From: <mi...@st...> - 2003-05-01 16:34:50
Michael Engelhart wrote:
> Hmm. OK - well below are the relevant snippets from LDAPWrapper class.
> When I pass in a valid dn for "user" and an incorrect password, it still
> binds. It appears to bind as a user that has no privileges but it
> doesn't throw an exception. Strange.

Maybe some problems with ACLs (check
http://www.openldap.org/faq/data/cache/189.html)?

Below's a test I did with my local server.

1. ldap.INVALID_CREDENTIALS is raised if the password provided does not
   match value of attribute 'userPassword'.
2. ldap.INAPPROPRIATE_AUTH is raised if entry does not have attribute
   'userPassword' at all.
3. It only binds in the case the password matches.

Best bet is trying to reproduce the same behaviour with OpenLDAP's
ldapsearch and ask on the openldap-software mailing list.

Ciao, Michael.

------------------------------- snip -------------------------------
>>> import ldap
>>> l=ldap.initialize('ldap://localhost:1390')
>>> l.simple_bind_s('uid=anna,ou=Testing,dc=stroeder,dc=com','wrong password')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/lib/python2.2/site-packages/ldap/ldapobject.py", line 435, in simple_bind_s
    self.bind_s(who,passwd,_ldap.AUTH_SIMPLE)
  File "/usr/lib/python2.2/site-packages/ldap/ldapobject.py", line 154, in bind_s
    self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.2/site-packages/ldap/ldapobject.py", line 334, in result
    return self._ldap_call(self._l.result,msgid,all,timeout)
  File "/usr/lib/python2.2/site-packages/ldap/ldapobject.py", line 90, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'info': '', 'desc': 'Invalid credentials'}
>>> l.simple_bind_s('cn=Michael Stroeder,ou=Testing,dc=stroeder,dc=com','wrong password')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/lib/python2.2/site-packages/ldap/ldapobject.py", line 435, in simple_bind_s
    self.bind_s(who,passwd,_ldap.AUTH_SIMPLE)
  File "/usr/lib/python2.2/site-packages/ldap/ldapobject.py", line 154, in bind_s
    self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.2/site-packages/ldap/ldapobject.py", line 334, in result
    return self._ldap_call(self._l.result,msgid,all,timeout)
  File "/usr/lib/python2.2/site-packages/ldap/ldapobject.py", line 90, in _ldap_call
    result = func(*args,**kwargs)
ldap.INAPPROPRIATE_AUTH: {'info': '', 'desc': 'Inappropriate authentication'}
>>> l.simple_bind_s('uid=anna,ou=Testing,dc=stroeder,dc=com','anna')
>>>