您好,登錄后才能下訂單哦!
LDAP/AD是兩種應用最廣泛的認證服務器,AD是微軟基于LDAP開發而成的,應用于Windows平臺,而LDAP主要應用于Linux平臺(LDAP用在Windows平臺比較少)。既然AD是基于LDAP的擴展,則LDAP大部分協議,AD均可原生支持,這位我們操作和管理AD認證服務器提供了大大的便利。
在軟件開發過程中,很多公司都采用AD/LDAP用于自己的用戶認證體系,本文重點研究通過Python語言提供的Python-Ldap框架,來操作和管理AD/LDAP中的用戶,組織結構等,希望對大家有所幫助。
基本概念:
o– organization(組織-公司)
ou – organization unit(組織單元/部門)
c - countryName(國家)
dc - domainComponent(域名組件)
sn – suer name(真實名稱)
cn - common name(常用名稱)
dn - distinguished name(唯一標識)
AD和LDAP中的字段及含義:
字段描述 表示值
唯一標識 dn
用戶名 userPrincipalName(AD)/cn(LDAP)
密碼 userPassword
真實姓名 displayName
工作地點 physicalDeliveryOfficeName
職務 title
郵箱 mail
個人電話 telephoneNumber
公司電話 homePhone
字段描述 表示值
唯一標識 dn
組織名稱 ou
組織描述 description
import ldap
def create_ad_user(username, unicode_password, org_dn):
l = ldap.initialize('ldap://172.16.1.163:636') #use secure port default:636
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('Administrator', 'P@ssword')
user = {}
user['objectclass'] = ['top', 'person', 'organizationalPerson', 'user']
user_dn = 'cn=%s,%s' % (username,org_dn)
user['userPrincipalName'] = '%s@%s' % (username, domain)
user['userAccountControl'] = '66048' # active user account
user['unicodePwd'] = unicode_password
ldif = modlist.addModlist(user)
ret, _ = l.add_s(user_dn, ldif)
print ret
import ldap
def create_ldap_user(username, password, org_dn):
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('Administrator', 'P@ssword')
user = {}
user['objectclass'] = ['top', 'person', 'inetOrgPerson']
user['cn'] = username
user['sn'] = user['cn']
user['password'] = password
user_dn = 'cn=%s,%s' % (username,org_dn)
ldif = modlist.addModlist(user)
ret, _ = l.add_s(user_dn, ldif)
print ret
import ldap
def modify_user(username):
firstname = 'Abel'
lastname = 'Lee'
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('Administrator', 'P@ssword')
cn = username
dn = 'cn=%s,ou=org1,dc=testad,dc=com' % cn
old = {'description': 'old description'}
new = {'description': 'new description'}
ldif = ldap.modifyModlist(old, new)
ret = l.modify_s(dn, ldif)
l.unbind_s()
print ret
import ldap
def delete_users(user_dn):
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('Administrator', 'P@ssword')
ret = l.delete_s(user_dn)
l.unbind_s()
print ret
import ldap
def describe_ad_users(org_dn='', usernames = []):
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('Administrator', 'P@ssword')
USER_ATTRS = ['userAccountControl','displayName','description','homePhone','physicalDeliveryOfficeName','title','mail','telephoneNumber']
filterstr = '(&(objectclass=user)'
if len(usernames) > 0:
filterstr = filterstr + '(|'
for username in usernames:
username = '%s@%s' % (username, domain)
userPrincipalName = '(userPrincipalName=%s)' % username
filterstr += userPrincipalName
if len(usernames) > 0:
filterstr += '))'
else:
filterstr += ')'
if org_dn:
ret = l.search_s(org_dn, ldap.SCOPE_SUBTREE, filterstr,
attrlist=USER_ATTRS)
else:
ret = l.search_s(base_dn, ldap.SCOPE_SUBTREE, filterstr,
attrlist=USER_ATTRS)
print ret
import ldap
def describe_ldap_users(org_dn='', usernames = []):
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('Administrator', 'P@ssword')
USER_ATTRS = ['userAccountControl','displayName','description','homePhone','physicalDeliveryOfficeName','title','mail','telephoneNumber']
filterstr = '(&(objectclass=person)'
if len(usernames) > 0:
filterstr = filterstr + '(|'
for cn in usernames:
