Question

Fortunately this code is just for testing, and is short enough to just copy/paste here in its entirety. Basically, I need to bind to a dn in order to get the specific details of my search. Otherwise if not bound, it binds anonymously and then I can only get barebones information. I can't seem to successfully bind unless I explicitly run whoami_s() after binding.

Code which does not work (binds anonymously):

l = ldap.initialize("ldap://myldapserver")
l.simple_bind("cn=test,ou=profile,dc=site,dc=com", "abc123")
basedn = "ou=people,dc=site,dc=com"
filter = "uid=bob"
results = l.search_st(basedn, ldap.SCOPE_SUBTREE, filter)
for entry in results:
   print entry

Code which does work (successfully binds and provides all possible details):

l = ldap.initialize("ldap://myldapserver")
l.simple_bind("cn=test,ou=profile,dc=site,dc=com", "abc123")
l.whoami_s()  ### <---- This is the only difference ###
basedn = "ou=people,dc=site,dc=com"
filter = "uid=bob"
results = l.search_st(basedn, ldap.SCOPE_SUBTREE, filter)
for entry in results:
   print entry

I find the documentation on the LDAP module quite lacking (for example, I can't find anything which details the exact differences between bind, bind_s, simple_bind, and simple_bind_s, but that's a question for another day.). I can't find anything that explicitly says you need to finalize the bind with whoami_s() or anything. Should I just accept it, or should I be worried?

Python: 2.6.9
LDAP module: 2.4.13

Solution

Figured this out just by trial and error. First of all, after more searching, I found a site that explicitly states the differences between bind, bind_s, simple_bind, and simple_bind_s: http://www.packtpub.com/article/installing-and-configuring-the-python-ldap-library-and-binding-to-an-ldap-directory

The methods without the "s" at the end are asynchronous --- the code continues on whether or not the operation has completed. The methods with the "s" at the end are synchronous --- the code stops and waits for the operation to complete.

So what I was facing here was a race condition of sorts. I put a "time.sleep(1)" in place of the "whoami_s()", and that solved the problem. This led me to realize that I needed to change from "simple_bind" to "simple_bind_s". I was getting to the LDAP query code too quickly, before I was properly bound, so it was executing anonymously.
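Added example, not part of the original answer: a guard that binds with simple_bind_s and then uses whoami_s to confirm the connection is bound as the intended DN, so a search never silently runs anonymously. The names bind_verified, require_identity, NotBoundError and FakeConn are hypothetical, and FakeConn is a constructed stand-in so the block runs without a server; a real python-ldap connection exposes the same two methods.

```python
class NotBoundError(Exception):
    """Raised when the connection is not bound as the expected DN."""


def _norm_dn(dn):
    # Simplified DN comparison (assumption): case-insensitive, ignoring
    # spaces around commas. Not a full RFC 4514 normalisation.
    return ",".join(part.strip().lower() for part in dn.split(","))


def require_identity(conn, expected_dn):
    """Ask the server who we are and fail closed on anything unexpected."""
    authzid = conn.whoami_s()
    if not authzid:                        # empty authzId means anonymous
        raise NotBoundError("connection is anonymous; refusing to search")
    if not authzid.lower().startswith("dn:"):
        # Other authzId forms (e.g. "u:") are rejected in this example.
        raise NotBoundError("unexpected authzId form: %r" % authzid)
    if _norm_dn(authzid[3:]) != _norm_dn(expected_dn):
        raise NotBoundError("bound as %r, expected %r" % (authzid, expected_dn))
    return authzid


def bind_verified(conn, dn, password):
    """Bind synchronously, then confirm the server sees us as `dn`."""
    conn.simple_bind_s(dn, password)       # blocks until the bind completes
    return require_identity(conn, dn)


class FakeConn(object):
    """Constructed stand-in so the example runs offline (not python-ldap)."""
    def __init__(self):
        self._authz = ""                   # a fresh connection is anonymous
    def simple_bind_s(self, who, cred):
        self._authz = "dn:" + who
    def whoami_s(self):
        return self._authz


if __name__ == "__main__":
    dn = "cn=test,ou=profile,dc=site,dc=com"
    conn = FakeConn()
    try:
        require_identity(conn, dn)         # no bind has completed yet
    except NotBoundError as exc:
        print("blocked: %s" % exc)
    print(bind_verified(conn, dn, "abc123"))
```

With python-ldap, pass the object returned by ldap.initialize() as conn and run the search only after bind_verified returns.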

Other tips

This is odd. In the simplest case, a client must:

  • Connect to the server.
  • If connection is successful, change the authorization state of the connection as required with the BIND request (of which there are two kinds, simple and SASL).
  • If the BIND was successful, transmit other LDAP requests, for example, search, compare, modify, modify DN, and so forth; interpreting the server's responses as they arrive. LDAPv3 clients can also BIND again, which will change the authorization state of the connection.

I do not know what whoami_s does (although there is an LDAP extended operation called WHO AM I), but it would not be necessary. At first glance, the first code example should work. Assuming connection works and BIND was successful, that is all that is required. If there is more than that, then the API is broken.

Not really an answer, sorry.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow