From: jacob m. <mar...@gm...> - 2006-06-17 18:43:11
Attachments: tmp.txt

I am unable to bind to an Active Directory system using python-ldap.

I created a user in AD with search rights and am able to do a simple bind with the java-based "LDAP Browser" and search/browse the directory with those credentials.

When I try to do a simple bind to the directory with python-ldap I don't get an exception, but when I try to perform the search, I get an exception indicating I didn't bind successfully:

Traceback (most recent call last):
  File "./tmp", line 29, in ?
    search_ad(email='us...@do...',password='passwd')
  File "./tmp", line 20, in search_ad
    result_type, result_data = l.result(ldap_result_id, 0)
  File "/usr/lib/python2.3/site-packages/ldap/ldapobject.py", line 399, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.3/site-packages/ldap/ldapobject.py", line 405, in result2
    return self._ldap_call(self._l.result2,msgid,all,timeout)
  File "/usr/lib/python2.3/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
    result = func(*args,**kwargs)
ldap.OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece', 'desc': 'Operations error'}

I am attaching the script that generated this exception. Am I missing something?

Thanks!

jacob
From: jacob m. <mar...@gm...> - 2006-06-17 18:45:10

I forgot to add I am using python2.3-ldap 2.0.4-1 on a Debian 3.1 system.

thanks,

jacob

On 6/17/06, jacob martinson <mar...@gm...> wrote:
> I am unable to bind to an Active Directory system using python-ldap.
>
> I created a user in AD with search rights and am able to do a simple
> bind with the java-based "LDAP Browser" and search/browse the
> directory with those credentials.
>
> When I try to do a simple bind to the directory with python-ldap I
> don't get an exception, but when I try to perform the search, I get an
> exception indicating I didn't bind successfully:
>
> Traceback (most recent call last):
>   File "./tmp", line 29, in ?
>     search_ad(email='us...@do...',password='passwd')
>   File "./tmp", line 20, in search_ad
>     result_type, result_data = l.result(ldap_result_id, 0)
>   File "/usr/lib/python2.3/site-packages/ldap/ldapobject.py", line
> 399, in result
>     res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
>   File "/usr/lib/python2.3/site-packages/ldap/ldapobject.py", line
> 405, in result2
>     return self._ldap_call(self._l.result2,msgid,all,timeout)
>   File "/usr/lib/python2.3/site-packages/ldap/ldapobject.py", line 94,
> in _ldap_call
>     result = func(*args,**kwargs)
> ldap.OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C090627,
> comment: In order to perform this operation a successful bind must be
> completed on the connection., data 0, vece', 'desc': 'Operations
> error'}
>
> I am attaching the script that generated this exception. Am I missing
> something?
>
> Thanks!
>
> jacob
From: <mi...@st...> - 2006-07-02 10:25:41

jacob martinson wrote:
>
> I created a user in AD with search rights and am able to do a simple
> bind with the java-based "LDAP Browser" and search/browse the
> directory with those credentials.
>
> When I try to do a simple bind to the directory with python-ldap I
> don't get an exception, but when I try to perform the search, I get an
> exception indicating I didn't bind successfully:

I guess something's wrong in your code.

> ldap.OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C090627,
> comment: In order to perform this operation a successful bind must be
> completed on the connection., data 0, vece', 'desc': 'Operations
> error'}

I suspect you're really doing a search before an appropriate bind.

> I am attaching the script that generated this exception. Am I missing
> something?

I'm not going to debug your code especially since it's an incomplete excerpt. Just some hints:

> def search_ad(email,password=''):

Where is password used?

>     # Connect to ldap server, retrieve the CN tied to the given email addr
>     try:
>         l = ldap.open(ldapconf.host)

You should use ldap.initialize(). Look into arguments trace_level and trace_file. (Hmm, docs need an update in this regard.) The output could help you find the error in sequence and arguments of the LDAP requests you send. Beware: It outputs passwords!

>         l.simple_bind_s(ldapconf.ldap_user,ldapconf.ldap_pass)

Obviously ldapconf.ldap_pass is not argument password above.

Another hint: The universal principal name is not always the RFC 822 e-mail address of a user. This depends on your AD / Exchange installation.

>         ldap_result_id = l.search(ldapconf.base_dn, ldap.SCOPE_SUBTREE, ldapconf.filter, ['cn'])
>         result_set = []
>         while 1:
>             result_type, result_data = l.result(ldap_result_id, 0)
>             if (result_data == []):
>                 break
>             else:
>                 if result_type == ldap.RES_SEARCH_ENTRY:
>                     result_set.append(result_data)
>         print result_set

Style: Any reason why you don't use the simple l.search_s() method call? I wouldn't expect many results. I don't know your LDAP search filter though.

Ciao, Michael.
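
Added example (not part of the thread and not the poster's script): a simple bind that raises nothing, followed by a search rejected for lack of a bind, is what an unauthenticated simple bind (non-empty DN, empty password, RFC 4513) looks like on a server that accepts it; the thread does not establish that this was the cause here. FakeADConnection is a constructed offline stub of the two python-ldap methods involved, and bind_then_search, the DN and the password are hypothetical names and values.

```python
# Added example: offline model of "bind raised nothing, search was refused".
# All names and values are constructed; nothing here contacts a directory.
SCOPE_SUBTREE = 2  # same numeric value as ldap.SCOPE_SUBTREE


class NotBound(Exception):
    """Stand-in for ldap.OPERATIONS_ERROR in this stub."""


class FakeADConnection:
    """Stub exposing simple_bind_s() and search_s() like a python-ldap object."""

    def __init__(self, users):
        self.users = users              # {bind_dn: password}
        self.authenticated = False

    def simple_bind_s(self, who, cred):
        if cred == "":
            # Unauthenticated bind: accepted without error, but the
            # connection stays anonymous.
            self.authenticated = False
            return
        if self.users.get(who) != cred:
            raise PermissionError("invalid credentials")  # stub-only error type
        self.authenticated = True

    def search_s(self, base, scope, filterstr, attrlist):
        if not self.authenticated:
            raise NotBound("a successful bind must be completed on the connection")
        return [("CN=Test User," + base, {"cn": [b"Test User"]})]


def bind_then_search(conn, bind_dn, password, base_dn, filterstr):
    """Refuse empty credentials, bind, then search synchronously for cn."""
    if not bind_dn or not password:
        # Fail closed instead of letting the server downgrade to anonymous.
        raise ValueError("refusing simple bind with empty DN or password")
    conn.simple_bind_s(bind_dn, password)
    return conn.search_s(base_dn, SCOPE_SUBTREE, filterstr, ["cn"])
```

With python-ldap, conn would be the object returned by ldap.initialize(uri), and a wrong password raises ldap.INVALID_CREDENTIALS rather than the stub's PermissionError.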