python操作windows AD的代码-expert1-ChinaUnix博客

import ldap
import ldap.modlist as modlist
import test_Passwords
class new:
def __init__(self,server='ad.xxx.com'):
login = test_Passwords.new()
username, password = login.credentials('ad')
self.dn = {'base':'dc=ad,dc=xxx,dc=com'}
self.dgattrs = {'user':{},'chat':{},'mail':{}}
self.dgattrs['user']['dn'] = ','.join(['ou=Basers',self.dn['base']])
self.dgattrs['user']['objectClass'] = ['top','group']
self.dgattrs['user']['description'] = ['user_group']
self.dgattrs['user']['member_field'] = 'member'
self.dgattrs['user']['filter'] = '(objectClass=group)'
self.dgattrs['all'] = self.dgattrs['user']
self.dgattrs['chat']['dn'] = ','.join(['ou=Chat Groups',self.dn['base']])
self.dgattrs['chat']['objectClass'] = ['top','groupOfUniqueNames']
self.dgattrs['chat']['description'] = ['chat_group']
self.dgattrs['chat']['member_field'] = 'uniqueMember'
self.dgattrs['chat']['filter'] = '(&(objectClass=groupOfUniqueNames)(description=chat_group))'
self.dgattrs['mail']['dn'] = ','.join(['ou=Email Aliases',self.dn['base']])
self.dgattrs['mail']['objectClass'] = ['top','groupOfUniqueNames']
self.dgattrs['mail']['description'] = ['mail_group']
self.dgattrs['mail']['member_field'] = 'uniqueMember'
self.dgattrs['mail']['filter'] = '(&(objectClass=groupOfUniqueNames)(description=mail_group))'
host = 'ldap://%s' % server
self.conn = ldap.initialize(host)
self.conn.set_option(ldap.OPT_NETWORK_TIMEOUT,10)
self.conn.set_option(ldap.OPT_TIMEOUT,10)
self.conn.set_option(ldap.OPT_TIMELIMIT,10)
self.conn.set_option(ldap.OPT_SIZELIMIT,0)
self.conn.bind(username,password)
self.conn.whoami_s()
self.group_users = {}
self.groups = []
def disconnect(self):
self.conn.unbind()
def search(self,dn='dc=ad,dc=xxx,dc=com',search_filter='',attrs='cn',scope=ldap.SCOPE_SUBTREE):
if isinstance(attrs,basestring): attrs=[attrs]
results = []
if not dn:
dn = self.dn['base']
try:
s = self.conn.search_ext(dn, scope, search_filter, attrs, sizelimit=-1)
while True:
stype,sresult = self.conn.result(s,0)
if stype == ldap.RES_SEARCH_ENTRY:
results.extend([sresult])
else:
break
except ldap.NO_SUCH_OBJECT:
return
return results
def get_users(self,refresh=False):
if refresh: del self.users
try:
return self.users
except:
self.users = []
for userline in self.search(search_filter='(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl=514))(!(userAccountControl=546))(!(userAccountControl=66050))(!(userAccountControl=66082))(!(userAccoun
tControl=262658))(!(userAccountControl=262690))(!(userAccountControl=328194))(!(userAccountControl=328226)))'):
self.users.extend([userline[0][1]['cn'][0]])
return self.users
def get_real_users(self,refresh=False):
if refresh: del self.real_users
try:
return self.real_users
except:
self.real_users = []
for userline in self.search(search_filter='(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl=514))(!(userAccountControl=546))(!(userAccountControl=66050))(!(userAccountControl=66082))(!(userAccoun
tControl=262658))(!(userAccountControl=262690))(!(userAccountControl=328194))(!(userAccountControl=328226))(!(UserAccountControl=66080)))'):
self.real_users.extend([userline[0][1]['cn'][0]])
return self.real_users
def get_groups(self,gtype='all',refresh=False):
if refresh and gtype in self.groups:
del self.groups[gtype]
try:
return self.groups[gtype]
except:
self.groups = {'user':[],'chat':[],'mail':[],'all':[]}
for g in self.groups:
if g == 'all': continue
dn = self.dgattrs[g]['dn']
search_filter = self.dgattrs[g]['filter']
#print g,dn,search_filter
for groupline in self.search(dn=dn,search_filter=search_filter):
self.groups[g].extend([groupline[0][1]['cn'][0]])
self.groups['all'].extend([groupline[0][1]['cn'][0]])
return self.groups[gtype]
def create_group(self,group,users=[],gtype='user'):
if isinstance(users,basestring): users=[users]
if group in self.get_groups(gtype=gtype,refresh=True):
print 'group exists skipping'
return
attrs = {}
