基本上尝试使用LDAP python重置用户密码。我在这里经历过各种帖子,但没有运气:(。
尝试使用:
a) modify_s() - 每次都返回“没有这样的对象”。尝试使用不同的用户DN。
{'info':“0000208D:NameErr:DSID-0310020A,问题2001(NO_OBJECT),数据0,最佳匹配:\ n \ t'DC = mydomain,DC = com'\ n”,'匹配' :'DC = mydomain,DC = com','desc':'没有这样的对象'}
以下是代码段:
def changePassword(userEmail, oldPassword, newPassword):
try:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
ldap_client = ldap.initialize("ldap://127.0.01.1:389")
ldap_client.set_option(ldap.OPT_REFERRALS, 0)
ldap_client.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
ldap_client.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
ldap_client.set_option( ldap.OPT_X_TLS_DEMAND, True )
ldap_client.set_option( ldap.OPT_DEBUG_LEVEL, 255 )
ldap_client.simple_bind_s(ADMIN_EMAIL, ADMIN_PASSWORD)
# Set AD password
#unicode_pass = unicode('\"' + newPassword + '\"', "iso-8859-1")
unicode_pass = newPassword
password_value = unicode_pass.encode("utf-16-le")
add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password_value]),( ldap.MOD_REPLACE, 'unicodePwd', [password_value])]
# Replace password
try:
user_dn = 'CN=%s,DC=mydomain,DC=com' % username
ldap_client.modify_s(user_dn, add_pass)
print "Active Directory password for", username, \
"was set successfully!"
except ldap.LDAPError, e:
sys.stderr.write('Error setting AD password for: ' + username + '\n')
sys.stderr.write('Message: ' + str(e) + '\n')
ldap_client.unbind_s()
return 'SOME_PROBLEM'
ldap_client.unbind_s()
return 'AUTHENTICATED'
except ldap.INVALID_CREDENTIALS:
ldap_client.unbind()
return 'INVALID_CREDENTIALS'
except ldap.SERVER_DOWN:
return 'SERVER_UNAVAILABLE'
b) passwd(userEmail, oldPassword, newPassword) 。它执行得很好,但密码没有更新。
需要帮助确定问题。
参考链接: Python+LDAP+SSL
python-ldap and Microsoft Active Directory: connect and delete user
how to set lockoutTime and password of a user of Active Directory
How can I change password for domain user(windows Active Directory) using Python?
https://groups.google.com/forum/#!topic/macromedia.coldfusion.security/Rq7xx15OeBs
http://www.grotan.com/ldap/python-ldap-samples.html#add
http://marcitland.blogspot.in/2011/02/python-active-directory-linux.html
https://snipt.net/Fotinakis/change-active-directory-password-via-ldap-modify-call/
答案 0 :(得分:1)
我觉得以下程序对你有用.. windows active目录使用密码属性作为unicode方法 https://technet.microsoft.com/en-us/magazine/ff848710.aspx
import ldap
import ldap.modlist as modlist
import base64
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
l = ldap.initialize('ldaps://exam.local')
l.simple_bind_s('Administrator@exam.local', 'p@ssw0rd1')
dn="cn=map6,ou=Police,dc=exam,dc=local"
new_password='p@ssw0rd3'
unicode_pass = unicode('\"' + new_password + '\"', 'iso-8859-1')
print (unicode_pass)
password_value = unicode_pass.encode('utf-16-le')
add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password_value])]
print (password_value)
l.modify_s(dn, add_pass)
l.modify_s(dn, add_pass)
l.unbind_s()
答案 1 :(得分:0)
我可以看到您 user_dn 未正确设置。仔细检查并确保Directory Server中确实存在完整DN。检查您的用户名变量是否已正确解析(无新行或制表符)并验证基本DN。
sys.stderr.write('Error setting AD password for: ' + username + '\n')
sys.stderr.write('DN: ' + user_dn + '\n')
sys.stderr.write('Message: ' + str(e) + '\n')
错误信息很明显,AD无法找到它想要修改的对象(DN)**(NO_OBJECT)
{'info': "0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT),
data 0, best match of:\n\t'DC=mydomain,DC=com'\n", 'matched':
'DC=mydomain,DC=com', 'desc': 'No such object'}
答案 2 :(得分:0)
我遇到了同样的问题,并决定询问服务器故障。 The answer I got帮助我找出代码中的错误。概括起来,有两种更新AD密码的方法:一种用于普通用户更新自己的密码,另一种用于管理员(或具有足够访问权限的帐户)为另一用户重置密码。
方法1:用户更新自己的密码
ad_server = "ldaps://ad.xxx_domain.com"
ad_dn = "CN={0},OU=Users,OU=AF,DC=xxx_domain,DC=com"
username = 'my_username'
old_pwd = 'the_old_pa55word'
new_pwd = 'the_new_pa55word'
cert = os.path.join('/path', "to", 'server_cert.cer')
# LDAP connection initialization
l = ldap.initialize(ad_server)
# Set LDAP protocol version used
l.protocol_version = ldap.VERSION3
# Force cert validation
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
# Set path name of file containing all trusted CA certificates
l.set_option(ldap.OPT_X_TLS_CACERTFILE, cert)
# Force libldap to create a new SSL context (must be last TLS option!)
l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
# Bind
l.simple_bind_s(ad_dn.format(username), old_pwd)
# Now, perform the password update
oldpwd_utf16 = '"{0}"'.format(old_pwd).encode('utf-16-le')
newpwd_utf16 = '"{0}"'.format(new_pwd).encode('utf-16-le')
mod_list = [
(ldap.MOD_DELETE, "unicodePwd", oldpwd_utf16),
(ldap.MOD_ADD, "unicodePwd", newpwd_utf16),
]
l.modify_s(ad_dn.format(username), mod_list)
方法2:管理员帐户更新常规用户的密码
ad_server = "ldaps://ad.xxx_domain.com"
ad_dn = "CN={0},OU=Users,OU=AF,DC=xxx_domain,DC=com"
admin_username = "i_am_the_admin"
admin_password = "admin123"
username = 'my_username'
new_pwd = 'the_new_complicated_password'
cert = os.path.join('/path', "to", 'server_cert.cer')
# LDAP connection initialization
l = ldap.initialize(ad_server)
# Set LDAP protocol version used
l.protocol_version = ldap.VERSION3
# Force cert validation
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
# Set path name of file containing all trusted CA certificates
l.set_option(ldap.OPT_X_TLS_CACERTFILE, cert)
# Force libldap to create a new SSL context (must be last TLS option!)
l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
# Bind (as admin user)
l.simple_bind_s(ad_dn.format(admin_username), admin_password)
# Now, perform the password update
newpwd_utf16 = '"{0}"'.format(new_pwd).encode('utf-16-le')
mod_list = [
(ldap.MOD_REPLACE, "unicodePwd", newpwd_utf16),
]
l.modify_s(ad_dn.format(username), mod_list)
请注意,第二种方法需要与其他帐户绑定(具有足够的权限),但允许设置新密码而无需重新键入旧密码。