python-ldap: searching without specifying an OU?

I am attempting to pull info from an LDAP server (Active Directory),
but cannot specify an OU. In other words, I need to search users in
all OU's, not a specific one.

Here is what works:

import ldap

con = ldap.initialize("ldap://server.local")
# password holds the bind password ('pass' is a reserved word in Python)
con.simple_bind_s('user@domain', password)
result = con.search_ext_s(
    'OU=some office, DC=server, DC=local',
    ldap.SCOPE_SUBTREE,
    "sAMAccountName=username", ['mail']
)[0][1]

for i in result:
    print("%s = %s" % (i, result[i]))

But I really need it to not require an OU. When I remove that part, it
breaks. Or it just won't find the user. Is there a proper syntax for
this that I'm missing? Maybe a different search function?
Jun 27 '08 #1
hotani wrote:
> I am attempting to pull info from an LDAP server (Active Directory),
> but cannot specify an OU. In other words, I need to search users in
> all OU's, not a specific one.

If the user you're binding with has the right in AD to search the whole
subtree you can start searching at the domain-level.

> con = ldap.initialize("ldap://server.local")
> con.simple_bind_s('user@domain', password)
                    ^^^^^^^^^^^^^
Just for the record: A simple bind with userPrincipalName only works on
AD. It's not an LDAPv3 compliant bind request then (which requires a full
DN).

> result = con.search_ext_s(
>     'OU=some office, DC=server, DC=local',
>     ldap.SCOPE_SUBTREE,
>     "sAMAccountName=username", ['mail']
> )[0][1]
>
> for i in result:
>     print("%s = %s" % (i, result[i]))
>
> But I really need it to not require an OU.

It should work. I'm doing this quite often.

> When I remove that part, it breaks.

What does "it breaks" mean? Any exception raised by python-ldap?

> Maybe a different search function?

Nope.

Ciao, Michael.
Jun 27 '08 #2
It seems the only way I can bind is by using this format:
simple_bind_s('u***@server.local','password')

If I try using a DN, it fails every time. This will not work:
simple_bind_s('cn=user,dc=server,dc=local', 'password')

Errors out with "invalid credentials": ldap.INVALID_CREDENTIALS:
{'info': '80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid
credentials'}
If I put the *wrong* credentials in the first format, it will fail -
which seems to indicate the bind is working. With that
'successful' (?) bind, it is returning the bind error from my earlier
post only when I leave out the OU when searching.
Jun 27 '08 #3
This fixed it!
http://peeved.org/blog/2007/11/20/

By adding this line after 'import ldap', I was able to search from the
root level:
ldap.set_option(ldap.OPT_REFERRALS, 0)
Jun 27 '08 #4
hotani wrote:
> It seems the only way I can bind is by using this format:
> simple_bind_s('u***@server.local','password')

Believe me: This is not true.

> If I try using a DN, it fails every time. This will not work:
> simple_bind_s('cn=user,dc=server,dc=local', 'password')

Check the DN you're using. Maybe you should search this particular user
entry with filter (us********************@server.local)

Ciao, Michael.
Jun 27 '08 #5
hotani wrote:
> This fixed it!
> http://peeved.org/blog/2007/11/20/
>
> By adding this line after 'import ldap', I was able to search from the
> root level:
> ldap.set_option(ldap.OPT_REFERRALS, 0)

Uumh, yes. I'm always switching off OpenLDAP client lib's internal
referral chasing.

But be prepared to also handle (at least ignore) the search
continuations (LDAP URL) in the search results you will probably
receive. These are not regular search entries.

Ciao, Michael.
Jun 27 '08 #6
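
Added example (not part of the thread and not python-ldap's own code): one way to handle the search continuations mentioned in reply #6 when searching from the domain root with referral chasing switched off, while also escaping the account name before it goes into the filter. SAMPLE_RESULTS, FakeConnection and the function names are constructed for illustration; escape_filter_value is a pure-Python stand-in for ldap.filter.escape_filter_chars so the block runs without a directory server.

```python
# Added example, not code from the thread. SAMPLE_RESULTS is constructed data
# shaped like what search_ext_s() returns for a search at the domain root.
SCOPE_SUBTREE = 2  # numeric value of ldap.SCOPE_SUBTREE

SAMPLE_RESULTS = [
    ('CN=Some User,OU=some office,DC=server,DC=local',
     {'mail': [b'some.user@server.local']}),
    (None, ['ldap://ForestDnsZones.server.local/DC=ForestDnsZones,DC=server,DC=local']),
    (None, ['ldap://server.local/CN=Configuration,DC=server,DC=local']),
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters in a filter value
    (pure-Python stand-in for ldap.filter.escape_filter_chars)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def split_results(results):
    """Separate real entries from search continuations, which python-ldap
    returns as (None, [ldap_url, ...]) tuples."""
    entries, continuations = [], []
    for dn, data in results:
        if dn is None:
            continuations.extend(data)
        else:
            entries.append((dn, data))
    return entries, continuations

def find_user(con, base_dn, username, attrs=('mail',)):
    """Look up exactly one account below base_dn; `con` is a bound
    connection with OPT_REFERRALS set to 0."""
    flt = '(sAMAccountName=%s)' % escape_filter_value(username)
    raw = con.search_ext_s(base_dn, SCOPE_SUBTREE, flt, list(attrs))
    entries, continuations = split_results(raw)
    if len(entries) != 1:
        raise LookupError('expected 1 entry, got %d' % len(entries))
    dn, found = entries[0]
    return dn, found, continuations

class FakeConnection(object):
    """Hypothetical offline stand-in for an ldap connection object."""
    def search_ext_s(self, base, scope, filterstr, attrlist):
        self.last_filter = filterstr
        return SAMPLE_RESULTS

if __name__ == '__main__':
    dn, attrs, refs = find_user(FakeConnection(), 'DC=server,DC=local', 'username')
    print(dn, attrs, '(%d continuations ignored)' % len(refs))
```

Indexing the raw result with [0][1], as in the first post, would pick up a continuation's URL list instead of an attribute dictionary whenever the account is not found; find_user raises LookupError in that case.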
hotani wrote:
> http://peeved.org/blog/2007/11/20/

BTW: This blog entry claims that LDAP_SERVER_DOMAIN_SCOPE_OID control
cannot be used with python-ldap. But support for such simple LDAPv3
extended controls was added to python-ldap way back in 2005.

Actually it's easy (relevant code excerpt):

----------------------------------------------------------------
import ldap
from ldap.controls import BooleanControl
LDAP_SERVER_DOMAIN_SCOPE_OID='1.2.840.113556.1.4.1339'
# [..] (ldap_uri, trace_level, dn and password are set in the omitted part)
l = ldap.initialize(ldap_uri,trace_level=trace_level)
# Switch off chasing referrals within OpenLDAP's libldap
l.set_option(ldap.OPT_REFERRALS, 0)
# Simple bind with user's DN and password
l.simple_bind_s(dn,password)
res = l.search_ext_s(
    'DC=dom,DC=example,DC=com',
    ldap.SCOPE_ONELEVEL,
    '(objectClass=subentry)',
    ['*'],
    serverctrls = [
        BooleanControl(
            LDAP_SERVER_DOMAIN_SCOPE_OID,
            criticality=0,controlValue=1
        )
    ]
)
----------------------------------------------------------------

Strange enough it has no effect. And setting criticality=1 raises an
error indicating that this control is not supported although this
control is explicitly mentioned in attribute 'supportedControl' of the
server's rootDSE:

ldap.UNAVAILABLE_CRITICAL_EXTENSION: {'info': '00000057: LdapErr:
DSID-0C09068F, comment: Error processing control, data 0, vece', 'desc':
'Critical extension is unavailable'}

Might depend on the domain functional level AD is running with...

Ciao, Michael.
Jun 27 '08 #7
