From: <mi...@st...> - 2006-07-02 10:25:41
jacob martinson wrote:
>
> I created a user in AD with search rights and am able to do a simple
> bind with the java-based "LDAP Browser" and search/browse the
> directory with those credentials.
>
> When I try to do a simple bind to the directory with python-ldap I
> don't get an exception, but when I try to perform the search, I get an
> exception indicating I didn't bind successfully:

I guess something's wrong in your code.

> ldap.OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C090627,
> comment: In order to perform this operation a successful bind must be
> completed on the connection., data 0, vece', 'desc': 'Operations
> error'}

I suspect you're really doing a search before an appropriate bind.

> I am attaching the script that generated this exception. Am I missing
> something?

I'm not going to debug your code especially since it's an incomplete
excerpt. Just some hints:

> def search_ad(email,password=''):

Where is password used?

>     # Connect to ldap server, retrieve the CN tied to the given email addr
>     try:
>         l = ldap.open(ldapconf.host)

You should use ldap.initialize(). Look into arguments trace_level and
trace_file. (Hmm, the docs need an update in this regard.)
The output could help you find the error in the sequence and arguments of
the LDAP requests you send. Beware: It outputs passwords!

>         l.simple_bind_s(ldapconf.ldap_user,ldapconf.ldap_pass)

Obviously ldapconf.ldap_pass is not the argument password above.
Another hint: The universal principal name is not always the RFC 822
e-mail address of a user. This depends on your AD / Exchange installation.

>         ldap_result_id = l.search(ldapconf.base_dn,
>             ldap.SCOPE_SUBTREE, ldapconf.filter, ['cn'])
>         result_set = []
>         while 1:
>             result_type, result_data = l.result(ldap_result_id, 0)
>             if (result_data == []):
>                 break
>             else:
>                 if result_type == ldap.RES_SEARCH_ENTRY:
>                     result_set.append(result_data)
>         print result_set

Style: Any reason why you don't use the simple l.search_s() method call?
I wouldn't expect many results. I don't know your LDAP search filter though.

Ciao, Michael.
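
Added example, not part of the original message and not python-ldap's own code: a trace_file wrapper that masks the bind password in the trace output the reply warns about, plus a bind-then-search helper built on ldap.initialize() and search_s(). The names RedactingTrace and find_cn, the ldap_mod parameter (it lets a stand-in module replace python-ldap when no directory server is available) and all sample values are assumptions made for illustration.

```python
class RedactingTrace:
    """File-like trace_file wrapper that masks known secrets (str) on write."""

    def __init__(self, sink, secrets, mask="***"):
        self._sink = sink
        self._mask = mask
        forms = set()
        for s in secrets:
            if s:  # skip "": str.replace("", mask) would pepper the output
                forms.add(s)
                forms.add(repr(s)[1:-1])  # escaped form, as repr/pprint shows it
        # Longest first, so a secret that contains another is masked whole.
        self._forms = sorted(forms, key=len, reverse=True)

    def write(self, text):
        for form in self._forms:
            text = text.replace(form, self._mask)
        return self._sink.write(text)

    def flush(self):
        self._sink.flush()


def find_cn(uri, bind_dn, bind_pw, base_dn, filterstr, trace_sink, ldap_mod=None):
    """Bind, then search for cn; the trace goes to trace_sink with bind_pw masked."""
    if ldap_mod is None:
        import ldap as ldap_mod  # python-ldap, imported only when really used
    if not bind_dn or not bind_pw:
        # RFC 4513 section 5.1.2: a simple bind with an empty password is an
        # "unauthenticated bind"; a server may accept it without authenticating.
        raise ValueError("refusing simple bind with empty DN or password")
    conn = ldap_mod.initialize(
        uri, trace_level=1, trace_file=RedactingTrace(trace_sink, [bind_pw]))
    conn.simple_bind_s(bind_dn, bind_pw)  # raises on failure, so search runs bound
    try:
        return conn.search_s(base_dn, ldap_mod.SCOPE_SUBTREE, filterstr, ["cn"])
    finally:
        conn.unbind_s()
```

The mask only catches the password where it appears contiguously within a single write() call, so treat the redacted trace as sensitive anyway.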