【Question title】: python-ldap and Microsoft Active Directory: connect and delete user
【Posted】: 2012-11-29 22:43:07
【Question】:

python-ldap newbie here. I'm trying to do this with the following sample code:

import ldap

## first you must bind so we're doing a simple bind first
try:
    l = ldap.open("valid ip")
    l.set_option(ldap.OPT_REFERRALS, 0)

    l.protocol_version = ldap.VERSION3
    # Pass in a valid username and password to get
    # privileged directory access.
    # If you leave them as empty strings or pass an invalid value
    # you will still bind to the server but with limited privileges.

    username = "cn=administrator, o=joe.local"
    password = "password"

    # Any errors will throw an ldap.LDAPError exception
    # or related exception so you can ignore the result
    l.simple_bind(username, password)
except ldap.LDAPError, e:
    print e
    # handle error however you like


# The next lines will also need to be changed to support your requirements and directory
deleteDN = "uid=hihihi, ou=LoginUsers,o=joe.local"
try:
    # you can safely ignore the results returned as an exception
    # will be raised if the delete doesn't work.
    l.delete_s(deleteDN)
except ldap.LDAPError, e:
    print e
    ## handle error however you like

I'm getting various errors:

Using the VM's IP:

{'info': '000004DC: LdapErr: DSID-0C0909A2, comment: In order to perform this op
eration a successful bind must be completed on the connection., data 0, v1db1',
'desc': 'Operations error'}

Using localhost or 127.0.0.1:

{'desc': "Can't contact LDAP server"}
{'desc': "Can't contact LDAP server"}

I looked at the following S.O. posts with no resolution:

Python-ldap authentication Python-ldap microsoft

【Question discussion】:

    Tags: python active-directory ldap python-ldap


    【Solution 1】:

    According to the documentation, ldap.open is deprecated. You should try ldap.initialize, as the two links you provided do. Also, make sure there are no spaces in your distinguished name: "cn=administrator, o=joe.local"

    If that doesn't solve the problem, be sure to say which line the error comes from.

    【Discussion】:

      【Solution 2】:

      What version of Python are you using??? That code is very old. open is now initialize; don't use simple_bind, use simple_bind_s.

      If you want to delete users, change passwords, etc. in AD, you must first configure a TLS connection. http://araihan.wordpress.com/2009/10/05/windows-server-2008-active-directory-certificate-services-ad-cs/

      This is a successful connection.

      import ldap

      LDAP_SERVER_EMG = "ldaps://192.168.0.250"
      BIND_DN = "Administrador@emgS.local"
      BIND_PASS = "xxxXXXxxxXXXxxx"
      USER_BASE = "dc=emgS,dc=local"
      try:
          # 0 disables server certificate verification for the TLS session
          ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, 0)
          lcon_emg = ldap.initialize(LDAP_SERVER_EMG)
          lcon_emg.simple_bind_s(BIND_DN, BIND_PASS)
      except ldap.LDAPError, e:
          print e
      

      Then you can delete users and change user passwords.

      lcon_emg.passwd_s doesn't work. To change a user's password in Active Directory you simply need to change the unicodePwd attribute.

      import ldap
      import ldap.modlist

      # 'response' and 'kwargs' come from the web-handler context this was taken from:
      # 'response' collects status messages, kwargs['cclara'] is the new plain-text password
      response = {}

      # first, it is good practice to create a dict of all attributes of the user
      ad_u = {
          'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
          'cn': 'User gecos or name',
          'displayName': 'User gecos or name',
          'distinguishedName': 'user distin name',
          'givenName': 'First name i guess',
          'sAMAccountName': 'user_login_name',
          'sn': 'middle name i guess',
          # USER PRIVILEGE, SEE THE DOCUMENTATION OF AD FOR MORE INFORMATION, BECAUSE I DON'T REMEMBER :)
          # 514 = normal account (512) + disabled (2)
          'userAccountControl': '514',
          # user_login_name, with domain extension
          'userPrincipalName': '%s@emg.local' % 'user_login_name',
          'mail': 'user_login_name@emaildomainorwhatever',
          'employeeID': 'unique_user_number'
      }
      mods = ldap.modlist.addModlist(ad_u)

      try:
          lcon_emg.add_s(ad_u.get('distinguishedName'),
                         mods)
      except Exception, e:
          response.update({'error_ad': 'ActiveD: Error to add user %s' % str(e)})
      else:
          response.update({'success_ad': 'ActiveD: Success add user'})

      # HERE YOU MAKE THE utf-16-le encoded password: AD wants the password
      # wrapped in double quotes and encoded as UTF-16-LE
      unicode_pass = unicode('\"' + kwargs.get('cclara') + '\"', 'iso-8859-1')
      password_value = unicode_pass.encode('utf-16-le')
      # just change the attribute in the entry you just created
      add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password_value])]

      # 512 will set user account to enabled
      # change the user to enabled
      mod_acct = [(ldap.MOD_REPLACE, 'userAccountControl', '512')]

      try:
          lcon_emg.modify_s(ad_u.get('distinguishedName'), add_pass)
      except ldap.LDAPError, error_message:
          response.update({'error_ad_clave': 'ActiveD: Error to gen the pass %s' % str(error_message)})
      else:
          response.update({'success_ad_clave': 'ActiveD: Success gen pass'})

      try:
          lcon_emg.modify_s(ad_u.get('distinguishedName'), mod_acct)
      except ldap.LDAPError, error_message:
          response.update({'error_ad_hab': 'Error to enable user %s' % str(error_message)})
      else:
          response.update({'success_ad_hab': 'SUccess enable user'})
      lcon_emg.unbind_s()
      

      If you want to change the password later.

      # 'password' is the new plain-text password, 'rdnad' is the DN of the user
      pad = ('"%s"' % password).encode("utf-16-le")

      try:
          mod_attrs = [(ldap.MOD_REPLACE, 'unicodePwd', [pad])]
          lcon_emg.modify_s(rdnad, mod_attrs)
      except Exception, e:
          response.update({'error_ad': 'No se pudo cambiar la clave %s' % str(e)})
      else:
          response.update({'success_ad': 'Cambio exito en Active Directory'})
      

      Hope this answer helps you

      【Discussion】:
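      Added example (not from the question or either answer, written for Python 3 and python-ldap 3.x, where attribute values are bytes): pure helpers for the three points made above, Solution 1's "no spaces in the DN" and Solution 2's quoted UTF-16-LE unicodePwd value, the 514 to 512 userAccountControl change, and the ldaps:// requirement. The function names, the constructed sample values in the comments, and the fallback value of MOD_REPLACE are this example's own assumptions; the helpers build modlists only, so they can be exercised without a directory server.

```python
"""Helpers for the AD password-set / account-enable steps described in the answers above."""
try:
    from ldap import MOD_REPLACE          # python-ldap, if installed
except ImportError:                       # assumption: python-ldap defines MOD_REPLACE as 2
    MOD_REPLACE = 2

# userAccountControl flags referenced on this page
UAC_NORMAL_ACCOUNT = 512   # enabled normal user account
UAC_ACCOUNTDISABLE = 2     # 514 = 512 | 2, the disabled state used at creation


def normalize_dn(dn: str) -> str:
    """Strip whitespace around RDN separators: 'cn=a, o=b' -> 'cn=a,o=b'.
    Simple split: DNs containing escaped commas ('\\,') are not handled here."""
    return ",".join(part.strip() for part in dn.split(","))


def is_ldaps(uri: str) -> bool:
    """AD refuses unicodePwd changes over a non-TLS bind, so check the scheme early."""
    return uri.lower().startswith("ldaps://")


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password wrapped in double quotes, UTF-16-LE encoded."""
    if not password:
        raise ValueError("empty password")
    return ('"%s"' % password).encode("utf-16-le")


def set_password_modlist(password: str):
    """modify_s() modlist that replaces unicodePwd with the encoded new password."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(password)])]


def enabled_uac(current_uac: int) -> int:
    """Clear only the ACCOUNTDISABLE bit so other flags (e.g. password policy bits) survive."""
    return current_uac & ~UAC_ACCOUNTDISABLE


def enable_account_modlist(current_uac: int):
    """modify_s() modlist that enables the account; python-ldap 3 wants bytes values."""
    return [(MOD_REPLACE, "userAccountControl",
             [str(enabled_uac(current_uac)).encode("ascii")])]


if __name__ == "__main__":
    # constructed values, mirroring the page: spaces in the DN, a freshly created (514) user
    uri = "ldaps://192.168.0.250"
    user_dn = normalize_dn("cn=User gecos or name, ou=LoginUsers, dc=emgS, dc=local")
    if not is_ldaps(uri):
        raise SystemExit("unicodePwd changes need an ldaps:// connection")
    print(user_dn)
    print(set_password_modlist("Pa55"))       # unicodePwd as quoted UTF-16-LE bytes
    print(enable_account_modlist(514))        # userAccountControl -> b'512'
```

      The modlists are what you would pass to `conn.modify_s(user_dn, ...)` after a `simple_bind_s` over ldaps://. Note that Solution 2's `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, 0)` switches off server certificate verification, so `is_ldaps` only proves the scheme, not that the peer is your domain controller; for anything beyond a lab, point `OPT_X_TLS_CACERTFILE` at your AD CS root instead of disabling the check.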
