Active Directory user creation with python-ldap
michael at stroeder.com
Fri Apr 29 08:51:18 EDT 2011
> I need to create an Active Directory user using python-ldap library. So, I
> authenticate with an admin account and I use "add_s" to create the user.
This is possible. Which version of AD are you working with?
> Anyway, by default users are disabled on creation,
That's the correct way of doing this.
> and I can not set
> userAccountControl to switch off the flag ACCOUNTDISABLE, i.e. setting
> userAccountControl with 512 (NORMAL_ACCOUNT) value.
This should be possible. Make sure you really bind as the admin and you have
sufficient access rights.
Check your code. I'd suggest to set trace_level when calling ldap.initialize()
to observe what gets passed to python-ldap in which order.
> Same thing if - as someone suggests - I create the user without a
> password and try to set userAccountCreation later.
Passwords are different anyway since you have to set the unicodePwd attribute.
I never tried to do this with a single write operation though.
You can try my web2ldap which does all this also with MS AD. It has a special
plugin class for attribute userAccountControl which lets you set values
bit-wise when modifying a user entry. And setting password automagically
switches to setting unicodePwd when working with MS AD.
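
Added example (not from the original post and not web2ldap code): one way to sequence the writes discussed in this thread, using separate operations to create the entry disabled, set unicodePwd, then clear the ACCOUNTDISABLE bit. It assumes python-ldap 3.x (attribute values as bytes), an encrypted connection (AD accepts unicodePwd writes only over ldaps:// or StartTLS), and placeholder host names and DNs; `create_enabled_user` and its helpers are hypothetical names.

```python
# Added example: python-ldap 3.x style (attribute values are bytes).
MOD_REPLACE = 2            # same value as ldap.MOD_REPLACE
ACCOUNTDISABLE = 0x0002    # userAccountControl flag bit
NORMAL_ACCOUNT = 0x0200    # 512


def encode_unicode_pwd(password):
    """AD expects unicodePwd as the password in double quotes, UTF-16LE."""
    return ('"%s"' % password).encode("utf-16-le")


def clear_flag(uac, flag):
    """Switch off one userAccountControl bit, leaving the others untouched."""
    return uac & ~flag


def create_enabled_user(conn, dn, sam, password):
    """Create the user disabled, set the password, then enable the account.

    conn is an already bound LDAPObject (or anything with add_s/modify_s).
    """
    disabled = NORMAL_ACCOUNT | ACCOUNTDISABLE          # 514
    conn.add_s(dn, [
        ("objectClass", [b"top", b"person", b"organizationalPerson", b"user"]),
        ("sAMAccountName", [sam.encode("utf-8")]),
        ("userAccountControl", [str(disabled).encode("ascii")]),
    ])
    conn.modify_s(dn, [(MOD_REPLACE, "unicodePwd",
                        [encode_unicode_pwd(password)])])
    enabled = clear_flag(disabled, ACCOUNTDISABLE)      # 512
    conn.modify_s(dn, [(MOD_REPLACE, "userAccountControl",
                        [str(enabled).encode("ascii")])])
    return enabled


if __name__ == "__main__":
    import getpass
    import ldap  # python-ldap

    # Host name, bind DN and user DN are placeholders (assumptions).
    conn = ldap.initialize("ldaps://dc.example.com", trace_level=2)
    conn.simple_bind_s("CN=Administrator,CN=Users,DC=example,DC=com",
                       getpass.getpass("Bind password: "))
    create_enabled_user(conn, "CN=Test User,CN=Users,DC=example,DC=com",
                        "testuser", getpass.getpass("New user password: "))
```

With trace_level set as suggested above, the three operations and their order appear in the trace output.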