters map, starting in the specified base DN. The return value is a list of maps. Each element in the list is an Active Directory object
get Object distinguished name - Returns the object with the specified object DN. The return value is a list containing one or no maps. The map, if exists, contain the object attributes
smb:mkdir Shared file Optionally: - \_auth\_user - \_auth\_password - \_auth\_domain Creates the shared folder. The shared folder name should follow the syntax //server/sharedFolder/Path or \\\\server\\\\sharedFolder\\Path It is recommended to use the first syntax because the second one requires the script to escape any backslash character, leading to a harder to read script
smb:exist Shared file Optionally: - \_auth\_user - \_auth\_password - \_auth\_domain Returns a list with a single map. The map has the attribute exist with a boolean value indicating whether the file exists or not
smb:rmdir Shared file Optionally: - \_auth\_user - \_auth\_password - \_auth\_domain Removes the full directory and any file or directory within
smb:rm Shared file Optionally: - \_auth\_user - \_auth\_password - \_auth\_domain Removes the file or directory. The command will fail if the directory is not empty.
smb:getacl Shared file Optionally: - \_auth\_user - \_auth\_password - \_auth\_domain Returns a list of maps representing each access control list entry for that file or folder. Each map has three values: - user: The user or group name. When the user or group is unknown, the user or group SID is used. - permission: A text string with the permissions granted with that ACE. The string contains one or more of these values concatenated: - FILE\_READ\_DATA - FILE\_WRITE\_DATA - FILE\_APPEND\_DATA - FILE\_EXECUTE - FILE\_LIST\_DIRECTORY - FILE\_ADD\_FILE - FILE\_ADD\_SUBDIRECTORY - FILE\_TRAVERSE - FILE\_DELETE\_CHILD - FILE\_READ\_ATTRIBUTES - FILE\_WRITE\_ATTRIBUTES - FILE\_READ\_EA - FILE\_WRITE\_EA - DELETE - READ\_CONTROL - WRITE\_DAC - WRITE\_OWNER - SYNCHRONIZE - ACCESS\_SYSTEM\_SECURITY - MAXIMUM\_ALLOWED - GENERIC\_ALL - GENERIC\_EXECUTE - GENERIC\_WRITE - GENERIC\_READ - flags: A text string with the inheritance flags for that ACE. The string contains one or more of these values concatenated: - CONTAINER\_INHERIT\_ACE - FAILED\_ACCESS\_ACE\_FLAG - INHERIT\_ONLY\_ACE - INHERITED\_ACE - NO\_PROPAGATE\_INHERIT\_ACE - OBJECT\_INHERIT\_ACE - SUCCESSFUL\_ACCESS\_ACE\_FLAG
smb:addacl Shared file Map with these three values: - user - permission - flags And optionally, these ones: - \_auth\_user - \_auth\_password - \_auth\_domain Adds an access control list with the specified permission and flags
smb:removeacl Shared file Map with these three values: - user - permission - flags And optionally, these ones: - \_auth\_user - \_auth\_password - \_auth\_domain Remove the access control list entry that matches the map. If the permission or flag is missing, the connector will remove any access control list entry for the specified user
smb:setowner Shared file Map with the value: - user And optionally, these ones: - \_auth\_user - \_auth\_password - \_auth\_domain Sets the directory owner to the one specified in the map
By default, actions are performed by the account used to configure the AD connector, but sometimes, another account must be used, mainly when dealing with NAS servers. In order to user custom credentials SMB commands accept three special parameters: \_auth\_user, \_auth\_password and \_auth\_domain. If this parameters are null, the agent user and password is used.