[python-ldap] simple_bind_s, no exception on empty password

Chris Gray fathed at gmail.com
Sat Dec 8 08:01:59 CET 2012


Hmm, that's handy info. And that seems to work:

if ldap_conn.whoami_s().lower() == "u:" + ldap_user.lower():

This of course leads to new problems.
First, .lower() says it is to be considered deprecated.
http://docs.python.org/2/library/string.html

After searching the webs, everything I see still uses .lower() or .upper(),
even if it says it's written for Python3. So, not really sure if I should
be concerned about that for now.

And the second issue,
type(ldap_conn.whoami_s()) is "str". Everything else I've read suggests
that ActiveDirectory is LDAPv3, which should always be unicode.
This probably isn't something I really need to be concerned about, but I'd
rather solve it now instead of waiting for someone else to have an odd
problem.

I'm in python 2.7. I tried adding this to top, as I've seen suggested,
from __future__ import unicode_literals

Doing that does make this string be unicode, "u:" + ldap_user.lower(), but
not the string returned from the whoami_s call.
Leaving it out returns both types as "str" (which is to be expected).

I guess I would need a python3 version of the python-ldap library to solve
that, meaning I should wait for the unicode issue, or try something like
this:
ldap_conn.whoami_s().decode('unicode_escape').encode('iso8859-1').decode('utf8'),
which does set the type to unicode. This does work, just seems messy.

Here's the current working version checking the supplied username against
the whoami_s, (with deprecated .lower)

Thanks Chaos Eternal!


from __future__ import unicode_literals
import sys
import ldap
import getpass

ldap_user = sys.argv[1]
ldap_pass = getpass.getpass()

ldap_conn = ldap.initialize('ldap://domaincontroller')
ldap_conn.protocol_version = 3
ldap_conn.set_option(ldap.OPT_REFERRALS, 0)

ldap_domains = ['domain1',
                'domain2',
                'domain3',
                'domain4',
                'domain5',
                'domain6',
                'domain7']

for domain in ldap_domains:
    # Build the bind name fresh on every pass; reassigning ldap_user would
    # stack each previous domain in front of it ("domain2\domain1\user").
    bind_user = domain + "\\" + ldap_user
    try:
        ldap_conn.simple_bind_s(bind_user, ldap_pass)
        # whoami_s returns a byte str on Python 2; the decode chain turns it
        # into unicode so it compares with the unicode_literals string.
        ldap_who = ldap_conn.whoami_s().decode('unicode_escape').encode('iso8859-1').decode('utf8').lower()
        if ldap_who == "u:" + bind_user.lower():
            sys.exit(0)
    except Exception:
        pass

sys.exit(1)


On Fri, Dec 7, 2012 at 7:05 PM, Chaos Eternal <chaoseternal at gmail.com> wrote:

> Hi, Chris
>
> This is the RIGHT behavior when the LDAP Server which allows anonymous
> bind. According to LDAP rfc, when no password provided to simple_bind,
> the bind will be considered anonymous.
>
> if you really don't want this to be happening, my suggestion is that
> you can use whoami_s right after a successful bind to check whether
> the DN is desired.
>
>
> On Sat, Dec 8, 2012 at 6:51 AM, Chris Gray <fathed at gmail.com> wrote:
> > Hey everyone, I have a question with simple_bind_s.
> >
> > The code below, if passing in the wrong password, will return 1 as the
> exit
> > code. It will return 0 if the bind is successful. That's pretty much all
> I
> > need it to do.
> >
> > My problem is, if I just hit enter on the getpass() prompt, my exit code
> > ends up being 0 anyway.
> >
> > Changing the bind line to ldap_conn.simple_bind_s(ldap_user, "") has the
> > same effect, no exception thrown. That seems not to even try to do the
> > bind, but the lack of exception doesn't seem to be the right behavior
> > either.
> >
> > Variable data is changed to protect... or some reason.
> >
> > Any suggestions?
> > Thanks!
> > Chris
> >
> >
> > import sys
> > import ldap
> > import getpass
> >
> >
> > ldap_user = sys.argv[1]
> > ldap_pass = getpass.getpass()
> > #if ldap_pass == "":
> > # ldap_pass = "badpassword"
> >
> > ldap_conn = ldap.initialize('ldap://domaincontroller.fqdn')
> > ldap_conn.protocol_version = 3
> > ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
> >
> > ldap_domains = ['domain1',
> >                 'domain2',
> >                 'domain3',
> >                 'domain4',
> >                 'domain5',
> >                 'domain6',
> >                 'domain7']
> >
> > for domain in ldap_domains:
> >     # build the bind name fresh each pass instead of appending to ldap_user
> >     bind_user = ldap_user + '@' + domain
> >     try:
> >         ldap_conn.simple_bind_s(bind_user, ldap_pass)
> >         sys.exit(0)
> >     except Exception:
> >         pass
> >
> > sys.exit(1)
> >
> > _______________________________________________
> > python-ldap mailing list
> > python-ldap at python.org
> > http://mail.python.org/mailman/listinfo/python-ldap
> >
>



-- 
Intelligence is a matter of opinion.
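Added example, not code from Chris Gray or from python-ldap itself: the two guards Chaos Eternal describes (refuse an empty password up front, then confirm the bound identity with whoami_s) written for Python 3. The `FakeADConnection` is a constructed stand-in for an `ldap.LDAPObject` that models a server accepting an unauthenticated bind exactly as the thread reports, so the block runs without a domain controller; the account data, domain list and `ldap://domaincontroller` host are assumptions. `naive_check` reproduces the original logic to show why it passes on an empty password.

```python
"""Safe LDAP password check: refuse unauthenticated binds, confirm identity.

RFC 4513 section 5.1.2: a simple bind with a non-empty name and an EMPTY
password is an "unauthenticated" bind. Servers may accept it and grant
anonymous access, so "simple_bind_s did not raise" proves nothing about
the password. Guard 1 never sends an empty password; guard 2 asks the
server who we are (RFC 4532 whoami) after the bind and compares.
"""


class BindError(Exception):
    """Stand-in for ldap.LDAPError so this runs without python-ldap."""


BIND_ERRORS = (BindError,)
try:
    import ldap  # python-ldap, used only in the __main__ block
    BIND_ERRORS += (ldap.LDAPError,)
except ImportError:
    ldap = None


class FakeADConnection:
    """Constructed stand-in for an ldap.LDAPObject (assumption, not AD).

    Models the behaviour in the thread: an empty password "succeeds" but
    leaves the session anonymous, so whoami_s returns an empty authzId.
    """

    def __init__(self, accounts):
        self._accounts = accounts  # {'domain3\\alice': 'correct horse'} (constructed)
        self._authz_id = ""        # anonymous until a real bind succeeds

    def simple_bind_s(self, who, cred):
        if cred == "":
            self._authz_id = ""    # unauthenticated bind -> anonymous, no error
            return
        if self._accounts.get(who.lower()) != cred:
            raise BindError("invalidCredentials")
        self._authz_id = "u:" + who  # AD-style authzId: u:DOMAIN\user

    def whoami_s(self):
        return self._authz_id


def naive_check(conn, username, password, domains):
    """The thread's original logic: success == the bind did not raise.

    Returns True for an empty password on a server that accepts
    unauthenticated binds, which is the bug being discussed.
    """
    for domain in domains:
        try:
            conn.simple_bind_s(domain + "\\" + username, password)
            return True
        except BIND_ERRORS:
            pass
    return False


def authenticate(conn, username, password, domains):
    """Return the 'DOMAIN\\user' name that bound, or None on failure."""
    if not username or not password:
        # Guard 1: empty password = unauthenticated bind, empty name =
        # anonymous bind. Neither proves anything; do not even try.
        return None
    for domain in domains:
        bind_name = domain + "\\" + username  # fresh each pass, never accumulated
        try:
            conn.simple_bind_s(bind_name, password)
        except BIND_ERRORS:
            continue
        # Guard 2: the server must agree on who bound. AD answers whoami
        # with 'u:DOMAIN\user'; AD names are case-insensitive, so fold case.
        if conn.whoami_s().lower() == ("u:" + bind_name).lower():
            return bind_name
    return None


DOMAINS = ["domain1", "domain2", "domain3"]  # assumed domain list


if __name__ == "__main__":
    import getpass
    import sys

    if ldap is None:
        sys.exit("python-ldap not installed; run the test with FakeADConnection")
    conn = ldap.initialize("ldap://domaincontroller")  # assumed host
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    ok = authenticate(conn, sys.argv[1], getpass.getpass(), DOMAINS)
    sys.exit(0 if ok else 1)
```

Guard 2 is worth keeping even with guard 1 in place: it also catches a server that silently downgrades a failed bind to anonymous, or a proxy that answers the bind on the client's behalf, because in both cases the authzId comes back empty or as someone else.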