By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
440,180 Members | 1,051 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 440,180 IT Pros & Developers. It's quick & easy.

Group Membership in Active Directory Query

P: n/a
I am trying to write a script to simply query the group members in an
active directory group. I need to use LDAP to make sure I capture any
global global group nestings that may occur. I already have a
function that uses WinNT provider to capture this info from NT4 or AD
domains and it works beautifully. It just doesn't capture global >
global nestings. I am having great difficulties in getting this to
work on AD though with ldap. I have a multiple domain tree
environment and need to be able to query groups in different domains.
I want to simply make an ldap connection, bind to it, search for the
group and get it's members.
I do the following for eDirectory and it works great but not in AD.

import ldap
l=ldap.open(1.2.3.4,trace_level = 1)
l.simple_bind_s('cn=username,ou=company','password ')
UserRes = UserRes + l.search_s(
o=company,
ldap.SCOPE_SUBTREE, "(|'cn=groupname')

If I do the same thing as above but to an AD source it doesn't work.
I run the open and it seems successful, I run the bind using DN, UPN,
or domain name and password and it seems to bind, I run the query and
it says I must complete a successfull bind operation before doing a
query.

Any help is appreciated.

Feb 7 '07 #1
Share this Question
Share on Google+
7 Replies


P: n/a
On Feb 7, 9:22 am, kooc...@gmail.com wrote:
I am trying to write a script to simply query the group members in an
active directory group. I need to use LDAP to make sure I capture any
global global group nestings that may occur. I already have a
function that uses WinNT provider to capture this info from NT4 or AD
domains and it works beautifully. It just doesn't capture global >
global nestings. I am having great difficulties in getting this to
work on AD though with ldap. I have a multiple domain tree
environment and need to be able to query groups in different domains.
I want to simply make an ldap connection, bind to it, search for the
group and get it's members.
I do the following for eDirectory and it works great but not in AD.

import ldap
l=ldap.open(1.2.3.4,trace_level = 1)
l.simple_bind_s('cn=username,ou=company','password ')
UserRes = UserRes + l.search_s(
o=company,
ldap.SCOPE_SUBTREE, "(|'cn=groupname')

If I do the same thing as above but to an AD source it doesn't work.
I run the open and it seems successful, I run the bind using DN, UPN,
or domain name and password and it seems to bind, I run the query and
it says I must complete a successfull bind operation before doing a
query.

Any help is appreciated.


I found an example in the groups here and attempted it but it failed
as well. Below is the code I used and the results.

import ldap, ldapurl

proto = 'ldap'
server = 'domaincontroller.domain.company.com'
port = 389

url = ldapurl.LDAPUrl(urlscheme=proto,
hostport="%s:%s" % (server,
str(port))).initializeUrl()
ldap_obj = ldap.initialize(url)

# !!!password will be on wire in plaintext!!!
ldap_obj = ldap_obj.simple_bind_s('u*******@domain.company.co m',
'password')

base = 'DC=DOMAIN, DC=COMPANY, DC=COM'

scope = ldap.SCOPE_SUBTREE

query = '(objectclass=user)'

res_attrs = ['*']

res = ldap_obj.search_ext_s(base, scope, query, res_attrs)
print res

RESULTS FROM PYTHON SHELL
res=ldap_obj.search_ext_s(base, scope, query, rest_attrs)
AttributeError: 'NoneType' object has no attribute 'search_Ext_s'

Feb 7 '07 #2

P: n/a
ko*****@gmail.com schrieb:
ldap_obj = ldap_obj.simple_bind_s('u*******@domain.company.co m',
'password')
AttributeError: 'NoneType' object has no attribute 'search_Ext_s'
dummy = ldap_obj.simple_bind_s('u*******@domain.company.co m',
'password')
or better simply
ldap_obj.simple_bind_s('u*******@domain.company.co m',
'password')
Feb 7 '07 #3

P: n/a
On Feb 7, 11:56 am, Uwe Hoffmann <q...@tiscali.dewrote:
kooc...@gmail.com schrieb:
ldap_obj = ldap_obj.simple_bind_s('usern...@domain.company.co m',
'password')
AttributeError: 'NoneType' object has no attribute 'search_Ext_s'

dummy = ldap_obj.simple_bind_s('usern...@domain.company.co m',
'password')
or better simply
ldap_obj.simple_bind_s('usern...@domain.company.co m',
'password')
First and foremost thanks for the feedback. Although I don't
appreciate the slight dig at me.
dummy = ldap_obj.simple_bind......

