依赖包:
pip install python-ldap
说明:
脚本适用linux下的openldap服务
示例ldap服务器地址为1.1.1.1:389
示例dn为dc=test,dc=com
示例ou为cn=people,dc=test,dc=com
示例user为cn=autoops,ou=people,dc=test,dc=com
示例userPwd为abcd.1234
#-*- coding=utf-8 -*-
#-*- encoding:utf-8 -*-
import sys
import ldap
import ldap.modlist
default_encoding = "utf-8"
# Python 2 only: ``reload(sys)`` brings back ``sys.setdefaultencoding`` so the
# implicit str<->unicode conversions below (e.g. ``.encode("utf-8")`` on the
# non-ASCII byte strings in modify_ldap_user) use UTF-8 instead of ASCII.
# Neither a builtin ``reload`` nor ``sys.setdefaultencoding`` exists on
# Python 3, so this guard would raise there; the rest of the file assumes it
# ran.
if sys.getdefaultencoding() != default_encoding:
    reload(sys)
    sys.setdefaultencoding(default_encoding)
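def ldap_authentication(uri='ldap://1.1.1.1:389',
                        bind_dn="cn=autoops,ou=people,dc=test,dc=com",
                        password="abcd.1234"):
    """Verify a user's credentials with a simple bind and print the outcome.

    Args:
        uri: LDAP server URI. Defaults to the sample server from the file
            header. Plain ``ldap://`` carries the password in cleartext; use
            ``ldaps://`` or ``start_tls_s()`` outside a lab.
        bind_dn: DN of the entry to authenticate as.
        password: that entry's password. The default is the sample value from
            the header; real credentials should come from configuration, not
            source.

    Returns:
        True when the bind succeeds, False otherwise. Prints "auth success" /
        "auth failed" exactly as the original did.
    """
    # A simple bind with a DN and an *empty* password is an "unauthenticated"
    # bind that many servers accept, which would report success for a user
    # who supplied no password at all. Refuse it up front.
    if not password:
        print("auth failed")
        return False
    con = ldap.initialize(uri)
    try:
        con.simple_bind_s(bind_dn, password)
    except ldap.LDAPError:
        # Narrowed from a bare ``except`` so interpreter exits and programming
        # errors are no longer reported as a failed login.
        print("auth failed")
        return False
    else:
        print("auth success")
        return True
    finally:
        # Release the connection whichever way the bind ended.
        con.unbind()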
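def get_ldap_users(conn=None, base_dn="ou=people,dc=test,dc=com",
                   search_filter='(objectClass=person)'):
    """Print and return the user entries under *base_dn*.

    Args:
        conn: a bound python-ldap connection. When omitted the module-level
            name ``con`` is used, as the original did; note that this file
            only defines ``con`` locally inside ldap_authentication, so a
            module-level connection has to be provided by the caller
            (TODO: wire one up).
        base_dn: search base.
        search_filter: LDAP filter for the entries to return. The original
            used ``(objectclass=organizationalUnit)``, which matches the OU
            itself rather than the users inside it; the user entries this
            file creates (see new_ldap_user) carry objectClass ``person``.

    Returns:
        The list of ``(dn, attrs)`` tuples returned by ``search_s``.
    """
    if conn is None:
        conn = con  # module-level connection, expected to be bound already
    users = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, search_filter)
    # Attribute notes from the original author:
    #   cn: user name          displayName: full name     mail: e-mail
    #   sn: surname            givenName: given name
    #   userPassword: the stored password value
    #   pwdAccountLockedTime: lock time; 000001010000Z means permanently locked
    #   objectClass: entry type
    for user in users:
        # Entries are printed raw, as before; if the bound account may read
        # userPassword this will echo password values to stdout.
        print(user)
    return users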
def new_ldap_ou():
    """Create the sample OU ``ou=people,dc=test,dc=com``.

    Uses the module-level connection ``con`` (it must already be bound with
    write access; this file as written does not define it at module scope).
    """
    ou_dn = "ou=people,dc=test,dc=com"
    ou_attrs = dict(ou='people', objectClass=['top', 'organizationalUnit'])
    add_ops = ldap.modlist.addModlist(ou_attrs)
    con.add_s(ou_dn, add_ops)
def new_ldap_user():
    """Create the sample user ``cn=autoops,ou=people,dc=test,dc=com``.

    Uses the module-level connection ``con``, which must be bound with write
    access. ``userPassword`` is sent as a cleartext value; whether the server
    stores it hashed depends on its password policy, so the password-modify
    extended operation (see change_ldap_user_pwd) is the safer way to set
    passwords when the server supports it.
    """
    user_dn = "cn=autoops,ou=people,dc=test,dc=com"
    fields = [
        ('cn', 'autoops'),
        ('sn', '运维'),
        ('givenName', '机器人'),
        ('displayName', '运维机器人'),
        ('mail', 'autoops@test.com'),
        ('objectClass', ['person']),
        ('userPassword', 'abcd.1234'),
    ]
    add_ops = ldap.modlist.addModlist(dict(fields))
    con.add_s(user_dn, add_ops)
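def modify_ldap_user(conn=None, user_dn="cn=autoops,ou=people,dc=test,dc=com",
                     mail="autoops@test.com", display_name="运维机器人",
                     userpwd="www.test.com"):
    """Replace displayName, mail and userPassword on *user_dn*.

    Fixes the original, which built the modlist from the undefined names
    ``fullname`` and ``email`` instead of the locals it had just assigned
    (a NameError on every call).

    Args:
        conn: bound connection; defaults to the module-level ``con``.
        user_dn: entry to modify.
        mail: new ``mail`` value.
        display_name: new ``displayName`` value.
        userpwd: new ``userPassword`` value. A MOD_REPLACE writes it as given,
            so it is stored in cleartext unless a server-side password policy
            hashes it; change_ldap_user_pwd (passwd_s) is preferable. The
            defaults are sample values only.
    """
    if conn is None:
        conn = con
    # Values are encoded to bytes: python-ldap 3.x expects bytes attribute
    # values, and the call is a no-op-equivalent on Python 2 str under the
    # UTF-8 default encoding set at the top of the file.
    mod_attrs = [
        (ldap.MOD_REPLACE, 'displayName', display_name.encode("utf-8")),
        (ldap.MOD_REPLACE, 'mail', mail.encode("utf-8")),
        (ldap.MOD_REPLACE, 'userPassword', userpwd.encode("utf-8")),
    ]
    conn.modify_s(user_dn, mod_attrs)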
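def delete_ldap_user_attr(conn=None,
                          user_dn="cn=autoops,ou=people,dc=test,dc=com",
                          attr_name='description', value='ww'):
    """Delete one value of an attribute from *user_dn*.

    Generalises the original, which could only remove ``description: ww``.

    Args:
        conn: bound connection; defaults to the module-level ``con``.
        user_dn: entry to modify.
        attr_name: attribute to delete from.
        value: the exact value to remove. Passing ``None`` asks python-ldap to
            delete every value of the attribute, so only do that on purpose.

    Raises:
        ldap.LDAPError subclasses from the server, typically
        ``NO_SUCH_ATTRIBUTE`` when the value is not present.
    """
    if conn is None:
        conn = con
    mod_attrs = [(ldap.MOD_DELETE, attr_name, value)]
    conn.modify_s(user_dn, mod_attrs)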
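def change_ldap_user_pwd(conn=None,
                         user_dn="cn=autoops,ou=people,dc=test,dc=com",
                         old_userpwd="abcd.1234", new_userpwd="www.test.com"):
    """Change the password of *user_dn* with the password-modify extended op.

    Fixes the original, which passed the undefined name ``new_userpwd`` to
    ``passwd_s`` (its local was called ``userpwd``), so it raised NameError.

    Args:
        conn: bound connection; defaults to the module-level ``con``.
        user_dn: entry whose password changes.
        old_userpwd: current password. Required when bound as the user
            itself; whether an administrative bind may omit it is server
            policy.
        new_userpwd: the new password. Unlike a MOD_REPLACE on userPassword,
            this operation lets the server apply its own hashing/policy.
            The defaults are sample values from the file header.
    """
    if conn is None:
        conn = con
    conn.passwd_s(user_dn, old_userpwd, new_userpwd)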
def disable_ldap_user():
    """Lock the sample account by setting ``pwdAccountLockedTime``.

    ``000001010000Z`` is the value the original author documents as a
    permanent lock (the attribute belongs to the OpenLDAP ppolicy overlay, so
    the server must have it enabled for the lock to take effect). Uses the
    module-level connection ``con`` with write access.
    """
    locked_forever = "000001010000Z"
    lock_op = (ldap.MOD_REPLACE, 'pwdAccountLockedTime', locked_forever)
    con.modify_s("cn=autoops,ou=people,dc=test,dc=com", [lock_op])
def new_ldap_group():
    """Create the sample group ``cn=tech,ou=group,dc=test,dc=com`` with one member.

    The parent ``ou=group,dc=test,dc=com`` has to exist already (new_ldap_ou
    only creates ``ou=people``). Uses the module-level connection ``con``.
    """
    group_dn = "cn=tech,ou=group,dc=test,dc=com"
    members = ['cn=autoops,ou=people,dc=test,dc=com']
    group_attrs = dict(objectClass=['groupOfUniqueNames'], cn='tech',
                       uniqueMember=members)
    con.add_s(group_dn, ldap.modlist.addModlist(group_attrs))
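def get_ldap_group(conn=None, base_dn="ou=group,dc=test,dc=com",
                   search_filter='(objectclass=groupOfUniqueNames)'):
    """Print and return the groupOfUniqueNames entries under *base_dn*.

    Fixes the original, which searched through an undefined name
    ``ldap_conn`` while every other function in this file uses ``con``.

    Args:
        conn: bound connection; defaults to the module-level ``con`` (which
            this file only defines locally inside ldap_authentication, so
            the caller has to provide one).
        base_dn: search base.
        search_filter: LDAP filter for the group entries.

    Returns:
        The list of ``(dn, attrs)`` tuples returned by ``search_s``.
    """
    if conn is None:
        conn = con
    groups = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, search_filter)
    for group in groups:
        print(group)
    return groups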
def modify_ldap_group():
    """Set the member list of ``cn=tech,ou=group,dc=test,dc=com``.

    The placeholder "old" value ``['']`` never matches the new list, which
    appears to make ``modifyModlist`` emit a whole-attribute rewrite of
    ``uniqueMember`` rather than a diff against the real current members;
    any existing members not in the list below are dropped. Uses the
    module-level connection ``con``.
    """
    group_dn = "cn=tech,ou=group,dc=test,dc=com"
    placeholder_old = {'uniqueMember': ['']}
    wanted_members = [
        'cn=autoops,ou=people,dc=test,dc=com',
        'cn=sre,ou=people,dc=test,dc=com',
        'cn=devops,ou=people,dc=test,dc=com',
    ]
    wanted = {'uniqueMember': wanted_members}
    mod_ops = ldap.modlist.modifyModlist(placeholder_old, wanted)
    con.modify_s(group_dn, mod_ops)