python-ldap vs. Active directory

Sean O'Connell oconnell at soe.ucsd.edu
Fri May 20 00:24:13 CEST 2005


Folks-

I am trying to get a trivial python-ldap script to work talking to our
campus active directory from a Linux machine (Fedora Core 3 or Centos
4), but I am being thwarted. I have successfully used python-ldap (same
versions) to talk to an openldap server quite happily; however, the AD
servers are proving to be quite stubborn.

The client side software versions are:

openldap (openldap-2.2.13-2 RPM)
python-ldap (python-ldap-2.0.1-2 RPM)
python (python-2.3.4-13.1)

The simple script is as follows, with some silly info tossed in for the
usual reasons.

---------------------------------- snip --------------------------------

import sys
import ldap

myLdapURI="ldap://ad.ucsd.edu"
myBaseDN="dc=ad,dc=ucsd,dc=edu"
myBindDN="cn=AdAccount,ou=foo,ou=bar,dc=ad,dc=ucsd,dc=edu"
myPassWD="LetMeIn"

# Open the LDAP connection (initialize() only parses the URI; nothing is
# sent to the server until the bind)
print "initializing .."
try:
  l = ldap.initialize(myLdapURI)
except ldap.LDAPError, e:
  print e
  sys.exit(1)

# Set protocol version to LDAPv3
l.protocol_version = ldap.VERSION3

# Simple bind to AD with the service account's DN and password; over a
# plain ldap:// URI a simple bind sends the password in clear
print "binding .."
try:
  l.bind_s(myBindDN, myPassWD)
except ldap.LDAPError, e:
  print e
  sys.exit(1)
else:
  print 'Successfully bound to AD'

#myFilter='(objectclass=*)'
myFilter='(sAMAccountName=AKnownUserInAD)'
myRetrieveAttrs = None          # None = return every attribute
myScope=ldap.SCOPE_SUBTREE

# Do a synchronous subtree search from the domain root
print "searching .."
try:
  myResults = l.search_s(myBaseDN, myScope, myFilter, myRetrieveAttrs)
except ldap.LDAPError, e:
  print e
else:
  print myResults

# Close down the connection
l.unbind_s()

------------------------------- snip ----------------------------------
The results are invariably:

initializing ..
binding ..
Successfully bound to AD
searching ..
{'info': '00000000: LdapErr: DSID-0C0905FF, comment: In order to perform
this operation a successful bind must be completed on the connection.,
data 0, vece', 'desc': 'Operations error'}

It appears to do the bind properly, but seems to forget about it when it
goes to do the search. Whereas, the following returns the desired
results:

ldapsearch -x -w 'LetMeIn' \
  -D 'cn=AdAccount,ou=foo,ou=bar,dc=ad,dc=ucsd,dc=edu' \
  -b 'dc=ad,dc=ucsd,dc=edu' -H ldap://ad.ucsd.edu \
  '(sAMAccountName=AKnownUserInAD)'

Any ideas what's going on here? Am I missing something obvious? The
command line search also works using kinit (and dropping the -x flag).
The python-ldap doesn't appear to work with SASL at all.

Thanks
-- 
Sean
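The "Operations error" in the post is a well-known python-ldap/Active Directory interaction: the bind did succeed, but a subtree search from the domain root makes AD return referrals (continuation references for the DNS application partitions and the configuration naming context), and libldap chases those by default on a new, unauthenticated connection, which AD rejects with exactly this DSID-0C0905FF message. Below is an added example, written for this page and not taken from the original post or from python-ldap itself, that parses AD's LdapErr diagnostic string (including the "data" sub-codes AD attaches to rejected binds, which a client should log but never echo to the caller), turns a caught ldap.LDAPError into a one-line diagnosis, and searches with referral chasing disabled. It assumes a current python-ldap on Python 3 (ldap.OPT_REFERRALS, simple_bind_s and search_s are real python-ldap API); the fallback constants 0x0008 and 2 are the libldap values assumed when the module is absent, FakeConn is a constructed stand-in so the search helper runs offline, and the host, DNs and password in main() are placeholders.

```python
"""Added example, not part of the original post or of python-ldap: diagnose
python-ldap searches against Active Directory.  Assumes a current python-ldap
on Python 3; the host, DNs and password used in main() are placeholders."""
import re

try:
    import ldap                              # python-ldap; optional so the parser runs offline
    OPT_REFERRALS, SCOPE_SUBTREE = ldap.OPT_REFERRALS, ldap.SCOPE_SUBTREE
except ImportError:                          # assumed libldap values (LDAP_OPT_REFERRALS, LDAP_SCOPE_SUBTREE)
    ldap, OPT_REFERRALS, SCOPE_SUBTREE = None, 0x0008, 2

# AD's "info" diagnostic, e.g. the one in the post:
#   00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation
#   a successful bind must be completed on the connection., data 0, vece
AD_LDAPERR_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<build>[0-9A-Fa-f]+)",
    re.DOTALL)

# "data" sub-codes AD attaches to a rejected simple bind (result 49).  They say
# *why* the bind failed, so log them server-side but never show them to callers.
AD_BIND_DATA_CODES = {
    0x525: "user not found",                   0x52e: "invalid credentials",
    0x530: "logon not permitted at this time", 0x531: "logon not permitted at this workstation",
    0x532: "password expired",                 0x533: "account disabled",
    0x701: "account expired",                  0x773: "user must reset password",
    0x775: "account locked out",
}

def parse_ad_ldap_error(info):
    """Split an AD LdapErr string into its fields; None if it is not one."""
    m = AD_LDAPERR_RE.search(info or "")
    if m is None:
        return None
    return {"win32": int(m["win32"], 16), "dsid": m["dsid"].upper(),
            "comment": " ".join(m["comment"].split()),   # unwrap mail-style line breaks
            "data": int(m["data"], 16), "build": m["build"]}

def explain_ldap_error(err):
    """One-line diagnosis of an ldap.LDAPError (or of its args dict)."""
    args = err.args[0] if isinstance(err, Exception) and err.args else err
    if not isinstance(args, dict):
        return str(err)
    desc, info = args.get("desc", ""), args.get("info", "")
    parsed = parse_ad_ldap_error(info)
    if parsed is None:
        return "%s: %s" % (desc, info) if info else desc
    line = "%s (data 0x%x, DSID %s): %s" % (desc, parsed["data"], parsed["dsid"], parsed["comment"])
    if parsed["data"] in AD_BIND_DATA_CODES:
        line += " -> " + AD_BIND_DATA_CODES[parsed["data"]]
    elif "successful bind must be completed" in parsed["comment"]:
        # The bind worked; the search from the domain root returned referrals and
        # libldap chased them on a fresh, anonymous connection, which AD rejects.
        line += (" -> referral chased without credentials; set OPT_REFERRALS to 0 "
                 "(or search below the domain root) and retry")
    return line

def ad_search(conn, base, filt, attrs=None):
    """Subtree search with referral chasing off; continuation references come
    back as (None, [urls]) and are dropped so callers see only real entries."""
    conn.set_option(OPT_REFERRALS, 0)
    return [(dn, entry) for dn, entry in conn.search_s(base, SCOPE_SUBTREE, filt, attrs)
            if dn is not None]

class FakeConn:
    """Constructed stand-in for ldap.LDAPObject so ad_search() runs offline.
    Mimics AD's answer to a subtree search from the domain root: the matching
    user plus continuation references for the DNS application partitions."""
    def __init__(self):
        self.options = {}
    def set_option(self, opt, value):
        self.options[opt] = value
    def search_s(self, base, scope, filt, attrs=None):
        return [("CN=jdoe,OU=Users,DC=ad,DC=example,DC=com", {"sAMAccountName": [b"jdoe"]}),
                (None, ["ldap://ForestDnsZones.ad.example.com/DC=ForestDnsZones,DC=ad,DC=example,DC=com"]),
                (None, ["ldap://DomainDnsZones.ad.example.com/DC=DomainDnsZones,DC=ad,DC=example,DC=com"])]

if __name__ == "__main__":
    if ldap is None:
        raise SystemExit("python-ldap is not installed; the parser and FakeConn still import")
    # ldaps:// because a simple bind otherwise sends the password in clear.
    conn = ldap.initialize("ldaps://ad.example.com")          # placeholder host
    conn.protocol_version = ldap.VERSION3
    try:
        conn.simple_bind_s("cn=AdAccount,ou=foo,ou=bar,dc=ad,dc=example,dc=com", "LetMeIn")
        for dn, entry in ad_search(conn, "dc=ad,dc=example,dc=com",
                                   "(sAMAccountName=jdoe)", ["sAMAccountName", "memberOf"]):
            print(dn, entry)
    except ldap.LDAPError as e:
        print(explain_ldap_error(e))
    finally:
        conn.unbind_s()
```

Two caveats a practitioner would want: disabling referral chasing is the usual fix for this error, but the same search from the global catalog port (3268) or from a base below the domain root also avoids the referrals; and whichever bind method is used, do it over ldaps:// or after start_tls_s(), since the simple bind in the post carries the service account's password in clear.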

More information about the python-ldap mailing list