Reputation: 536
python-ldap creating a group
I'm trying to create a security group in AD from a python script with python-ldap.
I'm able to bind my user which has sufficient rights to perform such an operation (confirmed by creating the group from ADExplorer gui client) and search the domain, but when it comes to adding the new group it fails with:
ldap.INSUFFICIENT_ACCESS: {'info': '00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n', 'desc': 'Insufficient access'}
This is the script:
import ldap
import ldap.modlist as modlist
server = 'hidden'
user_dn = 'hidden'
user_pw = 'hidden'
fs_dn = 'ou=fssecuritygroups,ou=tkogroups,ou=tokyo,dc=unit,dc=xyz,dc=intra'
l = ldap.initialize("ldaps://"+server)
l.bind_s(user_dn, user_pw)
groupname = 'mytestfs'
attr = {}
attr['objectClass'] = ['group','top']
attr['groupType'] = '-2147483646'
attr['cn'] = groupname
attr['name'] = groupname
attr['sAMAccountName'] = groupname
ldif = modlist.addModlist(attr)
print(l.add_s(fs_dn,ldif))
Upvotes: 4
Views: 6026
Answers (1)
Reputation: 489
I got the same error when I try to add a new object under a dn where I am not allowed to add.
E.g. I have access rights to the ldap-server (binding works), I'm allowed to add group-objects under ou=germany,ou=groups,dc=ACME - but I'm not allowed to add a group-object under ou=groups,dc=ACME.
Maybe you checkout the constraints of the ldap or the like.
Upvotes: 2
Related Questions
- python-ldap creating a group returns "already exists" (in an empty OU and non existent sAMAccountName)
- How to add user to LDAP group using Python?
- Python ldap3 how to get all members of a group
- adding and removing members to/from active directory group in python
- ldap3 python add user to group
- Python ldap3 create group
- python 3.7 and ldap3 reading group membership
- Python LDAP authentication to a Security Group in Active Directory
- How do I add a new user to a group with LDAP in Python?
- adding group using python-ldap