python-ldap: searching without specifying an OU?

  • hotani

    python-ldap: searching without specifying an OU?

    I am attempting to pull info from an LDAP server (Active Directory),
    but cannot specify an OU. In other words, I need to search users in
    all OU's, not a specific one.

    Here is what works:

    import ldap

    con = ldap.initialize("ldap://server.local")
    con.simple_bind_s('user@domain', password)
    result = con.search_ext_s(
        'OU=some office, DC=server, DC=local',
        ldap.SCOPE_SUBTREE,
        "sAMAccountName=username", ['mail']
    )[0][1]

    for i in result:
        print("%s = %s" % (i, result[i]))

    But I really need it to not require an OU. When I remove that part, it
    breaks. Or it just won't find the user. Is there a proper syntax for
    this that I'm missing? Maybe a different search function?
  • Michael Ströder

    #2
    Re: python-ldap: searching without specifying an OU?

    hotani wrote:
    I am attempting to pull info from an LDAP server (Active Directory),
    but cannot specify an OU. In other words, I need to search users in
    all OU's, not a specific one.
    If the user you're binding with has the right in AD to search the whole
    subtree you can start searching at the domain-level.
    con = ldap.initialize("ldap://server.local")
    con.simple_bind_s('user@domain', password)
                      ^^^^^^^^^^^^
    Just for the record: A simple bind with userPrincipalName only works on
    AD. It's not an LDAPv3-compliant bind request then (which requires a full
    DN).
    result = con.search_ext_s(
        'OU=some office, DC=server, DC=local',
        ldap.SCOPE_SUBTREE,
        "sAMAccountName=username", ['mail']
    )[0][1]

    for i in result:
        print("%s = %s" % (i, result[i]))
    >
    But I really need it to not require an OU.
    It should work. I'm doing this quite often.
    When I remove that part, it breaks.
    What does "it breaks" mean? Any exception raised by python-ldap?
    Maybe a different search function?
    Nope.

    Ciao, Michael.


    • hotani

      #3
      Re: python-ldap: searching without specifying an OU?

      It seems the only way I can bind is by using this format:
      simple_bind_s('user@server.local', 'password')

      If I try using a DN, it fails every time. This will not work:
      simple_bind_s('cn=user,dc=server,dc=local', 'password')

      Errors out with "invalid credentials": ldap.INVALID_CREDENTIALS:
      {'info': '80090308: LdapErr: DSID-0C090334, comment:
      AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid
      credentials'}


      If I put the *wrong* credentials in the first format, it will fail -
      which seems to indicate the bind is working. With that
      'successful' (?) bind, it is returning the bind error from my earlier
      post only when I leave out the OU when searching.

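The `data 525` in the diagnostic quoted above is an AD-specific sub-status (a Win32 logon error code printed in hex) that python-ldap passes through in the exception's `info` field; 525 means the account named in the bind request was not found, while a wrong password for an existing account gives 52e. As an added example (not code from the thread; the function names are mine, SAMPLE_INFO_525 is the message from the post and SAMPLE_INFO_52E is a constructed variant), here is a decoder for that field, together with the split a practitioner wants: decode it for the server-side log, but never return it to the caller, since it tells an attacker whether a username exists.

```python
"""Decode the diagnostic text AD attaches to ldap.INVALID_CREDENTIALS.

Added example, not code from the thread. It parses only the 'info' string
python-ldap puts in the exception's args dict. SAMPLE_INFO_525 is the message
quoted in the post; SAMPLE_INFO_52E is a constructed variant. Function names
are mine; the sub-status table is AD's standard mapping of Win32 logon errors.
"""
import re
from typing import Dict, Optional

# 'data NNN' after 'AcceptSecurityContext error' is a Win32 error code printed in hex.
AD_BIND_SUBSTATUS = {
    "525": "user not found (the bind DN/UPN does not resolve to an account)",
    "52e": "invalid credentials (account exists, wrong password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked out",
}

_INFO_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<version>\w+)"
)

# The first message is the one quoted in the post; the second is constructed.
SAMPLE_INFO_525 = ("80090308: LdapErr: DSID-0C090334, comment: "
                   "AcceptSecurityContext error, data 525, vece")
SAMPLE_INFO_52E = ("80090308: LdapErr: DSID-0C090334, comment: "
                   "AcceptSecurityContext error, data 52e, vece")


def parse_ad_bind_error(info: str) -> Optional[Dict[str, str]]:
    """Fields of an AD bind diagnostic, or None when the text is not one."""
    m = _INFO_RE.search(info)
    if m is None:
        return None
    data = m.group("data").lower()
    return {
        "hresult": m.group("hresult"),  # 80090308 is SEC_E_LOGON_DENIED
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_SUBSTATUS.get(data, "unknown sub-status"),
    }


def describe_for_log(exc_args: dict) -> str:
    """Operator-facing line built from the exception's args dict ({'info': ..., 'desc': ...})."""
    desc = exc_args.get("desc", "unknown error")
    parsed = parse_ad_bind_error(exc_args.get("info", ""))
    if parsed is None:
        return "bind failed: %s" % desc
    return "bind failed: %s (AD data %s: %s)" % (desc, parsed["data"], parsed["meaning"])


def user_facing_message(exc_args: dict) -> str:
    """What the caller gets. The sub-status is deliberately dropped: 525 versus 52e
    tells an attacker whether a username exists, so it belongs in the log only."""
    return "Authentication failed."


if __name__ == "__main__":
    args = {"info": SAMPLE_INFO_525, "desc": "Invalid credentials"}
    print(describe_for_log(args))      # bind failed: Invalid credentials (AD data 525: user not found ...)
    print(user_facing_message(args))   # Authentication failed.
```

In real code the `args` dict is `e.args[0]` of the caught `ldap.INVALID_CREDENTIALS`; the `vNNNN` suffix varies with the AD build and the `DSID` with the code path, so neither is matched strictly.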

      • hotani

        #4
        Re: python-ldap: searching without specifying an OU?

        This fixed it!


        By adding this line after 'import ldap', I was able to search from the
        root level:
        ldap.set_option(ldap.OPT_REFERRALS, 0)


        • Michael Ströder

          #5
          Re: python-ldap: searching without specifying an OU?

          hotani wrote:
          It seems the only way I can bind is by using this format:
          simple_bind_s('user@server.local', 'password')
          Believe me: This is not true.
          If I try using a DN, it fails every time. This will not work:
          simple_bind_s('cn=user,dc=server,dc=local', 'password')
          Check the DN you're using. Maybe you should search this particular user
          entry with filter (userPrincipalName=user@server.local)

          Ciao, Michael.


          • Michael Ströder

            #6
            Re: python-ldap: searching without specifying an OU?

            hotani wrote:
            This fixed it!

            >
            By adding this line after 'import ldap', I was able to search from the
            root level:
            ldap.set_option(ldap.OPT_REFERRALS, 0)
            Uumh, yes. I'm always switching off OpenLDAP client lib's internal
            referral chasing.

            But be prepared to also handle (at least ignore) the search
            continuations (LDAP URL) in the search results you will probably
            receive. These are not regular search entries.

            Ciao, Michael.

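Putting posts #2, #4 and #6 together: search from the domain root with libldap's referral chasing switched off, then drop the `(None, [ldap_url, ...])` continuation references that come back for the other naming contexts instead of treating them as entries. The following is an added example, not code from the thread or from python-ldap. The base DN, the `FakeConnection` stand-in and its directory content are constructed so the lookup runs offline; `connect()` shows the real python-ldap calls and is not exercised here. It also escapes the username per RFC 4515 before placing it in the filter, which the thread's `"sAMAccountName=username"` string does not do and which matters as soon as the name comes from user input.

```python
"""Domain-root AD user lookup in python-ldap style, runnable without a server.

Added example, not code from the thread or from python-ldap. Constructed
for illustration: BASE_DN, FakeConnection and its directory content, and
all function names. connect() shows the real calls and is not run here.
"""
from typing import Dict, List, Optional, Tuple

SCOPE_SUBTREE = 2  # numeric value of ldap.SCOPE_SUBTREE, so nothing is imported offline
BASE_DN = "DC=server,DC=local"  # constructed, matching the thread's example domain

Entry = Tuple[str, Dict[str, List[bytes]]]


def connect(uri: str, who: str, password: str):
    """Real python-ldap connection: referral chasing off, then bind (not run offline)."""
    import ldap  # python-ldap
    con = ldap.initialize(uri)
    con.set_option(ldap.OPT_REFERRALS, 0)  # post #4: needed to search from the domain root
    con.simple_bind_s(who, password)
    return con


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value (same set as ldap.filter.escape_filter_chars).

    Without it, a username of '*' matches every account and 'x)(objectClass=*'
    injects a clause into the filter."""
    value = value.replace("\\", "\\5c")  # backslash first so later escapes stay intact
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        value = value.replace(ch, esc)
    return value


def user_filter(sam_account_name: str) -> str:
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


def split_result(result) -> Tuple[List[Entry], List[str]]:
    """Separate entries from search continuations (post #6).

    With OPT_REFERRALS=0, a subtree search from the domain root on AD also
    yields (None, ['ldap://...']) items for the other naming contexts
    (Configuration, ForestDnsZones, ...). They are not entries."""
    entries: List[Entry] = []
    references: List[str] = []
    for dn, payload in result:
        if dn is None:
            references.extend(payload)
        else:
            entries.append((dn, payload))
    return entries, references


def find_user_mail(con, base_dn: str, username: str) -> Optional[str]:
    """Mail address of exactly one matching user anywhere under base_dn, else None."""
    res = con.search_ext_s(base_dn, SCOPE_SUBTREE, user_filter(username), ["mail"])
    entries, _refs = split_result(res)
    if len(entries) != 1:  # zero hits, or an ambiguous result: both are "not found"
        return None
    _dn, attrs = entries[0]
    values = attrs.get("mail") or []
    if not values:
        return None
    v = values[0]
    return v.decode("utf-8") if isinstance(v, bytes) else v  # python-ldap 3 returns bytes


class FakeConnection:
    """Stand-in for a bound ldap.LDAPObject with referral chasing off (constructed)."""
    _directory = {
        "CN=hotani,OU=some office,DC=server,DC=local":
            {"sAMAccountName": [b"hotani"], "mail": [b"hotani@server.local"]},
        "CN=jdoe,OU=other office,DC=server,DC=local":
            {"sAMAccountName": [b"jdoe"], "mail": [b"jdoe@server.local"]},
    }
    # What AD returns for the partitions that are not part of the searched naming context
    _continuations = [
        (None, ["ldap://ForestDnsZones.server.local/DC=ForestDnsZones,DC=server,DC=local"]),
        (None, ["ldap://server.local/CN=Configuration,DC=server,DC=local"]),
    ]

    def search_ext_s(self, base, scope, filterstr, attrlist=None, **kwargs):
        # Understands only the filter shape user_filter() builds. The escaped value is
        # compared literally, so '*' (sent as '\2a') matches no account, as on a real server.
        prefix = "(&(objectClass=user)(sAMAccountName="
        if not (filterstr.startswith(prefix) and filterstr.endswith("))")):
            raise ValueError("unsupported filter in this stand-in: %r" % filterstr)
        wanted = filterstr[len(prefix):-2]
        hits = [
            (dn, {k: v for k, v in attrs.items() if attrlist is None or k in attrlist})
            for dn, attrs in self._directory.items()
            if attrs["sAMAccountName"][0].decode("utf-8") == wanted
        ]
        return hits + list(self._continuations)


if __name__ == "__main__":
    con = FakeConnection()  # real use: connect("ldap://server.local", "user@domain", pw)
    print(find_user_mail(con, BASE_DN, "hotani"))  # hotani@server.local
    print(find_user_mail(con, BASE_DN, "*"))       # None: the wildcard is escaped
```

The `len(entries) != 1` check is deliberate: if a filter ever does match more than one account, refusing the lookup is safer than silently taking `[0][1]` as the thread's original code does.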

            • Michael Ströder

              #7
              Re: python-ldap: searching without specifying an OU?

              BTW: This blog entry claims that the LDAP_SERVER_DOMAIN_SCOPE_OID control
              cannot be used with python-ldap. But support for such simple LDAPv3
              extended controls was added to python-ldap way back in 2005.

              Actually it's easy (relevant code excerpt):

              ----------------------------------------------------------------
              import ldap
              from ldap.controls import BooleanControl
              LDAP_SERVER_DOMAIN_SCOPE_OID = '1.2.840.113556.1.4.1339'
              [..]
              l = ldap.initialize(ldap_uri, trace_level=trace_level)
              # Switch off chasing referrals within OpenLDAP's libldap
              l.set_option(ldap.OPT_REFERRALS, 0)
              # Simple bind with user's DN and password
              l.simple_bind_s(dn, password)
              res = l.search_ext_s(
                  'DC=dom,DC=example,DC=com',
                  ldap.SCOPE_ONELEVEL,
                  '(objectClass=subentry)',
                  ['*'],
                  serverctrls=[
                      BooleanControl(
                          LDAP_SERVER_DOMAIN_SCOPE_OID,
                          criticality=0, controlValue=1
                      )
                  ]
              )
              ----------------------------------------------------------------

              Strangely enough, it has no effect. And setting criticality=1 raises an
              error indicating that this control is not supported, although this
              control is explicitly mentioned in attribute 'supportedControl' of the
              server's rootDSE:

              ldap.UNAVAILABLE_CRITICAL_EXTENSION: {'info': '00000057: LdapErr:
              DSID-0C09068F, comment: Error processing control, data 0, vece', 'desc':
              'Critical extension is unavailable'}

              Might depend on the domain functional level AD is running with...

              Ciao, Michael.
