Tags: python-3.x, active-directory, ldap, openldap, ldap3

Update LDAP attribute in AD with Python


When I try to update an Active Directory attribute with this code:

import ldap3

dn = (
    "CN=user_ldap,OU=dept_name,OU=Application,"
    "OU=Service Accounts,OU=Domain Users,DC=company-corp,DC=global"
)

# define the server
server = ldap3.Server(
    "ldaps.company-corp.global", get_info=ldap3.ALL, port=636, use_ssl=True
)

# define the connection
conn = ldap3.Connection(server, dn, psw, auto_bind=True)

conn.start_tls()

userID = "jdoe"

# perform the Modify operation
conn.modify(
    f"CN={userID},OU=managed,OU=Domain Users,DC=company-corp,DC=global",
    {"displayName": [(ldap3.MODIFY_REPLACE, ["Doe, John D"])]},
)

print(conn.result)

I get the following error:

{'result': 32, 'description': 'noSuchObject', 'dn': 'OU=Managed,OU=Domain Users,DC=company-corp,DC=global', 'message': "0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'OU=Managed,OU=Domain Users,DC=ssnc-corp,DC=global'\n\x00", 'referrals': None, 'type': 'modifyResponse'}

Please advise.

Thanks in advance.


Solution

  • The NO_OBJECT error generally means an object with the specified DN (in this case cn=jdoe,ou=managed,ou=domain users,dc=company-corp,dc=global) cannot be found.

    It's possible to get the error when the service account doesn't have rights to read the record or when the fully qualified DN is incorrect.

    To eliminate an incorrect fully qualified DN, you could try searching for an object (for example, do a search for sAMAccountName=LogonIDGoesHere) and retrieving the DN value.

    To eliminate access, you can check an account's effective permissions to an object using Active Directory Users & Computers.

    • On the "Security" tab, click "Advanced".
    • In the advanced security settings window, click on the "Effective Access" tab.
    • Click the 'select a user' link to select your service account, then click "View effective access" to see if something like 'read all properties' or 'read general information' is allowed.
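
The DN lookup suggested in the answer, as an added example (not code from the question or the answer): it searches on sAMAccountName with the value escaped for use in a filter, requires exactly one match, and modifies the DN the directory returned. `StubConnection`, `BASE`, `DEMO` and the directory contents are constructed so the block runs offline; the functions rely only on `search`, `response`, `modify` and `result`, which a synchronous `ldap3.Connection` also provides.

```python
# RFC 4515 filter metacharacters (ldap3.utils.conv.escape_filter_chars does the same job).
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def resolve_dn(conn, search_base, logon_id):
    """Return the DN of the one entry whose sAMAccountName equals logon_id."""
    conn.search(search_base, f"(sAMAccountName={escape_filter_value(logon_id)})")
    # AD may return referral records as well; count real entries only.
    dns = [r["dn"] for r in (conn.response or []) if r.get("type") == "searchResEntry"]
    if len(dns) != 1:
        raise LookupError(f"expected exactly 1 entry for {logon_id!r}, found {len(dns)}")
    return dns[0]


def set_display_name(conn, search_base, logon_id, display_name):
    """Look the DN up rather than building it from the logon ID, then replace displayName."""
    dn = resolve_dn(conn, search_base, logon_id)
    # "MODIFY_REPLACE" is the value of the ldap3.MODIFY_REPLACE constant.
    conn.modify(dn, {"displayName": [("MODIFY_REPLACE", [display_name])]})
    return dn, conn.result


class StubConnection:
    """Constructed stand-in with the ldap3.Connection members used above (assumption)."""
    def __init__(self, accounts):
        self.accounts, self.response, self.result = accounts, [], None

    def search(self, search_base, search_filter, attributes=None):
        self.response = [{"type": "searchResEntry", "dn": dn} for name, dn in
                         self.accounts.items() if search_filter == f"(sAMAccountName={name})"]
        return bool(self.response)

    def modify(self, dn, changes):
        code = 0 if dn in self.accounts.values() else 32  # 32 = noSuchObject
        self.result = {"result": code}
        return code == 0


BASE = "DC=company-corp,DC=global"
# Constructed directory: the CN differs from the logon ID, so CN=jdoe,... would not exist.
DEMO = StubConnection({"jdoe": "CN=John Doe,OU=Managed,OU=Domain Users," + BASE})

if __name__ == "__main__":
    print(set_display_name(DEMO, BASE, "jdoe", "Doe, John D"))
```

Against a real directory, pass the bound `ldap3.Connection` in place of `DEMO`; a `LookupError` with zero matches points at the search base or the account's read permissions rather than at the modify call.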