I tried your second recommendation of using
ldap_obj.simple_bind_s('usern...@domain.company.co m','password')

Now I get the following error even after the bind operation seems to
complete successfully.
result = func(*args,**kwargs)
OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C0905FF, comment:
In order to perform this operation a successful bind must be completed
on the connection., data 0, vece', 'desc': 'Operations error'}

Thanks again...

Feb 7 '07 #4

P: n/a
On Feb 8, 4:27 am, kooc...@gmail.com wrote:
First and foremost thanks for the feedback. Although I don't
appreciate the slight dig at me.
dummy = ldap_obj.simple_bind......
I _really_ don't think Uwe was intending any slight, 'dummy' generally
means 'dummy variable' ie it's just there to catch the value but it's
never used after that :)

If you're doing a lot of AD work, I highly recommend Tim Golden's
active_directory module: http://timgolden.me.uk/python/
active_directory.html

His WMI module has also been a godsend on a number of occasions.

- alex23

Feb 8 '07 #5

P: n/a
On Feb 7, 7:52 pm, "alex23" <wuwe...@gmail.comwrote:
On Feb 8, 4:27 am, kooc...@gmail.com wrote:
First and foremost thanks for the feedback. Although I don't
appreciate the slight dig at me.
dummy = ldap_obj.simple_bind......

I _really_ don't think Uwe was intending any slight, 'dummy' generally
means 'dummy variable' ie it's just there to catch the value but it's
never used after that :)

If you're doing a lot of AD work, I highly recommend Tim Golden's
active_directory module:http://timgolden.me.uk/python/
active_directory.html

His WMI module has also been a godsend on a number of occasions.

- alex23
Alex-
Thanks for your response and Uwe I apologize if I misunderstood
and misinterpreted your comments. I am sorry.
I have tried Tim's module called active_directory and it works really
well. But I can't figure out how to connect to a specific group is I
know the common name for it but not the DN and then return it's
members. Example.... I know the group name is domain1\sharedaccess.
How do I bind to that group and get the members. The domain isn't
necessarily the defaultnamingcontext. It could be another domain in
the forest. I need to be able to connect to any domain group and get
it's members. Thanks again.
Feb 8 '07 #6

P: n/a
On Feb 8, 8:44 am, "Kooch54" <kooc...@gmail.comwrote:
On Feb 7, 7:52 pm, "alex23" <wuwe...@gmail.comwrote:
On Feb 8, 4:27 am, kooc...@gmail.com wrote:
First and foremost thanks for the feedback. Although I don't
appreciate the slight dig at me.
dummy = ldap_obj.simple_bind......
I _really_ don't think Uwe was intending any slight, 'dummy' generally
means 'dummy variable' ie it's just there to catch the value but it's
never used after that :)
If you're doing a lot of AD work, I highly recommend Tim Golden's
active_directory module:http://timgolden.me.uk/python/
active_directory.html
His WMI module has also been a godsend on a number of occasions.
- alex23

Alex-
Thanks for your response and Uwe I apologize if I misunderstood
and misinterpreted your comments. I am sorry.
I have tried Tim's module called active_directory and it works really
well. But I can't figure out how to connect to a specific group is I
know the common name for it but not the DN and then return it's
members. Example.... I know the group name is domain1\sharedaccess.
How do I bind to that group and get the members. The domain isn't
necessarily the defaultnamingcontext. It could be another domain in
the forest. I need to be able to connect to any domain group and get
it's members. Thanks again.
Bump

Feb 16 '07 #7

P: n/a
Kooch54 wrote:
> Thanks for your response and Uwe I apologize if I misunderstood
and misinterpreted your comments. I am sorry.
I have tried Tim's module called active_directory and it works really
well. But I can't figure out how to connect to a specific group is I
know the common name for it but not the DN and then return it's
members.
For the simple "group in my domain" situation, as
far as I can see you can do something like this:

<code>
import active_directory
for group in active_directory.search (
"sAMAccountName='sharedaccess'",
"objectClass='group'"
):
print group
for member in group.members:
print member

</code>

(I'm not on an AD-connected machine just now, but I
think that'll do it).

As to finding it another domain, I'm not sure. I suspect
that if you simply issue the above query, you'll get
the groups back from all domains in the forest. But I'm
not sure about that. In essence this isn't a Python question
as such. If you can find out from any source how to formulate
the query in an AD way, I'm quite sure we can translate that
easily into Python.

I'm afraid that my AD module is a very lightweight wrapper
over the LDAP:// object system and offers very little support
(and gets very little attention from me). Hopefully I can
have a boost of energy & time and give it some help.

TJG
Feb 16 '07 #8

This discussion thread is closed

Replies have been disabled for this discussion.