Suppress Python ldap3 search result referrals

Tags: python, ldap3

I am using the ldap3 module in Python to connect to a local AD domain (on my machine in vbox, Server 2016 domain controller). How can I stop the search results from returning referrals? I've set what I could find in other posts and from the docs, but the referrals are still there.

Code:

#!/usr/bin/env python
from ldap3 import Server, Connection, AUTO_BIND_NO_TLS, SUBTREE, ALL_ATTRIBUTES, ALL, DEREF_NEVER
from pprint import pprint

def get_ldap_info():
    with Connection(Server('dc01.ad.local', port=389, use_ssl=False),
                auto_bind=AUTO_BIND_NO_TLS,
                auto_referrals=False,
                read_only=True,
                check_names=True,
                user='CN=Administrator,CN=Users,dc=ad,dc=local',
                password='XXX') as c:

        results = c.extend.standard.paged_search(search_base='dc=ad,dc=local',
             search_filter='(objectClass=computer)',
             search_scope=SUBTREE,
             attributes=ALL_ATTRIBUTES,
             dereference_aliases=DEREF_NEVER,
             get_operational_attributes=False)


        i = 0
        for item in results:
            print "---------"
            print type(item)
            print("TYPE ATTR: %s" % (item['type']))
            pprint(item)

            i += 1
        print(i)

if __name__ == "__main__":
    get_ldap_info()

Running that yields the following as the first 3 results:

---------
<type 'dict'>
TYPE ATTR: searchResRef
{'type': 'searchResRef',
 'uri': [u'ldap://ad.local/CN=Configuration,DC=ad,DC=local']}
---------
<type 'dict'>
TYPE ATTR: searchResRef
{'type': 'searchResRef',
 'uri': [u'ldap://DomainDnsZones.ad.local/DC=DomainDnsZones,DC=ad,DC=local']}
---------
<type 'dict'>
TYPE ATTR: searchResRef
{'type': 'searchResRef',
 'uri': [u'ldap://ForestDnsZones.ad.local/DC=ForestDnsZones,DC=ad,DC=local']}

The next result is a computer object as it should be:

 <type 'dict'>
    TYPE ATTR: searchResEntry
    {'attributes': {u'primaryGroupID': 515, u'isCriticalSystemObject': False, u'logonCount': 22, u'cn': u'DY-WIN10VM01', u'countryCode': 0, u'dSCorePropagationData': [datetime.datetime(1601, 1, 1, 0, 0, tzinfo=OffsetTzInfo(offset=0, name='UTC'))], u'objectClass': [u'top', u'person', u'organizationalPerson', u'user', u'computer'], u'dNSHostName': u'DY-WIN10VM01.ad.local', u'lastLogonTimestamp': datetime.datetime(2019, 6, 3, 12, 55, 32, 164865, tzinfo=OffsetTzInfo(offset=0, name='UTC')), u'instanceType': 4, u'distinguishedName': u'CN=DY-WIN10VM01,CN=Computers,DC=ad,DC=local', u'sAMAccountType': 805306369, u'localPolicyFlags': 0, u'msDS-SupportedEncryptionTypes': 28, u'objectSid': 'S-1-5-21-626995883-1503940790-4148029712-1108', u'whenCreated': datetime.datetime(2019, 6, 3, 12, 55, 31, tzinfo=OffsetTzInfo(offset=0, name='UTC')), u'uSNCreated': 32998, u'badPasswordTime': datetime.datetime(1601, 1, 1, 0, 0, tzinfo=OffsetTzInfo(offset=0, name='UTC')), u'pwdLastSet': datetime.datetime(2019, 6, 3, 12, 55, 31, 977390, tzinfo=OffsetTzInfo(offset=0, name='UTC')), u'sAMAccountName': u'DY-WIN10VM01$', u'objectCategory': u'CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=local', u'objectGUID': '{43917324-e70f-4cb4-8a5a-43fde8a04b39}', u'whenChanged': datetime.datetime(2019, 6, 3, 12, 56, 36, tzinfo=OffsetTzInfo(offset=0, name='UTC')), u'badPwdCount': 0, u'accountExpires': datetime.datetime(9999, 12, 31, 23, 59, 59, 999999), u'operatingSystemVersion': u'10.0 (17763)', u'name': u'DY-WIN10VM01', u'codePage': 0, u'userAccountControl': 4096, u'lastLogon': datetime.datetime(2019, 6, 3, 15, 57, 15, 624474, tzinfo=OffsetTzInfo(offset=0, name='UTC')), u'uSNChanged': 33010, u'servicePrincipalName': [u'RestrictedKrbHost/DY-WIN10VM01', u'HOST/DY-WIN10VM01', u'RestrictedKrbHost/DY-WIN10VM01.ad.local', u'HOST/DY-WIN10VM01.ad.local'], u'operatingSystem': u'Windows 10 Enterprise Evaluation', u'lastLogoff': datetime.datetime(1601, 1, 1, 0, 0, tzinfo=OffsetTzInfo(offset=0, name='UTC'))},
     'dn': u'CN=DY-WIN10VM01,CN=Computers,DC=ad,DC=local',
     'raw_attributes': {u'primaryGroupID': ['515'], u'isCriticalSystemObject': ['FALSE'], u'logonCount': ['22'], u'cn': ['DY-WIN10VM01'], u'countryCode': ['0'], u'dSCorePropagationData': ['16010101000000.0Z'], u'objectClass': ['top', 'person', 'organizationalPerson', 'user', 'computer'], u'dNSHostName': ['DY-WIN10VM01.ad.local'], u'lastLogonTimestamp': ['132040401321648651'], u'instanceType': ['4'], u'distinguishedName': ['CN=DY-WIN10VM01,CN=Computers,DC=ad,DC=local'], u'sAMAccountType': ['805306369'], u'localPolicyFlags': ['0'], u'msDS-SupportedEncryptionTypes': ['28'], u'objectSid': ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xab2_%\xb6P\xa4Y\x10\xe9=\xf7T\x04\x00\x00'], u'whenCreated': ['20190603125531.0Z'], u'uSNCreated': ['32998'], u'badPasswordTime': ['0'], u'pwdLastSet': ['132040401319773897'], u'sAMAccountName': ['DY-WIN10VM01$'], u'objectCategory': ['CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=local'], u'objectGUID': ['$s\x91C\x0f\xe7\xb4L\x8aZC\xfd\xe8\xa0K9'], u'whenChanged': ['20190603125636.0Z'], u'badPwdCount': ['0'], u'accountExpires': ['9223372036854775807'], u'operatingSystemVersion': ['10.0 (17763)'], u'name': ['DY-WIN10VM01'], u'codePage': ['0'], u'userAccountControl': ['4096'], u'lastLogon': ['132040510356244744'], u'uSNChanged': ['33010'], u'servicePrincipalName': ['RestrictedKrbHost/DY-WIN10VM01', 'HOST/DY-WIN10VM01', 'RestrictedKrbHost/DY-WIN10VM01.ad.local', 'HOST/DY-WIN10VM01.ad.local'], u'operatingSystem': ['Windows 10 Enterprise Evaluation'], u'lastLogoff': ['0']},
     'raw_dn': 'CN=DY-WIN10VM01,CN=Computers,DC=ad,DC=local',
     'type': 'searchResEntry'}

I believe I could check item['type'] first and react based on that but am wondering if there's any way of just not getting those referrals back.

There are questions here posed about this same issue in the ldap module (such as this and this), and a bit in the docs here, but nothing for ldap3 that I have been able to find.

Thanks in advance

Python version:

DY-MBP-2:bin home$ python --version
Python 2.7.16
DYoung asked Nov 07 '22 16:11


1 Answer

When LDAP searching Active Directory you likely want to use referrals. See this link for more details: https://learn.microsoft.com/en-us/windows/win32/ad/referrals

This list comprehension will return items from the list that contain the entries you are looking for:

[i for i in results if i['type'] == 'searchResEntry']

screff answered Nov 23 '22 05:11
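
An added example (not part of the answer above, written for Python 3) that extends the list comprehension: it splits a response into entries and referrals and checks each referral host against an allowed domain, since with `auto_referrals=False` any follow-up of a server-supplied URI is the caller's decision. `ALLOWED_DOMAIN`, the helper names and the sample records are assumptions made for the illustration.

```python
from urllib.parse import unquote, urlparse

# Assumption: the only DNS domain this client may be referred into.
ALLOWED_DOMAIN = "ad.local"

# AD's LDAP_SERVER_DOMAIN_SCOPE_OID control asks the DC not to generate
# continuation references; with ldap3 it would be sent as
# controls=[DOMAIN_SCOPE_CONTROL] on the search (not exercised offline here).
DOMAIN_SCOPE_CONTROL = ("1.2.840.113556.1.4.1339", True, None)

# Constructed sample, shaped like the response dicts printed in the question.
SAMPLE_RESPONSE = [
    {"type": "searchResRef",
     "uri": ["ldap://ad.local/CN=Configuration,DC=ad,DC=local"]},
    {"type": "searchResRef",
     "uri": ["ldap://DomainDnsZones.ad.local/DC=DomainDnsZones,DC=ad,DC=local"]},
    {"type": "searchResRef",  # lookalike host, constructed for the example
     "uri": ["ldap://ad.local.example.net/DC=ad,DC=local"]},
    {"type": "searchResEntry",
     "dn": "CN=DY-WIN10VM01,CN=Computers,DC=ad,DC=local",
     "attributes": {"cn": "DY-WIN10VM01"}},
]


def parse_referral(uri):
    """Return (scheme, host, base_dn) of an LDAP referral URI."""
    parts = urlparse(uri)
    host = (parts.hostname or "").lower()
    return parts.scheme.lower(), host, unquote(parts.path.lstrip("/"))


def in_domain(host, domain=ALLOWED_DOMAIN):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def split_response(items):
    """Separate entries from referrals and classify each referral target."""
    entries, trusted, rejected = [], [], []
    for item in items:
        if item.get("type") == "searchResEntry":
            entries.append(item)
        elif item.get("type") == "searchResRef":
            for uri in item.get("uri") or []:
                ref = parse_referral(uri)
                ok = ref[0] in ("ldap", "ldaps") and in_domain(ref[1])
                (trusted if ok else rejected).append(ref)
    return entries, trusted, rejected


if __name__ == "__main__":
    entries, trusted, rejected = split_response(SAMPLE_RESPONSE)
    print(len(entries), "entries;", "rejected referrals:", rejected)
```

The same function accepts the generator returned by `paged_search`, because it only reads the `type` and `uri` keys of each response dict.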