adcon Module
- class adcon.mldap(**args)
This class connects to, and interacts with, an Active Directory domain over LDAP.
- Named parameters:
- credsfile
- LDAP_USERNAME
- LDAP_PASSWORD
- LDAP_SERVER
- LDAP_BASE
- LDAP_USER_BASE
- LDAP_GROUP_BASE
- LDAP_DOMAIN
- checkidno(idno)
Takes an IDNO as its only argument and searches the employeeNumber LDAP attribute for that value.
Deprecated since version 2.0: Use getattr_by_filter() instead.
Parameters: idno (str) – the user's 7-digit IDNO
Returns: sAMAccountName, or None if no object matches
- checkuser(samaccountname)
Returns a given set of attributes for a sAMAccountName.
Deprecated since version 2.0: Use getattr() instead.
- compare(samaccountname, attr, value)
Perform an LDAP compare operation on an AD object, checking whether attr holds value.
Returns: bool (True for a match)
Raises: ldap.NO_SUCH_ATTRIBUTE if the object has no attr
- compare_by_objectguid(objectguid, attr, value)
Verify that the AD object with the given objectGUID has attr set to value (using an LDAP compare).
Raises: ldap.NO_SUCH_ATTRIBUTE
- connect()
Try to build a connection.
Note
This should not, but currently does, call sys.exit() on ldap.INVALID_CREDENTIALS and ldap.SERVER_DOWN exceptions, so callers cannot catch those failures themselves.
- create(samaccountname, cn, path, CONSTattributes={})
Create a new account with the specified attributes set. All entries in ‘attributes’ are expected to be LDAP attributes, except attributes[‘password’], which is converted into the form AD’s unicodePwd attribute requires.
Parameters:
- samaccountname (str) – username to create
- cn (str) – CN of the new account (only the value, i.e. the (whatever) in CN=(whatever))
- path (str) – LDAP path (DN) of the OU in which to create the account
- CONSTattributes (dict) – a dict of LDAP attributes for the new account
- create_group(groupname, path, members=[])
Create a new group with the specified members.
Parameters:
- groupname (str) – name of the group to create
- path (str) – base CN under which the new group is created
- members (list) – a list of members with which to pre-populate the group
- exists(samaccountname)
Check whether an account exists, based on the presence of an object with that sAMAccountName.
Returns: bool
- getattr(samaccountname, attr='*')
Look up attributes on a given sAMAccountName. If attr is not specified, return all attributes.
Parameters: attr – a string naming one LDAP attribute, a list of LDAP attributes, or the string ‘*’ to return all attributes.
Returns: the requested attribute. If multiple attributes are requested, returns a dictionary keyed by attribute name.
- Usage:
>>> getattr(sAMAccountName, [attr1, attr2, ...])
>>> getattr(samaccountname)
- Examples:
>>> mldapObj.getattr("wimpy", "sAMAccountName")
'wimpy'
>>> mldapObj.getattr("wimpy")['mail']
'wimpy@wimpy.org'
>>> mldapObj.getattr("wimpy", ['sAMAccountName', 'mail'])
{'mail': 'wimpy@wimpy.org', 'sAMAccountName': 'wimpy'}
- getattr_by_filter(key, value, attr)
Perform a search matching an object whose key attribute equals value, and return that object's attr attribute.
Returns: the requested value, or None if nothing matches.
Examples:
Get the mail attribute from the AD object identified by sAMAccountName = “wimpy”:
>>> mldapObj.getattr_by_filter('sAMAccountName', 'wimpy', 'mail')
'wimpy@wimpy.org'
Get the objectClass from the AD object identified by sAMAccountName = “wimpy”:
>>> mldapObj.getattr_by_filter('sAMAccountName', 'wimpy', 'objectClass')
['top', 'person', 'organizationalPerson', 'user']
- getattr_old(samaccountname, attr='*')
Look up attributes on a given sAMAccountName. If attr is not specified, return all attributes.
- Usage:
>>> getattr(sAMAccountName, [attr1, attr2, ...])
>>> getattr(samaccountname)
Deprecated since version 2.0: Use getattr() instead.
- getattrs_by_filter(key, value, attrlist=None, base=None, pageSize=1000, compare='=', addt_filter='')
Search AD by attribute, returning every matching object.
Parameters:
- attrlist (list) – the attributes desired (None for all)
- pageSize – page size for the paged-results control (AD’s default MaxPageSize is 1000)
- compare – comparison operator; valid operators are =, >= and <= (ordering is lexicographical for string attributes)
- addt_filter – additional LDAP filter text combined with the key/value clause
Returns: a list of result dictionaries.
- Examples:
>>> mldapObj.getattrs_by_filter("sAMAccountName", "wimpy")[0]['sAMAccountName']
'wimpy'
>>> mldapObj.getattrs_by_filter("sAMAccountName", "wimpy")[0]['objectClass']
['top', 'person', 'organizationalPerson', 'user']
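The filter-based lookups above take a caller-supplied key and value and turn them into an LDAP search filter; the page does not say whether adcon escapes the value, and an unescaped value such as 'wimpy)(objectClass=*' changes the filter's meaning. The following is an added example, not code from the adcon module: it builds the (key, value, compare, addt_filter) clause with RFC 4515 escaping and operator validation, and also shows how python-ldap's raw search results (the results[r][n] layout described under getmattr() below) collapse into the flat dictionaries the getattr() examples return. It assumes only the standard library; the result layout and the SAMPLE_RESULT entry are constructed.

```python
"""Build an LDAP search filter safely and normalise python-ldap results.

Added example for this page, not code from the adcon module. It assumes
only the standard library and the result layout python-ldap's search_s()
returns: a list of (dn, {attr: [values]}) tuples, with dn None for
referrals.
"""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value. Backslash goes first so it is never double-escaped.
_FILTER_ESCAPES = (
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
)
_ALLOWED_COMPARE = ("=", ">=", "<=")
# Attribute description per RFC 4512: a descriptor plus optional ;options.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")
# Attributes whose values are raw bytes, not text; never decode these.
_BINARY_ATTRS = {"objectGUID", "objectSid", "nTSecurityDescriptor"}


def escape_filter_value(value):
    """Escape an assertion value so it cannot close or extend the filter."""
    for raw, escaped in _FILTER_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def build_filter(key, value, compare="=", addt_filter=""):
    """Return "(key compare value)" ANDed with the optional addt_filter.

    key is validated as an attribute description and value is escaped, so
    attacker-controlled input such as 'wimpy)(objectClass=*' stays one
    literal assertion value. addt_filter is a trusted, caller-written
    fragment (as on the page) and is inserted unchanged.
    """
    if not _ATTR_RE.match(key):
        raise ValueError("invalid attribute description: %r" % key)
    if compare not in _ALLOWED_COMPARE:
        raise ValueError("unsupported comparison operator: %r" % compare)
    clause = "(%s%s%s)" % (key, compare, escape_filter_value(value))
    return "(&%s%s)" % (clause, addt_filter) if addt_filter else clause


def flatten_results(results, attrlist=None):
    """Turn [(dn, {attr: [bytes]}), ...] into a list of plain dicts.

    Referral entries (dn is None) are dropped, text values are decoded,
    single-valued attributes are unwrapped and multi-valued ones stay
    lists, matching the getattr()/getattrs_by_filter() examples.
    """
    flat = []
    for dn, attrs in results:
        if dn is None:  # search referral, not an entry
            continue
        entry = {"dn": dn}
        for attr, values in attrs.items():
            if attrlist is not None and attr not in attrlist:
                continue
            if attr not in _BINARY_ATTRS:
                values = [v.decode("utf-8") if isinstance(v, bytes) else v
                          for v in values]
            entry[attr] = values[0] if len(values) == 1 else list(values)
        flat.append(entry)
    return flat


# Constructed sample result, shaped like python-ldap's search_s() output.
SAMPLE_RESULT = [
    ("CN=wimpy,OU=Users,DC=wimpy,DC=org", {
        "sAMAccountName": [b"wimpy"],
        "mail": [b"wimpy@wimpy.org"],
        "objectClass": [b"top", b"person", b"organizationalPerson", b"user"],
        "objectGUID": [bytes(range(1, 17))],
    }),
    (None, ["ldap://ForestDnsZones.wimpy.org/DC=ForestDnsZones,DC=wimpy,DC=org"]),
]

if __name__ == "__main__":
    print(build_filter("sAMAccountName", "wimpy)(objectClass=*"))
    print(flatten_results(SAMPLE_RESULT, ["sAMAccountName", "mail"]))
```

Note that objectGUID and objectSid are deliberately left as bytes: decoding them as text silently corrupts the identifiers that compare_by_objectguid() and replace_by_objectguid() key on.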
- getgroup(group)
Return a group as an adgroup.ADgroup object.
- getmattr(samaccountname, attr='*')
Return multiple, multivalued attributes from AD.
Results from python-ldap are structured as results[r][n][attr][values], where:
- r = result number
- n = 0 for the DN of the result, 1 for the dictionary of search attributes
- attr = attribute name, a key of that dictionary
- values = list of values for that attribute (always in list form, even for single-valued attributes)
- getuac(samaccountname)
Retrieve the userAccountControl field for a given user.
>>> ad.getuac('shaunt').flags()
['ADS_UF_NORMAL_ACCOUNT']
>>> ad.getuac('shaunt')
<<class 'mldap.uac'> object (['ADS_UF_NORMAL_ACCOUNT'])>
>>> ad.getuac('wimpy').set(uac.ADS_UF_PASSWORD_EXPIRED).commit()
Returns: a uac.uac object derived from these flags.
- getuser(samaccountname_or_dn)
Return an object of type ADUser for a given sAMAccountName or DN.
- getuser_by_filter(attr, value)
Retrieve a single user by filter.
Raises Exception if more than one object matches the filter.
Parameters: attr (str) – AD attribute to match on (sAMAccountName, etc.)
Returns: the matching aduser.ADuser object, or None if there is no match
Examples:
>>> user = mldapObj.getuser_by_filter(attr, value)
- getusers(base=None, objectType='samaccountname')
Retrieve a list of aduser.ADuser objects (a more object-oriented version of adcon.mldap.listou()).
- getusers_by_filter(attr, value)
Retrieve a list of users by filter.
Parameters: attr (str) – AD attribute to match on (sAMAccountName, etc.)
Returns: a list of aduser.ADuser objects
Examples:
>>> users = mldapObj.getusers_by_filter(attr, value)
- isexpired(samaccountname)
Is a given sAMAccountName expired?
accountExpires is the number of 100-nanosecond intervals (0.0000001 s) since 12:00 AM on January 1, 1601, in UTC.
If a user object in Active Directory has never had an expiration date, accountExpires is set to a huge number: 2^63 - 1, or 9,223,372,036,854,775,807. A value of 0 also means the account never expires, so both values must be treated as “no expiry”.
- islocked(samaccountname)
Is a given account locked?
MSDN has this to say about lockoutTime:
The date and time (UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the account is not currently locked out.
However, further down the same MSDN page says:
This attribute value is only reset when the account is logged onto successfully. This means that this value may be non zero, yet the account is not locked out. To accurately determine if the account is locked out, you must add the Lockout-Duration to this time and compare the result to the current time, accounting for local time zones and daylight savings time.
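Both isexpired() and islocked() reduce to the same arithmetic on AD's 100-nanosecond timestamps, with the sentinel values that must be special-cased. The block below is an added example, not adcon's implementation: it converts FILETIME values both ways with integer arithmetic, treats 0 and 2^63 - 1 as "never expires", and applies the MSDN lockout rule quoted above using the domain's lockoutDuration (stored as a negative interval, with -2^63 meaning "locked until an administrator unlocks"). Inputs may be int, str or bytes, as python-ldap returns them; `now` is passed in so the checks are deterministic.

```python
"""Decode AD FILETIME values and evaluate accountExpires / lockoutTime.

Added example for this page, not code from adcon. It takes raw attribute
values as python-ldap hands them back (bytes, str or int) and a `now`
argument so the checks are deterministic; lockout_duration is the
domain object's lockoutDuration attribute the MSDN text refers to.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10
# accountExpires: both values mean the account never expires.
NEVER_EXPIRES = {0, 2**63 - 1}
# lockoutDuration is stored as a negative interval; this sentinel means
# "locked until an administrator unlocks the account".
LOCKOUT_FOREVER = -2**63


def filetime_to_datetime(value):
    """Convert 100-ns ticks since 1601-01-01 UTC to an aware datetime."""
    ticks = int(value)
    if ticks < 0 or ticks in NEVER_EXPIRES:
        raise ValueError("not a point in time: %d" % ticks)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic only."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return (seconds * 10**6 + delta.microseconds) * TICKS_PER_MICROSECOND


def is_expired(account_expires, now):
    """True once accountExpires lies in the past; sentinels never expire."""
    ticks = int(account_expires)
    if ticks in NEVER_EXPIRES:
        return False
    return filetime_to_datetime(ticks) <= now


def is_locked(lockout_time, lockout_duration, now):
    """MSDN rule: locked iff lockoutTime + lockoutDuration is still ahead of now.

    lockoutTime stays non-zero after the lockout window has passed (it is
    only reset by a successful logon), so comparing it to zero is wrong.
    """
    ticks = int(lockout_time)
    if ticks == 0:
        return False
    duration = int(lockout_duration)
    if duration == LOCKOUT_FOREVER:
        return True
    unlock_at = filetime_to_datetime(ticks) + timedelta(
        microseconds=-duration // TICKS_PER_MICROSECOND)
    return now < unlock_at


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(is_locked(datetime_to_filetime(now - timedelta(minutes=10)),
                    -30 * 60 * 10**7, now))
```

Because lockoutTime is only cleared by a successful logon, a monitoring query for "currently locked accounts" has to apply this same window rather than filtering on (lockoutTime>=1); AD itself exposes the computed state in the constructed attribute msDS-User-Account-Control-Computed.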
- ismember(samaccountname, group)
Check whether a given sAMAccountName is a member of a given group.
- listou(base=None, objectType='sAMAccountName', pageSize=1000)
Return a list of all sAMAccountNames in a given OU.
- move(srcDN, destDN)
Move an object from srcDN to destDN.
Todo
Should not use print statements here.
- move2(samaccountname, destOU)
Move an account into another OU. This uses python-ldap functionality not available before v2.3.2; on RHEL/CentOS 5.8 the repositories only ship python-ldap v2.2.0.
Parameters:
- samaccountname – the account name to search for and move
- destOU – the OU into which to move the account
- replace(samaccountname, attribute, value)
Replace, set or clear the value of a given attribute for the specified user.
- replace_by_idno(idno, attribute, value)
Replace or set the value of a given attribute for the user identified by IDNO.
- replace_by_objectguid(objectGUID, attribute, value)
Replace or set the value of a given attribute for the user identified by objectGUID.
- resetpw(sAMAccountName, newpass)
Wraps self.replace() to reset a given user's password.
Note
This performs an administrative reset using the identity this instance bound with; make sure that account has the Reset Password right on the target user in AD. AD only accepts unicodePwd modifications over an encrypted connection (such as LDAPS or StartTLS); over plain LDAP the modify is rejected.
- resetpw_by_objectguid(objectGUID, newpass)
Perform an administrative password reset. The account used to bind to LDAP must have permission in AD to reset the password of the object identified by objectGUID.
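create() converts attributes['password'] for unicodePwd, and resetpw()/resetpw_by_objectguid() replace that same attribute. The block below is an added example, not adcon's own code: it shows the encoding AD requires (the password wrapped in double quotes, UTF-16-LE, no byte-order mark), the add modlist create() would need, and the difference between an administrative reset (a single REPLACE, requiring the Reset Password right) and a user-initiated change (DELETE of the old value plus ADD of the new one, which proves knowledge of the old password). It builds the tuples python-ldap's add_s()/modify_s() take without importing python-ldap, so it runs offline; the 'password' key convention is taken from the create() description, and the user objectClass list is the standard one shown in the getattr() examples.

```python
"""Encode passwords for AD's unicodePwd attribute and build the modlists
behind create() and resetpw().

Added example for this page; not adcon's own code. It produces the
(attr, values) pairs python-ldap's add_s() takes and the
(op, attr, values) triples modify_s() takes, without importing
python-ldap. The quoting, UTF-16-LE encoding and reset-versus-change
modlists are standard AD behaviour; the 'password' key is the create()
convention described above.
"""
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2  # same values as ldap.MOD_*


def unicode_pwd(password):
    """AD wants the password in double quotes, UTF-16-LE, without a BOM."""
    return ('"%s"' % password).encode("utf-16-le")


def _as_values(value):
    """Normalise a str / bytes / list into the list-of-bytes LDAP form."""
    if not isinstance(value, (list, tuple)):
        value = [value]
    return [v.encode("utf-8") if isinstance(v, str) else v for v in value]


def build_create_modlist(samaccountname, cn, attributes=None):
    """Modlist for add_s(): a user object with the caller's attributes merged in."""
    attrs = dict(attributes or {})  # copy: never mutate the caller's dict
    password = attrs.pop("password", None)
    entry = {
        "objectClass": _as_values(["top", "person", "organizationalPerson", "user"]),
        "cn": _as_values(cn),
        "sAMAccountName": _as_values(samaccountname),
    }
    for attr, value in attrs.items():
        entry[attr] = _as_values(value)
    if password is not None:
        # AD only honours unicodePwd over an encrypted connection (LDAPS/StartTLS).
        entry["unicodePwd"] = [unicode_pwd(password)]
    return list(entry.items())


def admin_reset_modlist(newpass):
    """Administrative reset: one REPLACE; the bind account needs Reset Password rights."""
    return [(MOD_REPLACE, "unicodePwd", [unicode_pwd(newpass)])]


def self_change_modlist(oldpass, newpass):
    """User-initiated change: DELETE old + ADD new in a single modify.

    This form proves knowledge of the old password and is the one to use
    when acting on behalf of the user rather than as an administrator.
    """
    return [
        (MOD_DELETE, "unicodePwd", [unicode_pwd(oldpass)]),
        (MOD_ADD, "unicodePwd", [unicode_pwd(newpass)]),
    ]


if __name__ == "__main__":
    for attr, values in build_create_modlist(
            "wimpy", "wimpy", {"mail": "wimpy@wimpy.org", "password": "P@ssw0rd"}):
        print(attr, values)
```

The DN passed alongside the add modlist would be "CN=" + cn + "," + path, matching the cn and path parameters of create(); a newly added user is disabled until userAccountControl is set, which is what setuac() below is for.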
- setuac(samaccountname, new_uac)
Set the userAccountControl field for a given user.
Parameters: new_uac – the decimal representation of the userAccountControl field. Any input that converts correctly with str() is accepted, which at present means a string, a uac object, or an int: ‘512’, 512 and uac(512) are all acceptable.
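getuac() returns the flag names set in userAccountControl and setuac() writes the integer back. The block below is an added example, not adcon's uac class: it decodes the bitmask into the ADS_UF_* names the getuac() examples use, sets and clears flags, serialises the result in the decimal-string form setuac() accepts, and flags the values that weaken an account's authentication (no password required, DES-only keys, no Kerberos pre-authentication, unconstrained delegation), which is the check a reviewer of such a wrapper normally wants. The flag values are the standard ADS_USER_FLAG_ENUM constants; the RISKY_FLAGS selection is this example's own.

```python
"""Decode, edit and serialise the userAccountControl bitmask.

Added example for this page; not the adcon uac class. Flag names and
values are the ADS_USER_FLAG_ENUM constants the getuac() examples use;
the accepted input types (int, decimal str, bytes) follow the setuac()
description. RISKY_FLAGS is this example's own selection.
"""
UAC_FLAGS = {
    "ADS_UF_SCRIPT": 0x0001,
    "ADS_UF_ACCOUNTDISABLE": 0x0002,
    "ADS_UF_HOMEDIR_REQUIRED": 0x0008,
    "ADS_UF_LOCKOUT": 0x0010,
    "ADS_UF_PASSWD_NOTREQD": 0x0020,
    "ADS_UF_PASSWD_CANT_CHANGE": 0x0040,
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x0080,
    "ADS_UF_TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "ADS_UF_NORMAL_ACCOUNT": 0x0200,
    "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "ADS_UF_SERVER_TRUST_ACCOUNT": 0x2000,
    "ADS_UF_DONT_EXPIRE_PASSWD": 0x10000,
    "ADS_UF_MNS_LOGON_ACCOUNT": 0x20000,
    "ADS_UF_SMARTCARD_REQUIRED": 0x40000,
    "ADS_UF_TRUSTED_FOR_DELEGATION": 0x80000,
    "ADS_UF_NOT_DELEGATED": 0x100000,
    "ADS_UF_USE_DES_KEY_ONLY": 0x200000,
    "ADS_UF_DONT_REQUIRE_PREAUTH": 0x400000,
    "ADS_UF_PASSWORD_EXPIRED": 0x800000,
    "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x1000000,
}

# Flags that weaken authentication for the account; worth alerting on.
RISKY_FLAGS = (
    "ADS_UF_PASSWD_NOTREQD",
    "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    "ADS_UF_USE_DES_KEY_ONLY",
    "ADS_UF_DONT_REQUIRE_PREAUTH",
    "ADS_UF_TRUSTED_FOR_DELEGATION",
)


def to_int(value):
    """Accept int, decimal str or bytes, the inputs setuac() allows."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    return int(value)


def decode_uac(value):
    """Names of the set flags, in ascending bit order."""
    uac = to_int(value)
    ordered = sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
    return [name for name, bit in ordered if uac & bit]


def set_flag(value, name):
    return to_int(value) | UAC_FLAGS[name]


def clear_flag(value, name):
    return to_int(value) & ~UAC_FLAGS[name]


def risky_flags(value):
    """Subset of RISKY_FLAGS present in the value, for audit output."""
    uac = to_int(value)
    return [name for name in RISKY_FLAGS if uac & UAC_FLAGS[name]]


def for_setuac(value):
    """The decimal string form that setuac()'s str() conversion expects."""
    return str(to_int(value))


if __name__ == "__main__":
    enabled = clear_flag(514, "ADS_UF_ACCOUNTDISABLE")  # 514 = disabled normal account
    print(decode_uac(enabled), for_setuac(enabled))
```

Two of the flags above are read-only over LDAP: AD does not store ADS_UF_LOCKOUT or ADS_UF_PASSWORD_EXPIRED in userAccountControl, so writing them with setuac() has no effect. Read them from the constructed attribute msDS-User-Account-Control-Computed, force a password change by setting pwdLastSet to 0, and unlock by setting lockoutTime to 0.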