From: Ino P. <in...@gm...> - 2007-05-04 23:43:55
<<I'm sorry if this comes up as a double post, but I don't seem to get the messages from the mailing list even though I'm subscribed, and the web gui doesn't work... is sf.net having a lot of problems lately?>>

Thanks a lot for your swift response, I hope you can bear with me with my somewhat funky and ugly code, and appreciate all help/advice/pointers I can get :)

For viewing (dis)pleasure, I nested my response:

On 04 May 2007, at 23:09, Michael Ströder wrote:

> Ino Heatwave wrote:
>>
>> I'm currently testing out python-ldap and I'm connecting to an active
>> directory service.
>>
>> Binding works ok, but searching usually (usually as in I can't remember
>> if it has worked at one point in time or not) ends with an error
>> ("00000000: LdapErr: DSID-0C090627, comment: In order to perform this
>> operation a successful bind must be completed on the connection., data
>> 0, vece").
>
> Yes. For most entries there is no anonymous access allowed in the
> default installation of Active Directory.

Well, the problem is that I've already bound as a user with the needed rights to search (even tried with Administrator, and I still get the error).

>
> Some entries are accessible even with anon access. But without knowing
> what your code looks like it's hard to tell what happens.

You certainly may be at the heart of the problem here, but is there any way, using the python-ldap api, to ignore errors like that? Like saying: "ok, I realize I might not have access to everything in the directory as this user, but at least return what I have access to"?

>
>> I could provide sample code that gives me this behaviour.
>
> Yes, please provide simple test code demonstrating your issue.

Below is an ugly example I've cooked up for the purpose:

[[ look for attachment named ldap_simple_test.py ]]

>
>> But my main problem is: I can't bind with two different LDAPObjects on
>> the same server.
>
> Are you sure? I'm doing this all the time with web2ldap.
>
>> E.g. creating two connections to the same server, using
>> sasl bind (digest-md5). The latter bind operation always raises
>> "ldap.INVALID_CREDENTIALS: {'info': '00090313: LdapErr: DSID-0C09043E,
>> comment: AcceptSecurityContext error, data 0, vece', 'desc': 'Invalid
>> credentials'}", even though the username/password are identical. Again,
>> I could provide some sample code that shows this behaviour if you're
>> interested.
>
> Please provide a simple example demonstrating the problem.
>
> The following code works for me with OpenLDAP 2.3.35:

And the exact same code (modified only to fit with my server parameters of course) bails out with the exception. I've attached the code I ran and the results, seen from the command line with trace_level = 3.

I've done some further testing, and using two different python processes to make two connections to the same server at the same time works ok, so there definitely is something going on here.

Is there some other way to trace what's going on that would make any sense to any of us?

I'm running this on OS X 10.4.9, with the latest python-ldap (2.3) built against OpenLDAP 2.3.34. The AD servers I'm trying against are Windows server 2003 instances.
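
Added example (not part of the original message, and not python-ldap's own code): a small parser that splits the Active Directory diagnostic strings quoted above, as they arrive in the 'info' field of a python-ldap exception, and sorts them into "connection treated as unbound" versus "bind rejected". The names parse_ad_diag and triage, the sub-code table and the third sample string are assumptions of this example, not taken from the message.

```python
import re

# Layout of the diagnostic text Active Directory returns, taken from the two
# errors quoted in the message above.
AD_DIAG = re.compile(
    r"^(?P<code>[0-9A-Fa-f]{8}): (?P<kind>\w+): (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.+?), data (?P<data>[0-9A-Fa-f]+)(?:, (?P<tag>\w+))?$"
)

# Assumption (not from the message): widely documented hex sub-codes that AD
# puts in the "data" field when AcceptSecurityContext rejects a bind.
BIND_SUBCODES = {
    0x525: "user not found", 0x52E: "invalid credentials",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired", 0x533: "account disabled",
    0x701: "account expired", 0x773: "password must be changed",
    0x775: "account locked out",
}

def parse_ad_diag(info):
    """Split an AD diagnostic string into fields, or return None if it does not match."""
    m = AD_DIAG.match(" ".join(info.split()))  # undo mail/log line wrapping
    if not m:
        return None
    fields = m.groupdict()
    fields["data"] = int(fields["data"], 16)  # "data" is a hex sub-code
    return fields

def triage(err):
    """Classify the {'info': ..., 'desc': ...} dict carried by a python-ldap exception."""
    diag = parse_ad_diag(err.get("info", ""))
    if diag is None:
        return "not an AD diagnostic: " + err.get("desc", "unknown")
    if "successful bind must be completed" in diag["comment"]:
        return "operation sent on a connection the server treats as unbound"
    if diag["comment"].startswith("AcceptSecurityContext"):
        reason = BIND_SUBCODES.get(diag["data"], "no known sub-code (data %x)" % diag["data"])
        return "bind rejected: " + reason
    return "unclassified: " + diag["comment"]

# The two diagnostics quoted in the message, plus one constructed sample (data 52e).
SEARCH_ERR = {"info": "00000000: LdapErr: DSID-0C090627, comment: In order to perform this "
                      "operation a successful bind must be completed on the connection., data 0, vece"}
BIND_ERR = {"info": "00090313: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, "
                    "data 0, vece", "desc": "Invalid credentials"}
CONSTRUCTED = {"info": "00090313: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, "
                       "data 52e, vece", "desc": "Invalid credentials"}

if __name__ == "__main__":
    for e in (SEARCH_ERR, BIND_ERR, CONSTRUCTED):
        print(triage(e))
```

For the two errors in this message the "data" field is 0, so the sub-code table gives no extra detail; it matters only when the server fills that field in.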