python-ldap creating a group
Question
I'm trying to create a security group in AD from a python script with python-ldap.
I'm able to bind my user which has sufficient rights to perform such an operation (confirmed by creating the group from ADExplorer gui client) and search the domain, but when it comes to adding the new group it fails with:
ldap.INSUFFICIENT_ACCESS: {'info': '00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\\n', 'desc': 'Insufficient access'}
This is the script:
import ldap
import ldap.modlist as modlist
server = 'hidden'
user_dn = 'hidden'
user_pw = 'hidden'
fs_dn = 'ou=fssecuritygroups,ou=tkogroups,ou=tokyo,dc=unit,dc=xyz,dc=intra'
l = ldap.initialize("ldaps://"+server)
l.bind_s(user_dn, user_pw)
groupname = 'mytestfs'
attr = {}
attr['objectClass'] = ['group','top']
attr['groupType'] = '-2147483646'
attr['cn'] = groupname
attr['name'] = groupname
attr['sAMAccountName'] = groupname
ldif = modlist.addModlist(attr)
print(l.add_s(fs_dn,ldif))
1 answers
solution1
2 ACCPTED 2015-01-27 09:48:25
I got the same error when I try to add a new object under a dn where I am not allowed to add.
Eg I have access rights to the ldap-server (binding works), I'm allowed to add group-objects under ou=germany,ou=groups,dc=ACME - but I'm not allowed to add a group-object under ou=groups,dc=ACME .
Maybe you checkout the constraints of the ldap or the like.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.