14

I'm trying to update some code to python3, using ldap3 version '0.9.7.4'. (https://pypi.python.org/pypi/ldap3)

Previously, I used python-ldap with python2 to authenticate a user like this:

```python
import ldap

address = "ldap://HOST:389"
con = ldap.initialize(address)
base_dn = "ourDN=jjj"
con.protocol_version = ldap.VERSION3
# Look up the user's entry to obtain its DN
search_filter = "(uid=USERNAME)"
result = con.search_s(base_dn, ldap.SCOPE_SUBTREE, search_filter, None)
user_dn = result[0][0]  # get the user DN
# Bind as that DN to verify the password
con.simple_bind_s(user_dn, "PASSWORD")
```

This properly returns (97, [], 2, []) on correct password, and raises ldap.INVALID_CREDENTIALS on a bind attempt using an incorrect password.

Using ldap3 in python3 I'm doing the following:

```python
# Constant names as in ldap3 0.9.7.4; HOST, user_dn and PASSWORD are placeholders
from ldap3 import Server, Connection, AUTH_SIMPLE, STRATEGY_SYNC, ALL

s = Server(HOST, port=389, get_info=ALL)
c = Connection(s, authentication=AUTH_SIMPLE, user=user_dn, password=PASSWORD,
               check_names=True, lazy=False, client_strategy=STRATEGY_SYNC,
               raise_exceptions=True)
c.open()
c.bind()
```

It's raising the following exception:

```
ldap3.core.exceptions.LDAPInvalidCredentialsResult: LDAPInvalidCredentialsResult - 49 - invalidCredentials - [{'dn': '', 'message': '', 'type': 'bindResponse', 'result': 0, 'saslCreds': 'None', 'description': 'success', 'referrals': None}]
```

I'm using the user_dn value returned by python2's ldap search, since this appears to be working in python2.

How can I get this to bind properly using ldap3 in python3?

(One strange thing I noticed is that ldap3's LDAPInvalidCredentialsResult includes 'description': 'success'. I'm guessing this just means the response was successfully received...)

Bless
monkut
  • Ok tested by using the *wrong* password and found that the resulting Exception is different, `ldap3.core.exceptions.LDAPInvalidCredentialsResult: LDAPInvalidCredentialsResult - 49 - invalidCredentials - None - None - bindResponse - None` and does not contain `'description': 'success'` ... bug? – monkut Feb 18 '15 at 03:25
  • I'm running the same commands but getting: `ImportError: cannot import name 'AUTH_SIMPLE' ImportError: cannot import name 'STRATEGY_SYNC'` – A. Man Mar 12 '20 at 12:44
  • This was quite a while ago; the library may have been refactored, and locations changed... – monkut Mar 13 '20 at 02:42
  • Looks like STRATEGY_SYNC -> SYNC – monkut Mar 13 '20 at 02:44
  • https://ldap3.readthedocs.io/en/latest/changelog.html#changelog – monkut Mar 13 '20 at 02:44
  • Tnx, that worked for me, but now I faced the same issue as you had. see my comment in the answer section – A. Man Mar 13 '20 at 09:06
  • can you check if you faced it? – A. Man Mar 15 '20 at 20:34

2 Answers

25

I'm the author of ldap3, please set raise_exceptions=False in the Connection definition and check the connection.result after the bind. You should get the reason why your bind() is unsuccessful.

Jon
cannatag
  • Thanks! I checked using `raise_exceptions=False`, but `connection.result` doesn't seem to contain anything useful, that I can tell: `>>> c.result {'dn': '', 'result': 49, 'message': '', 'description': 'invalidCredentials', 'type': 'bindResponse', 'saslCreds': 'None', 'referrals': None} ` – monkut Feb 20 '15 at 01:24
  • Reinstantiating the connection, `c` above with `raise_exceptions=True` still returns `'description': 'success'`, when the given password is correct. – monkut Feb 20 '15 at 01:25
  • Note that the `c.result` content is unchanged if the password is correct, or not, unlike the exception result. – monkut Feb 20 '15 at 01:27
  • please open an issue on https://github.com/cannatag/ldap3/issues so I can track the problem. I need to know the version of python you're using and the version of the LDAP server you're trying to connect to. – cannatag Feb 20 '15 at 16:56
  • @cannatag could you please have a look on my question? Thanks! https://stackoverflow.com/questions/54225216/convert-ldapsearch-filter-to-python-filter – Joseph Wahba Jan 16 '19 at 21:09
  • @cannatag, can you advise? Python version: 3.6.6 ldap3 version: 2.7 – A. Man Mar 15 '20 at 20:33
  • Invalid credentials means that you’re sending the wrong credentials to the server – cannatag Mar 15 '20 at 21:18
1

Confirm that your DN doesn't need to escape a comma using backslash \.

My organization gives users a CN of "last name, first name", so my DN needed to be "CN=Doe\, Jane, OU=xyz, ..., DC=abc, DC=com"

I realized this by using Active Directory Explorer to navigate to my user object, r-click > view properties to see the distinguished name. I ran into this invalid credential error when using the DN that AD Explorer displays in its Path breadcrumb which omits the escape character.

ThePyGuy
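
The comma-escaping point in the answer above, as an added example that is not part of the original answer or of ldap3: it escapes an attribute value per RFC 4514 when building a bind DN and flags DN components that lack an `attr=value` form, which is what an unescaped comma produces. Function names and sample values are constructed for illustration.

```python
# Added example: RFC 4514 value escaping plus a check for unescaped commas in a DN.
SPECIAL = '"+,;<>\\'  # characters that must be escaped inside an attribute value


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN string (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        # Leading/trailing space and a leading '#' also need a backslash
        edge = (ch == " " and i in (0, last)) or (ch == "#" and i == 0)
        if ch == "\x00":
            out.append("\\00")
        elif ch in SPECIAL or edge:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Join (attribute, raw value) pairs into a DN, escaping every value."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def split_dn(dn: str):
    """Split a DN on unescaped commas only; backslash pairs stay intact."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" and i + 1 < len(dn) else 1
        if dn[i] == ",":
            parts.append(cur.lstrip())
            cur = ""
        else:
            cur += dn[i:i + step]
        i += step
    parts.append(cur.lstrip())
    return parts


def malformed_components(dn: str):
    """Heuristic: components without '=' usually mean a comma was left unescaped."""
    return [p for p in split_dn(dn) if "=" not in p]


if __name__ == "__main__":
    # Constructed sample values modelled on the "last name, first name" CN above
    print(build_dn([("CN", "Doe, Jane"), ("OU", "xyz"), ("DC", "abc"), ("DC", "com")]))
    print(malformed_components("CN=Doe, Jane,OU=xyz,DC=abc,DC=com"))
```

Building the bind DN from raw user input without this escaping also lets a user-supplied value alter the DN structure. ldap3 provides `escape_rdn` in `ldap3.utils.dn` for the same purpose.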