How to bind (authenticate) a user with ldap3 in python3

Question

I'm trying to update some code to python3, using ldap3 version '0.9.7.4'. (https://pypi.python.org/pypi/ldap3)

Previously, I used python-ldap with python2 to authenticate a user like this:

import ldap
address = "ldap://HOST:389"
con = ldap.initialize(address)
base_dn = "ourDN=jjj"
con.protocol_version = ldap.VERSION3
search_filter = "(uid=USERNAME)"
result = con.search_s(base_dn, ldap.SCOPE_SUBTREE, search_filter, None)  
user_dn = result[0][0]  # get the user DN
con.simple_bind_s(user_dn, "PASSWORD")

This properly returns (97, [], 2, []) on correct password, and raises ldap.INVALID_CREDENTIALS on a bind attempt using an incorrect password.

Using ldap3 in python3 I'm doing the following:

from ldap3 import Server, Connection, AUTH_SIMPLE, STRATEGY_SYNC, ALL
s = Server(HOST, port=389, get_info=ALL)
c = Connection(s, authentication=AUTH_SIMPLE, user=user_dn, password=PASSWORD, check_names=True, lazy=False, client_strategy=STRATEGY_SYNC, raise_exceptions=True)
c.open()
c.bind()

It's raising the following exception:

ldap3.core.exceptions.LDAPInvalidCredentialsResult: LDAPInvalidCredentialsResult - 49 - invalidCredentials - [{'dn': '', 'message': '', 'type': 'bindResponse', 'result': 0, 'saslCreds': 'None', 'description': 'success', 'referrals': None}]

I'm using the user_dn value returned by python2's ldap search, since this appears to be working in python2.

How can I get this to bind properly using ldap3 in python3?

(One thing strange, I noticed, is that the ldap3's LDAPInvalidCredentialsResult includes 'description': 'success'. I'm guessing this just means response successfully recieved...)

Answer 1

I'm the author of ldap3, please set raise_exceptions=False in the Connection definition and check the connection.result after the bind. You should get the reason why your bind() is unsuccessful.

Answer 2

Confirm that your DN doesn't need to escape a comma using backslash \.

My organization gives users a CN of "last name, first name", so my DN needed to be "CN=Doe\, Jane, OU=xyz, ..., DC=abc, DC=com"

I realized this by using Active Directory Explorer to navigate to my user object, r-click > view properties to see the distinguished name. I ran into this invalid credential error when using the DN that AD Explorer displays in its Path breadcrumb which omits the escape character.