Active Directory user creation with python-ldap

Discussion in 'Python' started by Nello, Apr 26, 2011.

  1. Nello

    Nello Guest

    I need to create an Active Directory user using the python-ldap library.
    So, I authenticate with an admin account and I use "add_s" to create
    the user.
    Anyway, by default users are disabled on creation, and I cannot set
    userAccountControl to switch off the flag ACCOUNTDISABLE, i.e. setting
    userAccountControl with 512 (NORMAL_ACCOUNT) value. See page
    http://support.microsoft.com/kb/305144 for a complete list of
    userAccount flags.

    If I try, the server responds:
    ldap.UNWILLING_TO_PERFORM: {'info': '0000052D: SvcErr: DSID-031A0FC0,
    problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is
    unwilling to perform'}

    Same thing if - as someone suggests - I create the user without a
    password and try to set userAccountCreation later.

    This is the code I use to create the account.
    Any suggestions?

    ----------------------------

    import ldap
    import ldap.modlist as modlist

    def addUser(username, firstname, surname, email, password):
        """Create a new user in Active Directory"""
        ldap.set_option(ldap.OPT_REFERRALS, 0)

        # Open a connection
        l = ldap.initialize(AD_LDAP_URL)

        # Bind/authenticate with a user with appropriate rights to add objects
        l.simple_bind_s(ADMIN_USER, ADMIN_PASSWORD)

        # The dn of our new entry/object
        dn = "cn=%s,%s" % (username, AD_SEARCH_DN)

        displayName = '%s %s [%s]' % (surname, firstname, username)

        # A dict to help build the "body" of the object
        attrs = {}
        attrs['objectclass'] = ['top', 'person', 'organizationalPerson', 'user']
        attrs['cn'] = str(username)
        attrs['sAMAccountname'] = str(username)
        attrs['userPassword'] = str(password)
        attrs['givenName'] = str(firstname)
        attrs['sn'] = str(surname)
        attrs['displayName'] = str(displayName)
        attrs['userPrincipalName'] = "%" % username

        # Some flags for userAccountControl property
        SCRIPT = 1
        ACCOUNTDISABLE = 2
        HOMEDIR_REQUIRED = 8
        PASSWD_NOTREQD = 32
        NORMAL_ACCOUNT = 512
        DONT_EXPIRE_PASSWORD = 65536
        TRUSTED_FOR_DELEGATION = 524288
        PASSWORD_EXPIRED = 8388608

        # this works!
        attrs['userAccountControl'] = str(NORMAL_ACCOUNT + ACCOUNTDISABLE)

        # this does not work :-(
        attrs['userAccountControl'] = str(NORMAL_ACCOUNT)

        # Convert our dict to nice syntax for the add-function using modlist-module
        ldif = modlist.addModlist(attrs)

        l.add_s(dn, ldif)
     
    Nello, Apr 26, 2011
    #1
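
An added example, not part of the original post: it decodes the userAccountControl values the post uses, reads the Win32 code out of the error's info string (0x52D is ERROR_PASSWORD_RESTRICTION, a password-policy refusal), and builds the quoted UTF-16LE value Active Directory expects in unicodePwd together with the modification that clears ACCOUNTDISABLE. The function names are hypothetical and nothing here contacts a directory.

```python
import re

# userAccountControl bits listed in the post (values from KB 305144).
UAC_FLAGS = {
    "SCRIPT": 1,
    "ACCOUNTDISABLE": 2,
    "HOMEDIR_REQUIRED": 8,
    "PASSWD_NOTREQD": 32,
    "NORMAL_ACCOUNT": 512,
    "DONT_EXPIRE_PASSWORD": 65536,
    "TRUSTED_FOR_DELEGATION": 524288,
    "PASSWORD_EXPIRED": 8388608,
}

# Win32 code that AD puts at the start of the LDAP 'info' string.
# Only the code seen in the post is mapped here.
WIN32_ERRORS = {0x52D: "ERROR_PASSWORD_RESTRICTION"}


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value."""
    value = int(value)
    names = [n for n, bit in UAC_FLAGS.items() if value & bit]
    return sorted(names, key=UAC_FLAGS.get)


def parse_ad_error(info):
    """Extract (win32_code, name) from an AD LDAP error 'info' string."""
    m = re.match(r"\s*([0-9A-Fa-f]{8}):", info)
    if not m:
        return None, None
    code = int(m.group(1), 16)
    return code, WIN32_ERRORS.get(code, "UNKNOWN")


def encode_unicode_pwd(password):
    """unicodePwd format: the password wrapped in double quotes, UTF-16LE."""
    return ('"%s"' % password).encode("utf-16-le")


def enable_mods(current_uac):
    """Modlist clearing ACCOUNTDISABLE; 2 is the value of ldap.MOD_REPLACE."""
    new_uac = int(current_uac) & ~UAC_FLAGS["ACCOUNTDISABLE"]
    return [(2, "userAccountControl", [str(new_uac).encode()])]


# Error text copied from the post.
INFO = "0000052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0\n"
```

With python-ldap both values are sent with modify_s: unicodePwd first, over an encrypted (ldaps:// or StartTLS) connection, then the userAccountControl replace.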