2013-04-17 104 views
2

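I want to change the userAccountControl and password of an AD user. The user has already been created in AD. The user was created in AD with the python-ldap module and is in the "Disabled" state with no password.

How to set lockoutTime and password of an Active Directory user

AD is hosted on win2k8R2.

When I change the UAC and password with a python-ldap script, it throws the following error: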

ldap://192.168.254.1:389 
(97, []) 
Traceback (most recent call last): 
    File "C:\workspace\utils\src\u.py", line 16, in <module> 
    l.modify_s(dn, mod_attrs) 
    File "C:\Python26\lib\site-packages\ldap\ldapobject.py", line 336, in modify_s 
    return self.result(msgid,all=1,timeout=self.timeout) 
    File "C:\Python26\lib\site-packages\ldap\ldapobject.py", line 436, in result 
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout) 
    File "C:\Python26\lib\site-packages\ldap\ldapobject.py", line 440, in result2 
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout) 
    File "C:\Python26\lib\site-packages\ldap\ldapobject.py", line 446, in result3 
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout) 
    File "C:\Python26\lib\site-packages\ldap\ldapobject.py", line 96, in _ldap_call 
    result = func(*args,**kwargs) 
ldap.UNWILLING_TO_PERFORM: {'info': '00002077: SvcErr: DSID-031903A4, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perform'} 


import ldap 

host = "192.168.254.1" 
ip = "ldap://%s:%d"%(host, 389) 
l = ldap.initialize(ip) 
newUser = "vishalworld" 
dn = "cn=%s,%s"%(newUser, "cn=Users,DC=example,DC=com") 
print l.simple_bind_s("administrator",password) 
pwd = '"abcdefgh"'.encode("utf-16-le") 
mod_attrs = [ 
       (ldap.MOD_REPLACE, "lockoutTime", 0), 
       (ldap.MOD_REPLACE, "unicodePwd", pwd), 
      ] 
l.modify_s(dn, mod_attrs) 
+0

Can anyone take a look? –

+0

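Upvote and accept the answers you find useful. It gives reputation points to you and to the people who helped you. Giving points like that encourages people to respond to you. *Bumping* your own question does not work as well, as you can see from other unanswered questions. – ixe013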

Answers

3

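First, you need to add TLS support to your AD. http://araihan.wordpress.com/2009/10/05/windows-server-2008-active-directory-certificate-services-ad-cs/ this is a tutorial that explains how to create the certificate.

Then you need to authenticate to AD using TLS, like this: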

import ldap

LDAP_SERVER_EMG = "ldaps://192.168.0.250"
BIND_DN = "[email protected]"
BIND_PASS = "xxxXXXxxxXXXxxx"
USER_BASE = "dc=emgS,dc=local"
try:
    # 0 is ldap.OPT_X_TLS_NEVER: the server certificate is not verified
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, 0)
    lcon_emg = ldap.initialize(LDAP_SERVER_EMG)
    lcon_emg.simple_bind_s(BIND_DN, BIND_PASS)
except ldap.LDAPError as e:
    print(e)

Then you can add the user test

import ldap.modlist

# mail_user and response are not defined in this snippet;
# they must already exist in the calling code
ad_u = {
    'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
    'cn': 'test',
    'displayName': 'test',
    'distinguishedName': 'CN=test,DC=emgS,dc=local',
    'givenName': 'test test',
    'sAMAccountName': 'test',
    'sn': 'test',
    # 514 = normal account (512) + account disabled (2)
    'userAccountControl': '514',
    'userPrincipalName': '[email protected]',
    'mail': mail_user,
    #732 is test in 3ll1t3
    'employeeID': '732'
}
mods = ldap.modlist.addModlist(ad_u)

try:
    lcon_emg.add_s(ad_u.get('distinguishedName'), mods)
except Exception as e:
    response.update({'error_ad': 'ActiveD: Error %s' % str(e)})
else:
    response.update({'success_ad': 'ActiveD: F4ck y34h'})

#then you can put a password for the user
# AD expects the password wrapped in double quotes and encoded as UTF-16-LE
unicode_pass = unicode('\"' + "my super secret password :)" + '\"', 'iso-8859-1')
password_value = unicode_pass.encode('utf-16-le')
add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password_value])]
# 512 will set user account to enabled
mod_acct = [(ldap.MOD_REPLACE, 'userAccountControl', '512')]

try:
    lcon_emg.modify_s(ad_u.get('distinguishedName'), add_pass)
except ldap.LDAPError as error_message:
    response.update({'error_ad_clave': 'ActiveD: Error %s' % str(error_message)})
else:
    response.update({'success_ad_clave': 'ActiveD: Yeah'})

try:
    lcon_emg.modify_s(ad_u.get('distinguishedName'), mod_acct)
except ldap.LDAPError as error_message:
    response.update({'error_ad_hab': 'Error %s' % str(error_message)})
else:
    response.update({'success_ad_hab': 'Success'})

# close the connection whether or not the last change succeeded
lcon_emg.unbind_s()

And TA TA!

+0

Thank you very much, Peter. After adding the certificate, it started working. And thanks for the link and the short explanation. –

+0

Thanks for the tip! Really helped :) –
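
The password and enable steps from the answer above, as an added example that is not part of the original posts. It is written for Python 3 with python-ldap 3.x conventions (attribute values are bytes). The helper names are made up for this example, `conn` is assumed to be an already bound python-ldap connection, and the example only accepts ldaps:// URIs, as in the answer.

```python
from urllib.parse import urlparse

MOD_REPLACE = 2             # numeric value of ldap.MOD_REPLACE
UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled


def require_ldaps(uri):
    """Refuse URIs that would carry unicodePwd over a plain ldap:// connection."""
    if urlparse(uri).scheme.lower() != "ldaps":
        raise ValueError("this example only writes unicodePwd over ldaps://, got %r" % uri)
    return uri


def encode_unicode_pwd(password):
    """AD expects the password wrapped in double quotes, encoded as UTF-16-LE."""
    return ('"%s"' % password).encode("utf-16-le")


def enabled_uac(current_uac):
    """Clear only the disabled bit and keep every other flag (514 -> 512)."""
    return int(current_uac) & ~UF_ACCOUNTDISABLE


def build_mods(password, current_uac):
    """Return (password_mods, enable_mods) as python-ldap modlists."""
    pwd_mods = [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(password)])]
    enable_mods = [
        (MOD_REPLACE, "userAccountControl", [str(enabled_uac(current_uac)).encode("ascii")]),
        (MOD_REPLACE, "lockoutTime", [b"0"]),  # 0 clears a lockout
    ]
    return pwd_mods, enable_mods


def set_password_and_enable(conn, uri, dn, password, current_uac):
    """conn: bound python-ldap connection that was opened on uri (assumption)."""
    require_ldaps(uri)
    pwd_mods, enable_mods = build_mods(password, current_uac)
    conn.modify_s(dn, pwd_mods)     # password first, as in the answer
    conn.modify_s(dn, enable_mods)  # then enable and unlock the account
    return pwd_mods, enable_mods
```
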
