How to bind (authenticate) a user with ldap3 in python3

I'm trying to update some code to python3, using ldap3 version '0.9.7.4'. (https://pypi.python.org/pypi/ldap3)

Previously, I used python-ldap with python2 to authenticate a user like this:

import ldap
address = "ldap://HOST:389"
con = ldap.initialize(address)
base_dn = "ourDN=jjj"
con.protocol_version = ldap.VERSION3
search_filter = "(uid=USERNAME)"
# look the user up by uid to learn the DN to bind with
result = con.search_s(base_dn, ldap.SCOPE_SUBTREE, search_filter, None)
user_dn = result[0][0]  # get the user DN
con.simple_bind_s(user_dn, "PASSWORD")  # bind with the user's own credentials

This properly returns (97, [], 2, []) on correct password, and raises ldap.INVALID_CREDENTIALS on a bind attempt using an incorrect password.

Using ldap3 in python3 I'm doing the following:

from ldap3 import Server, Connection, AUTH_SIMPLE, STRATEGY_SYNC, ALL
s = Server(HOST, port=389, get_info=ALL)
c = Connection(s, authentication=AUTH_SIMPLE, user=user_dn, password=PASSWORD, check_names=True, lazy=False, client_strategy=STRATEGY_SYNC, raise_exceptions=True)
c.open()
c.bind()

It's raising the following exception:

ldap3.core.exceptions.LDAPInvalidCredentialsResult: LDAPInvalidCredentialsResult - 49 - invalidCredentials - [{'dn': '', 'message': '', 'type': 'bindResponse', 'result': 0, 'saslCreds': 'None', 'description': 'success', 'referrals': None}]

I'm using the user_dn value returned by python2's ldap search, since this appears to be working in python2.

How can I get this to bind properly using ldap3 in python3?

(One thing strange, I noticed, is that the ldap3's LDAPInvalidCredentialsResult includes 'description': 'success'. I'm guessing this just means response successfully received...)

monkut asked Feb 18 '15 03:02

2 Answers

I'm the author of ldap3, please set raise_exceptions=False in the Connection definition and check the connection.result after the bind. You should get the reason why your bind() is unsuccessful.

cannatag answered Oct 28 '22 13:10

Confirm that your DN doesn't need to escape a comma using backslash \.

My organization gives users a CN of "last name, first name", so my DN needed to be "CN=Doe\, Jane, OU=xyz, ..., DC=abc, DC=com"

I realized this by using Active Directory Explorer to navigate to my user object, right-click > view properties to see the distinguished name. I ran into this invalid credential error when using the DN that AD Explorer displays in its Path breadcrumb, which omits the escape character.

Michael Nesius answered Oct 28 '22 15:10