From: Noah G. <noa...@gm...> - 2007-12-11 15:36:22

On Dec 11, 2007, at 10:31 AM, Rich Megginson wrote:

> Noah Gift wrote:
>> On Dec 11, 2007, at 10:02 AM, Rich Megginson wrote:
>>
>>> Torsten Kurbad wrote:
>>>
>>>> At Tue, 11 Dec 2007 14:45:01 +0100
>>>> Michael Ströder <mi...@st...> wrote:
>>>>
>>>>> Ah, ok. Interesting. Why don't you separate the krb5 module into
>>>>> another project. I guess some people might be interested in that.
>>>>
>>>> ME, ME, ME!!! :o)
>>>>
>>>> I tried several krb5 modules lying around in the net so far - and
>>>> none really worked! In fact, most of the implementations require an
>>>> external kinit call, which is NOT what I intend to let my users do...
>>>>
>>>> So, I'd very much appreciate, if you think about Michael's idea,
>>>> Geert!
>>>>
>>>> Regards,
>>>> Torsten
>>>
>>> You might be interested in the freeipa.org project which uses
>>> python, python-ldap, turbogears, PyKerberos, and supports http
>>> authentication with forwardable tickets. I don't think they support
>>> SPNEGO yet but patches are welcome :-)
>>
>> Rich,
>>
>> Have you used freeipa? I would be interested in covering this in
>> the book I am writing about Python for Systems Administration.
>
> No, I haven't used it, but I have worked on some of the directory
> server features it uses.

Red Hat is really picking up steam on creating Python Sys Admin
Tools. I will have to check out freeipa when I get a chance. Thanks
for the info.

>> Noah Gift
>>
>>> -------------------------------------------------------------------------
>>> SF.Net email is sponsored by:
>>> Check out the new SourceForge.net Marketplace.
>>> It's the best place to buy or sell services for
>>> just about anything Open Source.
>>> http://sourceforge.net/services/buy/index.php
>>> _______________________________________________
>>> Python-LDAP-dev mailing list
>>> Pyt...@li...
>>> https://lists.sourceforge.net/lists/listinfo/python-ldap-dev

From: Rich M. <ric...@gm...> - 2007-12-11 15:32:25

Noah Gift wrote:
> On Dec 11, 2007, at 10:02 AM, Rich Megginson wrote:
>
>> Torsten Kurbad wrote:
>>
>>> At Tue, 11 Dec 2007 14:45:01 +0100
>>> Michael Ströder <mi...@st...> wrote:
>>>
>>>> Ah, ok. Interesting. Why don't you separate the krb5 module into
>>>> another project. I guess some people might be interested in that.
>>>
>>> ME, ME, ME!!! :o)
>>>
>>> I tried several krb5 modules lying around in the net so far - and
>>> none really worked! In fact, most of the implementations require an
>>> external kinit call, which is NOT what I intend to let my users do...
>>>
>>> So, I'd very much appreciate, if you think about Michael's idea,
>>> Geert!
>>>
>>> Regards,
>>> Torsten
>>
>> You might be interested in the freeipa.org project which uses python,
>> python-ldap, turbogears, PyKerberos, and supports http authentication
>> with forwardable tickets. I don't think they support SPNEGO yet but
>> patches are welcome :-)
>
> Rich,
>
> Have you used freeipa? I would be interested in covering this in the
> book I am writing about Python for Systems Administration.

No, I haven't used it, but I have worked on some of the directory
server features it uses.

> Noah Gift

From: Noah G. <noa...@gm...> - 2007-12-11 15:25:01

On Dec 11, 2007, at 10:02 AM, Rich Megginson wrote:

> Torsten Kurbad wrote:
>> At Tue, 11 Dec 2007 14:45:01 +0100
>> Michael Ströder <mi...@st...> wrote:
>>
>>> Ah, ok. Interesting. Why don't you separate the krb5 module into
>>> another project. I guess some people might be interested in that.
>>
>> ME, ME, ME!!! :o)
>>
>> I tried several krb5 modules lying around in the net so far - and
>> none really worked! In fact, most of the implementations require an
>> external kinit call, which is NOT what I intend to let my users do...
>>
>> So, I'd very much appreciate, if you think about Michael's idea,
>> Geert!
>>
>> Regards,
>> Torsten
>
> You might be interested in the freeipa.org project which uses python,
> python-ldap, turbogears, PyKerberos, and supports http authentication
> with forwardable tickets. I don't think they support SPNEGO yet but
> patches are welcome :-)

Rich,

Have you used freeipa? I would be interested in covering this in the
book I am writing about Python for Systems Administration.

Noah Gift

From: Rich M. <ric...@gm...> - 2007-12-11 15:02:54

Torsten Kurbad wrote:
> At Tue, 11 Dec 2007 14:45:01 +0100
> Michael Ströder <mi...@st...> wrote:
>
>> Ah, ok. Interesting. Why don't you separate the krb5 module into
>> another project. I guess some people might be interested in that.
>
> ME, ME, ME!!! :o)
>
> I tried several krb5 modules lying around in the net so far - and none
> really worked! In fact, most of the implementations require an external
> kinit call, which is NOT what I intend to let my users do...
>
> So, I'd very much appreciate, if you think about Michael's idea,
> Geert!
>
> Regards,
> Torsten

You might be interested in the freeipa.org project which uses python,
python-ldap, turbogears, PyKerberos, and supports http authentication
with forwardable tickets. I don't think they support SPNEGO yet but
patches are welcome :-)

From: Torsten K. <pyt...@tk...> - 2007-12-11 14:19:35

At Tue, 11 Dec 2007 14:45:01 +0100
Michael Ströder <mi...@st...> wrote:

> Ah, ok. Interesting. Why don't you separate the krb5 module into
> another project. I guess some people might be interested in that.

ME, ME, ME!!! :o)

I tried several krb5 modules lying around in the net so far - and none
really worked! In fact, most of the implementations require an external
kinit call, which is NOT what I intend to let my users do...

So, I'd very much appreciate, if you think about Michael's idea,
Geert!

Regards,
Torsten

-- 
"Triumph without Victory, The Unreported History of the Persian Gulf
War", -Headline published in the U.S. News & World Report, 1992.

From: David L. <d...@ad...> - 2007-12-11 14:08:37

Michael Ströder wrote:
> Geert Jansen wrote:
>
>> Michael Ströder wrote:
>>
>>> I saw that kinit is started as a shell sub-process.
>>
>> Actually Python-AD comes with a C module that wraps the required
>> Kerberos functions (see lib/ad/protocol/krb5.c). What you probably saw
>> is the use of kinit in the test suite, where I use it to verify the
>> credentials acquired by the C module.
>
> Ah, ok. Interesting. Why don't you separate the krb5 module into another
> project. I guess some people might be interested in that.
>
> Especially my dream would be to support HTTP-Authentication based on
> SPNEGO/GSSAPI in web2ldap. But not only authenticating the user at the
> web server. I would rather like to forward the service ticket requested
> for a particular LDAP service to the LDAP server in a SASL/GSSAPI
> BindRequest. Do you think that's feasible?

there is pykerberos from
http://trac.calendarserver.org/projects/calendarserver/browser/PyKerberos/

I am interested in a better GSSAPI binding for Python.. and have some
incomplete code locally if anyone else is interested.

To do credential forwarding, the gss is currently kind of crappy about
how to extract creds portably, but if you know it's kerberos and you can
set KRB5CCNAME to a temporary file you can stash a delegated TGT into a
temp ccache so that SASL/GSS can find it when you talk ldap.

-- 
David Leonard
d...@ad...
Ph:+61 404 844 850

From: <mi...@st...> - 2007-12-11 13:45:30

Geert Jansen wrote:
> Michael Ströder wrote:
>
>> I saw that kinit is started as a shell sub-process.
>
> Actually Python-AD comes with a C module that wraps the required
> Kerberos functions (see lib/ad/protocol/krb5.c). What you probably saw
> is the use of kinit in the test suite, where I use it to verify the
> credentials acquired by the C module.

Ah, ok. Interesting. Why don't you separate the krb5 module into another
project. I guess some people might be interested in that.

Especially my dream would be to support HTTP-Authentication based on
SPNEGO/GSSAPI in web2ldap. But not only authenticating the user at the
web server. I would rather like to forward the service ticket requested
for a particular LDAP service to the LDAP server in a SASL/GSSAPI
BindRequest. Do you think that's feasible?

Ciao, Michael.

From: <mi...@st...> - 2007-12-11 11:26:02

Craig Balfour wrote:
> I've just noticed, however, that when the old and new entry consist of
> the same characters but in a different order (as occurs when initials
> are swapped around, for example) ldap_compare_s() returns
> COMPARE_FALSE but modifyModlist() returns an empty list - the result
> being that nothing gets updated.
>
> Here's some examples:
>
> modlist = ldap.modlist.modifyModlist({"givenName": "Fred"}, {"givenName": "Bob"})
> print str(modlist)
> [(1, 'givenName', None), (0, 'givenName', 'Bob')]
>
> modlist = ldap.modlist.modifyModlist({"givenName": "Fred"}, {"givenName": "derF"})
> print str(modlist)
> []
>
> Is this a bug in modifyModlist() or a feature?

This is a bug in *your* code. ;-)
But I also had to look at it twice before recognizing it.

Note that an attribute in the entry's dict is made of an attribute type
and a *list* of attribute values (strings). You're passing in strings as
attribute value lists and the function modifyModlist() iterates over the
single chars in the string instead of iterating over the list items
(attribute values).

So your examples should be (and modifyModlist() works as expected):

Python 2.5.1 (r251:54863, Aug 3 2007, 00:52:06)
[GCC 4.1.2 20061115 (prerelease) (SUSE Linux)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from ldap.modlist import modifyModlist
>>> modifyModlist({"givenName": ["Fred"]}, {"givenName": ["Bob"]})
[(1, 'givenName', None), (0, 'givenName', ['Bob'])]
>>> modifyModlist({"givenName": ["Fred"]}, {"givenName": ["derF"]})
[(1, 'givenName', None), (0, 'givenName', ['derF'])]
>>>

Ciao, Michael.

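
Added example, not part of the thread and not python-ldap's own code: a small model of why a bare string such as "Fred" compares equal to "derF" when it is iterated like a value list, plus a guard that a sync job can run on both entries before handing them to modifyModlist(). The function names and the `strict` flag are assumptions made for this illustration.

```python
"""Catch bare-string attribute values before diffing two LDAP entries."""


def elementwise_equal(old_values, new_values):
    """Simplified model (an assumption, not the library's source) of an
    order-insensitive comparison: both arguments are iterated and their
    elements compared as sets. Correct for value lists, because LDAP
    attribute values are unordered; wrong for a bare string, which
    iterates as single characters."""
    return set(old_values) == set(new_values)


def normalize_entry(entry, strict=False):
    """Return a copy of `entry` where every attribute maps to a list.

    A bare str/bytes value is wrapped in a one-element list, or rejected
    when strict=True. Any other non-sequence value is always rejected, so
    a malformed record fails loudly instead of producing an empty diff.
    """
    normalized = {}
    for attr, values in entry.items():
        if isinstance(values, (str, bytes)):
            if strict:
                raise TypeError(
                    "%s: expected a list of values, got a bare %s"
                    % (attr, type(values).__name__)
                )
            values = [values]
        elif not isinstance(values, (list, tuple, set, frozenset)):
            raise TypeError(
                "%s: unsupported value type %s" % (attr, type(values).__name__)
            )
        normalized[attr] = list(values)
    return normalized


def changed_attributes(old_entry, new_entry):
    """Sorted names of attributes whose value sets differ once both
    entries are normalized. An empty result means there is nothing to
    send to the server."""
    old = normalize_entry(old_entry)
    new = normalize_entry(new_entry)
    return sorted(
        attr
        for attr in set(old) | set(new)
        if set(old.get(attr, [])) != set(new.get(attr, []))
    )


if __name__ == "__main__":
    # Constructed inputs mirroring the case reported in the thread.
    print(elementwise_equal("Fred", "derF"))        # same character set
    print(elementwise_equal(["Fred"], ["derF"]))    # different values
    print(changed_attributes({"givenName": "Fred"}, {"givenName": "derF"}))
```

Passing `normalize_entry(old)` and `normalize_entry(new)` to the diff makes the silent "nothing gets updated" case impossible; `strict=True` is the better choice when the upstream data source should never emit bare strings.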
From: Geert J. <ge...@bo...> - 2007-12-10 21:29:38

Michael Ströder wrote:
> I saw that kinit is started as a shell sub-process.

Actually Python-AD comes with a C module that wraps the required
Kerberos functions (see lib/ad/protocol/krb5.c). What you probably saw
is the use of kinit in the test suite, where I use it to verify the
credentials acquired by the C module.

Regards,
Geert

From: <mi...@st...> - 2007-12-10 19:50:50

Geert Jansen wrote:
> Mike Matz wrote:
>> Will this initial release work on Mac OS X? If not, are there any
>> plans in the future for Mac OS X?
>
> At the moment I have not tested Python-AD on OSX, but I would be happy
> to support it in a future version. This requires though that someone
> sends me patches, or that I find a way of getting access to OSX myself
> (I do not own a Mac).

I saw that kinit is started as a shell sub-process. Another approach
might be to use a Python wrapper module for heimdal by Univention
(GPL-ed).

Discussion starts here:
http://www.stacken.kth.se/lists/heimdal-discuss/2007-06/msg00073.html

I have a working installation (import works) but did no further tests.

Ciao, Michael.

From: Geert J. <ge...@bo...> - 2007-12-10 17:52:47

Mike Matz wrote:
> Will this initial release work on Mac OS X? If not, are there any
> plans in the future for Mac OS X?

At the moment I have not tested Python-AD on OSX, but I would be happy
to support it in a future version. This requires though that someone
sends me patches, or that I find a way of getting access to OSX myself
(I do not own a Mac).

Regards
Geert

From: Craig B. <cr...@cs...> - 2007-12-10 12:32:50

I've been using ldap.compare_s(), ldap.modlist.modifyModlist() and
ldap_modify_s() to keep an OpenLDAP database up to date from an external
datasource.

I've just noticed, however, that when the old and new entry consist of
the same characters but in a different order (as occurs when initials
are swapped around, for example) ldap_compare_s() returns COMPARE_FALSE
but modifyModlist() returns an empty list - the result being that
nothing gets updated.

Here's some examples:

modlist = ldap.modlist.modifyModlist({"givenName": "Fred"}, {"givenName": "Bob"})
print str(modlist)
[(1, 'givenName', None), (0, 'givenName', 'Bob')]

modlist = ldap.modlist.modifyModlist({"givenName": "Fred"}, {"givenName": "derF"})
print str(modlist)
[]

Is this a bug in modifyModlist() or a feature?

Craig

-- 
Craig Balfour <cr...@cs...> - Unix Systems Administrator
Computer Science, University of Cape Town, Private Bag, Rondebosch, 7701

From: Mike M. <mm...@wy...> - 2007-12-10 12:24:34

Will this initial release work on Mac OS X? If not, are there any
plans in the future for Mac OS X?

Thanks,
Mike

On Dec 8, 2007, at 11:17 AM, Geert Jansen wrote:

> All,
>
> with this email I am announcing the first public release of python-ad.
> Python-AD is a Python client for MS Active Directory built on top of
> python-ldap. Amongst others it has the following features:
>
> * Automatic domain controller discovery (taking into account locality
>   and timing)
> * Transparent multi-domain functionality.
> * Credential management. Credentials can be acquired using a
>   username/password, username/keytab or can be loaded from the OS.
>
> Python-AD is ideal for situations where you need to manage data in AD
> from UNIX or Linux, such as adding users or querying printers.
>
> The software, including full documentation, can be found at:
> http://www.boskant.nl/trac/python-ad/
>
> Regards,
> Geert Jansen

From: Geert J. <ge...@bo...> - 2007-12-08 16:17:44

All,

with this email I am announcing the first public release of python-ad.
Python-AD is a Python client for MS Active Directory built on top of
python-ldap. Amongst others it has the following features:

* Automatic domain controller discovery (taking into account locality
  and timing)
* Transparent multi-domain functionality.
* Credential management. Credentials can be acquired using a
  username/password, username/keytab or can be loaded from the OS.

Python-AD is ideal for situations where you need to manage data in AD
from UNIX or Linux, such as adding users or querying printers.

The software, including full documentation, can be found at:
http://www.boskant.nl/trac/python-ad/

Regards,
Geert Jansen

From: <mi...@st...> - 2007-12-07 08:48:50

Chaos Eternal wrote:
> I think, there may be some problem if you set sAMAccountName
> inconsistent with userPrincipalName.

AFAIK sAMAccountName and userPrincipalName are independent and can be
set according to completely different naming conventions. You should try
out what is possible using the MMC User and Groups snapin.

Ciao, Michael.

From: Geert J. <ge...@bo...> - 2007-12-07 08:07:36

Michael Ströder wrote:
> Geert Jansen wrote:
>
>> On a related note, you may be interested in my current project
>> Python-AD: http://www.boskant.nl/trac/python-ad/
>
> How are you using Kerberos? Do you expect the user to run MIT's kinit
> before sending a SASL/GSSAPI bind request? Does it also work with
> heimdal? Do you make use of a Windows logon when running on Windows?

The user doesn't need to run kinit (but he can do so and in that case
those credentials can be picked up). I provide a class called "Creds"
that the user can use to acquire credentials:

    from ad import Creds, activate

    # domain, username and password are supplied by the caller
    creds = Creds(domain)
    creds.acquire(username, password)
    activate(creds)

Behind the scenes a new private ccache and Kerberos configuration are
installed using the $KRB5CCNAME and $KRB5_CONFIG environment variables.

I have not tested this with Heimdal so far. If it supports the
environment variables above it should work. Also I haven't tested
windows but I think that the Creds interface should be portable to that
platform as well.

Regards,
Geert

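
Added example, not code from Python-AD or from any poster in this thread: one way to set up the private credential cache and Kerberos configuration that Geert's and David's messages describe, by pointing KRB5CCNAME and KRB5_CONFIG into a directory only the current user can enter and restoring the environment afterwards. The helper names are assumptions; acquiring or stashing the actual ticket is left to whichever Kerberos or GSSAPI binding is in use.

```python
import contextlib
import os
import shutil
import stat
import tempfile


def is_private(path):
    """True if `path` is owned by the current user and grants no
    permission bits at all to group or other."""
    info = os.stat(path)
    return info.st_uid == os.getuid() and stat.S_IMODE(info.st_mode) & 0o077 == 0


@contextlib.contextmanager
def private_krb5_env(krb5_conf_text=None):
    """Run a block with KRB5CCNAME (and, if text is given, KRB5_CONFIG)
    pointing into a fresh private directory.

    Yields the path where the Kerberos library will create the cache.
    On exit the previous environment is restored and the directory,
    including any ticket material written to it, is deleted.
    """
    workdir = tempfile.mkdtemp(prefix="krb5env_")  # created with mode 0700
    saved = {}
    try:
        ccache_path = os.path.join(workdir, "ccache")
        overrides = {"KRB5CCNAME": "FILE:" + ccache_path}
        if krb5_conf_text is not None:
            conf_path = os.path.join(workdir, "krb5.conf")
            # O_EXCL refuses to reuse an existing file; 0600 keeps it private.
            fd = os.open(conf_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w") as handle:
                handle.write(krb5_conf_text)
            overrides["KRB5_CONFIG"] = conf_path
        saved = {name: os.environ.get(name) for name in overrides}
        os.environ.update(overrides)
        yield ccache_path
    finally:
        for name, value in saved.items():
            if value is None:
                os.environ.pop(name, None)
            else:
                os.environ[name] = value
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    # Constructed configuration text, for illustration only.
    with private_krb5_env("[libdefaults]\n") as ccache:
        print(os.environ["KRB5CCNAME"], is_private(os.path.dirname(ccache)))
```

os.environ is shared by the whole process, so in a threaded server the block must be serialized with a lock or run in a child process; otherwise one request can see another request's cache.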
From: Chaos E. <cha...@gm...> - 2007-12-07 01:49:29

I think, there may be some problem if you set sAMAccountName
inconsistent with userPrincipalName.

BTW, If one Directory Server tells you that it UNWILLING TO PERFORM some
operations then you can not complete the same operations using ANY ldap
client!

On Dec 6, 2007 12:36 AM, Roland Hedberg <rol...@ad...> wrote:
> Hi!
>
> A short while ago there was a discussion about how to add users to an AD
> using python-ldap.
>
> I benefited a lot from that discussion, so you have my thanks too.
>
> On the topic python-ldap <-> AD:
>
> My problem is that I can add an entry using the User object class and
> attributes contained in that class without any problems.
>
> But when I try to add the samAccountName attribute and thereby the
> object class SecurityPrincipal the server complains.
>
> The error message I get is 'Server is unwilling to perform' which
> doesn't really tell me a lot :-)
>
> Anyone got a clue ?
>
> The AD isn't 'mine', but if there is something you need to know about it
> in order to answer my question I can ask the person in charge.
>
> -- Roland
>
> -------------------------------------------------------------------------
> SF.Net email is sponsored by: The Future of Linux Business White Paper
> from Novell. From the desktop to the data center, Linux is going
> mainstream. Let it simplify your IT future.
> http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
> _______________________________________________
> Python-LDAP-dev mailing list
> Pyt...@li...
> https://lists.sourceforge.net/lists/listinfo/python-ldap-dev

-- 
Best Regards
Chaos Eternal

From: <mi...@st...> - 2007-12-06 22:31:33

Geert Jansen wrote:
>
> On a related note, you may be interested in my current project
> Python-AD: http://www.boskant.nl/trac/python-ad/

How are you using Kerberos? Do you expect the user to run MIT's kinit
before sending a SASL/GSSAPI bind request? Does it also work with
heimdal? Do you make use of a Windows logon when running on Windows?

Ciao, Michael.

From: Geert J. <ge...@bo...> - 2007-12-06 19:04:08

Roland Hedberg wrote:
> On the topic python-ldap <-> AD:
>
> My problem is that I can add an entry using the User object class and
> attributes contained in that class without any problems.
>
> But when I try to add the samAccountName attribute and thereby the
> object class SecurityPrincipal the server complains.

I am not 100% sure whether this is the same issue, but I have noticed
that you cannot create a security principal in AD without a valid
password. But because you can only set the password once the principal
is created, this is a cyclical dependency. You can get out of this by
creating the account in the disabled state (by setting the appropriate
flag in userAccountControl), then setting the password, and then
enabling it.

On a related note, you may be interested in my current project
Python-AD: http://www.boskant.nl/trac/python-ad/

The code is ready for use and I will make the first release in a couple
of days. At the moment the code is available through Mercurial. I have a
working example script for creating a user with Python-AD here:
http://www.boskant.nl/trac/python-ad/wiki/TutorialFive

The example sets sAMAccountName and it works flawlessly.

Regards,
Geert

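
Added example, not taken from Python-AD or its tutorial: the create-disabled, set-password, enable sequence described in the message above, written as the three requests a python-ldap connection would send. The userAccountControl flag values and the unicodePwd encoding are Microsoft's documented ones; the function names, the DN and the account values are constructed, and RecordingConnection is a stand-in so the block runs without a directory server.

```python
# Numeric value of python-ldap's ldap.MOD_REPLACE, inlined so this block
# runs without the library installed.
MOD_REPLACE = 2

# userAccountControl bit flags as documented by Microsoft.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200


def encode_unicode_pwd(password):
    """unicodePwd takes the password wrapped in double quotes and encoded
    as UTF-16LE. AD only accepts this write over an encrypted connection
    (for example LDAPS)."""
    return ('"%s"' % password).encode("utf-16-le")


def disabled_user_attrs(sam_account_name, user_principal_name):
    """Attribute list for add_s(): a normal account, created disabled."""
    uac = UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE  # 514
    return [
        ("objectClass", [b"top", b"person", b"organizationalPerson", b"user"]),
        ("sAMAccountName", [sam_account_name.encode("utf-8")]),
        ("userPrincipalName", [user_principal_name.encode("utf-8")]),
        ("userAccountControl", [str(uac).encode("ascii")]),
    ]


def provision_user(conn, dn, sam_account_name, user_principal_name, password):
    """Create disabled, set the password, then enable.

    If the password write is refused (password policy, unencrypted link)
    the exception propagates before the last step, so the account stays
    disabled instead of being enabled without a usable password.
    """
    conn.add_s(dn, disabled_user_attrs(sam_account_name, user_principal_name))
    conn.modify_s(dn, [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(password)])])
    conn.modify_s(
        dn,
        [(MOD_REPLACE, "userAccountControl", [str(UF_NORMAL_ACCOUNT).encode("ascii")])],
    )


class RecordingConnection:
    """Stand-in for a python-ldap connection object: records each call
    instead of sending it to a server."""

    def __init__(self):
        self.calls = []

    def add_s(self, dn, attrs):
        self.calls.append(("add_s", dn, attrs))

    def modify_s(self, dn, mods):
        self.calls.append(("modify_s", dn, mods))


def demo():
    """Run the sequence against the stand-in with constructed values."""
    conn = RecordingConnection()
    provision_user(
        conn,
        "CN=Test User,CN=Users,DC=example,DC=com",
        "tuser",
        "tuser@example.com",
        "constructed-Passw0rd!",
    )
    return conn.calls


if __name__ == "__main__":
    for call in demo():
        print(call)
```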
From: Roland H. <rol...@ad...> - 2007-12-06 12:40:46

Michael Ströder wrote:
> Also a reason why one should not bother with retrieving a recent AD
> schema at all. I vaguely remember even more mess with e.g. inetOrgPerson
> class when installing Exchange before W2K3R2 schema etc.
>
> Conclusion: Make your AD-specific scripts simply work even if it looks
> not LDAPv3 compliant and leave the schema mess to your AD admins. :-)

I'm extremely sorry to hear this.

And wished I was able to leave it to the AD admins, but alas I can't.

Anyway, thanks Michael for the information.

-- Roland

From: <mi...@st...> - 2007-12-06 10:45:22

Roland,

Michael Ströder wrote:
> Roland Hedberg wrote:
>> The error message I get is 'Server is unwilling to perform' which
>> doesn't really tell me a lot :-)
>
> Most times it also returns a numeric error code with that message. You
> could try to search for that. Also the guys in the AD newsgroups on MS'
> NNTP server are quite helpful. Don't forget to let us know... ;-)

FWIW:
news://msnews.microsoft.com/microsoft.public.windows.server.active_directory

Ciao, Michael.

From: <mi...@st...> - 2007-12-06 10:39:37

Roland,

Roland Hedberg wrote:
>
> I'm now convinced that this all comes down to LDAP schema problems.

Somewhat...I recommend not to care too much.

> The schema file I have describing the AD schema has samAccountName as an
> attribute in the 'securityPrincipal' aux class.
>
> But, it turns out that the AD I'm working against has no problem using
> the attribute without adding the 'securityPrincipal' object class.
> In fact, in that server the attribute seems to be part of the object
> class 'User' !?

Welcome to the wonderful world of LDAP access to Active Directory.

Don't take the schema literally especially when accessing W2K/AD. Some
things improved with W2K3. Also some W2K/AD installations have the
W2K3R2 schema installed. And also some behaviour might depend on the
domain functional level.

> I've searched the net for up-to-date versions of the AD schema but they
> seem hard to get by.
> Anyone got a recent version ?

It would not help:
1. The schema is not really cleanly enforced.
2. It depends on Windows version and local configuration. Not sure
   about the domain functional level though.

> I found one fairly recent but that caused other problems since some
> attributes previously part of the standard schema now have moved over
> to the Microsoft exchange schema.

Also a reason why one should not bother with retrieving a recent AD
schema at all. I vaguely remember even more mess with e.g. inetOrgPerson
class when installing Exchange before W2K3R2 schema etc.

Conclusion: Make your AD-specific scripts simply work even if it looks
not LDAPv3 compliant and leave the schema mess to your AD admins. :-)

Ciao, Michael.

-- 
Michael Ströder
E-Mail: mi...@st...
http://www.stroeder.com

From: Roland H. <rol...@ad...> - 2007-12-06 10:20:07

Michael Ströder wrote:
>
> Roland Hedberg wrote:
>> But when I try to add the samAccountName attribute and thereby the
>> object class SecurityPrincipal the server complains.
>
> Could you please post a small test script?
>
> Are you sure the value of the samAccountName does not collide with any
> other user entry?

Oh, absolutely!

I'm now convinced that this all comes down to LDAP schema problems.

The schema file I have describing the AD schema has samAccountName as an
attribute in the 'securityPrincipal' aux class.

But, it turns out that the AD I'm working against has no problem using
the attribute without adding the 'securityPrincipal' object class.
In fact, in that server the attribute seems to be part of the object
class 'User' !?

I've searched the net for up-to-date versions of the AD schema but they
seem hard to get by.
Anyone got a recent version ?

I found one fairly recent but that caused other problems since some
attributes previously part of the standard schema now have moved over
to the Microsoft exchange schema. So anyone got one of those too ?

Sigh !

-- Roland

From: <mi...@st...> - 2007-12-05 18:18:09

Roland,

Roland Hedberg wrote:
>
> But when I try to add the samAccountName attribute and thereby the
> object class SecurityPrincipal the server complains.

Could you please post a small test script?

Are you sure the value of the samAccountName does not collide with any
other user entry?

> The error message I get is 'Server is unwilling to perform' which
> doesn't really tell me a lot :-)

Most times it also returns a numeric error code with that message. You
could try to search for that. Also the guys in the AD newsgroups on MS'
NNTP server are quite helpful. Don't forget to let us know... ;-)

Ciao, Michael.

From: Roland H. <rol...@ad...> - 2007-12-05 16:36:23

Hi!

A short while ago there was a discussion about how to add users to an AD
using python-ldap.

I benefited a lot from that discussion, so you have my thanks too.

On the topic python-ldap <-> AD:

My problem is that I can add an entry using the User object class and
attributes contained in that class without any problems.

But when I try to add the samAccountName attribute and thereby the
object class SecurityPrincipal the server complains.

The error message I get is 'Server is unwilling to perform' which
doesn't really tell me a lot :-)

Anyone got a clue ?

The AD isn't 'mine', but if there is something you need to know about it
in order to answer my question I can ask the person in charge.

-- Roland
