python ldap3 创建用户_无法通过ldap3 Python3更改用户密码

使用ldap3库尝试更改Active Directory用户密码时遇到错误,错误代码为53,通常由未加密连接或密码编码不正确引起。尽管SSL连接似乎正常,但通过'unicodePwd'字段修改密码仍然失败。解决方案是使用ldap3的extend.microsoft.modify_password方法来专门更改AD密码。
摘要由CSDN通过智能技术生成

Whenever I try to change someone's password via ldap3 library I get the following error:

{'type': 'modifyResponse', 'result': 53, 'message': '0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\n\x00', 'referrals': None, 'description': 'unwillingToPerform', 'dn': ''}

This error usually occurs because of the two conditions: either user is trying to modify the password through the unencrypted connection or the password is being sent with the incorrect encoding. My SSL connection is fine (at least it seems to be):

print(connection)

>>> ldaps://DC1.DOMAIN.LOCAL:636 - ssl - user: DOMAIN\admin - not lazy - bound - open - - tls not started - listening - SyncStrategy - internal decoder

I tried to encode the string I'm trying send to the LDAP server, but .encode('utf-16le') didn't do the trick. Any other workarounds?

I have a test domain environment with Windows Server 2012 R2 as a domain controller, and the code I'm trying to change the password with is present below.

import ssl

from ldap3 import *

tls_configuration = Tls(validate=ssl.CERT_REQUIRED, version=ssl.PROTOCOL_TLSv1_2)

s = Server('DC1.domain.local', get_info=ALL, use_ssl=True, tls=tls_configuration)

password = 'mypasswordhere'

c = Connection(s, user="DOMAIN\\admin", password=password)

c.open()

c.bind()

user = "CN=Dummy Dumass,OU=Automatically Generated,OU=Staff,OU=RU,DC=DOMAIN,DC=LOCAL"

c.modify(user, {

'unicodePwd': [(MODIFY_REPLACE, ['New12345'])]

})

print(c.result)

c.unbind()

解决方案

ldap3 contains a specific method for changing AD password, use the following code instead of c.modify():

c.extend.microsoft.modify_password(user, new_password)

LDAP(轻量级目录访问协议)服务器中,通过Pythonldap3库可以实现新建用户并为其增加属性,比如`memberof`属性。以下是一个简单的示例流程: 1. 首先,确保已经安装了`ldap3`库,如果没有安装,可以使用pip进行安装: ```python pip install ldap3 ``` 2. 导入ldap3库并建立与LDAP服务器的连接: ```python from ldap3 import Server, Connection, ALL # 假设LDAP服务器地址为 'ldap://localhost', 并且已知管理员的用户名和密码 server = Server('ldap://localhost', get_info=ALL) conn = Connection(server, 'cn=admin,dc=example,dc=com', 'password', auto_bind=True) ``` 3. 创建新用户: ```python # 创建新用户的基本信息,例如用户名和密码 user_info = { 'sn': 'NewUser', 'cn': 'NewUser', 'uid': 'newuser', 'userPassword': 'newpassword', 'mail': 'newuser@example.com', 'memberOf': [] # 初始情况下,这里的值可以为空数组或者不设置 } # 假设新用户放入名为 'ou=People,dc=example,dc=com' 的组织单元 conn.extend.novice.create('uid=newuser,ou=People,dc=example,dc=com', attributes=user_info) ``` 4. 更新用户的`memberOf`属性,这通常涉及到修改用户的`uniquemember`属性。如果你的LDAP使用的是`groupOfNames`结构,可以这样做: ```python # 假设用户需要被加入到 'cn=MyGroup,ou=Groups,dc=example,dc=com' 这个组中 group_info = { 'memberUid': 'newuser' } # 假设组信息位于 'ou=Groups,dc=example,dc=com' conn.extend.novice.modify('cn=MyGroup,ou=Groups,dc=example,dc=com', attributes=group_info) ``` 5. 最后,不要忘记关闭与LDAP服务器的连接: ```python conn.unbind() ``` 确保在执行上述操作时具有足够的权限,并且LDAP服务器的配置允许进行这些操作。如果你的操作需要特定的权限,请确保在LDAP服务器上进行相应的权限配置。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值