我要修改AD用户userAccountControl和密码。用户已在AD中创建。该用户在AD中使用python-ldap模块创建,状态为"Disabled",没有密码。
AD被托管在win2k8R2上。
当我使用python -ldap脚本更改uac和密码时,它会抛出以下错误:
ldap://192.168.254.1:389
(97, [])
Traceback (most recent call last):
File "C:workspaceutilssrcu.py", line 16, in <module>
l.modify_s(dn, mod_attrs)
File "C:Python26libsite-packagesldapldapobject.py", line 336, in modify_s
return self.result(msgid,all=1,timeout=self.timeout)
File "C:Python26libsite-packagesldapldapobject.py", line 436, in result
res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
File "C:Python26libsite-packagesldapldapobject.py", line 440, in result2
res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
File "C:Python26libsite-packagesldapldapobject.py", line 446, in result3
ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
File "C:Python26libsite-packagesldapldapobject.py", line 96, in _ldap_call
result = func(*args,**kwargs)
ldap.UNWILLING_TO_PERFORM: {'info': '00002077: SvcErr: DSID-031903A4, problem 5003 (WILL_NOT_PERFORM), data 0n', 'desc': 'Server is unwilling to perform'}
import ldap
host = "192.168.254.1"
ip = "ldap://%s:%d"%(host, 389)
l = ldap.initialize(ip)
newUser = "vishalworld"
dn = "cn=%s,%s"%(newUser, "cn=Users,DC=example,DC=com")
print l.simple_bind_s("administrator",password)
pwd = '"abcdefgh"'.encode("utf-16-le")
mod_attrs = [
(ldap.MOD_REPLACE, "lockoutTime", 0),
(ldap.MOD_REPLACE, "unicodePwd", pwd),
]
l.modify_s(dn, mod_attrs)
首先,您需要添加tls支持到您的AD.http://araihan.wordpress.com/2009/10/05/windows-server-2008-active-directory-certificate-services-ad-cs/这是一个教程,解释如何创建证书
则需要使用tls对AD进行认证。这样的
import ldap
LDAP_SERVER_EMG = "ldaps://192.168.0.250"
BIND_DN = "Administrador@emgS.local"
BIND_PASS = "xxxXXXxxxXXXxxx"
USER_BASE = "dc=emgS,dc=local"
try:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, 0)
lcon_emg = ldap.initialize(LDAP_SERVER_EMG)
lcon_emg.simple_bind_s(BIND_DN, BIND_PASS)
except ldap.LDAPError, e:
print e
ad_u = {
'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
'cn': 'test',
'displayName': 'test',
'distinguishedName': 'CN=test,DC=emgS,dc=local',
'givenName': 'test test',
'sAMAccountName': 'test',
'sn': 'test',
'userAccountControl': '514',
'userPrincipalName': 'test@emgS.local',
'mail': mail_user,
#732 is test in 3ll1t3
'employeeID': '732'
}
mods = ldap.modlist.addModlist(ad_u)
try:
lcon_emg.add_s(ad_u.get('distinguishedName'),
mods)
except Exception, e:
response.update({'error_ad': 'ActiveD: Error %s' % str(e)})
else:
response.update({'success_ad': 'ActiveD: F4ck y34h'})
#then you can put a password for the user
unicode_pass = unicode('"' + "my super secret password :)" + '"', 'iso-8859-1')
password_value = unicode_pass.encode('utf-16-le')
add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password_value])]
# 512 will set user account to enabled
mod_acct = [(ldap.MOD_REPLACE, 'userAccountControl', '512')]
try:
lcon_emg.modify_s(ad_u.get('distinguishedName'), add_pass)
except ldap.LDAPError, error_message:
response.update({'error_ad_clave': 'ActiveD: Error %s' % str(error_message)})
else:
response.update({'success_ad_clave': 'ActiveD: Yeah'})
try:
lcon_emg.modify_s(ad_u.get('distinguishedName'), mod_acct)
except ldap.LDAPError, error_message:
response.update({'error_ad_hab': 'Error %s' % str(error_message)})
else:
response.update({'success_ad_hab': 'Success'})
lcon_emg.unbind_s()
和TA TA!!