Python-LDAP for Win32 & Windows 2003 LDAP

Markus Zapke-Gründemann m.zapke-gruendemann at ewerk.com
Wed Aug 8 17:13:04 CEST 2007


Hello Michael.

> -----Original Message-----
> Markus Zapke-Gründemann wrote:
> > 
> > A few days ago I tried a subtree search for the first time, starting
> > at the root of an Active Directory on a Windows 2003 Server.
> 
> This returns no results (if authenticated). So there's no point trying
> that. You should rather read namingContexts or defaultNamingContext from
> rootDSE (base search) to determine the search root on a particular DC.
This is a good suggestion. I will try it.

> > Operations error
> > 00000000: LdapErr: DSID-0C090627, comment: In order to perform this
> > operation a successful bind must be completed on the connection.,
> > data 0, vece
> 
> Then you tried to connect anonymously which is prohibited in AD's
> default configuration.
This is also what I read on this error code. But when I use the same credentials on a different DN below the root everything works. This makes me wonder.

> > I also did a test with the ldp client of the Microsoft Support Tools
> > package[1], just to verify that all privileges are correct. With this
> > client a search with the same filter from the root of the directory
> > is working.
> 
> And what did the client return as results?
It returned the results as I expected. I did a subtree search with the following filter:

(&(!(userAccountControl=514))(&(company=*))(&(|(cn=*e*)(sn=*e*)(givenName=*e*)(mail=*e*)(telephoneNumber=*e*)(otherTelephone=*e*)(facsimileTelephoneNumber=*e*)(mobile=*e*)(memberOf=*e*)(physicalDeliveryOfficeName=*e*)(title=*e*)))(objectClass=person))

> Maybe ldp.exe is using SASL/GSSAPI bind based on your Windows
> workstation logon seamlessly without you taking notice of it. And maybe
> ldp.exe also looks at defaultNamingContext in the rootDSE...
I connected and bound to the LDAP server manually using ldp.exe. My workstation is in a different domain. So I think there are no other credentials which could be used.

> Best thing to find out what a client really does is using Wireshark.
This is a good idea. Maybe there is something happening under the hood...

Thank you for your hints.


With kind regards

Markus
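
The approach suggested in the quoted reply (a base search on the rootDSE for defaultNamingContext or namingContexts, then a subtree search from that DN), as an added example that is not part of the original message or of python-ldap itself. The function names, the FakeDC stand-in and the example.test DNs are constructed for illustration; only connect() needs python-ldap and a real server.

```python
# Added example, not from the thread. python-ldap is needed only in connect().
SCOPE_BASE, SCOPE_SUBTREE = 0, 2  # same values as ldap.SCOPE_BASE / ldap.SCOPE_SUBTREE


def _text(value):
    # python-ldap 3.x returns attribute values as bytes
    return value.decode("utf-8") if isinstance(value, bytes) else value


def discover_search_root(conn):
    """Base search on the rootDSE (empty DN) to find this DC's search root."""
    result = conn.search_s("", SCOPE_BASE, "(objectClass=*)",
                           ["defaultNamingContext", "namingContexts"])
    if not result:
        raise LookupError("rootDSE returned no entry")
    attrs = {k.lower(): [_text(v) for v in vals] for k, vals in result[0][1].items()}
    # Prefer defaultNamingContext; otherwise fall back to the first listed context.
    for name in ("defaultnamingcontext", "namingcontexts"):
        if attrs.get(name):
            return attrs[name][0]
    raise LookupError("rootDSE lists no naming context")


def subtree_search(conn, filterstr, attrlist=None):
    """Subtree search below the discovered root instead of the empty root DN."""
    base = discover_search_root(conn)
    results = conn.search_s(base, SCOPE_SUBTREE, filterstr, attrlist)
    # Search references come back as (None, [urls]); keep real entries only.
    return base, [(dn, attrs) for dn, attrs in results if dn is not None]


def connect(uri, bind_dn, password):
    """Simple bind; uri, bind_dn and password are supplied by the caller."""
    import ldap  # python-ldap
    conn = ldap.initialize(uri)
    conn.simple_bind_s(bind_dn, password)
    return conn


class FakeDC:
    """Constructed stand-in for a bound connection, so the example runs offline."""
    def search_s(self, base, scope, filterstr, attrlist=None):
        if base == "" and scope == SCOPE_BASE:
            return [("", {"defaultNamingContext": [b"DC=example,DC=test"]})]
        if base == "DC=example,DC=test" and scope == SCOPE_SUBTREE:
            return [("CN=Jane Doe,OU=Staff,DC=example,DC=test", {"cn": [b"Jane Doe"]}),
                    (None, ["ldap://example.test/DC=DomainDnsZones,DC=example,DC=test"])]
        return []


if __name__ == "__main__":
    print(subtree_search(FakeDC(), "(objectClass=person)", ["cn"]))
```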


