[python-ldap] simple_bind_s, no exception on empty password

Chris Gray fathed at gmail.com
Sat Dec 8 08:09:40 CET 2012


Yeah, I sort of was doing that, but in the wrong location. That solution in
theory works for me just fine, as I don't allow accounts with no password.
I may end up doing that regardless, but I think your suggestion to double
check with the whoami_s is good as well, and probably should be done for
correctness even if I check for a blank password.

Thanks again!
Chris


On Fri, Dec 7, 2012 at 11:06 PM, Chaos Eternal <chaoseternal at gmail.com> wrote:

> Another way is to check whether the password is empty before bind.
> On Dec 8, 2012 3:01 PM, "Chris Gray" <fathed at gmail.com> wrote:
>
>> Hmm, that's handy info. And that seems to work:
>>
>> if ldap_conn.whoami_s().lower() == "u:" + ldap_user.lower():
>>
>> This of course leads to new problems.
>> First, .lower() says it is to be considered deprecated.
>> http://docs.python.org/2/library/string.html
>>
>> After searching the webs, everything I see still uses .lower() or
>> .upper(), even if it says it's written for Python3. So, not really sure if
>> I should be concerned about that for now.
>>
>> And the second issue,
>> type(ldap_conn.whoami_s()) is "str". Everything else I've read suggests
>> that ActiveDirectory is LDAPv3, which should always be unicode.
>> This probably isn't something I really need to be concerned about, but
>> I'd rather solve it now instead of waiting for someone else to have an odd
>> problem.
>>
>> I'm in python 2.7. I tried adding this to the top, as I've seen suggested,
>> from __future__ import unicode_literals
>>
>> Doing that does make this string be unicode, "u:" + ldap_user.lower(),
>> but not the string returned from the whoami_s call.
>> Leaving it out returns both types as "str" (which is to be expected).
>>
>> I guess I would need a python3 version of the python-ldap library to
>> solve that, meaning I should wait for the unicode issue, or try something
>> like this:
>> ldap_conn.whoami_s().decode('unicode_escape').encode('iso8859-1').decode('utf8'),
>> which does set the type to unicode. This does work, just seems messy.
>>
>> Here's the current working version checking the supplied username against
>> the whoami_s, (with deprecated .lower)
>>
>> Thanks Chaos Eternal!
>>
>>
>> from __future__ import unicode_literals
>> import sys
>> import ldap
>> import getpass
>>
>> ldap_user = sys.argv[1]
>> ldap_pass = getpass.getpass()
>>
>> ldap_conn = ldap.initialize('ldap://domaincontroller')
>> ldap_conn.protocol_version = 3
>> ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
>>
>> ldap_domains = ['domain1',
>>                 'domain2',
>>                 'domain3',
>>                 'domain4',
>>                 'domain5',
>>                 'domain6',
>>                 'domain7']
>>
>> for domain in ldap_domains:
>>     try:
>>         # Build the bind name per domain so domains do not accumulate
>>         bind_user = domain + "\\" + ldap_user
>>         ldap_conn.simple_bind_s(bind_user, ldap_pass)
>>         ldap_who = ldap_conn.whoami_s().decode('unicode_escape').encode('iso8859-1').decode('utf8').lower()
>>         # Succeed only if the server reports the identity we bound as
>>         if ldap_who == "u:" + bind_user.lower():
>>             sys.exit(0)
>>     except Exception:
>>         pass
>>
>> sys.exit(1)
>>
>>
>> On Fri, Dec 7, 2012 at 7:05 PM, Chaos Eternal <chaoseternal at gmail.com> wrote:
>>
>>> Hi, Chris
>>>
>>> This is the RIGHT behavior when the LDAP server allows anonymous
>>> bind. According to the LDAP RFC, when no password is provided to simple_bind,
>>> the bind will be considered anonymous.
>>>
>>> If you really don't want this to happen, my suggestion is that
>>> you can use whoami_s right after a successful bind to check whether
>>> the DN is desired.
>>>
>>>
>>> On Sat, Dec 8, 2012 at 6:51 AM, Chris Gray <fathed at gmail.com> wrote:
>>> > Hey everyone, I have a question with simple_bind_s.
>>> >
>>> > The code below, if passing in the wrong password, will return 1 as the exit
>>> > code. It will return 0 if the bind is successful. That's pretty much all I
>>> > need it to do.
>>> >
>>> > My problem is, if I just hit enter on the getpass() prompt, my exit code
>>> > ends up being 0 anyway.
>>> >
>>> > Changing the bind line to ldap_conn.simple_bind_s(ldap_user, "") has the
>>> > same effect, no exception thrown. That seems to not even try to do the
>>> > bind, but the lack of exception doesn't seem to be the right behavior
>>> > either.
>>> >
>>> > Variable data is changed to protect... or some reason.
>>> >
>>> > Any suggestions?
>>> > Thanks!
>>> > Chris
>>> >
>>> >
>>> > import sys
>>> > import ldap
>>> > import getpass
>>> >
>>> >
>>> > ldap_user = sys.argv[1]
>>> > ldap_pass = getpass.getpass()
>>> > #if ldap_pass == "":
>>> > # ldap_pass = "badpassword"
>>> >
>>> > ldap_conn = ldap.initialize('ldap://domaincontroller.fqdn')
>>> > ldap_conn.protocol_version = 3
>>> > ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
>>> >
>>> > ldap_domains = ['domain1',
>>> >                 'domain2',
>>> >                 'domain3',
>>> >                 'domain4',
>>> >                 'domain5',
>>> >                 'domain6',
>>> >                 'domain7']
>>> >
>>> > for domain in ldap_domains:
>>> >     try:
>>> >         # Build the bind name per domain so suffixes do not accumulate
>>> >         bind_user = ldap_user + '@' + domain
>>> >         ldap_conn.simple_bind_s(bind_user, ldap_pass)
>>> >         sys.exit(0)
>>> >     except Exception:
>>> >         pass
>>> >
>>> > sys.exit(1)
>>> >
>>>
>>
>>
>>
>> --
>> Intelligence is a matter of opinion.
>>
>


-- 
Intelligence is a matter of opinion.
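
The two checks discussed in this thread (refuse an empty password before binding, then compare whoami_s against the name that was bound), as an added example that is not code from the thread or from python-ldap. FakeConn, naive_auth, checked_auth and the sample account are constructed for illustration; FakeConn only imitates a server that reports success for an empty-password bind, and the "u:" prefix follows the whoami_s output quoted above. With python-ldap, `connect` would be something like `lambda: ldap.initialize('ldap://domaincontroller')`.

```python
class FakeConn:
    """Constructed stand-in for a python-ldap connection to a server that
    reports success for a simple bind with an empty password."""
    ACCOUNTS = {"domain2\\alice": "s3cret"}  # constructed sample account

    def __init__(self):
        self.authz = ""  # anonymous until a real bind succeeds

    def simple_bind_s(self, who, cred):
        if cred == "":
            self.authz = ""  # bind "succeeds" but stays anonymous
        elif self.ACCOUNTS.get(who.lower()) == cred:
            self.authz = "u:" + who
        else:
            raise ValueError("invalid credentials")  # stand-in for ldap.INVALID_CREDENTIALS

    def whoami_s(self):
        return self.authz


def naive_auth(connect, user, password, domains):
    """The pattern from the first post: no exception means success."""
    for domain in domains:
        try:
            connect().simple_bind_s(domain + "\\" + user, password)
            return domain + "\\" + user
        except Exception:
            continue
    return None


def checked_auth(connect, user, password, domains, reject_empty=True):
    """Return the bound DOMAIN\\user, or None if no bind proved that identity."""
    if reject_empty and not password:
        return None  # never send an empty password to the server
    for domain in domains:
        bind_user = domain + "\\" + user
        conn = connect()  # fresh connection per attempt
        try:
            conn.simple_bind_s(bind_user, password)
            who = conn.whoami_s()
        except Exception:
            continue
        if isinstance(who, bytes):  # Python 2 style byte string
            who = who.decode("utf-8")
        if who.lower() == ("u:" + bind_user).lower():
            return bind_user
    return None
```

Passing `reject_empty=False` shows that the whoami_s comparison alone still rejects the empty-password bind, which is why the thread suggests keeping both checks.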