
python查询ad域用户名_通过python-ldap操作管理AD/LDAP用户及组织结构

邢俊悟
2023-12-01

LDAP/AD是两种应用最广泛的认证服务器,AD是微软基于LDAP开发而成的,应用于Windows平台,而LDAP主要应用于Linux平台(LDAP用在Windows平台比较少)。既然AD是基于LDAP的扩展,则LDAP大部分协议,AD均可原生支持,这为我们操作和管理AD认证服务器提供了极大的便利。

在软件开发过程中,很多公司都采用AD/LDAP用于自己的用户认证体系,本文重点研究通过Python语言提供的Python-Ldap框架,来操作和管理AD/LDAP中的用户,组织结构等,希望对大家有所帮助。

基本概念:

o– organization(组织-公司)

ou – organization unit(组织单元/部门)

c - countryName(国家)

dc - domainComponent(域名组件)

sn – surname(真实名称)

cn - common name(常用名称)

dn - distinguished name(唯一标识)

AD和LDAP中的字段及含义:

用户表字段对应关系:

字段描述 表示值

唯一标识 dn

用户名 userPrincipalName(AD)/cn(LDAP)

密码 userPassword

真实姓名 displayName

工作地点 physicalDeliveryOfficeName

职务 title

邮箱 mail

个人电话 telephoneNumber

公司电话 homePhone

组织结构表对应关系:

字段描述 表示值

唯一标识 dn

组织名称 ou

组织描述 description

在AD中创建用户

import ldap

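def create_ad_user(username, unicode_password, org_dn, domain='testad.com',
                   uri='ldaps://172.16.1.163:636',
                   bind_dn='Administrator', bind_pw='P@ssword'):
    """Create an enabled user account named *username* under *org_dn* in AD.

    Args:
        username: login name; it becomes the ``cn`` RDN and the local part of
            ``userPrincipalName`` (``username@domain``).
        unicode_password: the initial password already in the wire form AD
            requires for ``unicodePwd`` -- the password wrapped in double
            quotes and encoded UTF-16-LE, i.e.
            ``('"%s"' % pw).encode('utf-16-le')``.
        org_dn: DN of the OU/container that will hold the new entry.
        domain: DNS domain appended to build the userPrincipalName. The
            original referenced an undefined ``domain`` name; the page's
            login example uses ``testad.com``.
        uri: LDAP URI. AD refuses to accept ``unicodePwd`` on an unencrypted
            connection, so this must be ``ldaps://`` (the original used
            ``ldap://`` on port 636, which is not TLS). Certificate checking
            follows the libldap configuration unless
            ``ldap.OPT_X_TLS_REQUIRE_CERT`` is set explicitly.
        bind_dn / bind_pw: credentials of an account allowed to create users.
            The defaults are the tutorial's placeholders; in a real
            deployment supply them from a secret store, not from source.

    Returns:
        The result type of ``add_s`` (also printed, as in the original).

    Raises:
        ldap.LDAPError: on connection, bind or add failure.

    Note: python-ldap 3.x expects attribute values as ``bytes``; encode the
    string values below when running on that release.
    """
    from ldap.modlist import addModlist
    from ldap.dn import escape_dn_chars

    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    # AD hands back referrals on subtree operations; not chasing them avoids
    # follow-up binds that would fail.
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        # Escape the RDN value so a name containing ',', '+', '=' or '"'
        # cannot change the structure of the DN.
        user_dn = 'cn=%s,%s' % (escape_dn_chars(username), org_dn)
        user = {
            'objectclass': ['top', 'person', 'organizationalPerson', 'user'],
            'userPrincipalName': '%s@%s' % (username, domain),
            # 0x200 NORMAL_ACCOUNT | 0x10000 DONT_EXPIRE_PASSWORD == 66048
            'userAccountControl': '66048',
            'unicodePwd': unicode_password,
        }
        # Index instead of unpacking: add_s returns (rtype, rdata) in
        # python-ldap 2.x but a longer tuple in newer releases.
        ret = conn.add_s(user_dn, addModlist(user))[0]
    finally:
        conn.unbind_s()
    print(ret)
    return ret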

在LDAP中创建用户

import ldap

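def create_ldap_user(username, password, org_dn,
                     uri='ldap://172.16.1.163:389',
                     bind_dn='Administrator', bind_pw='P@ssword'):
    """Create an ``inetOrgPerson`` entry named *username* under *org_dn*.

    Args:
        username: used for both ``cn`` (the RDN) and ``sn``.
        password: initial password, stored in ``userPassword``. The original
            wrote an attribute called ``password``, which is not part of
            inetOrgPerson; the directory schema attribute is ``userPassword``.
        org_dn: DN of the parent OU.
        uri: LDAP URI. Over ``ldap://`` on 389 the bind password and the new
            user's password travel in clear text; use ``ldaps://`` or call
            ``start_tls_s()`` after ``initialize`` outside a lab.
        bind_dn / bind_pw: administrative credentials; the defaults are the
            tutorial's placeholders and should come from a secret store.

    Returns:
        The result type of ``add_s`` (also printed, as in the original).

    Raises:
        ldap.LDAPError: on bind or add failure (e.g. ``ldap.ALREADY_EXISTS``).

    Note: python-ldap 3.x expects attribute values as ``bytes``.
    """
    from ldap.modlist import addModlist
    from ldap.dn import escape_dn_chars

    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        # Escape the RDN value so the caller-supplied name cannot alter the DN.
        user_dn = 'cn=%s,%s' % (escape_dn_chars(username), org_dn)
        user = {
            'objectclass': ['top', 'person', 'inetOrgPerson'],
            'cn': username,
            'sn': username,
            'userPassword': password,
        }
        # Index instead of unpacking: add_s returns (rtype, rdata) in
        # python-ldap 2.x but a longer tuple in newer releases.
        ret = conn.add_s(user_dn, addModlist(user))[0]
    finally:
        conn.unbind_s()
    print(ret)
    return ret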

修改AD/LDAP用户基本信息

import ldap

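def modify_user(username, old_attrs=None, new_attrs=None,
                base_dn='ou=org1,dc=testad,dc=com',
                uri='ldap://172.16.1.163:389',
                bind_dn='Administrator', bind_pw='P@ssword'):
    """Replace attributes on the entry ``cn=<username>,<base_dn>``.

    Args:
        username: the ``cn`` (RDN value) of the user to change.
        old_attrs: the values currently on the entry; defaults to the
            example's ``{'description': 'old description'}``. ``modifyModlist``
            diffs *old_attrs* against *new_attrs*, so pass the real current
            values (e.g. from a search) or the generated modification may not
            match what the directory holds.
        new_attrs: the desired values; defaults to
            ``{'description': 'new description'}``.
        base_dn: container holding the user (hard-coded in the original).
        uri, bind_dn, bind_pw: connection and admin credentials; the defaults
            are the tutorial's placeholders.

    Returns:
        The value returned by ``modify_s`` (also printed, as in the original).

    Raises:
        ldap.LDAPError: on bind or modify failure.
    """
    # modifyModlist lives in ldap.modlist; the original called the
    # non-existent ldap.modifyModlist.
    from ldap.modlist import modifyModlist
    from ldap.dn import escape_dn_chars

    # Mutable defaults are built per call so callers never share state.
    if old_attrs is None:
        old_attrs = {'description': 'old description'}
    if new_attrs is None:
        new_attrs = {'description': 'new description'}

    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        dn = 'cn=%s,%s' % (escape_dn_chars(username), base_dn)
        ret = conn.modify_s(dn, modifyModlist(old_attrs, new_attrs))
    finally:
        # Unbind on every path; the original leaked the connection on error.
        conn.unbind_s()
    print(ret)
    return ret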

删除AD/LDAP用户

import ldap

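def delete_users(user_dn, uri='ldap://172.16.1.163:389',
                 bind_dn='Administrator', bind_pw='P@ssword'):
    """Delete the entry *user_dn* (works for AD and LDAP alike).

    Args:
        user_dn: full DN of the entry to remove.
        uri, bind_dn, bind_pw: connection and admin credentials; the defaults
            are the tutorial's placeholders.

    Returns:
        The value returned by ``delete_s`` (also printed, as in the original).

    Raises:
        ldap.LDAPError: on bind or delete failure (e.g. ``ldap.NO_SUCH_OBJECT``).
    """
    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        ret = conn.delete_s(user_dn)
    finally:
        # The original only unbound after a successful delete.
        conn.unbind_s()
    print(ret)
    return ret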

查询AD用户信息

import ldap

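def describe_ad_users(org_dn='', usernames=None, domain='testad.com',
                      base_dn='dc=testad,dc=com',
                      uri='ldap://172.16.1.163:389',
                      bind_dn='Administrator', bind_pw='P@ssword'):
    """Search AD for user accounts and return their profile attributes.

    Args:
        org_dn: search base; falls back to *base_dn* when empty.
        usernames: login names to restrict the search to, matched on
            ``userPrincipalName`` as ``name@domain``. ``None`` or an empty
            list returns every ``objectclass=user`` entry under the base.
            (The original used a mutable ``[]`` default.)
        domain: DNS domain used to build each userPrincipalName; the
            original referenced an undefined ``domain`` name.
        base_dn: default search base; the original referenced an undefined
            ``base_dn`` name.
        uri, bind_dn, bind_pw: connection and admin credentials; the defaults
            are the tutorial's placeholders.

    Returns:
        The ``search_s`` result: a list of ``(dn, attrs)`` tuples (also
        printed, as in the original).

    Raises:
        ldap.LDAPError: on bind or search failure.
    """
    from ldap.filter import escape_filter_chars

    USER_ATTRS = ['userAccountControl', 'displayName', 'description',
                  'homePhone', 'physicalDeliveryOfficeName', 'title', 'mail',
                  'telephoneNumber']

    # Escape every value: a name such as "*" or ")(objectclass=*" would
    # otherwise rewrite the filter and widen the result set.
    clauses = ''.join(
        '(userPrincipalName=%s)' % escape_filter_chars('%s@%s' % (name, domain))
        for name in (usernames or [])
    )
    filterstr = '(&(objectclass=user)%s)' % ('(|%s)' % clauses if clauses else '')

    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        ret = conn.search_s(org_dn or base_dn, ldap.SCOPE_SUBTREE, filterstr,
                            attrlist=USER_ATTRS)
    finally:
        conn.unbind_s()
    print(ret)
    return ret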

查询LDAP中的用户

import ldap

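def describe_ldap_users(org_dn='', usernames=None,
                        base_dn='dc=testad,dc=com',
                        uri='ldap://172.16.1.163:389',
                        bind_dn='Administrator', bind_pw='P@ssword'):
    """Search an LDAP directory for person entries and return their attributes.

    Args:
        org_dn: search base; falls back to *base_dn* when empty.
        usernames: ``cn`` values to restrict the search to. ``None`` or an
            empty list returns every ``objectclass=person`` entry under the
            base. (The original used a mutable ``[]`` default.)
        base_dn: default search base; the original referenced an undefined
            ``base_dn`` name.
        uri, bind_dn, bind_pw: connection and admin credentials; the defaults
            are the tutorial's placeholders.

    Returns:
        The ``search_s`` result: a list of ``(dn, attrs)`` tuples (also
        printed, as in the original). Attributes the server does not hold
        (e.g. the AD-only ``userAccountControl``) are simply absent.

    Raises:
        ldap.LDAPError: on bind or search failure.
    """
    from ldap.filter import escape_filter_chars

    USER_ATTRS = ['userAccountControl', 'displayName', 'description',
                  'homePhone', 'physicalDeliveryOfficeName', 'title', 'mail',
                  'telephoneNumber']

    # Escape every cn so caller-supplied text cannot alter the filter.
    clauses = ''.join(
        '(cn=%s)' % escape_filter_chars(name) for name in (usernames or [])
    )
    filterstr = '(&(objectclass=person)%s)' % ('(|%s)' % clauses if clauses else '')

    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        ret = conn.search_s(org_dn or base_dn, ldap.SCOPE_SUBTREE, filterstr,
                            attrlist=USER_ATTRS)
    finally:
        conn.unbind_s()
    print(ret)
    return ret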

AD用户认证

import ldap

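def login_ad(user_dn, password, base_dn='dc=testad,dc=com',
             domain='testad.com', uri='ldap://172.16.1.163:389'):
    """Verify *password* for *user_dn* by binding to AD as that user.

    Args:
        user_dn: full DN of the account (its first RDN value is the login
            name used to build ``userPrincipalName``).
        password: the password to check.
        base_dn: subtree searched for the userPrincipalName after the bind.
        domain: DNS domain of the userPrincipalName.
        uri: LDAP URI; over ``ldap://`` on 389 the password is sent in clear
            text, so prefer ``ldaps://`` or ``start_tls_s()`` outside a lab.

    Returns:
        True when the bind succeeds and a matching userPrincipalName exists
        under *base_dn*; False for an empty password, invalid credentials or
        no matching entry.

    Raises:
        ldap.LDAPError: for failures other than invalid credentials (server
        down, bad DN syntax, ...), so an outage is not reported as a wrong
        password.

    An empty password is refused before contacting the server: a simple bind
    with a DN and an empty password is an *unauthenticated* bind, which many
    servers accept, so the original code returned True for any existing user
    when the password was blank.
    """
    from ldap.filter import escape_filter_chars
    from ldap.dn import str2dn

    if not password:
        return False

    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        try:
            conn.simple_bind_s(user_dn, password)
        except ldap.INVALID_CREDENTIALS:
            return False
        # First RDN value; str2dn handles escaped commas, unlike str.split.
        login_name = str2dn(user_dn)[0][0][1]
        upn = '%s@%s' % (login_name, domain)
        ret = conn.search_s(base_dn, ldap.SCOPE_SUBTREE,
                            '(userPrincipalName=%s)' % escape_filter_chars(upn),
                            ['userPrincipalName'])
    finally:
        conn.unbind_s()
    # With OPT_REFERRALS off, AD may return search references as entries
    # whose dn is None; count only real entries so a referral does not
    # pass as a match.
    return any(entry_dn for entry_dn, _ in (ret or []))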

LDAP用户认证

import ldap

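def login_ldap(user_dn, password, base_dn='dc=testad,dc=com',
               uri='ldap://172.16.1.163:389'):
    """Verify *password* for *user_dn* by binding to the directory as that user.

    Args:
        user_dn: full DN of the account; its first RDN (e.g. ``cn=alice``)
            is used to look the entry up again after the bind.
        password: the password to check.
        base_dn: subtree searched for the RDN after the bind.
        uri: LDAP URI; over ``ldap://`` on 389 the password is sent in clear
            text, so prefer ``ldaps://`` or ``start_tls_s()`` outside a lab.

    Returns:
        True when the bind succeeds and an entry with that RDN exists under
        *base_dn*; False for an empty password, invalid credentials or no
        matching entry.

    Raises:
        ldap.LDAPError: for failures other than invalid credentials.

    An empty password is refused before contacting the server: a simple bind
    with a DN and an empty password is an unauthenticated (anonymous) bind,
    which many servers accept, so the original returned True for any existing
    user when the password was blank.
    """
    from ldap.filter import escape_filter_chars
    from ldap.dn import str2dn

    if not password:
        return False

    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        try:
            conn.simple_bind_s(user_dn, password)
        except ldap.INVALID_CREDENTIALS:
            return False
        # First RDN as (type, value); str2dn handles escaped commas.
        rdn_type, rdn_value = str2dn(user_dn)[0][0][:2]
        # RFC 4515 form with parentheses (the original sent "cn=x" bare) and
        # an escaped value so the DN text cannot rewrite the filter.
        filterstr = '(%s=%s)' % (rdn_type, escape_filter_chars(rdn_value))
        ret = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, filterstr)
    finally:
        conn.unbind_s()
    # Ignore search references (dn is None) so only real entries count.
    return any(entry_dn for entry_dn, _ in (ret or []))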

设置AD用户密码,修改AD用户密码可以先认证再设置

import ldap

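def set_ad_password(user_dn, unicode_password,
                    uri='ldaps://172.16.1.163:636',
                    bind_dn='Administrator', bind_pw='P@ssword'):
    """Administratively reset the password of the AD account *user_dn*.

    Args:
        user_dn: full DN of the account.
        unicode_password: the new password already in the wire form AD
            requires for ``unicodePwd`` -- wrapped in double quotes and
            encoded UTF-16-LE: ``('"%s"' % pw).encode('utf-16-le')``. The
            original referenced an undefined ``password_utf16`` instead.
        uri: must be ``ldaps://`` (or a StartTLS session): AD rejects
            ``unicodePwd`` over an unencrypted connection. The original used
            the plain ``ldap://`` scheme on port 636, which is not TLS.
        bind_dn / bind_pw: credentials of an account allowed to reset
            passwords; the defaults are the tutorial's placeholders.

    Returns:
        The result type of ``modify_s`` (also printed, as in the original).

    Raises:
        ldap.LDAPError: on bind or modify failure (e.g. a password that does
        not satisfy the domain policy).

    A reset by an administrator is a single MOD_REPLACE; the original sent
    the same MOD_REPLACE twice. The delete-old/add-new pair is the shape used
    when a user changes their own password.
    """
    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        mods = [(ldap.MOD_REPLACE, 'unicodePwd', [unicode_password])]
        # Index instead of unpacking: modify_s returns (rtype, rdata) in
        # python-ldap 2.x but a longer tuple in newer releases.
        ret = conn.modify_s(user_dn, mods)[0]
    finally:
        conn.unbind_s()
    print(ret)
    return ret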

设置LDAP用户密码

import ldap

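def set_ldap_password(user_dn, password, uri='ldap://172.16.1.163:389',
                      bind_dn='Administrator', bind_pw='P@ssword'):
    """Set the password of *user_dn* as an administrator.

    Uses the Password Modify extended operation (``passwd_s``) with no old
    password, so the server stores *password* in its configured hash scheme.

    Args:
        user_dn: full DN of the account.
        password: the new password.
        uri: LDAP URI; over ``ldap://`` on 389 both the admin and the new
            password are sent in clear text -- use ``ldaps://`` or
            ``start_tls_s()`` outside a lab.
        bind_dn / bind_pw: administrative credentials; the defaults are the
            tutorial's placeholders.

    Returns:
        Whatever ``passwd_s`` returns (the original discarded it).

    Raises:
        ldap.LDAPError: on bind or extended-operation failure.
    """
    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        ret = conn.passwd_s(user_dn, None, password)
    finally:
        # The original never unbound, leaking the connection.
        conn.unbind_s()
    return ret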

修改LDAP用户密码

import ldap

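def modify_ldap_password(user_dn, old_password, new_password,
                         uri='ldap://172.16.1.163:389'):
    """Change the password of *user_dn* as that user, proving the old one.

    The original bound as Administrator and merely forwarded *old_password*
    to ``passwd_s``, so whether the current password was checked depended
    entirely on the server. Binding as the user with *old_password* makes
    the directory verify it before anything is changed and removes the need
    for admin credentials in this code path. This requires the directory's
    ACL to let users write their own password (the usual ``by self write``
    rule); use ``set_ldap_password`` for an administrative reset.

    Args:
        user_dn: full DN of the account.
        old_password: the current password; an empty value is rejected
            because a DN with an empty password is an unauthenticated
            (anonymous) bind.
        new_password: the password to set.
        uri: LDAP URI; over ``ldap://`` on 389 both passwords travel in
            clear text -- use ``ldaps://`` or ``start_tls_s()`` outside a lab.

    Returns:
        Whatever ``passwd_s`` returns (the original discarded it).

    Raises:
        ValueError: if *old_password* is empty.
        ldap.INVALID_CREDENTIALS: if *old_password* is wrong.
        ldap.LDAPError: on other bind or extended-operation failures.
    """
    if not old_password:
        raise ValueError('old_password must not be empty')

    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(user_dn, old_password)
        ret = conn.passwd_s(user_dn, old_password, new_password)
    finally:
        # The original never unbound, leaking the connection.
        conn.unbind_s()
    return ret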

创建AD/LDAP组织结构

import ldap

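def create_ou(parent_dn, ou, description='this is description',
              uri='ldap://172.16.1.163:389',
              bind_dn='Administrator', bind_pw='P@ssword'):
    """Create an ``organizationalUnit`` named *ou* under *parent_dn*.

    Args:
        parent_dn: DN of the containing entry.
        ou: the unit's name; becomes the ``ou`` attribute and the RDN.
        description: value of the ``description`` attribute (the original
            hard-coded the example text).
        uri, bind_dn, bind_pw: connection and admin credentials; the defaults
            are the tutorial's placeholders.

    Returns:
        The result type of ``add_s`` (also printed, as in the original).

    Raises:
        ldap.LDAPError: on bind or add failure (e.g. ``ldap.ALREADY_EXISTS``).

    Note: python-ldap 3.x expects attribute values as ``bytes``.
    """
    from ldap.modlist import addModlist
    from ldap.dn import escape_dn_chars

    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        attrs = {
            'ou': ou,
            'description': description,
            'objectClass': ['organizationalUnit', 'top'],
        }
        # Escape the RDN value so the unit name cannot alter the DN.
        dn = 'ou=%s,%s' % (escape_dn_chars(ou), parent_dn)
        # Index instead of unpacking: add_s returns (rtype, rdata) in
        # python-ldap 2.x but a longer tuple in newer releases.
        ret = conn.add_s(dn, addModlist(attrs))[0]
    finally:
        conn.unbind_s()
    print(ret)
    return ret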

修改AD/LDAP组织结构

import ldap

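def modify_ou(attrs=None, dn=None, old_attrs=None,
              uri='ldap://172.16.1.163:389',
              bind_dn='Administrator', bind_pw='P@ssword'):
    """Replace attributes on the organizational unit *dn*.

    Args:
        attrs: desired attribute values; defaults to the example's
            ``{'description': 'new_description'}``. (The original used a
            mutable dict as the default, shared across calls.)
        dn: full DN of the OU to modify. The original referenced an
            undefined ``dn`` and could not run; it is now required.
        old_attrs: the values currently on the entry, diffed against *attrs*
            by ``modifyModlist``; defaults to the example's
            ``{'description': 'old_description'}``. Pass the real current
            values (e.g. from ``describe_ou``) for a correct modification.
        uri, bind_dn, bind_pw: connection and admin credentials; the defaults
            are the tutorial's placeholders.

    Returns:
        The value returned by ``modify_s`` (the original discarded it).

    Raises:
        ValueError: if *dn* is not given.
        ldap.LDAPError: on bind or modify failure.
    """
    from ldap.modlist import modifyModlist

    if dn is None:
        raise ValueError('dn of the organizational unit is required')
    if attrs is None:
        attrs = {'description': 'new_description'}
    if old_attrs is None:
        old_attrs = {'description': 'old_description'}

    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        ret = conn.modify_s(dn, modifyModlist(old_attrs, attrs))
    finally:
        conn.unbind_s()
    return ret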

删除AD/LDAP组织结构

import ldap

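def delete_ou(dn, uri='ldap://172.16.1.163:389',
              bind_dn='Administrator', bind_pw='P@ssword'):
    """Delete the organizational unit *dn*.

    LDAP only deletes leaf entries, so an OU that still contains users or
    sub-units is refused by the server (``ldap.NOT_ALLOWED_ON_NONLEAF``).

    Args:
        dn: full DN of the OU.
        uri, bind_dn, bind_pw: connection and admin credentials; the defaults
            are the tutorial's placeholders.

    Returns:
        The value returned by ``delete_s`` (the original discarded it).

    Raises:
        ldap.LDAPError: on bind or delete failure.
    """
    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        ret = conn.delete_s(dn)
    finally:
        # The original never unbound, leaking the connection.
        conn.unbind_s()
    return ret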

查询AD/LDAP组织结构

import ldap

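def describe_ou(parent_dn='', org_dns=None, base_dn='dc=testad,dc=com',
                uri='ldap://172.16.1.163:389',
                bind_dn='Administrator', bind_pw='P@ssword'):
    """Search for organizational units and return their ``ou``/``description``.

    Args:
        parent_dn: search base; falls back to *base_dn* when empty.
        org_dns: despite the name, a list of ``ou`` *names* (not DNs) to
            restrict the search to; ``None`` or empty returns every
            ``organizationalUnit`` under the base. (The original used a
            mutable ``[]`` default.)
        base_dn: default search base; the original referenced an undefined
            ``base_dn`` name.
        uri, bind_dn, bind_pw: connection and admin credentials; the defaults
            are the tutorial's placeholders.

    Returns:
        The ``search_s`` result: a list of ``(dn, attrs)`` tuples (also
        printed, as in the original).

    Raises:
        ldap.LDAPError: on bind or search failure.

    The original AND-ed one ``(ou=name)`` term per name. An OU entry normally
    carries a single ``ou`` value, so two or more names could never all match;
    the names are OR-ed here, consistent with the user searches above.
    """
    from ldap.filter import escape_filter_chars

    ORGANIZATION_ATTRS = ['ou', 'description']

    # Escape every name so caller-supplied text cannot alter the filter.
    clauses = ''.join(
        '(ou=%s)' % escape_filter_chars(name) for name in (org_dns or [])
    )
    filterstr = '(&(objectclass=organizationalUnit)%s)' % (
        '(|%s)' % clauses if clauses else ''
    )

    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        ret = conn.search_s(parent_dn or base_dn, ldap.SCOPE_SUBTREE, filterstr,
                            attrlist=ORGANIZATION_ATTRS)
    finally:
        conn.unbind_s()
    print(ret)
    return ret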

修改用户所属组织结构

import ldap

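def change_user_in_ou(user_dn, new_org_dn, uri='ldap://172.16.1.163:389',
                      bind_dn='Administrator', bind_pw='P@ssword'):
    """Move the entry *user_dn* under *new_org_dn*, keeping its RDN.

    Implemented with ``rename_s(dn, newrdn, newsuperior)``: the RDN is left
    unchanged and only the parent changes.

    Args:
        user_dn: full DN of the entry to move.
        new_org_dn: DN of the destination OU.
        uri, bind_dn, bind_pw: connection and admin credentials; the defaults
            are the tutorial's placeholders.

    Returns:
        The value returned by ``rename_s`` (also printed, as in the original).

    Raises:
        ldap.LDAPError: on bind or rename failure.
    """
    from ldap.dn import explode_dn

    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        # explode_dn respects escaped commas in the RDN, which the original
        # str.split(',') did not.
        rdn = explode_dn(user_dn)[0]
        ret = conn.rename_s(user_dn, rdn, new_org_dn)
    finally:
        # The original never unbound, leaking the connection.
        conn.unbind_s()
    print(ret)
    return ret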

注意:AD和LDAP中如创建用户、查询用户等操作,其使用的端口和查询字段均有差异,还请格外注意。另外,代码如有不明确之处,欢迎留言讨论。
