Python3 Ldap3: Cannot add entities ( new user object) on ldap via python script

Question

I am writing a python code to be able to add a new user account on LDAP.. Pyhton3 and LDAP3.. so far i can search the data out .. but i can not insert a new user into LDAP via script.. But same account i can insert by using fusiondirectoy.

Issue: it said i have no right when i use ObjectClass : inetOrgPerson. And i need to add givenName attribute which need to use this objectClass.

My code:

import boto3
import sys,getopt
import ldap3
def main(argv):
     add_uid = ''
     add_username = ''
     add_password = ''
     add_group = ''
     add_mail = ''
     add_role = ''
     actual_uid = ''
     actual_user = ''
     actual_pass = ''
     actual_group = ''
     actual_mail = ''
     actual_role = ''
     try:
         opts, args = getopt.getopt(argv, "hi:u:p:r:e:",["add_uid=","add_username=","add_password=","add_mail="])
     except getopt.GetoptError:
         PrintHelp()
     for opt, arg in opts:
         if opt == '-h':
            PrintHelp()
         elif opt in ("-i", "--add_uid"):
            actual_uid = arg
         elif opt in ("-u", "--add_username"):
            actual_user = arg
         elif opt in ("-p", "--add_password"):
            actual_pass = arg
         elif opt in ("-e", "--add_mail"):
            actual_mail = arg
     if (actual_uid == '') or (actual_user == '') or (actual_pass == '') or (actual_mail == ''):
         PrintHelp()
     else:
         LDAPfuction(actual_uid,actual_user,actual_pass,actual_mail)

def PrintHelp():
    print ('\n@@@ 4 parameters are needed @@@: python3 LDAPuserManagement.py -i {} -u {} -p {} -e {} \nExample --> LDAPuserManagement.py -i sumana_w -u "Sumana Wongrattanakul" -p XXXXXXXXXX -e *******@XXXXXX \n-i = user id  \n-u = usamename (that want to be added.. format = "FirstName Lastname") \n-p = Password\n-e = targeted user email (xxxxxx@acommerce.asia) \n\nOPTIONALS:\n\n-h = help (how to use)\n')
    sys.exit(2)

def LDAPfuction(actual_uid,actual_user,actual_pass,actual_mail):
    from ldap3 import Server, Connection, ALL
    ldap_server ='ldap://[server]:389'
    ldap_base_user = 'ou=people,dc=xxxxx,dc=xxxxxx,dc=xxxxx'
    ldap_user = 'user'
    ldap_password = 'password'
    user_dn = "uid="+ldap_user+","+ldap_base_user
    searchFilter_user = "(&(cn="+actual_user+")(objectclass=*))"
    search_att_user = ['uid','cn','sn','fdPrivateMail','givenName']
    l = ''
    conn_user= []
    c = ''
    lastname = []
    dn = ''
    attrs = {}
    result_add = ''
    attrs_1 = {}

    try:
    #--------------- Connecting to LDAP ---------------------------------------
        c=Server(ldap_server, port=389, get_info=ALL)

       l=Connection(c,user=user_dn,password=ldap_password,auto_bind=True)
        print (l.bind)
        if not l.bind():
            print ("ERROR in Blind", l.result)

    except:
        print ("\n\n @@@@ Please open DEV VPN connection @@@@ \n\n")
    #--------------- Checking if account is already existing or not -----------
    l.search(ldap_base_user, searchFilter_user, attributes=search_att_user)
    conn_user =l.entries
    if conn_user != []:
        print (conn_user)
        print ("\n\n @@@ This account already exist in LDAP @@@\n\n")
        sys.exit(2)
    else:
        lastname = str.split(actual_user)
        print (actual_uid)
        print (actual_user)
        print (actual_pass)
        print (lastname[0])
        print (lastname[1])
        print (actual_mail)

        dn_1 = "cn="+actual_user+","+ldap_base_user
        #dn_1 = "uid="+actual_uid+","+ldap_base_user
        attrs['objectclass']=['inetOrgPerson']
        attrs['cn'] = actual_user
        attrs['sn'] = lastname[1]
        attrs['givenName']=lastname[0]
        attrs['uid']=actual_uid
        attrs['userPassword']=actual_pass
        print (dn_1)
        print (attrs)
        l.add(dn_1,attributes=attrs)
        print (l.result)

if __name__ == "__main__":
    main(sys.argv[1:])

Result :{'result': 50, 'description': 'insufficientAccessRights', 'dn': '', 'message': 'no write access to parent', 'referrals': None, 'type': 'addResponse'}

Any help ?

Answer 1

It looks like you don't have the permission to create user accounts.

I ran some test code to check my theory where I bind to my LDAP server and try to create a user, the bind was successful but the Connection.add(...) failed with:

{'description': 'insufficientAccessRights', 'result': 50, 'type': 'addResponse', 'dn': '', 'message': '00000005: SecErr: DSID-03152857, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n\x00', 'referrals': None}

Which to me looks very similar to your error.