如何使用Ruby1.9.2和roryO的net-ldap-gem从RubyOnRails3修改ActiveDirectory中的userAccountControl? [英] How to modify userAccountControl in ActiveDirectory from RubyOnRails3 with Ruby1.9.2 and roryO's net-ldap - gem?

查看：61 发布时间：2020/4/30 8:49:21 ruby-on-rails ruby active-directory ldap

本文介绍了如何使用Ruby1.9.2和roryO的net-ldap-gem从RubyOnRails3修改ActiveDirectory中的userAccountControl?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我要做的是启用/禁用Active Directory用户帐户. 在Active Directory中，信息以十六进制值的形式存储在名为userAccessControl的属性的位寄存器中.在我们的Windows 2008 Server R1中，对于启用的帐户(用户密码永不过期)为0x10200，对于禁用的帐户(用户密码永不过期)为0x10202.

what I want to do is to en-/disable an Active Directory Useraccount. In Active Directory that information is stored in a bit-register in an attribute called userAccessControl as a HEX-Value. In our Windows 2008 Server R1, that is 0x10200 for an enabled account with the option that a users password never expires, or 0x10202 for a disabled account with the option that a users password never expires.

现在只需触摸启用/禁用信息的标志，我编写了以下方法...

Now to just touch the flag for the enabled/disabled information, I wrote the following method...

def set_account_active_flag(activate)
  success = false
  get_aduser if @aduser.nil?
  puts "#####################################"
  unless @uac.nil? || @uac.blank?
    tmpuac = @uac.to_i
    tmpuac = activate ? tmpuac & 2 == 0 ? tmpuac | 2
                                        : tmpuac
                      : tmpuac & 2 == 2 ? tmpuac ^ 2
                                        : tmpuac
    ldap_con = self.class.initialize_ldap_con
    # success = ldap_con.replace_attribute ldap_encode(@dn), :userAccountControl, tmpuac


   success = ldap_con.replace_attribute ldap_encode(@dn), :userAccountControl, ldap_encode(tmpuac.to_s)
  else
    puts ">>>>>\nuserAccessControl-Register is not available\n<<<<<"
  end
rescue Net::LDAP::LdapError => e
  puts "NET::LDAP::LdapError\n#{e}"
ensure
  puts "-------------------------------------"
  puts "LDAP operation failed (#{ldap_con.get_operation_result.code}):"
  puts "-------------------------------------"
  puts ldap_con.get_operation_result.message
  puts "#####################################"
  return success
end

好的...内部结构:

get_aduser只是一种加载一组广告属性(['dn'，'userPrincipalName'，'givenname'，'sn'，'mail'，'memberof'，'userAccountControl'])并存储它们的方法进入尝试登录的用户的实例变量(@ dn，@ user_principal_name，@ first_name，@ last_name，@ groups，@ uac)

那部分就像一个护身符. @uac(重新设置为字符串)，我可以转换为整数

That part works like a charm. @uac (returened as a string), I can transform to an integer

x = @uac.to_i

然后将其用作位寄存器以检查和修改标志

and then use that as a bit-register to check and modify flags

x &  2 # => 0 if unset, => 1 if set
x |= 2 # sets the flag
x ^= 2 # unsets the flag

工作正常后，我认为将其值写回我的Active Directory就很容易.

That working I thought it as easy as to just write back that value to my Active Directory.

出现我的问题: 到目前为止，我尝试将新的userAccountControl值写回为 integer 和 string ，但是两次尝试都失败了，尽管两种情况下的操作结果消息均为{Code: 0，消息:成功"}

There comes my Problem: So far I tried to write back the new userAccountControl value as integer and as string, but both attempts fail, although the operation-result-message in both cases is {Code:0, Message:'Success'}

尝试将新的userAccessControl值写回为整数会引发NET :: LDAP :: LdapError

Trying to write back the new userAccessControl value as integer raises NET::LDAP::LdapError

#####################################
NET::LDAP::LdapError 
response missing or invalid
-------------------------------------
LDAP operation failed (0):
-------------------------------------
Success
#####################################
=> false

尝试将新的userAccessControl值写回为 string 不会引发错误，但仍然会导致错误

Trying to write back the new userAccessControl value as string does not raise an error but still results in false

#####################################
-------------------------------------
LDAP operation failed (0):
-------------------------------------
Success
#####################################
=> false

所以我想知道，我在做什么错了?"

So I wonder, 'What am I doing wrong?'

有人知道如何将userAccessControl写回ActiveDirectory吗?

Does anybody know how to write back userAccessControl to ActiveDirectory?

我是否必须使用回写用户密码所需的那种笨拙算法来转换新的userAccessControl-Value?

