Enable/Disable account programmatically using Python ldap module?

Posted by 夏天 on 2020-05-11 03:19:07

Question


I would like to programmatically enable/disable LDAP user accounts. From the command prompt I can use dsutil and this apparently sets/removes the nsAccountLock operational attribute. I have attempted to do modify_s() to set and remove this attribute from w/in Python but always get the following error message: "Insufficient 'write' privilege to the 'nsAccountLock' attribute of entry ''".

Is there a way to set/remove/add operational attributes or otherwise enable/disable ldap users programmatically through Python?

Thanks, C


Answer 1:


You should use the attribute 'userAccountControl' which contains a set of control bits.

If you are managing normal users, to enable user:

userAccountControl = 512

and to disable it:

userAccountControl = 514

Generally, if you want to enable/disable an existing user, you should retrieve current value and update it this way.

userADAccountControlFlag = 2
userAccountControl = user.userAccountControl

# To enable user:
userAccountControl = userAccountControl & ~userADAccountControlFlag # (& bit-wise AND, ~ bit-wise Negate)

# To disable user:
userAccountControl = userAccountControl | userADAccountControlFlag # (| bit-wise OR)

user.userAccountControl = userAccountControl

# Then update user on ldap server

You can find more about the userAccountControl attribute here: http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm
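
The read-modify-write that the answer describes, written against python-ldap as an added example (not code from the original post): it flips only the disable bit, so other flags on the account survive, where writing a literal 512 or 514 would clear them. `toggle_uac`, `set_account_enabled` and the in-memory `FakeDirectory` are names made up for this illustration, and it assumes a directory that exposes `userAccountControl`.

```python
try:
    import ldap  # python-ldap 3.x
    SCOPE_BASE, MOD_REPLACE = ldap.SCOPE_BASE, ldap.MOD_REPLACE
except ImportError:  # offline demo: same numeric values python-ldap exposes
    SCOPE_BASE, MOD_REPLACE = 0, 2

ACCOUNTDISABLE = 0x0002  # the flag value 2 from the answer above


def toggle_uac(current, enabled):
    """Return userAccountControl with only the disable bit changed."""
    return current & ~ACCOUNTDISABLE if enabled else current | ACCOUNTDISABLE


def set_account_enabled(conn, dn, enabled):
    """Read-modify-write userAccountControl on dn; returns (old, new)."""
    found = conn.search_s(dn, SCOPE_BASE, "(objectClass=*)", ["userAccountControl"])
    values = found[0][1].get("userAccountControl") if found else None
    if not values:
        raise LookupError("userAccountControl not readable on %s" % dn)
    old = int(values[0])  # python-ldap 3.x returns attribute values as bytes
    new = toggle_uac(old, enabled)
    if new != old:  # skip the write (and the audit noise) when nothing changes
        conn.modify_s(dn, [(MOD_REPLACE, "userAccountControl",
                            [str(new).encode("ascii")])])
    return old, new


class FakeDirectory:
    """Constructed in-memory stand-in for an LDAPObject, for the demo only."""
    def __init__(self, entries):
        self.entries = entries
    def search_s(self, base, scope, filterstr, attrlist):
        return [(base, self.entries[base])] if base in self.entries else []
    def modify_s(self, dn, modlist):
        for _op, attr, vals in modlist:
            self.entries[dn][attr] = vals


def demo():
    dn = "CN=Test User,OU=Staff,DC=example,DC=test"  # constructed DN
    # 66048 = 0x10200 = NORMAL_ACCOUNT (512) | DONT_EXPIRE_PASSWORD (65536)
    directory = FakeDirectory({dn: {"userAccountControl": [b"66048"]}})
    disabled = set_account_enabled(directory, dn, False)
    enabled = set_account_enabled(directory, dn, True)
    return disabled, enabled, directory.entries[dn]["userAccountControl"]
```

Against a real server, `conn` would be the object returned by `ldap.initialize(...)` after a successful `simple_bind_s(...)`, bound as an identity that is allowed to write the attribute.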



Source: https://stackoverflow.com/questions/13597345/enable-disable-account-programmatically-using-python-ldap-module