cn = '(cn=%s)' % cn
filterstr += cn
if len(usernames) > 0:
filterstr += '))'
else:
filterstr += ')'
if org_dn:
ret = l.search_s(org_dn, ldap.SCOPE_SUBTREE, filterstr,
attrlist=USER_ATTRS)
else:
ret = l.search_s(base_dn, ldap.SCOPE_SUBTREE, filterstr,
attrlist=USER_ATTRS)
print ret
import ldap
def login_ad(user_dn, password):
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s(user_dn, password)
cn = user_dn.split(',')[0].split('=')
base_dn = 'dc=testad,dc=com'
domain = 'testad.com'
username = '%s@%s' % (cn[1], domain)
ret = l.search_s(base_dn, ldap.SCOPE_SUBTREE,"(userPrincipalName=%s)" % username, ["userPrincipalName"])
if ret is None or len(ret) == 0:
return False
return True
import ldap
def login_ldap(user_dn, password):
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s(user_dn, password)
cn = user_dn.split(',')[0].split('=')
base_dn = 'dc=testad,dc=com'
ret = l.search_s(base_dn, ldap.SCOPE_SUBTREE,"%s=%s" % (cn[0], cn[1]))
if ret is None or len(ret) == 0:
return False
return True
import ldap
def set_ad_password(user_dn, unicode_password):
l = ldap.initialize('ldap://172.16.1.163:636') #use secure port
l.simple_bind_s('Administrator', 'P@ssword')
param_pwd = [(ldap.MOD_REPLACE, 'unicodePwd', [password_utf16]), (ldap.MOD_REPLACE, 'unicodePwd', [password_utf16])]
ret,_ = l.modify_s(user_dn, param_pwd)
print ret
import ldap
def set_ldap_password(user_dn, password):
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('Administrator', 'P@ssword')
l.passwd_s(user_dn, None, password)
import ldap
def modify_ldap_password(user_dn, old_password, new_password):
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('Administrator', 'P@ssword')
l.passwd_s(user_dn, old_password, new_password)
import ldap
def create_ou(parent_dn, ou):
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('Administrator', 'P@ssword')
attrs= {'ou': ou}
attrs['description'] = 'this is description'
attrs['objectClass'] = ['organizationalUnit','top']
dn = 'ou=%s,%s' % (attrs['ou'], parent_dn)
ldif = modlist.addModlist(attrs)
ret, _ = l.add_s(dn,ldif)
print ret
import ldap
def modify_ou(attrs={'description': 'new_description'}):
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('Administrator', 'P@ssword')
old_attrs = {'description': 'old_description'}
ldif = modlist.modifyModlist(old_attrs, attrs)
l.modify_s(dn,ldif)
import ldap
def delete_ou(dn):
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('Administrator', 'P@ssword')
l.delete_s(dn)
import ldap
def describe_ou(parent_dn='', org_dns=[]):
ORGANIZATION_ATTRS = ['ou', 'description']
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('Administrator', 'P@ssword')
filterstr = '(&(objectclass=organizationalUnit)'
for dn in org_dns:
objectGUID = '(ou=%s)' % dn
filterstr += objectGUID
filterstr += ')'
if parent_dn:
ret = l.search_s(parent_dn, ldap.SCOPE_SUBTREE, filterstr,
attrlist=ORGANIZATION_ATTRS)
else:
ret = l.search_s(base_dn, ldap.SCOPE_SUBTREE, filterstr,
attrlist=ORGANIZATION_ATTRS)
print ret
import ldap
def change_user_in_ou(user_dn, new_org_dn):
l = ldap.initialize('ldap://172.16.1.163:389')
l.protocol_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('Administrator', 'P@ssword')
cn = user_dn.split(',')[0]
ret = l.rename_s(user_dn, cn, new_org_dn)
print ret
注意:AD和LDAP中如:創建用戶,查詢用戶等操作,其使用端口和查詢字段均有差異,還請格外注意,另外,代碼如有不明確指出,歡迎留言討論。
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。