[python-ldap] Authenticating against Active Directory always returns (97, [])

Chris Doherty Chris.Doherty at ca.flextronics.com
Thu May 24 20:37:47 CEST 2012

> The 97 is not the LDAP result code. It's the result type ldap.RES_BIND.

> So your code should look like this:
> try:
>   conn.simple_bind_s('user@domain.com', 'WrongPassword')
>   user_error_msg('wrong password provided')

That has...important implications.  Most notably, vanilla 2003 Active Directory will allow anonymous binds, and anonymous searches on the root DSE (only), but will not throw an authentication error unless one tries to search lower in the LDAP tree. What was confusing me was the fact that this works:

>>> conn.simple_bind_s('', 'CorrectPassword')
(97, [])
>>> conn.simple_bind_s('', '')
(97, [])

which I now see is working entirely as designed, but doing a simple bind only is the commonly encountered pattern for authenticating against Active Directory.  It seems that simple_bind_s() followed by some trivial search is the correct way to go here to ensure that actual authentication is taking place.

Thank you for your prompt response, this has been very helpful.
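
Added example, not part of the original post or of python-ldap: a login check following the pattern the message arrives at (refuse empty credentials, bind, then search below the root DSE). FakeADConnection, FakeLDAPError and authenticate are hypothetical names; the fake is a constructed stand-in that models only the behaviour shown above, and its treatment of a named bind with an empty password as anonymous is an assumption.

```python
SCOPE_BASE = 0   # same value as ldap.SCOPE_BASE
RES_BIND = 97    # ldap.RES_BIND: a result type, not a result code

class FakeLDAPError(Exception):
    """Constructed stand-in for ldap.LDAPError (no server needed)."""

class FakeADConnection:
    """Constructed double modelling only the behaviour seen in the post."""

    def __init__(self, accounts):
        self.accounts = accounts    # {bind name: password}
        self.identity = None        # None means an anonymous session

    def simple_bind_s(self, who="", cred=""):
        if not who or not cred:
            self.identity = None    # anonymous bind: no error is raised
            return (RES_BIND, [])
        if self.accounts.get(who) != cred:
            raise FakeLDAPError("invalid credentials")
        self.identity = who
        return (RES_BIND, [])

    def search_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None):
        # Anonymous sessions may read the root DSE (empty base) only.
        if base and self.identity is None:
            raise FakeLDAPError("bind required to search below the root DSE")
        return [(base, {})]

def authenticate(conn, user, password, base_dn, error_cls=Exception):
    """Return True only when the server accepted real credentials.

    Assumed usage with python-ldap: pass error_cls=ldap.LDAPError.
    """
    # An empty name or password would be sent as an anonymous bind,
    # which succeeds, so reject it before contacting the server.
    if not user or not password:
        return False
    try:
        conn.simple_bind_s(user, password)
        # Second check: this search fails if the session is anonymous.
        conn.search_s(base_dn, SCOPE_BASE, "(objectClass=*)", ["1.1"])
    except error_cls:
        return False
    return True
```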
