[python-ldap] python-ldap code returns no data, conflicts with ldap-search results

Burvilwork Chang burvilwork2 at gmail.com
Fri Oct 12 14:02:29 EDT 2018

I’m having an issue where the python-ldap module is returning no results,
even though I am able to get results through other methods. I use the same
parameters as ldapsearch, but the python code turns up nothing. This
happens with a large number of hostnames that I search for.

Specifically, I am able to get valid LDAP data returned for a hostname with
the following:

$ [2014][AD-user at host-joined-to-AD:~]$ ldapsearch -x -H ldaps://
ldap-host-here.ds.subdomain.net:636 -D "AD-user at ds.subdomain.net” -w
‘password-here' -b "DC=ds,DC=subdomain,DC=net"
"(&(objectclass=computer)(cn=hostname-here))” |less
I also see a computer account for this system when logging into a Windows
system on the domain and searching for the hostname via dsa, so I know the
computer account is in AD/LDAP.

The following are my LDAP related modules. Note that I know the ldap module
version is a little old, but as I’m running RHEL 7.5, it’s the newest I can
make it without causing other dependencies to break, i.e. I had to install
this via RPM.

$ pip freeze | grep ldap
I run my code, and it shows nothing in the results:

$ ./to-post.py
Initializing LDAP connection object with uri ldaps://
Binding with username username-here…
LDAP results - []
The code is below. Any thoughts on why I’m not getting anything returned,
even though the computer account exists?


import ldap

# IN: cfg, hostname, domain string
# OUT: True or False (if in AD or not)
def CheckIfHostInAD(cfg, hostname, env):

    domain = "tld-value-here"
    username = 'username-here'
    password = 'password-here'
    uri = "ldaps://ldap-host-here." + domain + ":636"

    (subdomain, tld) = domain.split('.')
    ## Create instance of LDAP class. No connection has been made yet.
    print("Initializing LDAP connection object with uri " + uri )
    l = ldap.initialize(uri)   #####!!!
    results = []
    OU_setting = ""

        # When we connect, make sure to connect using LDAPv3
        l.protocol_version = ldap.VERSION3
        #set connection
        l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
        l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

        print("Binding with username " + username + "...")
        bind = l.simple_bind_s(username, password)

        # When we search, the base is the level at which we want to start
        OU_setting = ""
        base = OU_setting + "DC=ds,DC=" + subdomain + ",DC=net"

        # When we search, filter results down to ones that have an
objectClass of "computer"
        criteria = "(&(objectclass=computer)(cn=" + hostname + "))"

        attributes = ['name']

        print("Getting hostnames in " + domain
                +  ", base " + str(base) + ", criteria " + str(criteria) )
        # Ok! Search and store the result in the variable "result"
        ldap_dump = l.search_s(base, ldap.SCOPE_SUBTREE, criteria,
        print("Found " + len(ldap_dump) + " hostnames in " + domain)

        # Print the results to the console
        for data_dict in [entry for dn, entry in ldap_dump if
isinstance(entry, dict)]:

    except Exception as e:
        print("error - " + e)
    # Now that we're done (failed or not), release the connection
        print("LDAP results - " + str(results))
        return results

cfg = ""
hostname = “short-hostname-here”
env = ""
result = CheckIfHostInAD(cfg, hostname, env)

As I noted earlier, I'd prefer not to upgrade the python-ldap module if not
needed. In other words, unless there's something in a newer version where a
bug resulting in no data being returned, I'd prefer not to upgrade.

I found verbose settings for python-ldap at
https://helpful.knobs-dials.com/index.php/Python-ldap_notes and
http://lpetr.org/blog/archives/how-to-enable-logging-in-python-ldap, but
using those didn't help.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ldap/attachments/20181012/53f41c43/attachment.html>

More information about the python-ldap mailing list