[python-ldap] simple_bind_s, no exception on empty password

Chris Gray fathed at gmail.com
Mon Dec 10 10:27:45 CET 2012


So, here's the final version I ended up going with, with added use of
SSL/TLS, so no more clear-text passwords over the wire. I'm not really sure
if the unicode matters too much, but I do need to support Hangul (Korean).
Haven't tested that yet.

For the cert, just open mmc, add the cert snap-in for local computer certs,
and export your root CA cert. Only the public part, of course (you shouldn't have
the private root cert on your workstation anyway). The DER format works
fine for me.

from __future__ import unicode_literals
import sys
import ldap
import getpass

ldap_user = sys.argv[1]
ldap_pass = getpass.getpass()
if ldap_pass == "":
    # An empty password turns the simple bind into an unauthenticated (anonymous)
    # bind, which "succeeds" without proving anything, so refuse it up front.
    sys.exit(1)

ldap.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
# Verify the server certificate against the exported root CA. OPT_X_TLS_CACERTFILE
# is the CA file (OPT_X_TLS_CERTFILE is a client certificate) and must be set
# globally before initialize() so the TLS context picks it up; OpenSSL's CA
# loader wants PEM, so convert a DER export first. OPT_X_TLS_DEMAND makes a
# failed verification abort the connection instead of being ignored (ALLOW).
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, 'Path\\To\\Cert')
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
ldap.set_option(ldap.OPT_REFERRALS, 0)

ldap_conn = ldap.initialize('ldaps://ldapaddress:636')
ldap_conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 30)

ldap_domains = ['domain1',
                'domain2',
                'domain3',
                'domain4',
                'domain5',
                'domain6']

for domain in ldap_domains:
    # Build the bind name from the original username on every pass so the
    # domains don't pile up ("domain2\domain1\user") across iterations.
    bind_user = domain + "\\" + ldap_user
    try:
        ldap_conn.simple_bind_s(bind_user, ldap_pass)
        ldap_who = ldap_conn.whoami_s()
        if isinstance(ldap_who, bytes):
            # AD answers Who Am I in UTF-8 (Hangul included); python-ldap on
            # Python 2 hands it back as bytes, on Python 3 already as str.
            ldap_who = ldap_who.decode('utf8')
        # Only count it as a login if the server says it authenticated *this*
        # account; an anonymous session answers with an empty authzid.
        if ldap_who.lower() == "u:" + bind_user.lower():
            sys.exit(0)
    except ldap.LDAPError:
        pass

sys.exit(1)





On Fri, Dec 7, 2012 at 5:39 PM, Tom Tucker <tktucker at gmail.com> wrote:

>
> If you figure this out, please let me know. ;-)
> I check for credentials issues with 'except ldap.INVALID_CREDENTIALS'
> after attempting an add, delete, etc activity.
>
>
> On Fri, Dec 7, 2012 at 5:51 PM, Chris Gray <fathed at gmail.com> wrote:
>
>> Hey everyone, I have a question with simple_bind_s.
>>
>> The code below, if passing in the wrong password, will return 1 as the
>> exit code. It will return 0 if the bind is successful. That's pretty much
>> all I need it to do.
>>
>> My problem is, if I just hit enter on the getpass() prompt, my exit code
>> ends up being 0 anyway.
>>
>> Changing the bind line to ldap_conn.simple_bind_s(ldap_user, "") has the
>> same effect, no exception thrown. That seems to not even try to do the
>> bind, but the lack of exception doesn't seem to be the right behavior
>> either.
>>
>> Variable data is changed to protect... or some reason.
>>
>> Any suggestions?
>> Thanks!
>> Chris
>>
>>
>> import sys
>> import ldap
>> import getpass
>>
>>
>> ldap_user = sys.argv[1]
>> ldap_pass = getpass.getpass()
>> #if ldap_pass == "":
>> #    ldap_pass = "badpassword"
>>
>> ldap_conn = ldap.initialize('ldap://domaincontroller.fqdn')
>> ldap_conn.protocol_version = 3
>> ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
>>
>> ldap_domains = ['domain1',
>>                 'domain2',
>>                 'domain3',
>>                 'domain4',
>>                 'domain5',
>>                 'domain6',
>>                 'domain7']
>>
>> for domain in ldap_domains:
>>     try:
>>         # bind as user@domain, rebuilt from the original name on each pass
>>         bind_user = ldap_user + '@' + domain
>>         ldap_conn.simple_bind_s(bind_user, ldap_pass)
>>         sys.exit(0)
>>     except Exception:
>>         pass
>>
>> sys.exit(1)
>>
>> _______________________________________________
>> python-ldap mailing list
>> python-ldap at python.org
>> http://mail.python.org/mailman/listinfo/python-ldap
>>
>>
>


-- 
Intelligence is a matter of opinion.
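The behaviour the thread is about is what RFC 4513 calls an unauthenticated bind: a simple bind that carries a name but an empty password is answered with success and leaves the session anonymous, so "no exception" is not the same as "authenticated". The following is an added example, not code from the thread or from python-ldap, showing the original check beside a version that refuses empty passwords and confirms the bound identity with Who Am I, plus a per-domain loop that rebuilds the bind name instead of accumulating it. The FakeDirectory class is a constructed stand-in for the server so the example runs offline; the two check functions only call simple_bind_s() and whoami_s(), so a real python-ldap LDAPObject can be passed in their place.

```python
# Added example (not from the thread). FakeDirectory is a constructed model of an
# AD-style directory; with a real python-ldap LDAPObject the check functions
# below work unchanged because they only use simple_bind_s() and whoami_s().


class InvalidCredentials(Exception):
    """Constructed stand-in for ldap.INVALID_CREDENTIALS (keeps the demo offline)."""


class FakeDirectory(object):
    """Constructed model of one domain with a few accounts."""

    def __init__(self, domain, accounts):
        self.domain = domain          # e.g. "DOMAIN1"
        self.accounts = accounts      # {"jsmith": "s3cret"} (constructed sample)
        self.bound_as = None          # identity of the current session, if any

    def simple_bind_s(self, who, cred):
        # RFC 4513 5.1.2: a name with an empty password is an *unauthenticated*
        # bind. Servers that permit it answer success and treat the session as
        # anonymous, which is exactly the "exit code 0" the thread hit.
        if cred == "":
            self.bound_as = None
            return
        domain, _, user = who.partition("\\")
        if domain.lower() != self.domain.lower() or self.accounts.get(user) != cred:
            self.bound_as = None
            raise InvalidCredentials("invalid credentials")
        self.bound_as = who

    def whoami_s(self):
        # Who Am I (RFC 4532): an anonymous session gets an empty authzid back.
        return "u:" + self.bound_as if self.bound_as else ""


def naive_bind_check(conn, bind_name, password):
    """The pattern from the original question: 'no exception' == 'authenticated'."""
    try:
        conn.simple_bind_s(bind_name, password)
    except Exception:
        return False
    return True


def authenticate(conn, domain, username, password):
    """Bind, then prove the server really authenticated *this* identity."""
    if password == "":
        return False                  # never send an unauthenticated bind at all
    bind_name = domain + "\\" + username   # built fresh, never accumulated
    try:
        conn.simple_bind_s(bind_name, password)
    except Exception:                 # ldap.INVALID_CREDENTIALS and friends
        return False
    who = conn.whoami_s()
    if isinstance(who, bytes):        # python-ldap on Python 2 returns bytes
        who = who.decode("utf-8")
    # Anonymous sessions answer "", so this also catches a server that let an
    # empty password through even if the guard above were missing.
    return who.lower() == ("u:" + bind_name).lower()


def authenticate_any_domain(conn, domains, username, password):
    """Try each domain in turn; return the domain that accepted the user, or None."""
    for domain in domains:
        if authenticate(conn, domain, username, password):
            return domain
    return None


if __name__ == "__main__":
    directory = FakeDirectory("DOMAIN1", {"jsmith": "s3cret"})
    print("naive check, empty password:", naive_bind_check(directory, "DOMAIN1\\jsmith", ""))
    print("strict check, empty password:", authenticate(directory, "DOMAIN1", "jsmith", ""))
    print("strict check, right password:", authenticate(directory, "DOMAIN1", "jsmith", "s3cret"))
    print("domain found:", authenticate_any_domain(directory, ["domain2", "domain1"], "jsmith", "s3cret"))
```

The naive check reports True for the empty password because the server never raised; the strict check reports False twice over, once from the empty-password guard and once because whoami_s() would return an empty authzid rather than "u:DOMAIN1\jsmith". Catching a bare Exception around the bind mirrors the thread's code; with python-ldap, catching ldap.LDAPError is the tighter choice.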

