[python-ldap] Can't get a more specific exception when binding to LDAP server

Mihai Tabara mihait.upb at gmail.com
Mon Oct 29 12:25:23 CET 2012


On Fri, Oct 26, 2012 at 8:26 PM, Michael Ströder <michael at stroeder.com> wrote:

> Using -e ppolicy with OpenLDAP command-line tool sends the password policy
> control along with the (simple) bind request.
>
> Check out Demo/pyasn1/ppolicy.py in recent python-ldap source distribution
> to learn how to do that with python-ldap 2.4.6+.
>
> Ciao, Michael.

Hi Michael,

Thanks a lot for your answer.

I have found the indicated script, with a full explanation of the
password policy control, but unfortunately I am still unable to get what I
want.
By the way, I'll make sure I read the CHANGES file next time; I actually
found a lot of useful information in it :)

The scenario is as follows:

1. Say, my account is expiring in 3000 seconds
===
(sandbox)root@debian:/tmp# python ppolicy.py ldap://localhost:389/
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x7fbafa623cf8>
ldap://localhost:389 - SimpleLDAPObject.set_option
((17, 3), {})
=> result:
None
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x7fbafa623cf8>
ldap://localhost:389 - SimpleLDAPObject.simple_bind
(('uid=mihait,ou=Users,dc=example,dc=com',
  'secret',
  [('1.3.6.1.4.1.42.2.27.8.5.1', False, None)],
  None),
 {})
=> result:
1
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x7fbafa623cf8>
ldap://localhost:389 - SimpleLDAPObject.result4
((1, 1, -1, 0, 0, 0), {})
=> result:
(97,
 [],
 1,
 [('1.3.6.1.4.1.42.2.27.8.5.1', 0, '0\x07\xa0\x05\x80\x03\x07|\xb1')])
PasswordPolicyControl
error None
timeBeforeExpiration 3000
graceAuthNsRemaining None
===



2. Say my account is expired
===
(sandbox)root@debian:/tmp# python ppolicy.py ldap://localhost:389/
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x7f8b02482c68>
ldap://localhost:389 - SimpleLDAPObject.set_option
((17, 3), {})
=> result:
None
Password for None:
Password:
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x7f8b02482c68>
ldap://localhost:389 - SimpleLDAPObject.simple_bind
(('uid=mihait,ou=Users,dc=example,dc=com',
  'secret',
  [('1.3.6.1.4.1.42.2.27.8.5.1', False, None)],
  None),
 {})
=> result:
1
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x7f8b02482c68>
ldap://localhost:389 - SimpleLDAPObject.result4
((1, 1, -1, 0, 0, 0), {})
=> LDAPError - INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
Simple bind failed: {'desc': 'Invalid credentials'}
===


Quick observations:
* for testing, I'm changing the pwdChangedType attribute via Apache
Directory Studio
* I have used the indicated script (Demo/pyasn1/ppolicy.py), but hardcoded
the ldap_url.who and ldap_url.cred directly into the bind operation within
line 18.
===
ldap_url = ldapurl.LDAPUrl(sys.argv[1],
    who="uid=mihait,ou=Users,dc=example,dc=com", cred="secret")
===

Shouldn't the INVALID_CREDENTIALS response returned in case of password
expiration have had some extra info describing the cause? (e.g. password
expired, account locked)

I suppose I am using something wrong.
Can you please assist me with this too?

Thanks a lot,

Mihai
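
Added example, not part of the original message and not python-ldap's own code: a standalone Python 3 decoder for the value of the password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1) as laid out in draft-behera-ldap-password-policy, showing how a warning differs on the wire from an error such as passwordExpired or accountLocked. The names `decode_ppolicy_response`, `_tlv` and the sample constants are hypothetical, and the byte strings are constructed rather than captured from a server.

```python
# Added example: decode PasswordPolicyResponseValue (draft-behera-ldap-password-policy).
PPOLICY_ERRORS = (
    "passwordExpired", "accountLocked", "changeAfterReset",
    "passwordModNotAllowed", "mustSupplyOldPassword",
    "insufficientPasswordQuality", "passwordTooShort",
    "passwordTooYoung", "passwordInHistory",
)
WARNINGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}
# Constructed controlValue samples (not captured from a server):
SAMPLE_WARNING = bytes.fromhex("3006a00480020bb8")  # timeBeforeExpiration = 3000
SAMPLE_EXPIRED = bytes.fromhex("3003810100")        # error = passwordExpired


def _tlv(buf, pos):
    """Return (tag, value, next_pos); short-form lengths only (value < 128 bytes)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated header or long-form length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return buf[pos], buf[pos + 2:end], end


def decode_ppolicy_response(value):
    """Decode a controlValue (bytes) into warning and error fields."""
    out = dict.fromkeys(("timeBeforeExpiration", "graceAuthNsRemaining", "error"))
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a single SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, item, pos = _tlv(body, pos)
        if tag == 0xA0:  # warning [0]: CHOICE wrapped in a constructed tag
            wtag, wval, wend = _tlv(item, 0)
            if wtag not in WARNINGS or wend != len(item) or not wval:
                raise ValueError("malformed warning")
            out[WARNINGS[wtag]] = int.from_bytes(wval, "big", signed=True)
        elif tag == 0x81:  # error [1]: ENUMERATED
            code = int.from_bytes(item, "big", signed=True)
            if not item or not 0 <= code < len(PPOLICY_ERRORS):
                raise ValueError("unknown error code")
            out["error"] = PPOLICY_ERRORS[code]
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_WARNING, SAMPLE_EXPIRED):
        print(decode_ppolicy_response(sample))
```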