From: Ino H. <in...@gm...> - 2007-05-04 12:33:41
Hi,

I'm currently testing out python-ldap and I'm connecting to an Active Directory service.

Binding works OK, but searching usually (usually, as in I can't remember if it has worked at one point in time or not) ends with an error ("00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece"). The data, however, is received when I use the library asynchronously (i.e. it sends me the search results, then raises the exception). I could provide sample code that gives me this behaviour. Writing a custom search method that masks this error works great, though, but feels kind of ugly...

But my main problem is: I can't bind with two different LDAPObjects on the same server, e.g. creating two connections to the same server using SASL bind (DIGEST-MD5). The latter bind operation always raises "ldap.INVALID_CREDENTIALS: {'info': '00090313: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece', 'desc': 'Invalid credentials'}", even though the username/password are identical. Again, I could provide some sample code that shows this behaviour if you're interested.

Connecting with two LDAPObjects to the same server and binding works fine with TLS, though, but it would certainly be a lot better if we could have support for this through SASL.

Any ideas?
From: <mi...@st...> - 2007-05-04 21:12:02
Ino Heatwave wrote:
> I'm currently testing out python-ldap and I'm connecting to an Active
> Directory service.
>
> Binding works OK, but searching usually (usually, as in I can't remember
> if it has worked at one point in time or not) ends with an error
> ("00000000: LdapErr: DSID-0C090627, comment: In order to perform this
> operation a successful bind must be completed on the connection., data
> 0, vece").

Yes. For most entries there is no anonymous access allowed in the default installation of Active Directory.

> The data, however, is received when I use the library asynchronously
> (i.e. it sends me the search results, then raises the exception).

Some entries are accessible even with anonymous access. But without knowing what your code looks like it's hard to tell what happens.

> I could provide sample code that gives me this behaviour.

Yes, please provide simple test code demonstrating your issue.

> Writing a custom search method that masks this error works great, though,
> but feels kind of ugly...

???

> But my main problem is: I can't bind with two different LDAPObjects on
> the same server.

Are you sure? I'm doing this all the time with web2ldap.

> E.g. creating two connections to the same server using SASL bind
> (DIGEST-MD5). The latter bind operation always raises
> "ldap.INVALID_CREDENTIALS: {'info': '00090313: LdapErr: DSID-0C09043E,
> comment: AcceptSecurityContext error, data 0, vece', 'desc': 'Invalid
> credentials'}", even though the username/password are identical. Again,
> I could provide some sample code that shows this behaviour if you're
> interested.

Please provide a simple example demonstrating the problem.

The following code works for me with OpenLDAP 2.3.35:

--------------------------- snip ---------------------------
import ldap, ldap.sasl

trace_level = 2

# First connection: DIGEST-MD5 bind as user 'fred'.
ldapcon1 = ldap.initialize('ldap://localhost:1390', trace_level=trace_level)
#ldapcon1.simple_bind_s('cn=Fred Feuerstein,ou=Testing,dc=stroeder,dc=de','fredsecret')
sasl_auth = ldap.sasl.sasl({
    ldap.sasl.CB_AUTHNAME: 'fred',
    ldap.sasl.CB_PASS: 'fredsecret',
}, 'DIGEST-MD5')
ldapcon1.sasl_interactive_bind_s("", sasl_auth)
ldapcon1.search_s('', ldap.SCOPE_BASE)

# Second, independent connection to the same server: DIGEST-MD5 bind as user 'anna'.
ldapcon2 = ldap.initialize('ldap://localhost:1390', trace_level=trace_level)
#ldapcon2.simple_bind_s('uid=anna,ou=Testing,dc=stroeder,dc=de','annasecret')
sasl_auth = ldap.sasl.sasl({
    ldap.sasl.CB_AUTHNAME: 'anna',
    ldap.sasl.CB_PASS: 'annasecret',
}, 'DIGEST-MD5')
ldapcon2.sasl_interactive_bind_s("", sasl_auth)
ldapcon2.search_s('', ldap.SCOPE_BASE)   # search on the second connection, not the first
--------------------------- snip ---------------------------

> Any ideas?

Use trace_level to examine what your code really does... ;-)

Ciao, Michael.
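Both error strings quoted in this thread are Active Directory diagnostic messages of the form "<hex status>: LdapErr: DSID-<id>, comment: <text>, data <hex>, <version>", and the "data" field after an "AcceptSecurityContext error" is where AD reports why a bind was rejected (the "data 0" in the thread means it gave no further detail). The following is an added example, not code from the thread or from python-ldap: it splits the `info` string python-ldap puts into the exception argument dict and classifies the two situations discussed here. The third sample message (with `data 52e`) and the `desc` values are constructed by me; the sub-error table holds the commonly documented AD logon sub-codes.

```python
import re

# Shape of the diagnostic string Active Directory puts into the 'info' field
# of a python-ldap exception (LDAPError.args[0]['info']), e.g.
#   00000000: LdapErr: DSID-0C090627, comment: In order to perform this
#   operation a successful bind must be completed on the connection., data 0, vece
AD_DIAG_RE = re.compile(
    r"^(?P<status>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), (?P<version>\w+)$"
)

# Sub-error codes AD appends after 'data' on AcceptSecurityContext failures.
# 0 means the server gave no further detail (as in both messages in the thread).
AD_DATA_CODES = {
    0x000: "no sub-error reported",
    0x525: "user not found",
    0x52e: "invalid credentials (bad password)",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

BIND_REQUIRED_COMMENT = "a successful bind must be completed on the connection"


def parse_ad_diagnostic(info):
    """Split an AD diagnostic string into its fields; None if it is not one."""
    m = AD_DIAG_RE.match(info.strip())
    if m is None:
        return None
    data = int(m.group("data"), 16)
    return {
        "status": int(m.group("status"), 16),        # leading hex status code
        "dsid": m.group("dsid").upper(),              # directory-service source id
        "comment": m.group("comment"),
        "data": data,
        "data_meaning": AD_DATA_CODES.get(data, "unknown sub-error 0x%x" % data),
        "version": m.group("version"),
    }


def explain_ldap_error(err_args):
    """Classify the dict python-ldap attaches to an exception ({'desc': ..., 'info': ...}).

    Returns (category, detail):
      'bind-required' - the server refused an operation on a connection it does
                        not consider bound (the search error in the thread)
      'auth-failed'   - a bind was rejected; detail names the 'data' sub-error
      'other'         - anything else
    """
    desc = err_args.get("desc", "")
    parsed = parse_ad_diagnostic(err_args.get("info", "") or "")
    if parsed is None:
        return "other", desc
    if BIND_REQUIRED_COMMENT in parsed["comment"]:
        return "bind-required", parsed["comment"]
    if parsed["comment"].startswith("AcceptSecurityContext error"):
        return "auth-failed", parsed["data_meaning"]
    return "other", "%s (data 0x%x)" % (parsed["comment"], parsed["data"])


# Sample inputs: the two messages quoted in the thread (desc values and the
# dict layout follow python-ldap's convention), plus one constructed
# 'data 52e' message of the form AD sends for a wrong password.
THREAD_SEARCH_ERROR = {
    "info": "00000000: LdapErr: DSID-0C090627, comment: In order to perform this "
            "operation a successful bind must be completed on the connection., data 0, vece",
}
THREAD_BIND_ERROR = {
    "desc": "Invalid credentials",
    "info": "00090313: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece",
}
CONSTRUCTED_BAD_PASSWORD = {  # constructed sample, not from the thread
    "desc": "Invalid credentials",
    "info": "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v1db1",
}

if __name__ == "__main__":
    for sample in (THREAD_SEARCH_ERROR, THREAD_BIND_ERROR, CONSTRUCTED_BAD_PASSWORD):
        print(explain_ldap_error(sample))
```

In real code the dict comes from the exception itself: `except ldap.LDAPError as e: explain_ldap_error(e.args[0])`. The useful part for troubleshooting a bind is the `data` sub-code, because "Invalid credentials" alone does not distinguish a wrong password from a locked or disabled account; `data 0`, as in the thread, tells you the rejection was not one of the account-state cases.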
From: Ino P. <in...@gm...> - 2007-05-04 22:54:46
Thanks a lot for your swift response. I hope you can bear with me with my somewhat funky and ugly code, and I appreciate all help/advice/pointers I can get :)

For viewing (dis)pleasure, I nested my response:

On 04 May 2007, at 23:09, Michael Ströder wrote:
> Ino Heatwave wrote:
>> I'm currently testing out python-ldap and I'm connecting to an Active
>> Directory service.
>>
>> Binding works OK, but searching usually (usually, as in I can't remember
>> if it has worked at one point in time or not) ends with an error
>> ("00000000: LdapErr: DSID-0C090627, comment: In order to perform this
>> operation a successful bind must be completed on the connection., data
>> 0, vece").
>
> Yes. For most entries there is no anonymous access allowed in the
> default installation of Active Directory.

Well, the problem is that I've already bound as a user with the needed rights to search (I even tried with Administrator, and I still get the error).

> Some entries are accessible even with anonymous access. But without knowing
> what your code looks like it's hard to tell what happens.

You certainly may be at the heart of the problem here, but is there any way, using the python-ldap API, to ignore errors like that? Like saying: "OK, I realize I might not have access to everything in the directory as this user, but at least return what I have access to"?

>> I could provide sample code that gives me this behaviour.
>
> Yes, please provide simple test code demonstrating your issue.

Below is an ugly example I've cooked up for the purpose:

[[ look for attachment named ldap_simple_test.py ]]

>> But my main problem is: I can't bind with two different LDAPObjects on
>> the same server.
>
> Are you sure? I'm doing this all the time with web2ldap.
>
>> E.g. creating two connections to the same server using SASL bind
>> (DIGEST-MD5). The latter bind operation always raises
>> "ldap.INVALID_CREDENTIALS: {'info': '00090313: LdapErr: DSID-0C09043E,
>> comment: AcceptSecurityContext error, data 0, vece', 'desc': 'Invalid
>> credentials'}", even though the username/password are identical. Again,
>> I could provide some sample code that shows this behaviour if you're
>> interested.
>
> Please provide a simple example demonstrating the problem.
>
> The following code works for me with OpenLDAP 2.3.35:

And the exact same code (modified only to fit my server parameters, of course) bails out with the exception. I've attached the code I ran and the results, seen from the command line with trace_level = 3.

I've done some further testing, and using two different Python processes to make two connections to the same server at the same time works OK, so there definitely is something going on here.

Is there some other way to trace what's going on that would make any sense to any of us? I'm running this on OS X 10.4.9, with the latest python-ldap (2.3) built against OpenLDAP 2.3.34. The AD servers I'm trying against are Windows Server 2003 instances.
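The question in the post above, whether python-ldap can hand back what the bound identity is allowed to read instead of raising, maps onto python-ldap's asynchronous API: `LDAPObject.search()` returns a message id and `result(msgid, all=0)` delivers the response one message at a time, so entries that the server streamed before it ended the operation with an error are already in hand when the exception is raised. The following is an added example, not code from the thread or from python-ldap: it drains the result that way and returns both the entries and the error the operation ended with, so a caller can distinguish a partial result from a complete one instead of silently mistaking an unbound or under-privileged connection for "no data" (masking the error entirely, as the post describes, hides exactly that case). The connection object, the entries and the `OperationsError` are constructed stand-ins so it runs without a directory server; that AD reports the "bind must be completed" refusal as operationsError (LDAP result code 1, `ldap.OPERATIONS_ERROR` in python-ldap) is my assumption.

```python
# python-ldap's result-type constants (ldap.RES_SEARCH_ENTRY / ldap.RES_SEARCH_RESULT)
RES_SEARCH_ENTRY = 100
RES_SEARCH_RESULT = 101
SCOPE_SUBTREE = 2   # ldap.SCOPE_SUBTREE

try:
    from ldap import LDAPError   # the real exception base when python-ldap is installed
except ImportError:              # keeps the offline demo runnable without python-ldap
    class LDAPError(Exception):
        pass


def search_keep_partial(conn, base, scope, filterstr="(objectClass=*)", attrlist=None):
    """Run the search asynchronously and drain the result one message at a time.

    Returns (entries, error): every (dn, attrs) tuple that arrived before the
    server ended the operation, plus the LDAPError it ended with, or None.
    conn is any object with python-ldap's LDAPObject.search()/result() signatures.
    """
    entries = []
    msgid = conn.search(base, scope, filterstr, attrlist)
    try:
        while True:
            rtype, rdata = conn.result(msgid, all=0)   # one protocol message per call
            if rtype == RES_SEARCH_ENTRY:
                entries.extend(rdata)                  # rdata is a list of (dn, attrs)
            elif rtype == RES_SEARCH_RESULT:
                return entries, None                   # clean end of the result set
            # referrals and intermediate messages are skipped here
    except LDAPError as err:                           # the final result carried an error
        return entries, err


class OperationsError(LDAPError):
    """Constructed stand-in for ldap.OPERATIONS_ERROR (LDAP result code 1)."""


class FakeADConnection:
    """Constructed stand-in for an LDAPObject: streams the queued entries, then
    ends the operation the way the thread describes (error after the data)."""

    def __init__(self, entries, final_error=None):
        self._pending = list(entries)
        self._final_error = final_error
        self._next_msgid = 1

    def search(self, base, scope, filterstr, attrlist=None):
        msgid = self._next_msgid
        self._next_msgid += 1
        return msgid

    def result(self, msgid, all=1, timeout=None):
        if self._pending:
            return RES_SEARCH_ENTRY, [self._pending.pop(0)]
        if self._final_error is not None:
            raise self._final_error
        return RES_SEARCH_RESULT, []


SAMPLE_ENTRIES = [  # constructed sample data
    ("CN=Alice,OU=Users,DC=example,DC=com", {"sAMAccountName": [b"alice"]}),
    ("CN=Bob,OU=Users,DC=example,DC=com", {"sAMAccountName": [b"bob"]}),
]
AD_BIND_REQUIRED = OperationsError({  # diagnostic text as quoted in the thread
    "desc": "Operations error",
    "info": "00000000: LdapErr: DSID-0C090627, comment: In order to perform this "
            "operation a successful bind must be completed on the connection., data 0, vece",
})


def demo():
    """Returns ((kept, error desc), (kept, None)) for the failing and the clean case."""
    partial, err = search_keep_partial(FakeADConnection(SAMPLE_ENTRIES, AD_BIND_REQUIRED),
                                       "DC=example,DC=com", SCOPE_SUBTREE)
    clean, ok = search_keep_partial(FakeADConnection(SAMPLE_ENTRIES),
                                    "DC=example,DC=com", SCOPE_SUBTREE)
    return (len(partial), err.args[0]["desc"] if err else None), (len(clean), ok)


if __name__ == "__main__":
    print(demo())
```

Against a real server the call is `search_keep_partial(conn, base, ldap.SCOPE_SUBTREE, ...)` on a connection whose bind has already been checked; if `error` is not None, treat the returned list as incomplete and log the diagnostic, since a list that is short because the bind never took effect looks no different from one that is short because the filter matched little.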
From: Ino P. <in...@gm...> - 2007-05-04 23:43:55
<<I'm sorry if this comes up as a double post, but I don't seem to get the messages from the mailing list even though I'm subscribed, and the web GUI doesn't work... is sf.net having a lot of problems lately?>>
From: <mi...@st...> - 2007-05-10 09:55:22
Ino Pua wrote:
> Is there some other way to trace what's going on that would make any
> sense to any of us? I'm running this on OS X 10.4.9, with the latest
> python-ldap (2.3) built against OpenLDAP 2.3.34.

Did you also build OpenLDAP from scratch? With which SASL libs?

Ciao, Michael.