[python-ldap] Seemingly random success and failures

Kevin Cole dc.loco at gmail.com
Sat Sep 7 04:13:00 CEST 2013


I'm working under the "easier to beg forgiveness than ask permission" model
(having already tried the alternative and gotten a run-around). Hence, I'm
lacking some of the specifics about the server I'm talking to. However, I
hope I'm providing enough info to get a reasonable answer.

Our IT department has some sort of LDAP server (Active Directory, I think).
I have successfully gotten Python's LDAP module to talk to it, and fetch
all the info I need (after authenticating to it). This was in part to
determine if a user is "legit" enough to use services I'm providing, and to
offer auto-completion of employee names.

It seemed to be working fine with the small handful of users that I tested
with. Well, now I've been asked to make the login capability of my little
web app more publicly available to other folks on campus (who have LDAP
records as well). Since I advertised the new capability, it has behaved
randomly: sometimes a user will succeed in authenticating, and then a few
minutes later it fails for the same user. The failures don't seem to be
the same thing twice, and I haven't had the opportunity to copy the various
error messages being given back. I have two different IP addresses, one of
which uses ldaps:// and the other ldap://. I have had "luck" both good and
bad with both of them.

This isn't a service that people are going to be hammering at. So, I don't
think the source of trouble is that my server is too busy with people
trying to authenticate simultaneously. It's also depending (a little) on
security through obscurity, having an unlikely URL.

Here are the relevant portions of the code:

    import ldap, ldap.sasl
    from django.http import HttpResponseRedirect
...
    server  = "ldaps://.../"
    base_dn = "OU=people,dc=ad,dc=gallaudet,dc=edu"
    screen  = "(sn=*)"                        # search filter
    scope   = ldap.SCOPE_SUBTREE
    fields  = ["sn", "givenName"]             # attributes to fetch
    con     = ldap.initialize(server)         # one module-level connection, reused across requests
    con.set_option(ldap.OPT_REFERRALS, 0)     # don't chase referrals; recommended somewhere
...
    user   = request.POST["username"].strip()
    cut    = user.find("@gallaudet.edu")
    if cut > 0: user = user[:cut]             # username, not e-mail
    passwd = request.POST["password"]
    token  = ldap.sasl.digest_md5(user, passwd)
    try:
        con.sasl_interactive_bind_s("", token)
    except ldap.INVALID_CREDENTIALS:          # wrong password: back to the login page
        return HttpResponseRedirect("/.../login/")
...

    temp  = [attrs for dn, attrs in con.search_s(base_dn, scope, screen, fields)]
    found = [entry for entry in temp if "givenName" in entry]

Is it just a matter of bad timing? Should I be "MUNGing" it, retrying
repeatedly if it's not an INVALID_CREDENTIALS exception, and hoping for a
lucky roll of the dice?

Thanks!
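An added example for the retry question above (editor's code, not the poster's or python-ldap's): the posted code binds every request on one module-level connection, and an LDAP bind changes the identity of the whole connection, so on a shared object another request's bind, or failed bind, decides whose identity this request's search runs under. The function below therefore opens a connection per request, never retries `INVALID_CREDENTIALS` (a wrong password is an answer, and retrying it only adds failed-logon events against the account), and gives transport errors (`SERVER_DOWN`, `TIMEOUT`, `CONNECT_ERROR`) one fresh connection and one more try. It uses python-ldap's real names; when the module is not installed, same-named stand-ins are defined so it runs offline. `FakeDirectory`, `FakeConnection`, the account `jdoe`, and the referral URL `ldap://referral.invalid/` are constructed for the demonstration; the base DN and domain are the ones from the post.

```python
"""Per-request bind with a bounded, credential-aware retry (added example, not
the poster's code).  Uses python-ldap's real names; if the module is missing,
same-named stand-ins are defined so this runs offline against FakeDirectory."""
import types
from contextlib import suppress

try:
    import ldap
    import ldap.sasl
except ImportError:  # offline stand-ins; real python-ldap defines all of these
    class LDAPError(Exception): pass
    class INVALID_CREDENTIALS(LDAPError): pass
    class SERVER_DOWN(LDAPError): pass
    class TIMEOUT(LDAPError): pass
    class CONNECT_ERROR(LDAPError): pass
    ldap = types.SimpleNamespace(
        LDAPError=LDAPError, INVALID_CREDENTIALS=INVALID_CREDENTIALS,
        SERVER_DOWN=SERVER_DOWN, TIMEOUT=TIMEOUT, CONNECT_ERROR=CONNECT_ERROR,
        OPT_REFERRALS=8, SCOPE_SUBTREE=2,
        sasl=types.SimpleNamespace(digest_md5=lambda u, p: (u, p),
                                   CB_AUTHNAME=0x4002, CB_PASS=0x4004))

# Errors worth one fresh connection and one more try.  INVALID_CREDENTIALS is
# deliberately absent: retrying a wrong password only adds failed-logon events.
TRANSIENT = (ldap.SERVER_DOWN, ldap.TIMEOUT, ldap.CONNECT_ERROR)

def normalize_username(raw, domain="gallaudet.edu"):
    """Map ' jdoe@Gallaudet.edu ' or 'jdoe' to the account name 'jdoe'."""
    user, suffix = raw.strip(), "@" + domain
    return user[:-len(suffix)] if user.lower().endswith(suffix) else user

def login_and_lookup(connect, user, passwd, base_dn, attempts=2):
    """Bind as `user` on a connection made just for this request, then search.
    `connect` takes no arguments and returns a new connection (in production
    `lambda: ldap.initialize(server)`).  Returns (status, entries)."""
    for _ in range(attempts):
        con = None
        try:
            con = connect()
            con.set_option(ldap.OPT_REFERRALS, 0)
            con.sasl_interactive_bind_s("", ldap.sasl.digest_md5(user, passwd))
            results = con.search_s(base_dn, ldap.SCOPE_SUBTREE, "(sn=*)",
                                   ["sn", "givenName"])
            # With referral chasing off, AD mixes (None, [url, ...]) referral
            # tuples into the results; keep only real entries with a givenName.
            return "ok", [attrs for dn, attrs in results
                          if dn is not None and "givenName" in attrs]
        except ldap.INVALID_CREDENTIALS:
            return "bad_credentials", []       # an answer, not a fault: no retry
        except TRANSIENT:
            continue                           # drop this connection, try a new one
        finally:
            if con is not None:
                with suppress(ldap.LDAPError):
                    con.unbind_s()
    return "unavailable", []

# Constructed stand-in for the directory (not a real server), used by demo().
class FakeDirectory:
    """Holds {user: password}; the first `dead` connections die on bind."""
    def __init__(self, accounts, dead=0):
        self.accounts, self.dead, self.connections = accounts, dead, 0

    def connect(self):
        self.connections += 1
        return FakeConnection(self, self.connections <= self.dead)

class FakeConnection:
    def __init__(self, directory, dead):
        self.directory, self.dead, self.bound_as = directory, dead, None

    def set_option(self, option, value): pass

    def sasl_interactive_bind_s(self, dn, token):
        if self.dead:
            raise ldap.SERVER_DOWN({"desc": "Can't contact LDAP server"})
        # Token is a (user, password) tuple from the stand-in, or a real
        # ldap.sasl.digest_md5 object whose callbacks hold the same two values.
        user, passwd = token if isinstance(token, tuple) else (
            token.cb_value_dict[ldap.sasl.CB_AUTHNAME], token.cb_value_dict[ldap.sasl.CB_PASS])
        if self.directory.accounts.get(user) != passwd:
            raise ldap.INVALID_CREDENTIALS({"desc": "Invalid credentials"})
        self.bound_as = user

    def search_s(self, base, scope, filterstr, attrlist):
        people = [("CN=%s,%s" % (u, base), {"givenName": [u.encode()]})
                  for u in self.directory.accounts] if self.bound_as else []
        return people + [(None, ["ldap://referral.invalid/"])]  # AD-style referral

    def unbind_s(self): self.bound_as = None

def demo(base_dn="OU=people,dc=ad,dc=gallaudet,dc=edu"):
    """Dead first connection (recovers), wrong password (no retry), server down."""
    accounts = {"jdoe": "correct horse"}
    flaky = FakeDirectory(accounts, dead=1)
    ok = login_and_lookup(flaky.connect, normalize_username("jdoe@Gallaudet.edu"),
                          "correct horse", base_dn)
    bad = login_and_lookup(FakeDirectory(accounts).connect, "jdoe", "wrong", base_dn)
    down = login_and_lookup(FakeDirectory(accounts, dead=9).connect, "jdoe",
                            "correct horse", base_dn)
    return ok[0], len(ok[1]), flaky.connections, bad[0], down[0]
```

`demo()` returns `("ok", 1, 2, "bad_credentials", "unavailable")`: the flaky directory needed two connections, the wrong password was reported after exactly one, and a directory that stays down is reported as unavailable rather than as a credential failure, so the web app can show the user something other than "wrong password" when the server is the problem.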

