My Django application, using the python-ldap library (the ldap_groups Django application), must add users to an Active Directory on a Windows 2003 virtual machine domain. My application, running on an Ubuntu virtual machine, is not a member of the Windows domain:

Here is the code:

settings.py

DNS_NAME='IP_ADRESS'

LDAP_PORT=389
LDAP_URL='ldap://%s:%s' % (DNS_NAME,LDAP_PORT)
BIND_USER='cn=administrateur,cn=users,dc=my,dc=domain,dc=fr'
BIND_PASSWORD="AdminPassword"

SEARCH_DN='cn=users,dc=my,dc=domain,dc=fr'
NT4_DOMAIN='E2C'
SEARCH_FIELDS= ['mail','givenName','sn','sAMAccountName','memberOf']
MEMBERSHIP_REQ=['Group_Required','Alternative_Group']

AUTHENTICATION_BACKENDS = (
    'ldap_groups.accounts.backends.ActiveDirectoryGroupMembershipSSLBackend',
    'django.contrib.auth.backends.ModelBackend',
)

DEBUG=True
DEBUG_FILE='/$HOME/ldap.debug'

backends.py

import ldap
import ldap.modlist as modlist
from django.conf import settings  # LDAP_URL, BIND_USER, BIND_PASSWORD, SEARCH_DN come from settings.py above

# kwargs is the registration form data handed to this backend
username, email, password = kwargs['username'], kwargs['email'], kwargs['password1']

ldap.set_option(ldap.OPT_REFERRALS, 0)

# Open a connection
l = ldap.initialize(settings.LDAP_URL)

# Bind/authenticate with a user with appropriate rights to add objects
l.simple_bind_s(settings.BIND_USER,settings.BIND_PASSWORD)

# The dn of our new entry/object
dn="cn=%s,%s" % (username,settings.SEARCH_DN)


# A dict to help build the "body" of the object
attrs = {}
attrs['objectclass'] = ['top','organizationalRole','simpleSecurityObject']
attrs['cn'] = username.encode('utf-16')
attrs['userPassword'] = password.encode('utf-16')
attrs['description'] = 'User object for replication using slurpd'

# Convert our dict to nice syntax for the add-function using modlist-module
ldif = modlist.addModlist(attrs)

# Do the actual synchronous add-operation to the ldapserver
l.add_s(dn,ldif)

# It's nice to the server to disconnect and free resources when done
l.unbind_s()

When I trace my code, it seems there is a problem while adding the user, when calling "l.add_s".

However, it returns the following error:

UNWILLING_TO_PERFORM at /accounts/register/

{'info': '00002077: SvcErr: DSID-031907B4, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perform'}

If I use wrong credentials the server returns INVALID CREDENTIALS. So I guess the credentials I am using above are correct to bind to the LDAP directory.

Perhaps my Ubuntu machine should be a member of the domain, or there is something wrong in my code?

Thanks for your lights.

+1  A: 

I found the problem. In fact, my objectclass was not compliant with Active Directory. Furthermore, I changed the information encoding to a plain Python string.

Here is the code to use:

# firstname and surname come from the registration form, like username, email and password
attrs = {}
attrs['objectclass'] = ['top','person','organizationalPerson','user']
attrs['cn'] = str(username)
attrs['userPassword'] = str(password)
attrs['mail'] = str(email)
attrs['givenName'] = str(firstname)
attrs['sn'] = str(surname)
attrs['description'] = 'User object for replication using slurpd'

I can add an account in my Active Directory successfully.

Hope it will help you.

David
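As an added example (not the poster's code), here is the corrected attribute set from the answer built in the shape python-ldap's add_s() takes, with a pre-flight check for the two faults behind the WILL_NOT_PERFORM error; the RFC 4514 escaping of the username in the DN is my addition, not something on the page.

```python
# Object classes Active Directory requires on a user object (from the answer).
AD_USER_OBJECTCLASSES = [b"top", b"person", b"organizationalPerson", b"user"]


def escape_dn_value(value):
    """Escape an RDN value per RFC 4514 so a username cannot extend the DN."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in ',+"\\<>;' or leading_hash or edge_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def entry_problems(attrs):
    """List the question's two mistakes before the server rejects them:
    missing AD object classes and values that are not plain UTF-8 bytes."""
    problems = []
    missing = set(AD_USER_OBJECTCLASSES) - set(attrs.get("objectClass", []))
    if missing:
        problems.append("objectClass lacks %s" % sorted(missing))
    for name, values in attrs.items():
        for v in values:
            if not isinstance(v, bytes):
                problems.append("%s: %s value, not bytes" % (name, type(v).__name__))
            elif v.startswith((b"\xff\xfe", b"\xfe\xff")):
                problems.append("%s: UTF-16 encoded value, use UTF-8" % name)
    return problems


def build_ad_user_entry(username, password, email, firstname, surname, search_dn):
    """Return (dn, modlist) in the shape python-ldap's add_s(dn, modlist)
    expects: a list of (attribute, [bytes, ...]) tuples, encoded as UTF-8."""
    attrs = {
        "objectClass": AD_USER_OBJECTCLASSES,
        "cn": [username.encode("utf-8")],
        "userPassword": [password.encode("utf-8")],
        "mail": [email.encode("utf-8")],
        "givenName": [firstname.encode("utf-8")],
        "sn": [surname.encode("utf-8")],
    }
    problems = entry_problems(attrs)
    if problems:
        raise ValueError("; ".join(problems))
    dn = "cn=%s,%s" % (escape_dn_value(username), search_dn)
    return dn, list(attrs.items())
```

Note that the simple bind in the question goes over plain ldap:// on port 389, which sends BIND_PASSWORD in cleartext; use ldaps:// or call start_tls_s() on the connection before binding.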