Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Suppress Python ldap3 search result referrals

Tags:

python

ldap3

I am using the ldap3 module in Python to connect to a local AD domain (on my machine in vbox, Server 2016 domain controller), how can I stop the search results from returning referrals? I've set what I could find in other posts and from the docs but the referrals are still there.

Code:

#!/usr/bin/env python
from ldap3 import Server, Connection, AUTO_BIND_NO_TLS, SUBTREE, ALL_ATTRIBUTES, ALL, DEREF_NEVER
from pprint import pprint

def get_ldap_info():
    with Connection(Server('dc01.ad.local', port=389, use_ssl=False),
                auto_bind=AUTO_BIND_NO_TLS,
                auto_referrals=False,
                read_only=True,
                check_names=True,
                user='CN=Administrator,CN=Users,dc=ad,dc=local',
                password='XXX') as c:

        results = c.extend.standard.paged_search(search_base='dc=ad,dc=local',
             search_filter='(objectClass=computer)',
             search_scope=SUBTREE,
             attributes=ALL_ATTRIBUTES,
             dereference_aliases=DEREF_NEVER,
             get_operational_attributes=False)


        i = 0
        for item in results:
            print "---------"
            print type(item)
            print("TYPE ATTR: %s" % (item['type']))
            pprint(item)

            i += 1
        print(i)

if __name__ == "__main__":
    get_ldap_info()

Running that yields the following as the first 3 results:

---------
<type 'dict'>
TYPE ATTR: searchResRef
{'type': 'searchResRef',
 'uri': [u'ldap://ad.local/CN=Configuration,DC=ad,DC=local']}
---------
<type 'dict'>
TYPE ATTR: searchResRef
{'type': 'searchResRef',
 'uri': [u'ldap://DomainDnsZones.ad.local/DC=DomainDnsZones,DC=ad,DC=local']}
---------
<type 'dict'>
TYPE ATTR: searchResRef
{'type': 'searchResRef',
 'uri': [u'ldap://ForestDnsZones.ad.local/DC=ForestDnsZones,DC=ad,DC=local']}

The next result is a computer object as it should be:

