[python-ldap] python-ldap code returns no data, conflicts with ldap-search results

Burvilwork Chang burvilwork2 at gmail.com
Fri Oct 12 14:02:29 EDT 2018


I’m having an issue where the python-ldap module is returning no results,
even though I am able to get results through other methods. I use the same
parameters as ldapsearch, but the python code turns up nothing. This
happens with a large number of hostnames that I search for.

Specifically, I am able to get valid LDAP data returned for a hostname with
the following:

$ [2014][AD-user at host-joined-to-AD:~]$ ldapsearch -x -H ldaps://ldap-host-here.ds.subdomain.net:636 -D "AD-user at ds.subdomain.net" -w 'password-here' -b "DC=ds,DC=subdomain,DC=net" "(&(objectclass=computer)(cn=hostname-here))" |less

I also see a computer account for this system when logging into a Windows
system on the domain and searching for the hostname via dsa, so I know the
computer account is in AD/LDAP.

The following are my LDAP related modules. Note that I know the ldap module
version is a little old, but as I’m running RHEL 7.5, it’s the newest I can
make it without causing other dependencies to break, i.e. I had to install
this via RPM.

$ pip freeze | grep ldap
ldap3==2.5.1
python-ldap==2.4.15
I run my code, and it shows nothing in the results:

$ ./to-post.py
Initializing LDAP connection object with uri ldaps://ldap-host-here.ds.subdomain.net:636
Binding with username username-here…
LDAP results - []
The code is below. Any thoughts on why I’m not getting anything returned,
even though the computer account exists?

#!/usr/bin/python

import ldap

#####################################
# IN: cfg, hostname, domain string
# OUT: True or False (if in AD or not)
def CheckIfHostInAD(cfg, hostname, env):

    domain = "tld-value-here"
    username = 'username-here'
    password = 'password-here'
    uri = "ldaps://ldap-host-here." + domain + ":636"

    (subdomain, tld) = domain.split('.')
    ## Create instance of LDAP class. No connection has been made yet.
    print("Initializing LDAP connection object with uri " + uri )
    l = ldap.initialize(uri)   #####!!!
    results = []
    OU_setting = ""

    try:
        # When we connect, make sure to connect using LDAPv3
        l.protocol_version = ldap.VERSION3
        #set connection
        l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
        l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

        print("Binding with username " + username + "...")
        bind = l.simple_bind_s(username, password)

        # When we search, the base is the level at which we want to start searching
        OU_setting = ""
        base = OU_setting + "DC=ds,DC=" + subdomain + ",DC=net"

        # When we search, filter results down to ones that have an objectClass of "computer"
        criteria = "(&(objectclass=computer)(cn=" + hostname + "))"

        attributes = ['name']

        print("Getting hostnames in " + domain
                +  ", base " + str(base) + ", criteria " + str(criteria) )
        # Ok! Search and store the result in the variable "result"
        ldap_dump = l.search_s(base, ldap.SCOPE_SUBTREE, criteria, attributes)
        # len() returns an int, so it must be converted before string concatenation
        print("Found " + str(len(ldap_dump)) + " hostnames in " + domain)

        # Print the results to the console (referral entries carry a list of
        # URLs instead of a dict, so they are skipped)
        for data_dict in [entry for dn, entry in ldap_dump if isinstance(entry, dict)]:
            results.append(data_dict["name"][0])

    except Exception as e:
        # str() is required: concatenating a string with an exception object raises TypeError
        print("error - " + str(e))
    # Now that we're done (failed or not), release the connection
    finally:
        l.unbind()
        print("LDAP results - " + str(results))
    # The return belongs outside the finally block: a return inside finally
    # swallows any exception raised above (bind or search failure) and hides the cause
    return results


cfg = ""
hostname = "short-hostname-here"
env = ""
result = CheckIfHostInAD(cfg, hostname, env)
quit()

As I noted earlier, I'd prefer not to upgrade the python-ldap module if not
needed. In other words, unless a newer version fixes a bug that results in no
data being returned, I'd prefer not to upgrade.

I found verbose settings for python-ldap at
https://helpful.knobs-dials.com/index.php/Python-ldap_notes and
http://lpetr.org/blog/archives/how-to-enable-logging-in-python-ldap, but
using those didn't help.
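The lookup above, rewritten as an added example (not from the original post or the python-ldap project): the hostname is escaped per RFC 4515 before being placed in the filter, the server certificate is verified rather than disabled, referral entries are skipped, and the return sits outside the finally block so a bind or search failure surfaces as an exception. The function names, the CA-file parameter and the bind DN are assumptions; the sample search output is constructed.

```python
# Added example; assumes python-ldap is installed for the network call.
# The helpers that build the filter and parse results are pure and run without it.

# RFC 4515 escaping: characters that would otherwise change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a single assertion value so it cannot alter the filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def computer_filter(hostname):
    """Same filter as the post, but the hostname is escaped instead of concatenated raw."""
    return "(&(objectClass=computer)(cn=%s))" % escape_filter_value(hostname)


def names_from_results(ldap_dump):
    """Collect the 'name' attribute from search_s output.

    A subtree search under the domain root on AD also returns referral entries,
    whose dn is None and whose second element is a list of URLs, not a dict.
    python-ldap 3.x returns attribute values as bytes, 2.x as str; both are handled.
    """
    names = []
    for dn, entry in ldap_dump:
        if dn is None or not isinstance(entry, dict):
            continue
        for raw in entry.get("name", []):
            names.append(raw.decode("utf-8") if isinstance(raw, bytes) else raw)
    return names


# Constructed sample of what search_s might return: one referral, one computer object.
SAMPLE_DUMP = [
    (None, ["ldaps://forest-placeholder/DC=ds,DC=subdomain,DC=net"]),
    ("CN=srv01,CN=Computers,DC=ds,DC=subdomain,DC=net", {"name": [b"srv01"]}),
]


def check_if_host_in_ad(uri, bind_dn, password, base, hostname, cacert_file):
    """Bind, search for the computer object and return its name(s); errors propagate."""
    import ldap  # imported here so the helpers above stay usable without python-ldap
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert_file)   # hypothetical CA bundle path
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)  # verify, do not skip
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # must come after the other TLS options
    try:
        conn.simple_bind_s(bind_dn, password)  # e.g. the UPN used with ldapsearch -D
        dump = conn.search_s(base, ldap.SCOPE_SUBTREE, computer_filter(hostname), ["name"])
    finally:
        conn.unbind_s()
    return names_from_results(dump)
```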