noirello / bonsai

Simple Python 3 module for LDAP, using libldap2 and winldap C libraries.
MIT License

Cannot change "userAccountControl" attribute #56

Closed jcklie closed 2 years ago

jcklie commented 2 years ago

Hi, thank you for developing bonsai, the API is much nicer than python-ldap. I have a problem that when I create a new user with bonsai via AD, then I cannot set the userAccountControl attribute to enable the user:

    from bonsai import LDAPEntry, LDAPModOp

    entry = LDAPEntry(user.distinguished_name)
    entry["cn"] = user.fullname
    entry["givenName"] = user.firstname
    entry["sn"] = user.lastname
    entry["userPrincipalName"] = user.account_name
    entry["displayName"] = user.fullname
    entry["objectclass"] = "user",
    entry["sAMAccountName"] = user.account_name
    entry["userPassword"] = user.password
    entry["mail"] = user.email

    with self._build_client().connect() as conn:
        # conn.add() binds the entry to this connection, so entry.modify() works below
        res = conn.add(entry)
        print(res)

        # http://www.selfadsi.de/ads-attributes/user-userAccountControl.htm
        # 66048 = NORMAL_ACCOUNT (512) + DONT_EXPIRE_PASSWORD (65536)
        entry.change_attribute("userAccountControl", LDAPModOp.REPLACE, 66048)
        entry.modify()

The account is created but the modify fails:

bonsai.errors.UnwillingToPerform: Unwilling To Perform. (0x0035 [53])

Do you have an idea what is wrong? I checked already the password, it adheres to the AD policies and I also tried setting 512 instead of 66048. I also tried setting it in the initial create, but the error is then the same.
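The issue above replaces userAccountControl with a hard-coded 66048. The attribute is a bitmask, so a blind REPLACE also overwrites whatever flags AD already set on the new object (a freshly created user without an accepted password normally carries 546 = ACCOUNTDISABLE + PASSWD_NOTREQD + NORMAL_ACCOUNT), and AD answers unwillingToPerform (53) when a precondition for the resulting state is not met, for instance clearing ACCOUNTDISABLE before the DC has accepted a password (unicodePwd writes are only accepted over an encrypted connection). The following is an added example, not code from the issue or from the bonsai project: it decodes and composes userAccountControl values with the standard AD flag constants and does the read-modify-write that an enable should be, so the value sent in the modify is derived from the one the DC returned rather than guessed. It does not import bonsai, so it runs offline; the `LDAPModOp.REPLACE` call it would feed is shown in a comment only. It also lists a few flags worth flagging in an audit, which goes beyond the single enable case in the issue.

```python
"""Decode, compose and safely update Active Directory userAccountControl values.

Added example (not part of bonsai). The flag table is the standard set of
userAccountControl bits documented by Microsoft; only the sample values below
are constructed for illustration.
"""
from __future__ import annotations

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}

# Flags that weaken authentication for the account; worth reporting in an audit.
RISKY_FLAGS = (
    "PASSWD_NOTREQD",
    "DONT_REQ_PREAUTH",
    "TRUSTED_FOR_DELEGATION",
    "USE_DES_KEY_ONLY",
    "ENCRYPTED_TEXT_PWD_ALLOWED",
)


def decode_uac(value: int) -> list[str]:
    """Return the names of the bits set in a userAccountControl integer, lowest bit first.

    Unknown bits are reported as UNKNOWN_0x... instead of being dropped, so a
    review never hides a flag this table does not know about.
    """
    names = []
    bit = 1
    while bit <= value:
        if value & bit:
            names.append(UAC_FLAGS.get(bit, f"UNKNOWN_0x{bit:X}"))
        bit <<= 1
    return names


def compose_uac(*names: str) -> int:
    """OR together named flags. A typo raises KeyError rather than producing a wrong mask."""
    value = 0
    for name in names:
        value |= NAME_TO_BIT[name]
    return value


def update_uac(current: int, add: tuple[str, ...] = (), remove: tuple[str, ...] = ()) -> int:
    """Read-modify-write: start from the value the DC returned, then add/remove flags.

    This is the value to send with LDAPModOp.REPLACE; it keeps every bit AD
    already set that the caller did not explicitly change.
    """
    return (current | compose_uac(*add)) & ~compose_uac(*remove)


def risky_flags(value: int) -> list[str]:
    """Names from RISKY_FLAGS that are set in the given value (for audit output)."""
    return [name for name in RISKY_FLAGS if value & NAME_TO_BIT[name]]


if __name__ == "__main__":
    # Constructed sample: a user object as AD typically creates it before a
    # password has been accepted (546 = 0x222).
    created = 546
    print("created :", created, decode_uac(created), "risky:", risky_flags(created))

    # The value from the issue, decoded: NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD.
    print("66048   :", decode_uac(66048))

    # Enable the account without touching other bits: clear ACCOUNTDISABLE only.
    enabled = update_uac(created, remove=("ACCOUNTDISABLE",))
    print("enabled :", enabled, decode_uac(enabled))
    # With bonsai this would be:
    #   entry.change_attribute("userAccountControl", LDAPModOp.REPLACE, enabled)
    #   entry.modify()
```

Reading the attribute back first (a search for the user's DN returning userAccountControl) and feeding that integer to `update_uac` is the difference from the issue's code: with 546 as the starting value, `update_uac(546, remove=("ACCOUNTDISABLE",))` yields 544, which still carries PASSWD_NOTREQD and is exactly the kind of leftover flag `risky_flags` is there to surface.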

noirello commented 2 years ago

I added a test case when an AD user is created, then enabled. The entry is based on your example.

The test ran successfully on the CI, so my guess is that the error is related to some AD configurations. The UnwillingToPerform error could indicate that some security criteria are not met.