4

I want to change the userAccountControl and password of the AD user. User is already created in AD. The user is created with python-ldap module in AD and is in 'Disabled' state and with no password.

AD is hosted on win2k8R2.

When I change the uac and password with the pythion-ldap script it throws below error:

ldap://192.168.254.1:389
(97, [])
Traceback (most recent call last):
  File "C:\workspace\utils\src\u.py", line 16, in <module>
    l.modify_s(dn, mod_attrs)
  File "C:\Python26\lib\site-packages\ldap\ldapobject.py", line 336, in modify_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "C:\Python26\lib\site-packages\ldap\ldapobject.py", line 436, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "C:\Python26\lib\site-packages\ldap\ldapobject.py", line 440, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "C:\Python26\lib\site-packages\ldap\ldapobject.py", line 446, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "C:\Python26\lib\site-packages\ldap\ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.UNWILLING_TO_PERFORM: {'info': '00002077: SvcErr: DSID-031903A4, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perform'}


import ldap

host = "192.168.254.1"
ip = "ldap://%s:%d"%(host, 389)
l = ldap.initialize(ip)
newUser = "vishalworld"
dn = "cn=%s,%s"%(newUser, "cn=Users,DC=example,DC=com")
print l.simple_bind_s("administrator",password)
pwd = '"abcdefgh"'.encode("utf-16-le")
mod_attrs = [
                (ldap.MOD_REPLACE, "lockoutTime", 0),
                (ldap.MOD_REPLACE, "unicodePwd", pwd),
            ]
l.modify_s(dn, mod_attrs)
vishal ekhe
  • 199
  • 3
  • 8
  • can someone look into? – vishal ekhe May 11 '13 at 15:24
  • Upvote and accept answers you find usefull. It will give reputation points to you and the person helping you. Giving out points like this will encourage people to respond to you. *Bumping* your own question does not, as you can see from your other unanswered questions. – ixe013 Jul 16 '13 at 03:59

1 Answers1

6

First you need to add tls support to your AD.http://araihan.wordpress.com/2009/10/05/windows-server-2008-active-directory-certificate-services-ad-cs/ this is a tutorial to explain how to create the certificate

Then you need to authenticate with tls to the AD. like this

import ldap

LDAP_SERVER_EMG = "ldaps://192.168.0.250"
BIND_DN = "Administrador@emgS.local"
BIND_PASS = "xxxXXXxxxXXXxxx"
USER_BASE = "dc=emgS,dc=local"
try:
   ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, 0)
   lcon_emg = ldap.initialize(LDAP_SERVER_EMG)
   lcon_emg.simple_bind_s(BIND_DN, BIND_PASS)
except ldap.LDAPError, e:
   print e

Then you can add your user for test

ad_u = {
            'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
            'cn': 'test',
            'displayName': 'test',
            'distinguishedName': 'CN=test,DC=emgS,dc=local',
            'givenName': 'test test',
            'sAMAccountName': 'test',
            'sn': 'test',
            'userAccountControl': '514',
            'userPrincipalName': 'test@emgS.local',
            'mail': mail_user,
             #732 is test in 3ll1t3
            'employeeID': '732'
            }
        mods = ldap.modlist.addModlist(ad_u)

        try:
            lcon_emg.add_s(ad_u.get('distinguishedName'),
                                mods)
        except Exception, e:
            response.update({'error_ad': 'ActiveD: Error  %s' % str(e)})
        else:
            response.update({'success_ad': 'ActiveD: F4ck y34h'})

    #then you can put a password for the user
    unicode_pass = unicode('\"' + "my super secret password :)" + '\"', 'iso-8859-1')
    password_value = unicode_pass.encode('utf-16-le')
    add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password_value])]
    # 512 will set user account to enabled
    mod_acct = [(ldap.MOD_REPLACE, 'userAccountControl', '512')]

    try:
        lcon_emg.modify_s(ad_u.get('distinguishedName'), add_pass)
    except ldap.LDAPError, error_message:
        response.update({'error_ad_clave': 'ActiveD: Error %s' % str(error_message)})
    else:
        response.update({'success_ad_clave': 'ActiveD: Yeah'})

    try:
        lcon_emg.modify_s(ad_u.get('distinguishedName'), mod_acct)
    except ldap.LDAPError, error_message:
        response.update({'error_ad_hab': 'Error  %s' % str(error_message)})
    else:
        response.update({'success_ad_hab': 'Success'})
        lcon_emg.unbind_s()

and TA TA!!!

Pjl
  • 1,752
  • 18
  • 21
  • Thanks a lot peter. After adding the certificate it started working. And thanks for the link and brief explanation. – vishal ekhe May 29 '13 at 11:04