[python-ldap] Programmatically enable/disable LDAP users from Python?

Carolyn Lanser cll at rincon.com
Wed Nov 28 20:10:13 CET 2012


Chaos/Peter/Chris-

Thank you for the replies.  I was binding incorrectly (anonymously instead of with an admin dn).

However I am still having issues.  I printed out a user’s attributes before/after using dsutil to disable an account to see what changed, hoping that it would lead to an easy solution.  The only difference I saw was nsAccountLock was present and set to [‘true’] when the account was deactivated.  I tried to simulate this programmatically, but this did not work.  I changed the value of nsAccountLock to not be true but dsutil account-status still showed the account as active.  Likewise, setting nsAccountLock on an active account was not sufficient to disable an account.

Therefore it seems my assumptions were incorrect.  We are using Oracle Directory Server Enterprise Edition (11.1.1.5.0).  Does anybody have experience programmatically (using Python) enabling/disabling accounts?  Perhaps this is just an Oracle LDAP implementation limitation?

Cheers,
C

________________________________

From: Chaos Eternal [mailto:chaoseternal at gmail.com]


Hi,  this depends on which ldap server you are using.
On Nov 28, 2012 11:39 AM, "Carolyn Lanser" <cll at rincon.com> wrote:

I would like to programmatically enable/disable LDAP user accounts. From the command prompt I can use dsutil and this apparently sets/removes the nsAccountLock operational attribute. I have attempted to do modify_s() to set and remove this attribute from w/in Python but always get the following error message: "Insufficient 'write' privilege to the 'nsAccountLock' attribute of entry ''".

Is there a way to set/remove/add operational attributes or otherwise enable/disable ldap users programmatically through Python?
Thanks, C
________________________________
From:  Peter Fisher
Look in your ldap server's slapd.conf (or related conf file) for the ACL that restricts this attribute.

If your ldap server is OpenLDAP you could view:
http://www.openldap.org/doc/admin24/access-control.html


Cheers,
Peter Fisher.

________________________________

From: Chris Dukes <chris.dukes.aix at gmail.com>
To: python-ldap at python.org
Subject: Re: [python-ldap] Programmatically enable/disable LDAP users from Python?
Message-ID: <50B5899D.80504 at gmail.com>




You're going to have to read up on ACLs for the LDAP server you're using.



I suspect that you're failing to bind as a privileged user as you did not mention it in your email.  dsutil defaults to $LDAP_ADMIN_USER or cn=Directory Manager, and may further abuse a connection to localhost to determine authority.
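
The before/after comparison described at the top of this thread can be done mechanically. The following is an added example, not code from any poster or from python-ldap: it diffs two snapshots of one entry, assuming the `{attribute: [bytes, ...]}` shape that python-ldap's `search_s()` returns, and that operational attributes were requested in the search (a server returns them only when asked). The function name and the sample entries are constructed for illustration.

```python
# Added example: diff two snapshots of the same LDAP entry.
# Numeric values match python-ldap's ldap.MOD_ADD / MOD_DELETE / MOD_REPLACE.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def diff_entry(before, after):
    """Return (op, attribute, values) tuples describing how `after` differs.

    Attribute names are matched case-insensitively (as LDAP does) and values
    are compared as unordered sets, so reordering alone is not a change.
    """
    old = {name.lower(): (name, vals) for name, vals in before.items()}
    new = {name.lower(): (name, vals) for name, vals in after.items()}
    changes = []
    for key in sorted(old.keys() | new.keys()):
        if key not in old:
            name, vals = new[key]
            changes.append((MOD_ADD, name, list(vals)))
        elif key not in new:
            changes.append((MOD_DELETE, old[key][0], None))
        elif set(old[key][1]) != set(new[key][1]):
            name, vals = new[key]
            changes.append((MOD_REPLACE, name, list(vals)))
    return changes


# Constructed sample snapshots (hypothetical user), taken before and after
# the account was disabled with the server's own tool.
ACTIVE = {
    "uid": [b"jdoe"],
    "cn": [b"Jane Doe"],
    "objectClass": [b"top", b"person", b"inetOrgPerson"],
}
DISABLED = {
    "uid": [b"jdoe"],
    "CN": [b"Jane Doe"],                                   # same attribute, other case
    "objectclass": [b"person", b"top", b"inetOrgPerson"],  # same values, reordered
    "nsAccountLock": [b"true"],
}

if __name__ == "__main__":
    for op, attr, vals in diff_entry(ACTIVE, DISABLED):
        print(op, attr, vals)
```

The tuples have the same layout as a `modify_s()` modlist, but the diff only shows what differs among the attributes that were retrieved; it does not show which change the server treats as authoritative for account status.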
