Managing AD/LDAP users and organizational structure with python-ldap
Reads: 6600
Published: 2019-06-24


LDAP and AD are the two most widely used authentication directory services. AD was developed by Microsoft on top of LDAP and is used on the Windows platform, while LDAP is mainly used on Linux (LDAP is rarely deployed on Windows). Since AD is an extension of LDAP, AD natively supports most of the LDAP protocol, which makes operating and managing an AD authentication server considerably easier.

In software development, many companies build their user authentication system on AD/LDAP. This article focuses on using the python-ldap library to operate and manage users, organizational structure and so on in AD/LDAP; I hope it is useful.

Basic concepts:

  o  - organization (organization / company)
  ou - organization unit (organizational unit / department)
  c  - countryName (country)
  dc - domainComponent (domain name component)
  sn - surname (real name)
  cn - common name (common name)
  dn - distinguished name (unique identifier)

Fields in AD and LDAP and their meaning:

  • User attribute mapping:

      Field              Attribute
      unique identifier  dn
      user name          userPrincipalName (AD) / cn (LDAP)
      password           userPassword
      real name          displayName
      office location    physicalDeliveryOfficeName
      job title          title
      email              mail
      personal phone     telephoneNumber
      company phone      homePhone

  • Organizational unit attribute mapping:

      Field              Attribute
      unique identifier  dn
      organization name  ou
      description        description
  • Create a user in AD

    import ldap
    import ldap.modlist as modlist

    DOMAIN = 'testad.com'  # UPN suffix of the test domain used throughout this post

    def create_ad_user(username, unicode_password, org_dn):
        # AD refuses to set unicodePwd over an unencrypted connection, so use LDAPS on 636
        l = ldap.initialize('ldaps://172.16.1.163:636')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        user = {}
        user['objectclass'] = [b'top', b'person', b'organizationalPerson', b'user']
        user_dn = 'cn=%s,%s' % (username, org_dn)
        user['userPrincipalName'] = ('%s@%s' % (username, DOMAIN)).encode('utf-8')
        user['userAccountControl'] = b'66048'  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD: enabled account
        # unicode_password must already be bytes: the password in double quotes, UTF-16-LE encoded
        user['unicodePwd'] = unicode_password
        ldif = modlist.addModlist(user)  # python-ldap 3 expects attribute values as bytes
        ret = l.add_s(user_dn, ldif)
        l.unbind_s()
        print(ret)
  • Create a user in LDAP

    import ldap
    import ldap.modlist as modlist

    def create_ldap_user(username, password, org_dn):
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        user = {}
        user['objectclass'] = [b'top', b'person', b'inetOrgPerson']
        user['cn'] = username.encode('utf-8')
        user['sn'] = user['cn']  # inetOrgPerson requires sn; reuse cn as the post does
        user['userPassword'] = password.encode('utf-8')  # the attribute is userPassword, not password
        user_dn = 'cn=%s,%s' % (username, org_dn)
        ldif = modlist.addModlist(user)
        ret = l.add_s(user_dn, ldif)
        l.unbind_s()
        print(ret)
  • Modify basic AD/LDAP user information

    import ldap
    import ldap.modlist as modlist

    def modify_user(username):
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        dn = 'cn=%s,ou=org1,dc=testad,dc=com' % username
        # modifyModlist diffs the old and new attribute dicts into a list of MOD_* operations
        old = {'description': [b'old description']}
        new = {'description': [b'new description']}
        ldif = modlist.modifyModlist(old, new)
        ret = l.modify_s(dn, ldif)
        l.unbind_s()
        print(ret)
  • Delete an AD/LDAP user

    import ldap

    def delete_users(user_dn):
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        ret = l.delete_s(user_dn)
        l.unbind_s()
        print(ret)
  • Query AD user information

    import ldap
    from ldap.filter import escape_filter_chars

    BASE_DN = 'dc=testad,dc=com'
    DOMAIN = 'testad.com'
    USER_ATTRS = ['userAccountControl', 'displayName', 'description', 'homePhone',
                  'physicalDeliveryOfficeName', 'title', 'mail', 'telephoneNumber']

    def describe_ad_users(org_dn='', usernames=()):
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        # Builds (&(objectclass=user)(|(userPrincipalName=a@dom)(userPrincipalName=b@dom)...));
        # with no usernames the filter is just (&(objectclass=user)) and returns every user
        filterstr = '(&(objectclass=user)'
        if usernames:
            filterstr += '(|'
            for username in usernames:
                # escape *, (, ), \ and NUL so a username cannot change the filter's meaning
                upn = '%s@%s' % (escape_filter_chars(username), DOMAIN)
                filterstr += '(userPrincipalName=%s)' % upn
            filterstr += ')'
        filterstr += ')'
        ret = l.search_s(org_dn or BASE_DN, ldap.SCOPE_SUBTREE, filterstr, attrlist=USER_ATTRS)
        l.unbind_s()
        print(ret)
  • Query users in LDAP

    import ldap
    from ldap.filter import escape_filter_chars

    BASE_DN = 'dc=testad,dc=com'
    USER_ATTRS = ['userAccountControl', 'displayName', 'description', 'homePhone',
                  'physicalDeliveryOfficeName', 'title', 'mail', 'telephoneNumber']

    def describe_ldap_users(org_dn='', usernames=()):
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        # Same shape as the AD query, but LDAP users are matched on objectclass person and cn
        filterstr = '(&(objectclass=person)'
        if usernames:
            filterstr += '(|'
            for cn in usernames:
                filterstr += '(cn=%s)' % escape_filter_chars(cn)  # escape filter metacharacters
            filterstr += ')'
        filterstr += ')'
        ret = l.search_s(org_dn or BASE_DN, ldap.SCOPE_SUBTREE, filterstr, attrlist=USER_ATTRS)
        l.unbind_s()
        print(ret)
  • AD user authentication

