possible bug(s) in python-ldap sasl code
Ino Pua
inopua at gmail.com
Sat May 5 01:43:45 CEST 2007
<<I'm sorry if this comes up as a double post, but I don't seem to get
the messages from the mailing list even though I'm subscribed, and the
web gui doesn't work... is sf.net having a lot of problems lately?>>
Thanks a lot for your swift response, I hope you can bear with me
with my somewhat funky and ugly code, and appreciate all help/advice/
pointers I can get :)
For viewing (dis)pleasure, I nested my response:
On 04 May 2007, at 23:09, Michael Ströder wrote:
> Ino Heatwave wrote:
>>
>> I'm currently testing out python-ldap and I'm connecting to an active
>> directory service.
>>
>> Binding works ok, but searching usually (usually as in I can't
>> remember
>> if it has worked at one point in time or not) ends with an error
>> ("00000000: LdapErr: DSID-0C090627, comment: In order to perform this
>> operation a successful bind must be completed on the connection.,
>> data
>> 0, vece").
>
> Yes. For most entries there is no anonymous access allowed in the
> default installation of Active Directory.
Well, the problem is that I've already bound as a user with the
needed rights to search (even tried with Administrator, and I still
get the error).
>
> Some entries are accessible even with anon access. But without knowing
> what your code looks like it's hard to tell what happens.
You certainly may be at the heart of the problem here, but is there
any way, using the python-ldap api to ignore errors like that? Like
saying: "ok, I realize I might not have access to everything in the
directory as this user, but at least return what I have access to"?
>
>> I could provide sample code that gives me this behaviour.
>
> Yes, please provide simple test code demonstrating your issue.
Below is an ugly example I've cooked up for the purpose:
[[ look for attachment named ldap_simple_test.py ]]
>
>> But my main problem is: I can't bind with two different LDAPObjects on
>> the same server.
>
> Are you sure? I'm doing this all the time with web2ldap.
>
>> E.g creating two connections to the same server, using
>> sasl bind (digest-md5). The latter bind operation always raises
>> "ldap.INVALID_CREDENTIALS: {'info': '00090313: LdapErr:
>> DSID-0C09043E,
>> comment: AcceptSecurityContext error, data 0, vece', 'desc': 'Invalid
>> credentials'}", even though the username/password are identical.
>> Again,
>> I could provide some sample code that shows this behaviour if you're
>> interested.
>
> Please provide a simple example demonstrating the problem.
>
> The following code works for me with OpenLDAP 2.3.35:
And the exact same code (modified only to fit with my server
parameters of course) bails out with the exception. I've attached the
code I ran and the results, seen from the command line with
trace_level = 3.
I've done some further testing, and using two different python
processes to make two connections to the same server at the same time
works ok, so there definitely is something going on here.
Is there some other way to trace what's going on that would make any
sense to any of us? I'm running this on OS X 10.4.9, with the latest
python-ldap (2.3) built against OpenLDAP 2.3.34. The AD servers I'm
trying against are Windows server 2003 instances.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap_simple_test.py
Type: text/x-python-script
Size: 1349 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-ldap/attachments/20070505/cccb7f33/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap_two_test.py
Type: text/x-python-script
Size: 549 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-ldap/attachments/20070505/cccb7f33/attachment-0001.bin>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ldap_two_test.trace.txt
URL: <http://mail.python.org/pipermail/python-ldap/attachments/20070505/cccb7f33/attachment.txt>