<div dir="ltr"><div class="gmail_default" style="font-family:'courier new',monospace">I'm working under the "easier to beg forgiveness than ask permission" model (having already tried the alternative and gotten a run-around). Hence, I'm lacking some of the specifics about the server I'm talking to. However, I hope I'm providing enough info to get a reasonable answer.<br>
</div><div class="gmail_quote"><div dir="ltr">
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">Our IT department has some sort of LDAP server.<div class="gmail_default" style="font-family:'courier new',monospace;display:inline">
(Active Directory, I think.)</div> I have successfully gotten Python's LDAP module to talk to it, and fetch all the info I need (after authenticating to it). This was in part to determine if a user is "legit" enough to use services I'm providing, and to offer auto-completion of employee names.</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">It seemed to be working fine with the small handful of users that I tested with. Well, now I've been asked to make the login capability of my little web app more publicly available to other folks on campus (who have LDAP records as well). Since advertising the new capability, it behaves randomly: Sometimes a user will succeed in authenticating, and then a few minutes later, it fails for the same user. The failures don't seem to be the same thing twice, and I haven't had the opportunity to copy the various error messages being given back.<div class="gmail_default" style="font-family:'courier new',monospace;display:inline">
I have two different IP addresses, one of which uses ldaps:// and the other ldap://. I have had "luck" both good and bad with both of them.</div></font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">This isn't a service that people are going to be hammering at. So, I don't think the source of trouble is that my server is too busy with people trying to authenticate simultaneously.<div class="gmail_default" style="font-family:'courier new',monospace;display:inline">
It's also depending (a little) on security through obscurity, having an unlikely URL.</div></font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">Here are the relevant portions of the code:</font></div>
<pre style="font-family:'courier new',monospace">
import ldap, ldap.sasl
from django.http import HttpResponseRedirect
...
server = "ldaps://.../"
base_dn = "OU=people,dc=ad,dc=gallaudet,dc=edu"
screen = "(sn=*)"                    # search filter: every entry with a surname
scope = ldap.SCOPE_SUBTREE
fields = ["sn", "givenName"]         # attributes to fetch

con = ldap.initialize(server)        # connection object set up here and reused for the bind below
con.set_option(ldap.OPT_REFERRALS, 0)    # Recommended somewhere
...
user = request.POST["username"].strip()
cut = user.find("@gallaudet.edu")
if cut &gt; 0: user = user[:cut]     # username, not e-mail
passwd = request.POST["password"]
token = ldap.sasl.digest_md5(user, passwd)   # DIGEST-MD5 SASL credentials for this user
try:
    con.sasl_interactive_bind_s("", token)
except ldap.INVALID_CREDENTIALS:
    return HttpResponseRedirect("/.../login/")
...
temp = map(lambda x: x[1], con.search_s(base_dn, scope, screen, fields))   # keep attribute dicts only
found = [entry for entry in temp if "givenName" in entry]
</pre>
<div><font face="courier new, monospace"><br></font></div>
<div><font face="courier new, monospace">Is it just a matter of bad timing? Should I be "MUNGing" it, retrying repeatedly if it's not an INVALID_CREDENTIALS exception, and hoping for a lucky roll of the dice?</font></div>
<div><font face="courier new, monospace"><br></font></div>
<div><font face="courier new, monospace">Thanks!</font></div>
</div>
</div>
</div>
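The retry question raised in the post, worked as an added example that is not code from the original message: every login attempt gets its own connection, only transport errors (SERVER_DOWN and friends) are retried a bounded number of times, and INVALID_CREDENTIALS stops immediately. The server URL is a placeholder; python-ldap is assumed for the real bind step, and constructed stand-in exception classes plus a constructed flaky directory let the logic run offline.

```python
# Added example, not code from the original post: per-request LDAP login with a
# fresh connection per attempt, retrying only transport errors, never INVALID_CREDENTIALS.
# Exception names follow python-ldap; constructed stand-ins are used when it is absent.
try:
    import ldap, ldap.sasl
    INVALID_CREDENTIALS, SERVER_DOWN = ldap.INVALID_CREDENTIALS, ldap.SERVER_DOWN
    TRANSIENT = (ldap.SERVER_DOWN, ldap.TIMEOUT, ldap.BUSY, ldap.UNAVAILABLE)
except (ImportError, AttributeError):
    class INVALID_CREDENTIALS(Exception): pass
    class SERVER_DOWN(Exception): pass
    TRANSIENT = (SERVER_DOWN,)

def strip_realm(user, realm="gallaudet.edu"):
    """'jdoe@gallaudet.edu' -> 'jdoe'; bare usernames pass through unchanged."""
    user, suffix = user.strip(), "@" + realm
    return user[:-len(suffix)] if user.lower().endswith(suffix) else user

def ldap_bind(user, password, server="ldaps://ldap.example.invalid/"):
    """python-ldap bind (placeholder URL): new connection, bounded timeout, closed after."""
    con = ldap.initialize(server)
    con.set_option(ldap.OPT_REFERRALS, 0)          # as in the post; AD hands out referrals
    con.set_option(ldap.OPT_NETWORK_TIMEOUT, 5.0)  # never hang a web request on the directory
    try:
        con.sasl_interactive_bind_s("", ldap.sasl.digest_md5(user, password))
    finally:
        con.unbind_s()                             # never reuse a bound connection

def authenticate(user, password, bind=ldap_bind, attempts=3):
    """Return (ok, reason); `bind(user, password)` raises on failure."""
    user = strip_realm(user)
    if not user or not password:
        return False, "empty"          # fail closed without touching the server
    for _ in range(attempts):
        try:
            bind(user, password)
            return True, "ok"
        except INVALID_CREDENTIALS:
            return False, "invalid"    # definite answer from the server: stop
        except TRANSIENT:
            pass                       # transport trouble: retry on a new connection
    return False, "unavailable"

class FlakyDirectory:
    """Constructed stand-in for the post's symptom: the first `outages` binds fail at transport level."""
    def __init__(self, users, outages):
        self.users, self.outages, self.calls = users, outages, 0
    def bind(self, user, password):
        self.calls += 1
        if self.calls <= self.outages: raise SERVER_DOWN("connection reset")
        if self.users.get(user) != password: raise INVALID_CREDENTIALS("bad password")
```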