[python-ldap] Seemingly random success and failures

Michael Ströder michael at stroeder.com
Sat Sep 7 12:16:47 CEST 2013


Kevin Cole wrote:
> Our IT department has some sort of LDAP server.
> (Active Directory, I think.)
> I have successfully gotten Python's LDAP module to talk to it, and fetch
> all the info I need (after authenticating to it). This was in part to
> determine if a user is "legit" enough to use services I'm providing, and to
> offer auto-completion of employee names.
> 
> It seemed to be working fine with the small handful of users that I tested
> with. Well, now I've been asked to make the login capability of my little
> web app more publicly available to other folks on campus (who have LDAP
> records as well). Since advertising the new capability, it behaves
> randomly: Sometimes a user will succeed in authenticating, and then a few
> minutes later, it fails for the same user.  The failures don't seem to be
> the same thing twice, and I haven't had the opportunity to copy the various
> error messages being given back.
> I have two different IP addresses, one of which uses ldaps:// and the
> other ldap://.  I have had "luck" both good and bad with both of them.
> 
> This isn't a service that people are going to be hammering at. So, I don't
> think the source of trouble is that my server is too busy with people
> trying to authenticate simultaneously.
> It's also depending (a little) on security through obscurity, having an
> unlikely URL.

Well, there are many aspects in your infrastructure where to look for the
cause of temporary failure.

Especially without having exact error messages / exceptions or similar it's
impossible to help.

> Here are the relevant portions of the code:

Again I'm not sure whether I fully understand what you're trying to achieve.

> ...
>     user   = request.POST["username"].strip()
>     cut    = user.find("@gallaudet.edu")
>     if cut > 0: user = user[:cut]         # username, not e-mail

There's no else clause here.

>     passwd = request.POST["password"]
>     token  = ldap.sasl.digest_md5(user,passwd)
>     try:
>         con.sasl_interactive_bind_s("",token)
>     except ldap.INVALID_CREDENTIALS, e:
>         return HttpResponseRedirect("/.../login/")

Note that there are some issues with SASL DIGEST-MD5 and MS AD regarding the
use of non-ASCII chars in usernames. Not sure about passwords.

I'd recommend to set trace_level/trace_file and look at what python-ldap
really sends and receives:

http://www.python-ldap.org/doc/html/ldap.html#ldapobject-classes

In most strange cases like this using trace_level=2 helped a lot. ;-)

Ciao, Michael.
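An added example (not code from the thread or from python-ldap itself) of the wiring suggested above: one fresh connection per attempt with trace_level=2 writing to a file, every LDAPError captured with its desc/info instead of only INVALID_CREDENTIALS, and the "@gallaudet.edu" suffix stripped with endswith rather than find. It assumes python-ldap is installed; the URI, trace path and function names are mine.

```python
"""Diagnostic version of the DIGEST-MD5 bind discussed in the thread."""
import logging

log = logging.getLogger("ldap-auth")


def normalize_username(raw, domain="gallaudet.edu"):
    """Strip a trailing '@domain' (case-insensitively) and nothing else.
    str.find() as in the posted code also matches the suffix mid-string."""
    user = raw.strip()
    suffix = "@" + domain
    if user.lower().endswith(suffix):
        user = user[:-len(suffix)]
    return user


def describe_error(exc):
    """python-ldap passes the server result as exc.args[0], a dict with
    'desc' and usually 'info'; keep both so failures can be compared."""
    detail = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
    return {
        "type": type(exc).__name__,
        "desc": detail.get("desc", str(exc)),
        "info": detail.get("info", ""),
    }


def traced_digest_md5_bind(uri, username, password, trace_path, timeout=10):
    """Bind once over a fresh connection with trace_level=2 so the full
    request/response exchange lands in trace_path next to any failure."""
    import ldap  # imported here so the helpers above run without python-ldap
    import ldap.sasl
    with open(trace_path, "a") as trace_file:
        con = ldap.initialize(uri, trace_level=2, trace_file=trace_file)
        con.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)  # fail fast, don't hang
        try:
            con.sasl_interactive_bind_s("", ldap.sasl.digest_md5(username, password))
            return True, None
        except ldap.LDAPError as exc:  # not only INVALID_CREDENTIALS
            info = describe_error(exc)
            # %r shows non-ASCII characters in the username explicitly
            log.warning("bind failed for %r via %s: %s", username, uri, info)
            return False, info
        finally:
            try:
                con.unbind_s()
            except ldap.LDAPError:
                pass
```

Call it as `traced_digest_md5_bind("ldaps://LDAP-HOST-PLACEHOLDER", normalize_username(user), passwd, "/tmp/ldap-trace.log")` and compare the returned info dicts across the intermittent failures.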
