Authenticating to Active Directory with python-ldap always returns (97, [])

无人共我 2021-02-01 08:41

Similar to this question, I am trying to perform simple authentication to a 2003 Active Directory using python-ldap (CentOS 6.2 x86_64, Python 2.6.6, python-ldap 2.3.10).

2 answers
  •  独厮守ぢ
    2021-02-01 09:24

    Michael Ströder, the author of the python-ldap library, enlightened me thus:

    The 97 is not the LDAP result code. It's the result type ldap.RES_BIND. Normally you don't have to look at the results returned by LDAPObject.simple_bind_s() (unless you want to extract the bind response controls).

    If the LDAP result code is not 0 the accompanying exception is raised like ldap.INVALID_CREDENTIALS in your example.

    So your code should look like this:

    import ldap  # python-ldap; conn is an ldap.LDAPObject from ldap.initialize()

    try:
      conn.simple_bind_s('user@domain.com', 'WrongPassword')
    except ldap.INVALID_CREDENTIALS:
      # user_error_msg(): the poster's own helper for reporting to the end user
      user_error_msg('wrong password provided')
    

    The reason for these results:

    >>> conn.simple_bind_s('', 'CorrectPassword')
    (97, [])
    >>> conn.simple_bind_s('', '')
    (97, [])
    

    is that out of the box 2003 Active Directory allows anonymous binds. So not providing a user id at all will still pass a simple bind check, if the only thing being tested is whether simple_bind_s() throws an error.

    2003 Active Directory does require authentication for any searches that aren't attributes of the rootDSE, so for our internal purposes we added a trivial search to the try: block:

    import ldap  # python-ldap; conn is an ldap.LDAPObject from ldap.initialize()

    try:
      conn.simple_bind_s('user@domain.com', 'SubmittedPassword')
      # attrlist is a list of attribute names; a search below the rootDSE only
      # succeeds on an authenticated session
      conn.search_st('DC=domain,DC=com', ldap.SCOPE_SUBTREE, '(objectClass=container)', ['name'], 0, 30)
    except ldap.INVALID_CREDENTIALS:
      # user_error_msg(): the poster's own helper for reporting to the end user
      user_error_msg('wrong password provided')
    
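As an added example (not code from the answer above), the same failure mode reproduced offline: a constructed stand-in connection models the 2003 DC behaviour the answer describes (empty credentials bind "successfully", searches below the rootDSE need a real bind), the naive check accepts an anonymous bind, and the hardened `authenticate()` refuses empty fields and confirms the session with a search. The stand-in also treats a named user with an empty password as an unauthenticated bind, which AD likewise accepts by default; that goes beyond the page's own examples. The `FakeAD2003Connection` class, the account data and the function names are assumptions.

```python
try:
    import ldap  # python-ldap; for a real DC: conn = ldap.initialize('ldap://dc.domain.com')
except ImportError:  # stand-in with only the names used below, so this runs without python-ldap
    class ldap(object):
        SCOPE_SUBTREE = 2
        class LDAPError(Exception): pass
        class INVALID_CREDENTIALS(LDAPError): pass
        class OPERATIONS_ERROR(LDAPError): pass


class FakeAD2003Connection(object):
    """Constructed stand-in for a 2003 DC, reproducing the behaviour the answer describes."""
    RES_BIND = 97  # the '97' in (97, []) is ldap.RES_BIND, not an LDAP result code

    def __init__(self, accounts):
        self.accounts = accounts  # {userPrincipalName: password}, constructed test data
        self.authenticated = False

    def simple_bind_s(self, who='', cred=''):
        # Empty DN -> anonymous bind; named user with empty password -> unauthenticated
        # bind. AD accepts both and reports success, just like a real logon.
        if who == '' or cred == '':
            self.authenticated = False
            return (self.RES_BIND, [])
        if self.accounts.get(who) != cred:
            raise ldap.INVALID_CREDENTIALS({'desc': 'Invalid credentials'})
        self.authenticated = True
        return (self.RES_BIND, [])

    def search_st(self, base, scope, filterstr, attrlist=None, attrsonly=0, timeout=-1):
        if not self.authenticated:  # non-rootDSE searches need a real bind on AD
            raise ldap.OPERATIONS_ERROR({'desc': 'Operations error'})
        return [('CN=Users,' + base, {'name': ['Users']})]


def naive_check(conn, upn, password):
    """The original pattern: treats 'simple_bind_s did not raise' as proof of identity."""
    try:
        conn.simple_bind_s(upn, password)
    except ldap.INVALID_CREDENTIALS:
        return False
    return True


def authenticate(conn, upn, password, base_dn):
    """Hardened check: refuse empty fields, then prove the session is authenticated."""
    if not upn or not password:  # never send a bind that AD would treat as anonymous
        return False
    try:
        conn.simple_bind_s(upn, password)
        conn.search_st(base_dn, ldap.SCOPE_SUBTREE, '(objectClass=container)', ['name'], 0, 30)
    except (ldap.INVALID_CREDENTIALS, ldap.OPERATIONS_ERROR):
        return False  # wrong password, or the bind did not yield an authenticated session
    return True
```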