 <type 'dict'>
    TYPE ATTR: searchResEntry
    {'attributes': {u'primaryGroupID': 515, u'isCriticalSystemObject': False, u'logonCount': 22, u'cn': u'DY-WIN10VM01', u'countryCode': 0, u'dSCorePropagationData': [datetime.datetime(1601, 1, 1, 0, 0, tzinfo=OffsetTzInfo(offset=0, name='UTC'))], u'objectClass': [u'top', u'person', u'organizationalPerson', u'user', u'computer'], u'dNSHostName': u'DY-WIN10VM01.ad.local', u'lastLogonTimestamp': datetime.datetime(2019, 6, 3, 12, 55, 32, 164865, tzinfo=OffsetTzInfo(offset=0, name='UTC')), u'instanceType': 4, u'distinguishedName': u'CN=DY-WIN10VM01,CN=Computers,DC=ad,DC=local', u'sAMAccountType': 805306369, u'localPolicyFlags': 0, u'msDS-SupportedEncryptionTypes': 28, u'objectSid': 'S-1-5-21-626995883-1503940790-4148029712-1108', u'whenCreated': datetime.datetime(2019, 6, 3, 12, 55, 31, tzinfo=OffsetTzInfo(offset=0, name='UTC')), u'uSNCreated': 32998, u'badPasswordTime': datetime.datetime(1601, 1, 1, 0, 0, tzinfo=OffsetTzInfo(offset=0, name='UTC')), u'pwdLastSet': datetime.datetime(2019, 6, 3, 12, 55, 31, 977390, tzinfo=OffsetTzInfo(offset=0, name='UTC')), u'sAMAccountName': u'DY-WIN10VM01$', u'objectCategory': u'CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=local', u'objectGUID': '{43917324-e70f-4cb4-8a5a-43fde8a04b39}', u'whenChanged': datetime.datetime(2019, 6, 3, 12, 56, 36, tzinfo=OffsetTzInfo(offset=0, name='UTC')), u'badPwdCount': 0, u'accountExpires': datetime.datetime(9999, 12, 31, 23, 59, 59, 999999), u'operatingSystemVersion': u'10.0 (17763)', u'name': u'DY-WIN10VM01', u'codePage': 0, u'userAccountControl': 4096, u'lastLogon': datetime.datetime(2019, 6, 3, 15, 57, 15, 624474, tzinfo=OffsetTzInfo(offset=0, name='UTC')), u'uSNChanged': 33010, u'servicePrincipalName': [u'RestrictedKrbHost/DY-WIN10VM01', u'HOST/DY-WIN10VM01', u'RestrictedKrbHost/DY-WIN10VM01.ad.local', u'HOST/DY-WIN10VM01.ad.local'], u'operatingSystem': u'Windows 10 Enterprise Evaluation', u'lastLogoff': datetime.datetime(1601, 1, 1, 0, 0, tzinfo=OffsetTzInfo(offset=0, name='UTC'))},
     'dn': u'CN=DY-WIN10VM01,CN=Computers,DC=ad,DC=local',
     'raw_attributes': {u'primaryGroupID': ['515'], u'isCriticalSystemObject': ['FALSE'], u'logonCount': ['22'], u'cn': ['DY-WIN10VM01'], u'countryCode': ['0'], u'dSCorePropagationData': ['16010101000000.0Z'], u'objectClass': ['top', 'person', 'organizationalPerson', 'user', 'computer'], u'dNSHostName': ['DY-WIN10VM01.ad.local'], u'lastLogonTimestamp': ['132040401321648651'], u'instanceType': ['4'], u'distinguishedName': ['CN=DY-WIN10VM01,CN=Computers,DC=ad,DC=local'], u'sAMAccountType': ['805306369'], u'localPolicyFlags': ['0'], u'msDS-SupportedEncryptionTypes': ['28'], u'objectSid': ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xab2_%\xb6P\xa4Y\x10\xe9=\xf7T\x04\x00\x00'], u'whenCreated': ['20190603125531.0Z'], u'uSNCreated': ['32998'], u'badPasswordTime': ['0'], u'pwdLastSet': ['132040401319773897'], u'sAMAccountName': ['DY-WIN10VM01$'], u'objectCategory': ['CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=local'], u'objectGUID': ['$s\x91C\x0f\xe7\xb4L\x8aZC\xfd\xe8\xa0K9'], u'whenChanged': ['20190603125636.0Z'], u'badPwdCount': ['0'], u'accountExpires': ['9223372036854775807'], u'operatingSystemVersion': ['10.0 (17763)'], u'name': ['DY-WIN10VM01'], u'codePage': ['0'], u'userAccountControl': ['4096'], u'lastLogon': ['132040510356244744'], u'uSNChanged': ['33010'], u'servicePrincipalName': ['RestrictedKrbHost/DY-WIN10VM01', 'HOST/DY-WIN10VM01', 'RestrictedKrbHost/DY-WIN10VM01.ad.local', 'HOST/DY-WIN10VM01.ad.local'], u'operatingSystem': ['Windows 10 Enterprise Evaluation'], u'lastLogoff': ['0']},
     'raw_dn': 'CN=DY-WIN10VM01,CN=Computers,DC=ad,DC=local',
     'type': 'searchResEntry'}

I believe I could check item['type'] first and react based on that but am wondering if there's any way of just not getting those referrals back.

There are questions here posed about this same issue in the ldap module (such as this and this), and a bit in the docs here, but nothing for ldap3 that I have been able to find.

Thanks in advance

Python version:

DY-MBP-2:bin home$ python --version
Python 2.7.16
like image 725
DYoung Avatar asked Nov 07 '22 16:11

DYoung

1 Answers

When LDAP searching Active Directory you likely want to use referrals. See this link for more details: https://learn.microsoft.com/en-us/windows/win32/ad/referrals

This list comprehension will return items from the list that contain the entries you are looking for:

[i for i in results if i['type'] == 'searchResEntry']

like image 197
screff Avatar answered Nov 23 '22 05:11

screff
Sign in to Comment

Related questions

Python: How to unwrap circular data to remove discontinuities?
Use uuid.uuid4() or secrets.token_urlsafe() for hard to guess url and quick select in Postgresql?
How to properly update a model in spaCy?
Getting TypeError: ord() expected string of length 1, but int found error
How can we get Spyder to pause execution after an error has occurred?
Python locally suppress warnings in thread-safe way
How can I validate the segment_ids argument of tf.unsorted_segments_max?
perform groupby to find cumulative count on assignment Id between a range of dates
Contours tuple must have length 2 or 3, otherwise opencv changed their cv.findcontours signature yet again
OSMnx: plot a network on an interactive web map with different colours per infrastructure
Why am I getting an exception when using a Range Join hint?
How to rewrite a tensorflow graph to use CPU for all operations
How to get validate DNSSEC with python?
How to modify the duplicate form in the database manager?
How to get original value for binary encoding using category_encoder package
Python multiprocessing: print() inside apply_async()
Error occurred when running pip install mysql-python: "python setup.py egg_info" failed with error code 1
PyTorch most efficient Jacobian/Hessian calculation
How to hold keys down with pynput?
Python 3D polynomial surface fit, order dependent

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!