ldap raises an UNWILLING TO PERFORM error
My Django application is using the python-ldap library (ldap_groups Django application) and must add users to an Active Directory on a Windows 2003 virtual machine domain. My application, running on an Ubuntu virtual machine, is not a member of the Windows domain.
Here is the code:
settings.py
DNS_NAME='IP_ADRESS'
LDAP_PORT=389
LDAP_URL='ldap://%s:%s' % (DNS_NAME,LDAP_PORT)
BIND_USER='cn=administrateur,cn=users,dc=my,dc=domain,dc=fr'
BIND_PASSWORD="AdminPassword"
SEARCH_DN='cn=users,dc=my,dc=domain,dc=fr'
NT4_DOMAIN='E2C'
SEARCH_FIELDS= ['mail','givenName','sn','sAMAccountName','memberOf']
MEMBERSHIP_REQ=['Group_Required','Alternative_Group']
AUTHENTICATION_BACKENDS = (
'ldap_groups.accounts.backends.ActiveDirectoryGroupMembershipSSLBackend',
'django.contrib.auth.backends.ModelBackend',
)
DEBUG=True
DEBUG_FILE='/$HOME/ldap.debug'
backends.py
import ldap
import ldap.modlist as modlist
from django.conf import settings

def create_ad_user(**kwargs):
    username, email, password = kwargs['username'], kwargs['email'], kwargs['password1']
    ldap.set_option(ldap.OPT_REFERRALS, 0)
    # Open a connection
    l = ldap.initialize(settings.LDAP_URL)
    # Bind/authenticate with a user with appropriate rights to add objects
    l.simple_bind_s(settings.BIND_USER, settings.BIND_PASSWORD)
    # The dn of our new entry/object
    dn = "cn=%s,%s" % (username, settings.SEARCH_DN)
    # A dict to help build the "body" of the object
    attrs = {}
    attrs['objectclass'] = ['top', 'organizationalRole', 'simpleSecurityObject']
    attrs['cn'] = username.encode('utf-16')
    attrs['userPassword'] = password.encode('utf-16')
    attrs['description'] = 'User object for replication using slurpd'
    # Convert our dict to the syntax the add function expects, using the modlist module
    ldif = modlist.addModlist(attrs)
    # Do the actual synchronous add operation on the LDAP server
    l.add_s(dn, ldif)
    # It's nice to the server to disconnect and free resources when done
    l.unbind_s()
When I trace my code, it seems there is a problem when adding the user by calling "l.add_s".
However, it returns the following error:
UNWILLING_TO_PERFORM at /accounts/register/
{'info': '00002077: SvcErr: DSID-031907B4, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perform'}
If I use wrong credentials the server returns INVALID CREDENTIAL, so I think the credentials I'm using above are correct for binding to the LDAP directory.
Perhaps my Ubuntu machine should be a member of the domain, or is there something wrong in my code?
I found the problem. In fact, my objectclass was not compliant with Active Directory. Furthermore, I changed the attribute encoding to plain Python strings.
Here is the code to use:
def ad_user_attrs(username, password, email, firstname, surname):
    # Plain Python strings (not UTF-16 encoded values), with the objectclass chain AD expects for a user
    attrs = {}
    attrs['objectclass'] = ['top', 'person', 'organizationalPerson', 'user']
    attrs['cn'] = str(username)
    attrs['userPassword'] = str(password)
    attrs['mail'] = str(email)
    attrs['givenName'] = str(firstname)
    attrs['sn'] = str(surname)
    attrs['description'] = 'User object for replication using slurpd'
    return attrs
I can now add an account in my Active Directory successfully.
Hope it will help you.
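As an added example, not code from the question or the answer above, here is how the same add request looks for python-ldap 3.x, where every attribute value must be bytes, together with the AD objectClass chain the answer settled on. It goes one step beyond the answer: it also sets sAMAccountName (the name the user logs on with) and shows the documented way to set an AD password over LDAP, the unicodePwd attribute (UTF-16-LE, value wrapped in double quotes, accepted only over an encrypted session). The helper names, the host, base DN and sample user are placeholders constructed for this example; the pure helpers run without python-ldap installed, only add_ad_user imports it.

```python
# Added example, not from the question or the answer. Builds an AD user "add"
# request for python-ldap 3.x (all values as bytes) and encodes a password
# for AD's unicodePwd attribute. All names/values below are constructed.

AD_USER_OBJECTCLASSES = [b"top", b"person", b"organizationalPerson", b"user"]


def _as_bytes(value):
    """Normalise one attribute value to bytes (UTF-8, the LDAP string encoding)."""
    if isinstance(value, bytes):
        return value
    return str(value).encode("utf-8")


def ad_user_attrs(username, email, first_name, surname):
    """Attribute dict for a new AD user object.

    AD answers unwillingToPerform (WILL_NOT_PERFORM) when the objectClass
    chain is not one it knows for a user, so the chain is fixed here rather
    than taken from the caller. sAMAccountName is the logon name.
    """
    return {
        "objectClass": AD_USER_OBJECTCLASSES,
        "cn": username,
        "sAMAccountName": username,
        "givenName": first_name,
        "sn": surname,
        "displayName": "%s %s" % (first_name, surname),
        "mail": email,
    }


def to_modlist(attrs):
    """Same shape as ldap.modlist.addModlist: [(attr, [bytes, ...]), ...].

    Scalars become one-element lists, everything is encoded to bytes, and
    attributes with no values are dropped (AD rejects empty attributes).
    """
    result = []
    for name, values in attrs.items():
        if values is None:
            continue
        if not isinstance(values, (list, tuple)):
            values = [values]
        encoded = [_as_bytes(v) for v in values if v not in (None, "", b"")]
        if encoded:
            result.append((name, encoded))
    return result


def encode_unicode_pwd(password):
    """Encode a password for AD's unicodePwd attribute.

    The documented way to set an AD password over LDAP is unicodePwd: the
    clear-text password wrapped in double quotes and encoded UTF-16-LE, and
    AD only accepts that write over an encrypted session (ldaps:// or StartTLS).
    """
    return ('"%s"' % password).encode("utf-16-le")


def check_transport(uri, sets_password):
    """Refuse to send a password over a plain ldap:// connection."""
    if sets_password and not uri.lower().startswith("ldaps://"):
        raise ValueError("password writes to AD require an encrypted (ldaps://) session")
    return True


def add_ad_user(uri, bind_dn, bind_pw, base_dn, username, email,
                first_name, surname, password=None):
    """Bind, add the user object and optionally set its initial password.

    python-ldap is imported lazily so the pure helpers above run without it.
    """
    import ldap
    check_transport(uri, password is not None)
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.simple_bind_s(bind_dn, bind_pw)
    dn = "cn=%s,%s" % (username, base_dn)
    try:
        conn.add_s(dn, to_modlist(ad_user_attrs(username, email, first_name, surname)))
        if password is not None:
            # Administrative reset: a single MOD_REPLACE on unicodePwd
            conn.modify_s(dn, [(ldap.MOD_REPLACE, "unicodePwd",
                                [encode_unicode_pwd(password)])])
    finally:
        conn.unbind_s()
    return dn


if __name__ == "__main__":
    # Constructed sample input; no directory is contacted here.
    print(to_modlist(ad_user_attrs("jdoe", "jdoe@example.test", "Jane", "Doe")))
```

With this shape, a TypeError from add_s about str values (the python-ldap 3 equivalent of the encoding mistake in the question) cannot happen, and the password never leaves the application on an unencrypted ldap:// session.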