如何使用Ruby1.9.2和roryO的net-ldap-gem从RubyOnRails3修改ActiveDirectory中的userAccountControl? [英] How to modify userAccountControl in ActiveDirectory from RubyOnRails3 with Ruby1.9.2 and roryO's net-ldap - gem?
问题描述
我要做的是启用/禁用Active Directory用户帐户. 在Active Directory中,信息以十六进制值的形式存储在名为userAccessControl的属性的位寄存器中.在我们的Windows 2008 Server R1中,对于启用的帐户(用户密码永不过期)为0x10200,对于禁用的帐户(用户密码永不过期)为0x10202.
what I want to do is to en-/disable an Active Directory Useraccount. In Active Directory that information is stored in a bit-register in an attribute called userAccessControl as a HEX-Value. In our Windows 2008 Server R1, that is 0x10200 for an enabled account with the option that a users password never expires, or 0x10202 for a disabled account with the option that a users password never expires.
现在只需触摸启用/禁用信息的标志,我编写了以下方法...
Now to just touch the flag for the enabled/disabled information, I wrote the following method...
def set_account_active_flag(activate)
success = false
get_aduser if @aduser.nil?
puts "#####################################"
unless @uac.nil? || @uac.blank?
tmpuac = @uac.to_i
tmpuac = activate ? tmpuac & 2 == 0 ? tmpuac | 2
: tmpuac
: tmpuac & 2 == 2 ? tmpuac ^ 2
: tmpuac
ldap_con = self.class.initialize_ldap_con
# success = ldap_con.replace_attribute ldap_encode(@dn), :userAccountControl, tmpuac
success = ldap_con.replace_attribute ldap_encode(@dn), :userAccountControl, ldap_encode(tmpuac.to_s)
else
puts ">>>>>\nuserAccessControl-Register is not available\n<<<<<"
end
rescue Net::LDAP::LdapError => e
puts "NET::LDAP::LdapError\n#{e}"
ensure
puts "-------------------------------------"
puts "LDAP operation failed (#{ldap_con.get_operation_result.code}):"
puts "-------------------------------------"
puts ldap_con.get_operation_result.message
puts "#####################################"
return success
end
好的...内部结构:
- get_aduser只是一种加载一组广告属性(['dn','userPrincipalName','givenname','sn','mail','memberof','userAccountControl'])并存储它们的方法进入尝试登录的用户的实例变量(@ dn,@ user_principal_name,@ first_name,@ last_name,@ groups,@ uac)
那部分就像一个护身符. @uac(重新设置为字符串),我可以转换为整数
That part works like a charm. @uac (returened as a string), I can transform to an integer
x = @uac.to_i
然后将其用作位寄存器以检查和修改标志
and then use that as a bit-register to check and modify flags
x & 2 # => 0 if unset, => 1 if set
x |= 2 # sets the flag
x ^= 2 # unsets the flag
工作正常后,我认为将其值写回我的Active Directory就很容易.
That working I thought it as easy as to just write back that value to my Active Directory.
出现我的问题: 到目前为止,我尝试将新的userAccountControl值写回为 integer 和 string ,但是两次尝试都失败了,尽管两种情况下的操作结果消息均为{Code: 0,消息:成功"}
There comes my Problem: So far I tried to write back the new userAccountControl value as integer and as string, but both attempts fail, although the operation-result-message in both cases is {Code:0, Message:'Success'}
尝试将新的userAccessControl值写回为整数会引发NET :: LDAP :: LdapError
Trying to write back the new userAccessControl value as integer raises NET::LDAP::LdapError
#####################################
NET::LDAP::LdapError
response missing or invalid
-------------------------------------
LDAP operation failed (0):
-------------------------------------
Success
#####################################
=> false
尝试将新的userAccessControl值写回为 string 不会引发错误,但仍然会导致错误
Trying to write back the new userAccessControl value as string does not raise an error but still results in false
#####################################
-------------------------------------
LDAP operation failed (0):
-------------------------------------
Success
#####################################
=> false
所以我想知道,我在做什么错了?"
