2024/5/23,记录一下曲折的过程!
1、域服务器准备
常规搭建,额外的操作只有证书,在服务器管理器添加证书服务
2、Ldap3库
网上大多数教程都不靠谱,特别是最近流行的百度AI,代码完全不能用,最后一个个试,找到了几篇靠谱的文章才搭建起来,链接放这里了
https://www.cnblogs.com/NoSong/p/11904477.html
ldap3 官方文档学习之增删改查操作_ldap官方文档-CSDN博客
3、我的代码
运维岗位,随便写的,不好看,能用就行!!
方法是根据需求对原生的封装了一下,折腾过的应该能看懂一些
from ldap3 import Server, Connection, ALL_ATTRIBUTES, ALL, MODIFY_REPLACE
from ldap3.utils.dn import safe_rdn
from settings import Setting
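class Ldap:
    """Thin wrapper around an ldap3 connection to an Active Directory domain.

    ``ldap_info`` is a dict; the methods below read exactly two keys from it:
    ``"root_ou"`` (the OU under which the department OUs live) and
    ``"domain"`` (the UPN suffix). A private, name-mangled ``__conn`` holds
    the bound ldap3 Connection for the lifetime of the object.
    """

    def __init__(self, ldap_info=None):
        # ``s_ldap_info`` is not defined anywhere in the visible file, so the
        # original default raised NameError at class-definition time. Resolving
        # it lazily keeps the module importable and still uses it when no
        # ldap_info is passed (presumably it comes from ``settings`` — confirm).
        self.ldap_info = s_ldap_info if ldap_info is None else ldap_info
        # NOTE(review): the domain-controller address and the bind password are
        # hard-coded; they belong in configuration (the otherwise unused
        # ``Setting`` import, or the environment), never in source control.
        ad_ip = '172.16.11.70'  # domain controller address
        # Raw string: '\d' is not a recognised escape, and bare '\d' in a normal
        # literal is a SyntaxWarning on recent Pythons.
        username = r'xxxx\dcadmin'
        passwd = 'abc123'
        # NOTE(review): use_ssl=True encrypts the session, but ldap3's default
        # Tls object does not validate the server certificate. Pass
        # ``tls=Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=...)`` so a
        # spoofed domain controller cannot harvest the admin bind.
        server = Server(host=ad_ip, get_info=ALL, use_ssl=True)
        # auto_bind=True already performs the bind; the original's extra
        # bind() call only re-authenticated the same session.
        self.__conn = Connection(server, user=username, password=passwd, auto_bind=True)

    def hr_to_ldap(self, hr_info: dict) -> dict:
        """Derive the LDAP names for one HR record.

        ``hr_info`` must carry ``name``, ``dept`` and ``emp_no``; any other
        keys (e.g. ``mobile``) are passed through untouched. Returns a new
        dict holding ``hr_info`` plus:

        * ``ou``   - the department OU under ``root_ou``
        * ``dn``   - the user's entry (cn = name-emp_no so duplicate names do
          not collide)
        * ``cn``   - that RDN value
        * ``userPrincipalName`` - ``emp_no@domain``
        * ``deptGroup`` - the department group the user is added to
        """
        root_ou = self.ldap_info["root_ou"]
        dept = hr_info['dept']
        cn = f"{hr_info['name']}-{hr_info['emp_no']}"
        ou = f"ou={dept},{root_ou}"
        # NOTE(review): the DN components are not escaped; a name or department
        # containing ',' '=' '+' or '"' yields an invalid DN (RFC 4514). Escape
        # the values before they reach the directory.
        derived = {
            'ou': ou,
            'dn': f"cn={cn},{ou}",
            'cn': cn,
            'userPrincipalName': f"{hr_info['emp_no']}@{self.ldap_info['domain']}",
            'deptGroup': f"cn={dept},{ou}",
        }
        return {**hr_info, **derived}

    def add_user(self, hr_info: dict):
        """Create the AD account for ``hr_info`` and add it to its department group.

        ``hr_info`` is the dict described in :meth:`hr_to_ldap`. Returns the
        boolean result of the add; when the add fails the group-membership
        step is skipped and the server's result message is printed, so a
        half-created account is never joined to a group.
        """
        new_user_info = self.hr_to_ldap(hr_info)
        print(new_user_info["deptGroup"])
        added = self.__conn.add(
            new_user_info["dn"],
            ['user', 'posixGroup', 'top'],
            {
                # pre-Windows 2000 logon name
                'sAMAccountName': new_user_info["emp_no"],
                # modern logon name (user@domain)
                'userPrincipalName': new_user_info['userPrincipalName'],
                'department': new_user_info['dept'],
                # 512 = NORMAL_ACCOUNT, i.e. enabled. NOTE(review): AD usually
                # refuses to enable an account that has no password yet; if
                # the add is rejected, create it disabled (514), set the
                # password, then enable it.
                'userAccountControl': [512],
            },
        )
        print(added)
        if not added:
            # ldap3 keeps the server's diagnostic for the last operation here
            print(self.__conn.result)
            return added
        self.__conn.extend.microsoft.add_members_to_groups(
            new_user_info["dn"], new_user_info["deptGroup"])
        return added

    def delete_user(self, hr_info: dict):
        """Delete the account whose DN is derived from ``hr_info`` (see hr_to_ldap).

        Returns the boolean result of the delete operation.
        """
        user_dn = self.hr_to_ldap(hr_info)["dn"]
        return self.__conn.delete(user_dn)

    def query_user(self, condition: str = 'ALL') -> list[dict]:
        """Return ``person`` entries under ``root_ou`` as attribute dicts.

        With ``condition='ALL'`` every entry is returned; otherwise only the
        entries whose ``sAMAccountName`` equals ``condition``. The comparison
        is done client-side on the fetched entries, so ``condition`` is never
        interpolated into the LDAP filter. Each element is
        ``entry_attributes_as_dict`` (attribute name -> list of values).
        """
        self.__conn.search(self.ldap_info["root_ou"], '(objectClass=person)',
                           attributes=ALL_ATTRIBUTES)
        entries = [e.entry_attributes_as_dict for e in self.__conn.entries]
        if condition == 'ALL':
            return entries
        # .get(): entries without sAMAccountName (e.g. contacts) are skipped
        # instead of raising KeyError
        return [e for e in entries if condition in e.get("sAMAccountName", [])]

    def update_user(self, hr_info: dict):
        """Update the account whose sAMAccountName is ``hr_info['emp_no']``.

        Replaces department and userPrincipalName, sets userAccountControl to
        512 (this re-enables an account previously disabled with
        :meth:`disable_user`), and moves the entry under the new department
        OU when the department changed.

        Raises LookupError when no matching account exists.
        """
        new_user_info = self.hr_to_ldap(hr_info)
        matches = self.query_user(new_user_info['emp_no'])
        if not matches:
            raise LookupError(
                f"no user with sAMAccountName {new_user_info['emp_no']!r} "
                f"under {self.ldap_info['root_ou']}")
        old_info = matches[0]
        old_dn = old_info["distinguishedName"][0]
        # The original also replaced givenName/sn with the literal placeholder
        # values from the ldap3 docs, overwriting every user's real name; dropped.
        result = self.__conn.modify(old_dn, {
            'department': [(MODIFY_REPLACE, [new_user_info['dept']])],
            'userPrincipalName': [(MODIFY_REPLACE, [new_user_info['userPrincipalName']])],
            'userAccountControl': [(MODIFY_REPLACE, [512])],
        })
        print(result)
        # entry_attributes_as_dict values are lists; the original compared the
        # list to a str, which is always unequal, so every update moved the
        # entry. Compare the first value instead.
        old_dept = next(iter(old_info.get("department", [])), None)
        if old_dept != new_user_info["dept"]:
            # keep the RDN (cn=...), re-parent the entry under the new OU
            rdn = safe_rdn(old_dn)
            self.__conn.modify_dn(old_dn, rdn[0], new_superior=new_user_info["ou"])
        else:
            print('相同部门,不需要移动')

    def disable_user(self, dn: str):
        """Disable the account at ``dn``.

        514 = NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2). Returns the boolean
        result of the modify operation.
        """
        return self.__conn.modify(dn, {'userAccountControl': [(MODIFY_REPLACE, [514])]})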