问题描述

我想以编程方式启用/禁用LDAP用户帐户.在命令提示符下，我可以使用dsutil，这显然可以设置/删除nsAccountLock操作属性.我试图做Modify_s()来从w/in设置和删除此属性，但是总是收到以下错误消息:对条目""的'nsAccountLock'属性没有足够的'写'权限.

I would like to programmatically enable/disable LDAP user accounts. From the command prompt I can use dsutil and this apparently sets/removes the nsAccountLock operational attribute. I have attempted to do modify_s() to set and remove this attribute from w/in Python but always get the following error message: "Insufficient 'write' privilege to the 'nsAccountLock' attribute of entry ''".

是否可以通过Python以编程方式设置/删除/添加操作属性或以其他方式启用/禁用ldap用户?

Is there a way to set/remove/add operational attributes or otherwise enable/disable ldap users programmatically through Python?

谢谢，C

推荐答案

您应该使用属性"userAccountControl"，其中包含一组控制位.

You should use the attribute 'userAccountControl' which contains a set of control bits.

如果您要管理普通用户，请启用用户:

If you are managing normal users, to enable user:

userAccountControl = 512

并禁用它:

userAccountControl = 514

通常，如果要启用/禁用现有用户，则应检索当前值并以这种方式更新它.

Generally, if you want to enable/disable an existing user, you should retrieve current value and update it this way.

userADAccountControlFlag = 2
userAccountControl = user.userAccountControl

# To enable user:
userAccountControl = userAccountControl & ~userADAccountControlFlag # (& bit-wise AND, ~ bit-wise Negate)

# To disable user:
userAccountControl = userAccountControl | userADAccountControlFlag # (| bit-wise OR)

user.userAccountControl = userAccountControl

# Then update user on ldap server

您可以在此处找到有关userAccountControl属性的更多信息: http://www.selfadsi .org/ads-attributes/user-userAccountControl.htm

you can find more about userAccountControl attribute here: http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm

这篇关于使用Python ldap模块以编程方式启用/禁用帐户?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！