From: Mike M. <mm...@wy...> - 2007-11-06 19:47:48
Hi all,

Apologies in advance if this is a duplicate post, but every time I tried searching the archives it would time out. I am wondering if it is possible to create Active Directory objects (users) with the python-ldap module. I am currently developing on Mac OS X. I realize there are AD modules out there, but I am not aware of any that will compile and run on Mac OS X. If there are, I would appreciate any suggestions. Any information you can provide would be much appreciated!

Regards,
Mike

From: Geert J. <ge...@bo...> - 2007-11-06 20:17:17
Hello Mike,

> Apologies in advance if this is a duplicate post, but every time I
> tried searching the archives it would time out. I am wondering if it
> is possible to create Active Directory objects (users) with the python-
> ldap module. I am currently developing on Mac OS X. I realize there
> are AD modules out there, but I am not aware of any that will compile
> and run on Mac OS X. If there are I would appreciate any
> suggestions. Any information you can provide would be much appreciated!

It is definitely possible to create Active Directory users with python-ldap. You just need to take care that you set the minimum amount of attributes required, otherwise the addition will fail. I don't have any code ready at the moment, but just create a user object with ADUC and see what attributes that sets. Then take these as a base. Note that you don't need to create the SID and the GUID -- these are created automatically by AD.

Regards,
Geert

From: <mi...@st...> - 2007-11-07 09:44:43
Geert Jansen wrote:
> It is definitely possible to create Active Directory users with
> python-ldap. You just need to take care that you set the minimum amount
> of attributes required, otherwise the addition will fail. I don't have
> any code ready at the moment, but just create a user object with ADUC
> and see what attributes that sets. Then take these as a base. Note that
> you don't need to create the SID and the GUID -- these are created
> automatically by AD.

I vaguely remember that there are some issues with really activating a user entry as a Windows user. But this is not a problem of accessing AD via python-ldap.

Ciao, Michael.

From: Geert J. <ge...@bo...> - 2007-11-07 18:51:00
Michael Ströder wrote:
> I vaguely remember that there are some issues with really activating a
> user entry as a Windows user. But this is not a problem of accessing AD
> via python-ldap.

This indeed rings a bell. You need to create the user as disabled (look for userAccountControl on MSDN), set a compliant password, and then enable him.

Regards,
Geert

From: Mike M. <mm...@wy...> - 2007-11-08 03:15:40
Thanks for the help guys. It got me off to a great start. I have successfully created a user in my AD. As you already alluded to, I am struggling with the password attribute. Can the password attribute be set when creating a user? From what I gathered, the password attribute is 'unicodePwd'. This attribute cannot be created, it can only be modified. Is this attribute created by default when a user is created? Would I be able to do an add and then a modify to set the password? I am aware of the fact that there are certain restrictions in place in order to modify the password. I have set up my AD to include SSL and I am able to bind as Administrator over port 636. With that said, one of the examples I ran across for adding a user refers to another attribute, 'userPassword'. I am unable to tell what this attribute is. In the link below, it appears that the password is being set when the entry is added. I have tried this unsuccessfully. I appreciate all the help thus far.

Regards,
Mike

Example Add Entry - http://www.grotan.com/ldap/python-ldap-samples.html

From: David L. <d...@ad...> - 2007-11-08 12:49:06
Hi, Mike

I think AD uses an extension to the Kerberos protocol to change the password of a user. See http://msdn2.microsoft.com/en-us/library/ms808911.aspx

As far as I understand it, the unicodePwd attribute is the NT hash of the user's password. (See http://msdn2.microsoft.com/en-us/library/ms680513.aspx).

Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's LDAP. It should be a lot easier to manage than SSL certs.

David

--
David Leonard d...@ad...
Ph:+61 404 844 850

From: Mike M. <mm...@wy...> - 2007-11-08 13:41:52
Thanks for your input David. I will read through the MSDN articles to see if they provide me with any insight. I am not familiar with using SASL/GSSAPI/Kerberos to bind to AD's LDAP. Could you possibly provide me with a few steps to accomplish this?

Thanks,
Mike

From: David L. <d...@ad...> - 2007-11-08 14:26:02
First step is configuring your platform's Kerberos library so you can kinit against your AD server. You will need to read about krb5.conf and kinit, I suspect.

Next step is getting a SASL-GSSAPI module installed so that SASL can access your Kerberos library (through its GSSAPI interface). This is a matter of package hunting usually. I'm assuming your OpenLDAP library has SASL support.

Finally, you call ldap_sasl_bind to connect. I hope someone else can chime in here with an example of SASL binds with python-ldap.

d

--
David Leonard d...@ad...
Ph:+61 404 844 850

From: <mi...@st...> - 2007-11-08 17:53:46
David Leonard wrote:
> I hope someone else can
> chime in here with an example of sasl binds with python-ldap.

See: Demo/sasl_bind.py

Ciao, Michael.

From: David L. <d...@ad...> - 2007-11-09 00:06:10
Michael Ströder wrote:
> David Leonard wrote:
>> I hope someone else can
>> chime in here with an example of sasl binds with python-ldap.
>
> See: Demo/sasl_bind.py

Oops, of course! Thanks Michael :)

--
David Leonard d...@ad...
Ph:+61 404 844 850

From: <mi...@st...> - 2007-11-08 18:02:46
David Leonard wrote:
> As far as I understand it, the unicodePwd attribute is the NT hash of
> the user's password.

I don't think so when setting it. Maybe it contains the NT hash afterwards, but conversion is probably done internally.

http://support.microsoft.com/kb/269190

It seems you need to combine ldap.MOD_DELETE with the old password and ldap.MOD_ADD with the new password when setting unicodePwd yourself, and ldap.MOD_REPLACE when setting it for another account. Additionally you have to use quotes around it. And furthermore it has to be UTF-16-encoded (little endian). MS docs are usually poorly written.

> Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's
> LDAP. It should be a lot easier to manage than SSL certs.

The SSL certs are not used to bind to AD in this case. Rather they are just used to connect over SSL (ldaps://).

Ciao, Michael.

From: Geert J. <ge...@bo...> - 2007-11-08 18:41:59
> Mike Matz wrote:
>> Thanks for the help guys. It got me off to a great start. I have
>> successfully created a user in my AD. As you already alluded to, I am
>> struggling with the password attribute. Can the password attribute
>> be set when creating a user? From what I gathered, the password
>> attribute is 'unicodePwd'.

Forget about using LDAP to change a user's password. It can be done but it requires 128-bit SSL and so you need to set up certificate services and distribute the CA certificate to your client. An easier way is to use the Kerberos Set Password protocol (RFC3244). MIT Kerberos 1.3 and later support this protocol. Unfortunately there is no command-line interface to this call so you need to create a Python extension module for wrapping this call.

My (in progress) project FreeADI contains a wrapper for the Set Password call. See the file "/trunk/freeadi/core/_krb5.c" on my Trac page at freeadi.org. The code is available under the liberal MIT license.

The "userPassword" attribute is the Unix shadow hash, and is not used for Kerberos.

Regards,
Geert

From: <mi...@st...> - 2007-11-09 09:35:40
Geert Jansen wrote:
> Forget about using LDAP to change a user's password. It can be done but
> it requires 128-bit SSL and so you need to set up certificate services
> and distribute the CA certificate to your client. An easier way is to
> use the Kerberos Set Password protocol (RFC3244). MIT Kerberos 1.3 and
> later support this protocol. Unfortunately there is no command-line
> interface to this call so you need to create a Python extension module
> for wrapping this call.
>
> My (in progress) project FreeADI contains a wrapper for the Set Password
> call. See the file "/trunk/freeadi/core/_krb5.c" on my Trac page at
> freeadi.org. The code is available under the liberal MIT license.

If you're already on that route you might be interested in the heimdal-wrapper module by Univention. Its license is GPL. Not sure whether they support the Set Password protocol though.

Ciao, Michael.

From: Mike M. <mm...@wy...> - 2007-11-09 13:36:36
Thank you to all who responded to my queries. I have been able to successfully create an account and set the password for an AD user on my test server. For those who are interested, here is the breakdown of what I did. As I continue to debug and test I will post updates to this topic.

Connected via SSL to the server. There is no need to manage certificates on the client since I am not binding, only establishing an LDAP connection. Certificate Services do need to be installed on the server. In the future I plan to try to implement the sasl_bind code that Michael mentioned.

To create the account I performed an ldap add, and to set the password I performed a modify on the unicodePwd attribute. This has appeared to work successfully. I am able to authenticate as the newly created user, map a home directory, etc. I will need to do further testing to ensure that this is a valid method for creating an account.

Once again, thanks to all who provided input!

Regards,
Mike

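The add-then-modify sequence Mike describes above, put together with Geert's "create disabled, set a compliant password, then enable" advice and Michael's unicodePwd rules (value in double quotes, UTF-16-LE, MOD_REPLACE for an administrative reset, MOD_DELETE plus MOD_ADD for a self-service change). This is an added example, not code from the thread or from python-ldap itself; the DNs, account names and the FakeConnection stand-in are constructed so it runs offline, and it also covers the self-service modlist the thread only mentions in passing.

```python
"""Create an AD user with python-ldap: add it disabled, set unicodePwd, enable it.
Constructed example: the DNs, names and FakeConnection below are not from the thread."""
try:
    import ldap
    MOD_ADD, MOD_DELETE, MOD_REPLACE = ldap.MOD_ADD, ldap.MOD_DELETE, ldap.MOD_REPLACE
except ImportError:  # python-ldap not installed: fall back to its documented values
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

ACCOUNTDISABLE = 0x0002   # userAccountControl bits, as documented on MSDN
NORMAL_ACCOUNT = 0x0200

def encode_unicode_pwd(password):
    """AD wants the value wrapped in double quotes and UTF-16 little-endian (no BOM)."""
    return ('"%s"' % password).encode('utf-16-le')

def new_user_addlist(cn, sam_account, domain_dn):
    """Attribute list for add_s(): the account starts out disabled."""
    dcs = [p.split('=', 1)[1] for p in domain_dn.split(',') if p.upper().startswith('DC=')]
    upn = '%s@%s' % (sam_account, '.'.join(dcs))
    uac = NORMAL_ACCOUNT | ACCOUNTDISABLE
    return [
        ('objectClass', [b'top', b'person', b'organizationalPerson', b'user']),
        ('cn', [cn.encode('utf-8')]),
        ('sAMAccountName', [sam_account.encode('utf-8')]),
        ('userPrincipalName', [upn.encode('utf-8')]),
        ('userAccountControl', [str(uac).encode('ascii')]),
    ]

def admin_reset_modlist(new_password):
    """Administrator resetting someone else's password: a single MOD_REPLACE."""
    return [(MOD_REPLACE, 'unicodePwd', [encode_unicode_pwd(new_password)])]

def self_change_modlist(old_password, new_password):
    """User changing their own password: MOD_DELETE the old value, MOD_ADD the new one."""
    return [(MOD_DELETE, 'unicodePwd', [encode_unicode_pwd(old_password)]),
            (MOD_ADD, 'unicodePwd', [encode_unicode_pwd(new_password)])]

def enable_modlist():
    """Clear ACCOUNTDISABLE once a policy-compliant password is in place."""
    return [(MOD_REPLACE, 'userAccountControl', [str(NORMAL_ACCOUNT).encode('ascii')])]

def create_enabled_user(conn, dn, cn, sam_account, domain_dn, password):
    """add (disabled) -> set unicodePwd -> enable. conn must be an encrypted session
    (ldaps:// or a sealing SASL bind); AD rejects unicodePwd writes in the clear."""
    conn.add_s(dn, new_user_addlist(cn, sam_account, domain_dn))
    conn.modify_s(dn, admin_reset_modlist(password))
    conn.modify_s(dn, enable_modlist())

class FakeConnection:
    """Constructed stand-in for ldap.initialize('ldaps://...') so the flow runs offline."""
    def __init__(self):
        self.calls = []

    def add_s(self, dn, addlist):
        self.calls.append(('add', dn, addlist))

    def modify_s(self, dn, modlist):
        self.calls.append(('modify', dn, modlist))

if __name__ == '__main__':
    conn = FakeConnection()  # real use: conn = ldap.initialize('ldaps://dc.example.test')
    create_enabled_user(conn, 'CN=Test User,CN=Users,DC=example,DC=test',
                        'Test User', 'tuser', 'DC=example,DC=test', 'Correct-Horse-9')
    for op, dn, changes in conn.calls:
        print(op, dn, changes)
```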
From: <mi...@st...> - 2007-11-09 15:16:56
Mike Matz wrote:
> In the future I plan to try to implement the sasl_bind
> code that Michael mentioned.

In the past, after invoking the kinit command-line tool for getting a TGT, I was successful sending a SASL bind with mech GSSAPI with python-ldap, OpenLDAP libs and heimdal. But not sure about whether this all works together with a recent version of heimdal...

Ciao, Michael.

From: Joe L. <jl...@op...> - 2007-11-08 18:16:21
(repost from another address)

Here's something that may be useful in this conversation about AD objects. I wrote with some reference help a script to pack a SID as I was creating the necessary objects to create AD accounts from python using python-ldap:

""" packsid: pack a textual SID (S-R-I-S-S...) into the binary form stored in objectSid """
import base64
import struct

def packsid(textsid):
    if textsid[0] != 'S':
        return None
    data = textsid[2:].split('-')
    rev = int(data[0])            # revision (1)
    idauth = int(data[1])         # identifier authority, e.g. 5 = NT authority
    subauthcount = len(data) - 2
    # revision, sub-authority count, then the identifier authority as 6 big-endian bytes
    packedsid = struct.pack("BB", rev, subauthcount) + idauth.to_bytes(6, 'big')
    for i in range(subauthcount):
        # each sub-authority (the trailing RID included) is a 32-bit little-endian integer
        packedsid += struct.pack("<L", int(data[2 + i]))
    return packedsid

respack = packsid('S-1-5-21-1398680112-2183325515-263647921-996')
resenc = base64.b64encode(respack)
print(resenc.decode('ascii'))

I barely remember how I arrived at each part, but it was mostly through trial and error.
