python-ldap reading an OU with more than 1000 objects

  • Thread starter Erick Perez - Quadrian Enterprises, S.A.
  • Start date
E

Erick Perez - Quadrian Enterprises, S.A.

Hi,
I have a MS Windows AD domain, and have one OU with more tan 1000 users
objects. When I try to read it, I hit the 1000 limit of AD while returning
objects, so I'm asking for advice as to how to read them.
Here is my actual code, it is not the cleanest as I am learning python.
Suggestions are welcomed :)

Runnig this script on RedHat 5.x with "python zimbra2.py" returns:
{'info': '', 'desc': 'Size limit exceeded'}

The script:

#!/usr/bin/python
#---------------------------------------------------------------------------
-----------------------
# Variables can be changed here:
import ldap, string, os, time, sys
base = 'ou=usuarios con papel tapiz,dc=organojudicial,dc=gob,dc=pa'
scope = ldap.SCOPE_SUBTREE
ZimbraEmail = "CN=ZimbraEmail,CN=Users,DC=organojudicial,DC=gob,DC=pa"
domain = "organojudicial.gob.pa" # "example.com"
ldapserver="ancon"
port="389"
emaildomain="organojudicial.gob.pa"
ldapbinddomain="organojudicial"
ldapbind="zimbrasync"
ldappassword="xxxxxxxx"
pathtozmprov="/opt/zimbra/bin/zmprov"
#---------------------------------------------------------------------------
-----------------------

#---------------------------------------------------------------------------
-----------------------
#output the list of all accounts from zmprov gaa (get all accounts)
# this is related to the Zimbra Mail System
f = os.popen(pathtozmprov +' gaa')
zmprovgaa= []
zmprovgaa = f.readlines()
#---------------------------------------------------------------------------
-----------------------

#---------------------------------------------------------------------------
-----------------------
# Let's connect to the Windows AD Domain
l=ldap.initialize("ldap://"+ldapserver+"."+domain+":"+port)
try:
l.simple_bind_s(ldapbinddomain+"\\"+ldapbind,ldappassword)
except ldap.INVALID_CREDENTIALS:
print "Your username or password to bind to AD is incorrect."
sys.exit()
except ldap.LDAPError, e:
if type(e.message) == dict and e.message.has_key('desc'):
print e.message['desc']
else:
print e
sys.exit()
# end of connection procedure to AD
#---------------------------------------------------------------------------
-----------------------

#---------------------------------------------------------------------------
-----------------------
# If connection to AD is ok
# Lets find only enabled users in a specific OU controlled by the variable
named base
# and get the login username the first name, the last name and what groups
this
# user belongs to as well as the email field.
#userAccountControl 512 = normal , 514 = disabled account. We only want
enabled accounts

try:
res = l.search_s(base,scope, "(&(ObjectCategory=user)
(userAccountControl=512))", ['sAMAccountName','givenName','sn','memberOf',
'mail'])
for (dn, vals) in res:
samaccount = vals['sAMAccountName'][0].lower()
accountname = vals['sAMAccountName'][0].lower()
try:
alias1 = vals['mail'][0].lower()
except:
alias1 = 'none'
try:
sirname = vals['sn'][0]
except:
sirname = vals['sAMAccountName'][0]
try:
givenname = vals['givenName'][0]
except:
givenname = vals['sAMAccountName'][0]
try:
groups = vals['memberOf']
except:
groups = 'none'

# this code is not working. Python chokes.
#initial = givenname[:1].upper()
#sirname = sirname.replace(' ', )
#sirname = sirname.replace('\\', )
#sirname = sirname.replace('-', )
#sirname = sirname.capitalize()

name = givenname + " " + sirname
accountname = accountname + "@" + emaildomain
password = " \'\' "
sys.stdout.flush()
# If the Active Directory user is a member of the AD group called
ZimbraMail, we begin processing this user.
if ZimbraEmail in groups:
print "SAM ACCOUNT: " + samaccount
print "accountname: " + accountname
print "name: " + name
print "Alias de zimbra " + alias1
if accountname +"\n" not in zmprovgaa:
print accountname," exists in active directory but not in
zimbra, the account is being created\n"
time.sleep(1)
os.system(pathtozmprov +' ca %s %s displayName "%s"' %
(accountname,password,name))
print "Creando Alias"
os.system(pathtozmprov +' aaa %s %s' % (accountname,alias1))
time.sleep(1)
else:
print accountname, alias1, " user is not a member of the ZimbraMail
AD Group. Will not be processed\n"
#---------------------------------------------------------------------------
-----------------------

except ldap.LDAPError, error_message:
print error_message
l.unbind_s()

thanks all for your comments.

Erick.
 
M

Michael Ströder

Erick said:
I have a MS Windows AD domain, and have one OU with more tan 1000 users
objects. When I try to read it, I hit the 1000 limit of AD while returning
objects, so I'm asking for advice as to how to read them.

IIRC with MS AD you can circumvent this limit by using the Simple Paged
Control (see RFC 2696). Check Demo/page_control.py in python-ldap's
source distribution for example code.

Ciao, Michael.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,902
Latest member
Elena68X5

Latest Threads

Top