[python-ldap] simple_bind_s, no exception on empty password

Chaos Eternal chaoseternal at gmail.com
Sat Dec 8 08:06:17 CET 2012


Another way is to check whether the password is empty before bind.
On Dec 8, 2012 3:01 PM, "Chris Gray" <fathed at gmail.com> wrote:

> Hmm, that's handy info. And that seems to work:
>
> if ldap_conn.whoami_s().lower() == "u:" + ldap_user.lower():
>
> This of course leads to new problems.
> First, .lower() says it is to be considered deprecated.
> http://docs.python.org/2/library/string.html
>
> After searching the webs, everything I see still uses .lower() or
> .upper(), even if it says it's written for Python3. So, not really sure if
> I should be concerned about that for now.
>
> And the second issue,
> type(ldap_conn.whoami_s()) is "str". Everything else I've read suggests
> that ActiveDirectory is LDAPv3, which should always be unicode.
> This probably isn't something I really need to be concerned about, but I'd
> rather solve it now instead of waiting for someone else to have an odd
> problem.
>
> I'm in python 2.7. I tried adding this to top, as I've seen suggested,
> from __future__ import unicode_literals
>
> Doing that does make this string be unicode,  "u:" + ldap_user.lower(),
> but not the string returned from the whoami_s call.
> Leaving it out returns both types as "str" (which is to be expected).
>
> I guess I would need a python3 version of the python-ldap library to solve
> that, meaning I should wait for the unicode issue, or try something like
> this:
> ldap_conn.whoami_s().decode('unicode_escape').encode('iso8859-1').decode('utf8'),
> which does set the type to unicode. This does work, just seems messy.
>
> Here's the current working version checking the supplied username against
> the whoami_s, (with deprecated .lower)
>
> Thanks Chaos Eternal!
>
>
> from __future__ import unicode_literals
> import sys
> import ldap
> import getpass
>
> ldap_user = sys.argv[1]
> ldap_pass = getpass.getpass()
>
> ldap_conn = ldap.initialize('ldap://domaincontroller')
> ldap_conn.protocol_version = 3
> ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
>
> ldap_domains = ['domain1',
>                 'domain2',
>                 'domain3',
>                 'domain4',
>                 'domain5',
>                 'domain6',
>                 'domain7']
>
> for domain in ldap_domains:
>     try:
>         # Build the bind name per domain instead of appending to ldap_user
>         bind_user = domain + "\\" + ldap_user
>         ldap_conn.simple_bind_s(bind_user, ldap_pass)
>         ldap_who = ldap_conn.whoami_s().decode('unicode_escape').encode('iso8859-1').decode('utf8').lower()
>         if ldap_who == "u:" + bind_user.lower():
>             sys.exit(0)
>     except Exception:
>         pass
>
> sys.exit(1)
>
>
> On Fri, Dec 7, 2012 at 7:05 PM, Chaos Eternal <chaoseternal at gmail.com> wrote:
>
>> Hi, Chris
>>
>> This is the RIGHT behavior when the LDAP server allows anonymous
>> bind. According to the LDAP RFC, when no password is provided to
>> simple_bind, the bind will be considered anonymous.
>>
>> If you really don't want this to happen, my suggestion is that
>> you can use whoami_s right after a successful bind to check whether
>> the DN is desired.
>>
>>
>> On Sat, Dec 8, 2012 at 6:51 AM, Chris Gray <fathed at gmail.com> wrote:
>> > Hey everyone, I have a question with simple_bind_s.
>> >
>> > The code below, if passing in the wrong password, will return 1 as the exit
>> > code. It will return 0 if the bind is successful. That's pretty much all I
>> > need it to do.
>> >
>> > My problem is, if I just hit enter on the getpass() prompt, my exit code
>> > ends up being 0 anyway.
>> >
>> > Changing the bind line to ldap_conn.simple_bind_s(ldap_user, "") has the
>> > same effect, no exception thrown. That seems to not even try to do the
>> > bind, but the lack of exception doesn't seem to be the right behavior
>> > either.
>> >
>> > Variable data is changed to protect... or some reason.
>> >
>> > Any suggestions?
>> > Thanks!
>> > Chris
>> >
>> >
>> > import sys
>> > import ldap
>> > import getpass
>> >
>> >
>> > ldap_user = sys.argv[1]
>> > ldap_pass = getpass.getpass()
>> > #if ldap_pass == "":
>> > # ldap_pass = "badpassword"
>> >
>> > ldap_conn = ldap.initialize('ldap://domaincontroller.fqdn')
>> > ldap_conn.protocol_version = 3
>> > ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
>> >
>> > ldap_domains = ['domain1',
>> >                 'domain2',
>> >                 'domain3',
>> >                 'domain4',
>> >                 'domain5',
>> >                 'domain6',
>> >                 'domain7']
>> >
>> > for domain in ldap_domains:
>> >     try:
>> >         # Build the bind name per domain instead of appending to ldap_user
>> >         bind_user = ldap_user + '@' + domain
>> >         ldap_conn.simple_bind_s(bind_user, ldap_pass)
>> >         sys.exit(0)
>> >     except Exception:
>> >         pass
>> >
>> > sys.exit(1)
>> >
>>
>
>
>
> --
> Intelligence is a matter of opinion.
>
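
Added example, not part of the original thread and not python-ldap code: the two checks suggested above (reject an empty password before the bind, compare whoami_s() with the requested name after it) next to the "no exception means success" logic. FakeDirectory is a constructed stand-in for the connection object so the example runs offline; its "u:DOMAIN\user" whoami format follows what the thread reports, and all account data is made up.

```python
class FakeDirectory:
    """Constructed stand-in for an LDAP connection (an assumption, not python-ldap).
    Models the behaviour described in the thread: a simple bind with an empty
    password raises nothing and leaves the session anonymous."""
    def __init__(self, accounts):
        self.accounts = accounts        # {bind name: password}, constructed data
        self.identity = ""

    def simple_bind_s(self, who, cred):
        if cred == "":
            self.identity = ""          # anonymous session, no exception
        elif self.accounts.get(who.lower()) == cred:
            self.identity = "u:" + who
        else:
            raise ValueError("invalid credentials")

    def whoami_s(self):
        return self.identity


def naive_check(connect, user, password, domains):
    """Logic of the first script: any bind that does not raise counts as a login."""
    for domain in domains:
        try:
            connect().simple_bind_s(domain + "\\" + user, password)
            return True
        except Exception:
            pass
    return False


def check_credentials(connect, user, password, domains):
    """Return the DOMAIN\\user name that authenticated, or None."""
    if not password:                    # check 1: never send an empty password
        return None
    for domain in domains:
        bind_user = domain + "\\" + user    # fresh name for every domain
        conn = connect()
        try:
            conn.simple_bind_s(bind_user, password)
        except Exception:
            continue
        # check 2: the session identity must be the account we asked for
        if conn.whoami_s().lower() == "u:" + bind_user.lower():
            return bind_user
    return None
```

With python-ldap installed, connect would be something like lambda: ldap.initialize(url), the call already used in the scripts above.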