    import ldap

    BASE_DN = 'dc=testad,dc=com'
    DOMAIN = 'testad.com'

    def login_ad(user_dn, password):
        # An empty password is an anonymous bind on most servers and would "succeed"; reject it first
        if not password:
            return False
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        try:
            l.simple_bind_s(user_dn, password)  # a wrong password raises rather than returning a code
        except ldap.INVALID_CREDENTIALS:
            return False
        cn = user_dn.split(',')[0].split('=')  # ['cn', '<name>'] from the first RDN
        username = '%s@%s' % (cn[1], DOMAIN)
        ret = l.search_s(BASE_DN, ldap.SCOPE_SUBTREE,
                         '(userPrincipalName=%s)' % username, ['userPrincipalName'])
        l.unbind_s()
        if ret is None or len(ret) == 0:
            return False
        return True
  • LDAP user authentication

    import ldap

    BASE_DN = 'dc=testad,dc=com'

    def login_ldap(user_dn, password):
        if not password:  # avoid an anonymous bind passing as a successful login
            return False
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        try:
            l.simple_bind_s(user_dn, password)
        except ldap.INVALID_CREDENTIALS:
            return False
        cn = user_dn.split(',')[0].split('=')  # ['cn', '<name>'] from the first RDN
        # the filter needs its surrounding parentheses: (cn=<name>)
        ret = l.search_s(BASE_DN, ldap.SCOPE_SUBTREE, '(%s=%s)' % (cn[0], cn[1]))
        l.unbind_s()
        if ret is None or len(ret) == 0:
            return False
        return True
  • Set an AD user's password (to change an AD user's password, authenticate first and then set it)

    import ldap

    def set_ad_password(user_dn, unicode_password):
        # unicodePwd can only be written over LDAPS; unicode_password is the
        # password in double quotes, UTF-16-LE encoded, as bytes
        l = ldap.initialize('ldaps://172.16.1.163:636')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        param_pwd = [(ldap.MOD_REPLACE, 'unicodePwd', [unicode_password])]
        ret = l.modify_s(user_dn, param_pwd)
        l.unbind_s()
        print(ret)
  • Set an LDAP user's password

    import ldap

    def set_ldap_password(user_dn, password):
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        # password modify extended operation; no old password is needed when bound as an administrator
        l.passwd_s(user_dn, None, password)
        l.unbind_s()
  • Change an LDAP user's password

    import ldap

    def modify_ldap_password(user_dn, old_password, new_password):
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        # supplying the old password lets the server verify it before replacing it
        l.passwd_s(user_dn, old_password, new_password)
        l.unbind_s()
  • Create an AD/LDAP organizational unit

    import ldap
    import ldap.modlist as modlist

    def create_ou(parent_dn, ou):
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        attrs = {'ou': ou.encode('utf-8')}
        attrs['description'] = b'this is description'
        attrs['objectClass'] = [b'organizationalUnit', b'top']
        dn = 'ou=%s,%s' % (ou, parent_dn)
        ldif = modlist.addModlist(attrs)
        ret = l.add_s(dn, ldif)
        l.unbind_s()
        print(ret)
  • Modify an AD/LDAP organizational unit

    import ldap
    import ldap.modlist as modlist

    def modify_ou(dn, attrs=None):
        # dn is the OU to modify; attrs holds the new attribute values
        if attrs is None:
            attrs = {'description': [b'new_description']}
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        old_attrs = {'description': [b'old_description']}
        ldif = modlist.modifyModlist(old_attrs, attrs)
        ret = l.modify_s(dn, ldif)
        l.unbind_s()
        print(ret)
  • Delete an AD/LDAP organizational unit

    import ldap

    def delete_ou(dn):
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        ret = l.delete_s(dn)  # fails if the OU still contains entries
        l.unbind_s()
        print(ret)
  • Query AD/LDAP organizational units

    import ldap
    from ldap.filter import escape_filter_chars

    BASE_DN = 'dc=testad,dc=com'
    ORGANIZATION_ATTRS = ['ou', 'description']

    def describe_ou(parent_dn='', ou_names=()):
        # ou_names are ou attribute values (e.g. 'org1'), not full DNs
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        # OR the requested names together; ANDing several (ou=...) terms can never match more than one OU
        filterstr = '(&(objectclass=organizationalUnit)'
        if ou_names:
            filterstr += '(|' + ''.join('(ou=%s)' % escape_filter_chars(n) for n in ou_names) + ')'
        filterstr += ')'
        ret = l.search_s(parent_dn or BASE_DN, ldap.SCOPE_SUBTREE, filterstr,
                         attrlist=ORGANIZATION_ATTRS)
        l.unbind_s()
        print(ret)
  • Move a user to a different organizational unit

    import ldap

    def change_user_in_ou(user_dn, new_org_dn):
        l = ldap.initialize('ldap://172.16.1.163:389')
        l.protocol_version = 3
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.simple_bind_s('Administrator', 'P@ssword')
        rdn = user_dn.split(',')[0]  # 'cn=<name>' is kept; only the parent changes
        ret = l.rename_s(user_dn, rdn, new_org_dn)
        l.unbind_s()
        print(ret)

Note: operations such as creating and querying users differ between AD and LDAP in the port used and in the attributes queried, so take extra care. If anything in the code is unclear, feel free to leave a comment.

Reposted from: https://blog.51cto.com/14207158/2352634