Do I have to transform the new userAccessControl-Value using something like that awkward algorithm needed to write back a user-password?

非常感谢您提供任何有用的提示甚至解决方案.

Thanks a lot in advance for any useful hint or even a solution.

最诚挚的问候，

Ingo Gambin

推荐答案

好吧，从玩弄所有ldap连接的东西开始，并尝试了几种不同的方法，例如使用我在rails中执行的php脚本编写整个节目，回写修改后的值实际上似乎没有任何实际问题！

Ok, from toying around with all the ldap connection stuff and having tried several different approaches, like writing the whole show using php-scripts that I executed from within rails, it seems there is actually no real problem in writing the modified value back!

我做错了什么? 没事！ ...好吧...或多或少...就是...

What did I do wrong? Nothing! ... well ... more or less ... that is ...

为什么我没有意识到上述种类"方法有效?

Why did I fail to realize the above approach 'kind of' worked?

具有ActiveDirectory SnapIn来查看用户列表时，在按"F5"时不会实现微小的已停用"图标...实际上，我认为F5可以在所有情况下实现该列表...但事实并非如此.所以我没看到那里的变化.
上面的代码包含一些逻辑错误.如果不启用帐户，则禁用该帐户，反之亦然，因为上述方法假定AD-control标志被称为帐户有效"，但情况并非如此，该标志为帐户已停用".因此设置标志意味着DEACTIVATION，这与我上面的方法相反.
除了AD-Account-DEACTIVATION-Flag以外，我们的用户记录中还有一个类似的标志.我的测试用户实际上在那儿被禁用了，直接在不设置用户记录设置=>的情况下调用了LDAP-Modification，因此即使未禁用AD-Account，我的测试用户记录也仍然被禁用并且不允许登录.
最后但并非最不重要的一点:即使修改成功，替换"userAccountControl"值的实际尝试的返回值仍将返回false(并且仍然在下面给出的适当解决方案中这样做):

 success = ldap_con.replace_attribute ldap_encode(@dn), :userAccountControl, ldap_encode(tmpuac.to_s)

这里是设置帐户停用"的固定方法(并且要写回的值应为字符串):

Here the fixed method to set Account Deactivation (and the value to be written back is expected as a string):

def set_account_deactivation(deactivate)
  get_aduser if @dn.nil?
  success = false
  unless @uac.nil? || @uac.blank?
    tmpuac = @uac.to_i
    # deactivate = true means 'Account Deactivated'-flag => false
    tmpuac = deactivate ? tmpuac & 2 == 0 ? tmpuac | 2  # flag not set (active)  = account is not deactivated ? deactivate
                                          : tmpuac      #                                                     : leave as is
                        : tmpuac & 2 == 2 ? tmpuac ^ 2  # flag set (deactivated) = account is deactivated     ? activate
                                          : tmpuac      #                                                     : leave as is
    ldap_con = self.class.initialize_ldap_con
    success = ldap_con.replace_attribute ldap_encode(@dn), :useraccountcontrol, ldap_encode("#{tmpuac}")
  else
    puts "Failed to read userAccessControl-Register!"
  end
rescue Net::LDAP::LdapError => e
  puts "NET::LDAP::LdapError\n#{e}"
ensure
  return success
end

def ldap_encode(string)
  if string.encoding.name != 'ASCII-8BIT'
    string.dup.force_encoding 'ASCII-8BIT'
  else
    string
  end
end

这篇关于如何使用Ruby1.9.2和roryO的net-ldap-gem从RubyOnRails3修改ActiveDirectory中的userAccountControl?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！

查看全文

如何使用Ruby1.9.2和roryO的net-ldap-gem从RubyOnRails3修改ActiveDirectory中的userAccountControl? [英] How to modify userAccountControl in ActiveDirectory from RubyOnRails3 with Ruby1.9.2 and roryO's net-ldap - gem?

问题描述

推荐答案

相关文章

其他开发最新文章

热门教程

热门工具

登录关闭

如何使用Ruby1.9.2和roryO的net-ldap-gem从RubyOnRails3修改ActiveDirectory中的userAccountControl? [英] How to modify userAccountControl in ActiveDirectory from RubyOnRails3 with Ruby1.9.2 and roryO&#39;s net-ldap - gem?

问题描述

推荐答案

相关文章

其他开发最新文章

热门教程

热门工具

登录 关闭

如何使用Ruby1.9.2和roryO的net-ldap-gem从RubyOnRails3修改ActiveDirectory中的userAccountControl? [英] How to modify userAccountControl in ActiveDirectory from RubyOnRails3 with Ruby1.9.2 and roryO's net-ldap - gem?

登录关闭