So I wonder, 'What am I doing wrong?'
有人知道如何将userAccessControl写回ActiveDirectory吗?
Does anybody know how to write back userAccessControl to ActiveDirectory?
我是否必须使用回写用户密码所需的那种笨拙算法来转换新的userAccessControl-Value?
Do I have to transform the new userAccessControl-Value using something like that awkward algorithm needed to write back a user-password?
非常感谢您提供任何有用的提示甚至解决方案.
Thanks a lot in advance for any useful hint or even a solution.
最诚挚的问候,
Ingo Gambin
Ingo Gambin
推荐答案
好吧,从玩弄所有ldap连接的东西开始,并尝试了几种不同的方法,例如使用我在rails中执行的php脚本编写整个节目,回写修改后的值实际上似乎没有任何实际问题!
Ok, from toying around with all the ldap connection stuff and having tried several different approaches, like writing the whole show using php-scripts that I executed from within rails, it seems there is actually no real problem in writing the modified value back!
我做错了什么? 没事! ...好吧...或多或少...就是...
What did I do wrong? Nothing! ... well ... more or less ... that is ...
为什么我没有意识到上述种类"方法有效?
Why did I fail to realize the above approach 'kind of' worked?
- 具有ActiveDirectory SnapIn来查看用户列表时,在按"F5"时不会实现微小的已停用"图标...实际上,我认为F5可以在所有情况下实现该列表...但事实并非如此.所以我没看到那里的变化.
- 上面的代码包含一些逻辑错误.如果不启用帐户,则禁用该帐户,反之亦然,因为上述方法假定AD-control标志被称为帐户有效",但情况并非如此,该标志为帐户已停用".因此设置标志意味着DEACTIVATION,这与我上面的方法相反.
- 除了AD-Account-DEACTIVATION-Flag以外,我们的用户记录中还有一个类似的标志.我的测试用户实际上在那儿被禁用了,直接在不设置用户记录设置=>的情况下调用了LDAP-Modification,因此即使未禁用AD-Account,我的测试用户记录也仍然被禁用并且不允许登录.
-
最后但并非最不重要的一点:即使修改成功,替换"userAccountControl"值的实际尝试的返回值仍将返回false(并且仍然在下面给出的适当解决方案中这样做):>
success = ldap_con.replace_attribute ldap_encode(@dn), :userAccountControl, ldap_encode(tmpuac.to_s)
这里是设置帐户停用"的固定方法(并且要写回的值应为字符串):
Here the fixed method to set Account Deactivation (and the value to be written back is expected as a string):
def set_account_deactivation(deactivate)
get_aduser if @dn.nil?
success = false
unless @uac.nil? || @uac.blank?
tmpuac = @uac.to_i
# deactivate = true means 'Account Deactivated'-flag => false
tmpuac = deactivate ? tmpuac & 2 == 0 ? tmpuac | 2 # flag not set (active) = account is not deactivated ? deactivate
: tmpuac # : leave as is
: tmpuac & 2 == 2 ? tmpuac ^ 2 # flag set (deactivated) = account is deactivated ? activate
: tmpuac # : leave as is
ldap_con = self.class.initialize_ldap_con
success = ldap_con.replace_attribute ldap_encode(@dn), :useraccountcontrol, ldap_encode("#{tmpuac}")
else
puts "Failed to read userAccessControl-Register!"
end
rescue Net::LDAP::LdapError => e
puts "NET::LDAP::LdapError\n#{e}"
ensure
return success
end
def ldap_encode(string)
if string.encoding.name != 'ASCII-8BIT'
string.dup.force_encoding 'ASCII-8BIT'
else
string
end
end
这篇关于如何使用Ruby1.9.2和roryO的net-ldap-gem从RubyOnRails3修改ActiveDirectory中的userAccountControl?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!