问题描述
我想以编程方式启用/禁用 LDAP 用户帐户.从命令提示符我可以使用 dsutil ,这显然设置/删除 nsAccountLock 操作属性.我试图做 modify_s() 以在 Python 中设置和删除此属性,但始终收到以下错误消息:对条目 '' 的 'nsAccountLock' 属性的'写入'权限不足".
I would like to programmatically enable/disable LDAP user accounts. From the command prompt I can use dsutil and this apparently sets/removes the nsAccountLock operational attribute. I have attempted to do modify_s() to set and remove this attribute from w/in Python but always get the following error message: "Insufficient 'write' privilege to the 'nsAccountLock' attribute of entry ''".
有没有办法通过 Python 以编程方式设置/删除/添加操作属性或启用/禁用 ldap 用户?
Is there a way to set/remove/add operational attributes or otherwise enable/disable ldap users programmatically through Python?
谢谢,C
推荐答案
您应该使用包含一组控制位的属性userAccountControl".
You should use the attribute 'userAccountControl' which contains a set of control bits.
如果你是管理普通用户,启用用户:
If you are managing normal users, to enable user:
userAccountControl = 512
并禁用它:
userAccountControl = 514
一般来说,如果您想启用/禁用现有用户,您应该检索当前值并以这种方式更新它.
Generally, if you want to enable/disable an existing user, you should retrieve current value and update it this way.
userADAccountControlFlag = 2
userAccountControl = user.userAccountControl
# To enable user:
userAccountControl = userAccountControl & ~userADAccountControlFlag # (& bit-wise AND, ~ bit-wise Negate)
# To disable user:
userAccountControl = userAccountControl | userADAccountControlFlag # (| bit-wise OR)
user.userAccountControl = userAccountControl
# Then update user on ldap server
您可以在此处找到有关 userAccountControl 属性的更多信息:http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm
you can find more about userAccountControl attribute here: http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm
这篇关于使用 Python ldap 模块以编程方式启用/禁用帐户?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!