服务器不愿意在Active Directory

时间:2017-03-07 09:51:34

标签: python active-directory ldap openldap python-ldap

我尝试在LDAP中创建用户帐户。用于连接LDAP的示例代码

    conn = ldap.initialize(bind_url)  # Connect LDAP service
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_DEBUG_LEVEL, 255)
    conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
    conn.protocol_version = ldap.VERSION3 # Default version for LDAP protocol used
    conn.set_option(ldap.OPT_REFERRALS, 0)
    ldap_user = "CN=%s,%s" % (bind_username, base_dn)
    conn.simple_bind_s(ldap_user, bind_password) # Authentication occurs

我可以连接到LDAP并在禁用模式下创建用户(UserAccountControl == 514)。当我尝试设置密码或启用帐户时。会出现错误,如

“{'info':'0000001F:SvcErr:DSID-031A12D2,问题5003(WILL_NOT_PERFORM),数据0 \ n','desc':'服务器不愿意执行'}”

我在python-ldap库中使用。以下是我添加和启用用户帐户的示例代码

    user_attrs['objectclass'] = ['top', 'person', 'organizationalPerson', 'user']
    user_attrs['cn'] = username
    user_attrs['givenName'] = username
    user_attrs['sn'] = username
    user_attrs['displayName'] = username
    user_attrs['userAccountControl'] = '514'
    user_attrs['mail'] = str(user["email"])
    user_attrs['department'] = str(user["department"])
    user_ldif = modlist.addModlist(user_attrs)

    add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password])]
    # 512 will set user account to enabled
    mod_acct = [(ldap.MOD_REPLACE, 'userAccountControl', '512')]
    # Add the new user account
    try:
        ldap_connection.add_s(user_dn, user_ldif)
    except ldap.LDAPError, error_message:
        print "Error adding new user: %s" % error_message
        return False

    # Add the password
    try:
        ldap_connection.modify_s(user_dn, add_pass)
    except ldap.LDAPError, error_message:
        print "Error setting password: %s" % error_message
        return False

   # Change the account back to enabled
    try:
        ldap_connection.modify_s(user_dn, mod_acct)
    except ldap.LDAPError, error_message:
        print "Error enabling user: %s" % error_message
        return False
    print "User created %s" % username

如果有任何解决方案或修复,请告诉我。

我在ubuntu中的ldap.conf:

TLS_CACERT /etc/ssl/certs/ca-certificates.crt

1 个答案:

答案 0 :(得分:0)

我发现以下博文在这方面非常有帮助。 http://marcitland.blogspot.com/2011/02/python-active-directory-linux.html

看起来你需要的是:

unicode_pass = unicode('\"' + password + '\"', UNICODE_STANDARD)
password_value = unicode_pass.encode(UNICODE_ENCODING)
add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password_value])]