attrs['objectClass'] = self.dgattrs[gtype]['objectClass']
attrs['description'] = self.dgattrs[gtype]['description']
if users:
for user in users:
if user in self.get_users():
if user not in self.get_groups(gtype=gtype):
attrs.setdefault(self.dgattrs[gtype]['member_field'],[]).extend([self.get_user_attr(user,'distinguishedName')])
else:
print user,'-> already in group skipping'
else:
print user,'-> not valid skipping'
if self.dgattrs[gtype]['member_field'] not in attrs:
print 'all users invalid or already in group'
return
elif gtype != 'user':
print 'need users for that group type skipping'
return
attrs[self.dgattrs[gtype]['member_field']] = list(set(attrs[self.dgattrs[gtype]['member_field']]))
dn = ','.join(['cn=%s'%group,self.dgattrs[gtype]['dn']])
print dn,modlist.addModlist(attrs)
self.conn.add_s(dn,modlist.addModlist(attrs))
def get_group_users(self,group,gtype='user',refresh=False):
if group not in self.get_groups(gtype=gtype):
print group,'-> not found skipping'
return
try:
return self.group_users[gtype][group]
except:
pass
self.group_users.setdefault(gtype,{})[group] = []
attr = self.dgattrs[gtype]['member_field']
users = self.get_group_attr(group=group,gtype=gtype,attr=attr)
if isinstance(users,basestring): users = [users]
for user in users:
cn = user.split(',')[0].split('=')[1]
self.group_users[gtype][group].extend([cn])
return self.group_users[gtype][group]
def add_users_to_group(self,users,group,gtype='user'):
dn = self.get_group_attr(group,gtype,'distinguishedName')
if isinstance(users,basestring): users = [users]
for user in users:
if user in self.get_users():
if group in self.get_groups(gtype=gtype):
if user not in self.get_group_users(group,gtype=gtype):
self.conn.modify_s(dn,[(ldap.MOD_ADD,self.dgattrs[gtype]['member_field'],self.get_user_attr(user,'distinguishedName'))])
else:
print user,'-> already in group %s skipping'%group
else:
print group,'-> invalid group skipping'
else:
print user,'-> invalid user skipping'
def remove_users_from_group(self,users,group,gtype='user'):
dn = self.get_group_attr(group,gtype,'distinguishedName')
if isinstance(users,basestring): users = [users]
for user in users:
if user in self.get_users():
if group in self.get_groups(gtype=gtype):
if user in self.get_group_users(group,gtype=gtype):
self.conn.modify_s(dn,[(ldap.MOD_DELETE,self.dgattrs[gtype]['member_field'],self.get_user_attr(user,'distinguishedName'))])
else:
print user,'-> already not in group %s skipping'%group
else:
print group,'-> invalid group skipping'
else:
print user,'-> invalid user skipping'
def change_users_group(self,users,source_group,target_group,gtype='user'):
self.remove_users_from_group(users,source_group,gtype=gtype)
self.add_users_to_group(users,target_group,gtype=gtype)
def get_group_attr(self,group,gtype='user',attr='cn'):
if group not in self.get_groups(gtype=gtype): return
dn = ','.join(["cn=%s"%group,self.dgattrs[gtype]['dn']])
search_filter = self.dgattrs[gtype]['filter']
ret = self.search(dn=dn,search_filter=search_filter,attrs=attr)
try:
ret[0][0][1][attr]
except KeyError:
return
val = ret[0][0][1][attr]
if len(val) == 1:
return val[0]
else:
return val
def get_user_attr(self,user,attr='cn',return_dn=False):
if user not in self.get_users(): return
dn = self.dgattrs['user']['dn']
ret = self.search(dn=dn,search_filter="(&(objectClass=user)(!(objectClass=computer))(cn=%s))"%user,attrs=[attr])
try:
ret[0][0][1][attr]
except:
if return_dn:
return (ret[0][0][0],None)
return
val = ret[0][0][1][attr]
if len(val) == 1:
if return_dn:
return (ret[0][0][0],val[0])
return val[0]
else:
if return_dn:
return (ret[0][0][0],val)
return val
def set_user_attr(self,user,attr,val):
if user not in self.get_users(): return
dn,current_val = self.get_user_attr(user,attr,return_dn=True)
if current_val:
current_val = current_val[0]
else:
current_val = ''
ldif = modlist.modifyModlist({attr:current_val},{attr:val})
self.conn.modify_s(dn,ldif)