[python-ldap] Authenticating against Active Directory always returns (97, [])

Chris Doherty Chris.Doherty at ca.flextronics.com
Thu May 24 19:26:34 CEST 2012


I am trying to perform simple authentication to a 2003 Active Directory
using python ldap (CentOS 6.2 x86_64, Python 2.6.6, python-ldap 2.3.10
from the CentOS repos).

Despite following all the usual steps in the init, including

conn.set_option(ldap.OPT_REFERRALS, 0)

if I pass the correct credentials I always get a (97, []) returned:

>>> import ldap
>>> conn = ldap.initialize('ldap://ad.server.domain.com')
>>> conn.protocol_version = 3
>>> conn.set_option(ldap.OPT_REFERRALS, 0)
>>> conn.simple_bind_s('user@domain.com', 'WrongPassword')
ldap.INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece', 'desc': 'Invalid credentials'}
>>> conn.simple_bind_s('user@domain.com', 'CorrectPassword')
(97, [])

Error code 97 is not a success; it's the LDAP_REFERRAL_LIMIT_EXCEEDED
error being returned from AD.  Setting ldap.OPT_REFERRALS to 0 is
supposed to stop this, but it's not working.

Even more frustrating is that this script is a migration from an old
Perl script using Net::LDAP, which does return 0 for a successful
authenticated bind to the same AD and server, otherwise I would be
inclined to think there's something wrong with the AD servers.

I have tested python-ldap 2.2.0 and python 2.4.4 on an old CentOS 5.5
box I had lying around and it "fails" in exactly the same way.

I turned on python-ldap and LDAP lib debugging and ran it again:

Python 2.6.6 (r266:84292, Dec  7 2011, 20:48:22)
[GCC 4.4.6 20110731 (Red Hat 4.4.6-3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap
>>> ldap.set_option(ldap.OPT_DEBUG_LEVEL, 4095)
>>> conn = ldap.initialize('ldap://server.sub.domain.com:389', trace_level=2)
ldap_create
ldap_url_parse_ext(ldap://server.domain.com:389)
*** ldap://server.sub.domain.com:389 - SimpleLDAPObject.set_option ((17, 3),{})
>>> conn.protocol_version = 3
*** ldap://server.sub.domain.com:389 - SimpleLDAPObject.set_option ((17, 3),{})
>>> conn.set_option(ldap.OPT_REFERRALS, 0)
*** ldap://server.sub.domain.com:389 - SimpleLDAPObject.set_option ((8, 0),{})
>>> conn.simple_bind_s('user@sub.domain.com', 'CorrectPassword.')
*** ldap://server.sub.domain.com:389 - SimpleLDAPObject.simple_bind (('user@sub.domain.com', 'CorrectPassword.', None, None),{})
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server.sub.domain.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.999.999.999:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
=> result: 1
*** ldap://server.sub.domain.com:389 - SimpleLDAPObject.result3 ((1, 1, -1),{})
ldap_result ld 0x14751f0 msgid 1
wait4msg ld 0x14751f0 msgid 1 (infinite timeout)
wait4msg continue ld 0x14751f0 msgid 1 all 1
** ld 0x14751f0 Connections:
* host: server.sub.domain.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu May 24 13:10:30 2012


** ld 0x14751f0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x14751f0 request count 1 (abandoned 0)
** ld 0x14751f0 Response Queue:
   Empty
  ld 0x14751f0 response count 0
ldap_chkResponseList ld 0x14751f0 msgid 1 all 1
ldap_chkResponseList returns ld 0x14751f0 NULL
ldap_int_select
read1msg: ld 0x14751f0 msgid 1 all 1
read1msg: ld 0x14751f0 msgid 1 message type bind
read1msg: ld 0x14751f0 0 new referrals
read1msg:  mark request completed, ld 0x14751f0 msgid 1
request done: ld 0x14751f0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
=> result: (97, [], 1, [])
(97, [])

--
Chris Doherty
Software Engineer
Advanced Systems Engineering
FLEXComputing

chris.doherty at ca.flextronics.com
www.flextronics.com
Ph +1 289 288 1509
Fax +1 289 288 1549
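Added example, not part of the post above and not python-ldap's own code: a small bind wrapper that interprets the return value of `simple_bind_s()` the way python-ldap defines it. `simple_bind_s()` returns the `(result_type, result_data)` tuple from `result()`, and `ldap.RES_BIND` is 0x61 (97 decimal), the message type of a BindResponse; OpenLDAP's `LDAP_REFERRAL_LIMIT_EXCEEDED` happens to share the numeric value 0x61, which is easy to confuse with it. The wrapper also maps the `data 52e`-style sub-code in AD's `AcceptSecurityContext` diagnostic string to a label suitable for an authentication audit log, refuses empty passwords (RFC 4513 lets a server treat a bind with an empty password as unauthenticated, so it "succeeds" without proving anything), and falls back to a stand-in exception class and a hard-coded `RES_BIND` so it runs where python-ldap is not installed. `FakeADConnection` is a constructed stand-in for `ldap.initialize(...)` that reproduces the two outcomes shown in the post; the sub-code table is assumed from Microsoft's documented values and is not exhaustive.

```python
import re

try:
    import ldap                      # python-ldap, if present
    BindError = ldap.LDAPError       # base class of ldap.INVALID_CREDENTIALS
    RES_BIND = ldap.RES_BIND
except ImportError:                  # fallback so the example runs stand-alone
    class BindError(Exception):
        pass
    RES_BIND = 0x61                  # value of ldap.RES_BIND: 97 decimal

# AD "data NNN" sub-codes from the AcceptSecurityContext diagnostic string.
# Assumed from Microsoft's documented values; used only to label log entries.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_ad_failure(info):
    """Map the 'data NNN' sub-code in an AD diagnostic string to an audit-log label."""
    m = _DATA_RE.search(info or "")
    if not m:
        return "unknown"
    code = m.group(1).lower()
    return AD_DATA_CODES.get(code, "unrecognised sub-code " + code)


def bind_succeeded(result):
    """simple_bind_s() returns (result_type, result_data); a completed bind has type RES_BIND."""
    return isinstance(result, tuple) and len(result) >= 1 and result[0] == RES_BIND


def authenticate(conn, who, password):
    """Bind with the given credentials; return (ok, reason) for logging.

    conn is anything with a python-ldap-style simple_bind_s(). An empty password is
    rejected before contacting the server because it would be an unauthenticated bind.
    """
    if not password:
        return False, "empty password refused (would be an unauthenticated bind)"
    try:
        result = conn.simple_bind_s(who, password)
    except BindError as exc:
        # python-ldap puts a dict with 'desc' and 'info' in exc.args[0]
        detail = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
        return False, classify_ad_failure(detail.get("info", ""))
    if bind_succeeded(result):
        return True, "bind completed"
    return False, "unexpected result %r" % (result,)


class FakeADConnection(object):
    """Constructed stand-in for ldap.initialize(...) reproducing the post's two outcomes."""

    def __init__(self, good_password):
        self.good_password = good_password

    def simple_bind_s(self, who, password):
        if password == self.good_password:
            return (RES_BIND, [])        # exactly what the post shows: (97, [])
        raise BindError({
            "desc": "Invalid credentials",
            "info": "80090308: LdapErr: DSID-0C090334, comment: "
                    "AcceptSecurityContext error, data 52e, vece",
        })


if __name__ == "__main__":
    conn = FakeADConnection("CorrectPassword")
    print(authenticate(conn, "user@domain.com", "WrongPassword"))    # (False, 'invalid credentials')
    print(authenticate(conn, "user@domain.com", "CorrectPassword"))  # (True, 'bind completed')
```

Against a real server, pass the object from `ldap.initialize(...)` (with `protocol_version` and `OPT_REFERRALS` set as in the post) in place of `FakeADConnection`; the success test is the result type, not the absence of a nonzero number.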

