David Vasandani

Reputation: 1940

ldapsearch works but python-ldap doesn't

The following works and returns a list of all users

ldapsearch -x -b "ou=lunchbox,dc=office,dc=lbox,dc=com" -D "OFFICE\Administrator" -h ad.office.lbox.com -p 389 -W "(&(objectcategory=person)(objectclass=user))"

I'm trying to do the same in Python and I'm getting Invalid credentials

#!/usr/bin/env python

import ldap

# Bind identity written as a DN (note this differs from the
# OFFICE\Administrator used on the ldapsearch command line above)
dn = "cn=Administrator,dc=office,dc=lbox,dc=com"
pw = "**password**"

con = ldap.initialize('ldap://ad.office.lbox.com')
con.simple_bind_s( dn, pw )   # this is where ldap.INVALID_CREDENTIALS is raised

base_dn = 'ou=lunchbox,dc=office,dc=lbox,dc=com'
search_filter = '(objectclass=person)'   # renamed from 'filter', which shadows the Python built-in
attrs = ['sn']

con.search_s( base_dn, ldap.SCOPE_SUBTREE, search_filter, attrs )

Any suggestions to make this work would be great. I'm trying to learn python-ldap. Thanks

EDIT

This is the full error I get:

`ldap.INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'}`

The LDAP server is an Active Directory on Windows Server 2008 R2.

Upvotes: 1

Views: 4530
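The `info` string in the error above carries more than "invalid credentials": Active Directory appends a hex sub-code after `data` (here `52e`) that distinguishes a bad password from a disabled, locked or expired account. The following is an added example, not code from the question or either answer; it parses that field with the documented AD sub-codes and shows how to read it out of a python-ldap exception. The sample input is the error text quoted in the question; `try_bind` assumes a connection object from `ldap.initialize` and is the only part that needs python-ldap installed.

```python
import re

# Error text from the question's EDIT, used as the sample input.
SAMPLE_INFO = ("80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext "
               "error, data 52e, v1db1")

# Sub-codes Active Directory places after "data" in the bind error's info
# string. All of them arrive as LDAP result 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "52f": "account restrictions prevent this logon",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)")


def ad_subcode(info):
    """Return the hex sub-code following 'data' in an AD bind error, or None."""
    match = _DATA_RE.search(info or "")
    return match.group(1).lower() if match else None


def explain_bind_error(info):
    """Map an AD bind error info string to a short operator-facing reason."""
    code = ad_subcode(info)
    if code is None:
        return "invalid credentials (no AD sub-code present)"
    return "%s: %s" % (code, AD_BIND_SUBCODES.get(code, "unrecognised AD sub-code"))


def try_bind(con, who, password):
    """Attempt a simple bind and return (ok, reason).

    Keep 'reason' in server-side logs only: telling the end user whether an
    account exists, is locked or is disabled leaks information to attackers.
    """
    import ldap  # imported here so the pure helpers above run without python-ldap
    try:
        con.simple_bind_s(who, password)
    except ldap.INVALID_CREDENTIALS as exc:
        # python-ldap passes the server's result dict as exc.args[0]
        details = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
        return False, explain_bind_error(details.get("info", ""))
    return True, "bound as %s" % who


if __name__ == "__main__":
    print(explain_bind_error(SAMPLE_INFO))  # 52e: invalid credentials
```

For the question's error this yields `52e`, i.e. the directory rejected the credentials outright rather than reporting a locked or expired account, which fits the answers below that point at the bind identity itself.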

Answers (2)

ixe013

Reputation: 10191

The python-ldap library does not parse the user name, neither does ldapsearch. In your code, simply use the same username OFFICE\Administrator and let Active Directory handle it.

Also it is not uncommon for Active Directory to refuse simple bind over ldap. You must use LDAPS. Add this line to bypass certificate checking:

ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

So the whole code might look like this:

#!/usr/bin/env python

import ldap

# Raw string: a plain "OFFICE\Administrator" makes Python treat \A as an
# (invalid) escape sequence and warn on newer interpreters
dn = r"OFFICE\Administrator"
pw = "**password**"

# Disables verification of the server certificate for every connection
# created by this process, as described above
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

con = ldap.initialize('ldaps://ad.office.lbox.com')   # ldaps, not ldap
con.simple_bind_s( dn, pw )

base_dn = 'ou=lunchbox,dc=office,dc=lbox,dc=com'
search_filter = '(objectclass=person)'   # renamed from 'filter', which shadows the Python built-in
attrs = ['sn']

con.search_s( base_dn, ldap.SCOPE_SUBTREE, search_filter, attrs )

Upvotes: 0

Anya Shenanigans

Reputation: 94849

You're using different credentials for the bind from the command line and the python script.

The command line is using the bind dn of OFFICE\Administrator while the script is using the bind dn of cn=Administrator,dc=office,dc=lbox,dc=com.

On Active Directory, the built-in account Administrator doesn't reside at the top-level of the AD forest, it typically resides under at least the Users OU, so the dn you probably should be using is: CN=Administrator,CN=Users,dc=office,dc=lbox,dc=com.

The easiest way to find the proper entry for the user is to actually use the account name in a search from the command line e.g.

ldapsearch -x -b "ou=lunchbox,dc=office,dc=lbox,dc=com" -D "OFFICE\Administrator" -h ad.office.lbox.com -p 389 -W '(samaccountname=Administrator)' dn

and use the dn returned from the command line query in your python code as the dn for the bind.

Upvotes: 2
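The two answers together describe the standard search-then-bind pattern: look the account up by sAMAccountName over LDAPS, take the returned dn, then bind as that dn. The block below is an added example, not code from either answer or from python-ldap itself, that wires those steps together the way a production integration would: the server certificate is verified against a CA bundle instead of being skipped with OPT_X_TLS_NEVER, the logon name is escaped before it goes into the filter (python-ldap offers this as ldap.filter.escape_filter_chars; it is re-implemented here so the helper can be exercised without the library installed), and an empty password is refused because a simple bind with no password is an anonymous bind that AD accepts. The host and base DN come from the question; the CA bundle path `/etc/ssl/certs/office-root-ca.pem` and the lookup account `OFFICE\svc_ldap_lookup` are placeholders.

```python
import re

# Host and base DN from the question; the CA bundle path and the read-only
# lookup account are placeholders constructed for this example.
LDAP_URI = "ldaps://ad.office.lbox.com"
BASE_DN = "dc=office,dc=lbox,dc=com"
CA_FILE = "/etc/ssl/certs/office-root-ca.pem"   # placeholder: CA chain that issued the DC certificate
SERVICE_ACCOUNT = r"OFFICE\svc_ldap_lookup"      # placeholder: low-privilege account used only for lookups

# RFC 4515 escapes for a value embedded in a search filter. Equivalent to
# ldap.filter.escape_filter_chars; re-implemented so it runs without python-ldap.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Characters Windows does not allow in a sAMAccountName; the name is at most 20 chars.
_BAD_SAM_CHARS = set('"/\\[]:;|=,+*?<>')


def is_plausible_sam_account_name(name):
    return 0 < len(name) <= 20 and not (_BAD_SAM_CHARS & set(name))


def build_user_filter(sam_account_name):
    """Filter that matches exactly one AD user by logon name, with the value escaped."""
    if not is_plausible_sam_account_name(sam_account_name):
        raise ValueError("not a valid sAMAccountName: %r" % sam_account_name)
    return ("(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))"
            % escape_filter_value(sam_account_name))


def connect_verified(uri=LDAP_URI, ca_file=CA_FILE):
    """LDAPS connection that verifies the DC certificate (instead of OPT_X_TLS_NEVER)."""
    import ldap
    con = ldap.initialize(uri)
    con.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    con.set_option(ldap.OPT_REFERRALS, 0)          # AD returns referrals python-ldap cannot chase
    con.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    con.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    con.set_option(ldap.OPT_X_TLS_NEWCTX, 0)       # last: builds this connection's TLS context from the options above
    return con


def lookup_user_dn(sam_account_name, service_password):
    """Step 1: resolve a logon name to its distinguishedName (the dn Anya's answer asks for)."""
    import ldap
    con = connect_verified()
    try:
        con.simple_bind_s(SERVICE_ACCOUNT, service_password)
        results = con.search_s(BASE_DN, ldap.SCOPE_SUBTREE,
                               build_user_filter(sam_account_name), ["distinguishedName"])
    finally:
        con.unbind_s()
    dns = [dn for dn, _attrs in results if dn]    # drop referral pseudo-entries, whose dn is None
    return dns[0] if len(dns) == 1 else None


def authenticate(sam_account_name, password, service_password):
    """Step 2: bind as the resolved dn with the user's own password; return the dn on success."""
    import ldap
    if not password:
        # An empty password turns simple bind into an anonymous/unauthenticated
        # bind, which AD accepts; it must never count as a login.
        return None
    user_dn = lookup_user_dn(sam_account_name, service_password)
    if user_dn is None:
        return None
    con = connect_verified()
    try:
        con.simple_bind_s(user_dn, password)
    except ldap.INVALID_CREDENTIALS:
        return None
    finally:
        con.unbind_s()
    return user_dn
```

Setting the TLS options on the connection object followed by `OPT_X_TLS_NEWCTX` keeps the verification policy local to that connection, whereas the module-level `ldap.set_option` call in the earlier answer changes it for every connection the process opens.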
