
Active Directory user creation with python-ldap


Nello

Apr 26, 2011, 9:05:57 AM
I need to create an Active Directory user using python-ldap library.
So, I authenticate with an admin account and I use "add_s" to create
the user.
Anyway, by default users are disabled on creation, and I can not set
userAccountControl to switch off the flag ACCOUNTDISABLE, i.e. setting
userAccountControl with 512 (NORMAL_ACCOUNT) value. See page
http://support.microsoft.com/kb/305144 for a complete list of
userAccount flags.

If I try, the server responds:
ldap.UNWILLING_TO_PERFORM: {'info': '0000052D: SvcErr: DSID-031A0FC0,
problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is
unwilling to perform'}

Same thing if - as someone suggests - I create the user without a
password and try to set userAccountCreation later.

This is the code I use to create the account.
Any suggestions?

----------------------------

import ldap
import ldap.modlist as modlist

# Connection settings (placeholders: the original post does not include them)
AD_LDAP_URL = 'ldap://AD_SERVER_PLACEHOLDER'
ADMIN_USER = 'ADMIN_BIND_DN_PLACEHOLDER'
ADMIN_PASSWORD = 'ADMIN_PASSWORD_PLACEHOLDER'
AD_SEARCH_DN = 'AD_USERS_CONTAINER_DN_PLACEHOLDER'


def addUser(username, firstname, surname, email, password):
    """Create a new user in Active Directory"""
    ldap.set_option(ldap.OPT_REFERRALS, 0)

    # Open a connection
    l = ldap.initialize(AD_LDAP_URL)

    # Bind/authenticate with a user with appropriate rights to add objects
    l.simple_bind_s(ADMIN_USER, ADMIN_PASSWORD)

    # The dn of our new entry/object
    dn = "cn=%s,%s" % (username, AD_SEARCH_DN)

    displayName = '%s %s [%s]' % (surname, firstname, username)

    # A dict to help build the "body" of the object
    attrs = {}
    attrs['objectclass'] = ['top', 'person', 'organizationalPerson', 'user']
    attrs['cn'] = str(username)
    attrs['sAMAccountname'] = str(username)
    attrs['userPassword'] = str(password)
    attrs['givenName'] = str(firstname)
    attrs['sn'] = str(surname)
    attrs['displayName'] = str(displayName)
    attrs['userPrincipalName'] = "%s...@mail.domain.it" % username

    # Some flags for userAccountControl property
    SCRIPT = 1
    ACCOUNTDISABLE = 2
    HOMEDIR_REQUIRED = 8
    PASSWD_NOTREQD = 32
    NORMAL_ACCOUNT = 512
    DONT_EXPIRE_PASSWORD = 65536
    TRUSTED_FOR_DELEGATION = 524288
    PASSWORD_EXPIRED = 8388608

    # this works! (514 = NORMAL_ACCOUNT + ACCOUNTDISABLE, i.e. a disabled account)
    attrs['userAccountControl'] = str(NORMAL_ACCOUNT + ACCOUNTDISABLE)

    # this does not work :-( (512 = enabled account; the server answers WILL_NOT_PERFORM)
    attrs['userAccountControl'] = str(NORMAL_ACCOUNT)

    # Convert our dict to nice syntax for the add-function using modlist-module
    ldif = modlist.addModlist(attrs)

    l.add_s(dn, ldif)

Michael Ströder

Apr 29, 2011, 8:51:18 AM
Nello wrote:
> I need to create an Active Directory user using python-ldap library. So, I
> authenticate with an admin account and I use "add_s" to create the user.

This is possible. Which version of AD are you working with?

> Anyway, by default users are disabled on creation,

That's the correct way of doing this.

> and I can not set
> userAccountControl to swith off the flag ACCOUNTDISABLE, i.e. setting
> userAccountControl with 512 (NORMAL_ACCOUNT) value.

This should be possible. Make sure you really bind as the admin and you have
sufficient access rights.

Check your code. I'd suggest setting trace_level when calling ldap.initialize()
to observe what gets passed to python-ldap in which order.

http://www.python-ldap.org/doc/html/ldap.html#ldap.initialize

> Same thing if - as someone suggests - I create the user without a
> password and try to set userAccountCreation later.

Passwords are different anyway since you have to set the unicodePwd attribute.
I never tried to do this with a single write operation though.

You can try my web2ldap which does all this also with MS AD. It has a special
plugin class for attribute userAccountControl which lets you set values
bit-wise when modifying a user entry. And setting password automagically
switches to setting unicodePwd when working with MS AD.

Ciao, Michael.
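The write order Michael's reply points at, as an added example that is not code from either post: AD will not clear ACCOUNTDISABLE on an entry whose password has not been set through unicodePwd (userPassword is not where AD takes the password from), so the entry is added disabled, the password is written to unicodePwd as the quoted password in UTF-16-LE, and only then is userAccountControl set to 512. It assumes python-ldap 3.x (attribute values as bytes) and a connection already bound over ldaps:// with rights to create users and reset passwords, since AD rejects unicodePwd writes on an unencrypted session; all names and DNs are constructed.

```python
ACCOUNTDISABLE = 0x0002   # userAccountControl flags from the KB article in the question
NORMAL_ACCOUNT = 0x0200
MOD_REPLACE = 2           # same value as ldap.MOD_REPLACE; inlined so the helpers import without python-ldap


def encode_unicode_pwd(password):
    """AD expects unicodePwd as the password wrapped in double quotes, encoded UTF-16-LE."""
    return ('"%s"' % password).encode('utf-16-le')


def new_user_attrs(username, firstname, surname, upn_suffix):
    """Attributes for the initial add: a normal account, created disabled, no password yet."""
    def b(s):
        return s.encode('utf-8')
    return {
        'objectClass': [b'top', b'person', b'organizationalPerson', b'user'],
        'cn': [b(username)],
        'sAMAccountName': [b(username)],
        'givenName': [b(firstname)],
        'sn': [b(surname)],
        'displayName': [b('%s %s' % (firstname, surname))],
        'userPrincipalName': [b('%s@%s' % (username, upn_suffix))],
        'userAccountControl': [b(str(NORMAL_ACCOUNT | ACCOUNTDISABLE))],  # 514: disabled
    }


def create_enabled_user(conn, base_dn, username, firstname, surname, upn_suffix, password):
    """Add the user disabled, set its password, then clear ACCOUNTDISABLE.

    conn is a bound python-ldap connection (ldap.initialize + simple_bind_s over ldaps://)
    with rights to create users and reset passwords. Each write is a separate operation,
    which is the sequence AD accepts. Returns the DN of the new entry.
    """
    dn = 'cn=%s,%s' % (username, base_dn)  # assumes username needs no DN escaping
    attrs = new_user_attrs(username, firstname, surname, upn_suffix)
    conn.add_s(dn, list(attrs.items()))  # step 1: entry exists, but disabled
    conn.modify_s(dn, [(MOD_REPLACE, 'unicodePwd',
                        [encode_unicode_pwd(password)])])  # step 2: password via unicodePwd
    conn.modify_s(dn, [(MOD_REPLACE, 'userAccountControl',
                        [str(NORMAL_ACCOUNT).encode('ascii')])])  # step 3: 512 = enabled
    return dn
```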
