possible bug(s) in python-ldap sasl code

Michael Ströder michael at stroeder.com
Fri May 4 23:09:57 CEST 2007 

Ino Heatwave wrote:
> 
> Im currently testing out python-ldap and Im connecting to an active
> directory service.
> 
> Binding works ok, but searching usually (usually as in I cant remember
> if it has worked at one point in time or not) ends with an error
> ("00000000: LdapErr: DSID-0C090627, comment: In order to perform this
> operation a successful bind must be completed on the connection., data
> 0, vece").

Yes. For most entries there is no anonymous access allowed in the
default installation of Active Directory.

> The data, however is received when I use the library
> asynchronously.
>( I.e it sends me the search results, then raises the
> exception).

Some entries are accessible even with anon access. But without knowing
how your code looks like it's hard to tell what happens.

> I could provide sample code that gives me this behaviour.

Yes, please provide simple test code demonstrating your issue.

> Writing a custom search method that masks this error works great though,
> but feels kinda ugly...

???

> But my main problem is: I cant bind with two different LDAPObjects on
> the same server.

Are your sure? I'm doing this all the time with web2ldap.

> E.g creating two connections to the same server, using
> sasl bind (digest-md5). The latter bind operation always raises
> "ldap.INVALID_CREDENTIALS: {'info': '00090313: LdapErr: DSID-0C09043E,
> comment: AcceptSecurityContext error, data 0, vece', 'desc': 'Invalid
> credentials'}", even though the username/password are identical. Again,
> I could provide some sample code that shows this behaviour if you're
> interested.

Please provide a simple example demostrating the problem.

The following code works for me with OpenLDAP 2.3.35:

--------------------------- snip ---------------------------
import ldap,ldap.sasl

trace_level=2

ldapcon1 = ldap.initialize('ldap://localhost:1390',trace_level=trace_level)
#ldapcon1.simple_bind_s('cn=Fred
Feuerstein,ou=Testing,dc=stroeder,dc=de','fredsecret')
sasl_auth = ldap.sasl.sasl({
      ldap.sasl.CB_AUTHNAME    :'fred',
      ldap.sasl.CB_PASS        :'fredsecret',
},'DIGEST-MD5')
ldapcon1.sasl_interactive_bind_s("", sasl_auth)
ldapcon1.search_s('',ldap.SCOPE_BASE)

ldapcon2 = ldap.initialize('ldap://localhost:1390',trace_level=trace_level)
#ldapcon2.simple_bind_s('uid=anna,ou=Testing,dc=stroeder,dc=de','annasecret')
sasl_auth = ldap.sasl.sasl({
      ldap.sasl.CB_AUTHNAME    :'anna',
      ldap.sasl.CB_PASS        :'annasecret',
},'DIGEST-MD5')
ldapcon2.sasl_interactive_bind_s("", sasl_auth)
ldapcon1.search_s('',ldap.SCOPE_BASE)
--------------------------- snip ---------------------------

> Any ideas?

Use trace_level to examine what your code really does... ;-)

Ciao, Michael.

More information about the python-ldap mailing list