cannatag / ldap3

A strictly RFC 4510 conforming LDAP V3 pure Python client. The same codebase works with Python 2, Python 3, PyPy and PyPy3

LDAP invalidCredentials Error #709

Closed anees30 closed 5 years ago

anees30 commented 5 years ago

Using Python 3.6.7 and ldap3-2.6. The following code raises invalidCredentials when proper user DN and password are used.

from ldap3 import Server, Connection, ALL, NTLM
server = Server('192.168.55.73', get_info=ALL)
conn = Connection(server, 'uid=username@domain.com,OU=IT,OU=Office Users,OU=RUG,OU=Accounts,DC=domain,DC=com', 'password411', auto_bind=False)
if not conn.bind():
    print('error in bind', conn.result)
else:
    print('Connection Successful', conn.result)

Here is the error:

error in bind {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}

Please guide what is missing...? For more information here is the screenshot...

[image: LDAP Binding failed]
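Added example, not part of the original post or of ldap3: a parser for the Active Directory diagnostic string carried in the `message` field of a failed bindResponse like the one above. The `data` field is a hexadecimal Win32 error number that says why the bind was refused; the function and table names are made up for this illustration.

```python
import re

# Win32 error numbers (hex) that Active Directory reports in the "data"
# field of a failed bind.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "logon failure: user name or password is incorrect",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password",
    "775": "account locked out",
}

# Layout: "<hex code>: LdapErr: DSID-<hex>, comment: <text>, data <hex>, v<hex>"
AD_MESSAGE = re.compile(
    r"^(?P<code>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), "
    r"(?P<version>v[0-9A-Fa-f]+)"
)

def explain_ad_bind_failure(result):
    """Describe a failed bind result dict from AD; None if it is not result 49."""
    if result.get("result") != 49:  # 49 = invalidCredentials
        return None
    # AD terminates the message with a NUL byte; drop it before matching.
    match = AD_MESSAGE.match((result.get("message") or "").rstrip("\x00"))
    if match is None:
        return {"data": None, "meaning": "no AD diagnostic in message"}
    data = match.group("data").lower()
    return {
        "dsid": match.group("dsid"),
        "comment": match.group("comment"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
    }

# The bindResponse quoted in the post above.
SAMPLE_RESULT = {
    "result": 49, "description": "invalidCredentials", "dn": "",
    "message": "80090308: LdapErr: DSID-0C090400, comment: "
               "AcceptSecurityContext error, data 52e, v1db1\x00",
    "referrals": None, "saslCreds": None, "type": "bindResponse",
}

if __name__ == "__main__":
    print(explain_ad_bind_failure(SAMPLE_RESULT))
```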

fpatterson55 commented 5 years ago

What if you use the cn naming rather than uid? sAMAccountName value as the cn value

cn=rsmith,ou=IT,ou=Office Users,ou=accounts,dc=domain,dc=com

Does your bind work with Apache Directory Studio?


anees30 commented 5 years ago

@fpatterson55 I tried with cn but same result.

>>> conn = Connection(server, 'cn=9999,OU=IT,OU=Office Users,OU=RUG,OU=Accounts,DC=domainr,DC=com', 'password4111', auto_bind=True)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/anees/.local/lib/python3.6/site-packages/ldap3/core/connection.py", line 325, in __init__
    self.do_auto_bind()
  File "/home/anees/.local/lib/python3.6/site-packages/ldap3/core/connection.py", line 353, in do_auto_bind
    raise LDAPBindError(self.last_error)
ldap3.core.exceptions.LDAPBindError: automatic bind not successful - invalidCredentials

cn=9999 or cn=9999@domain.com which is correct. "Does your bind work with Apache Directory Studio?"... no idea about this...

fpatterson55 commented 5 years ago

Sorry, that is what I get for not using NTLM for a long time.

https://ldap3.readthedocs.io/bind.html#ntlm

Go to the ntlm section, looks like you use the SISCILY format (not LDAP rfc, but hey it is MS)

# import class and constants
from ldap3 import Server, Connection, SIMPLE, SYNC, ALL, SASL, NTLM

# define the server and the connection
s = Server('servername', get_info=ALL)
c = Connection(s, user="AUTHTEST\\Administrator", password="password", authentication=NTLM)
# perform the Bind operation
if not c.bind():
    print('error in bind', c.result)

All joking aside, I am impressed with Microsoft's choices to be more open to the open source communities. I have listened to quite a few Python podcasts indicating as much.


anees30 commented 5 years ago

@fpatterson55 This code is working but without DN parameters passed...

>>> from ldap3 import Server, Connection, SIMPLE, SYNC, ALL, SASL, NTLM
>>> c = Connection(s, user="AUTHTEST\\adminuser", password="adminpwd", authentication=NTLM)
>>> if not c.bind():
...     print('error in bind', c.result)
... else:
...     print('Connection Successful', c.result)
Connection Successful {'result': 0, 'description': 'success', 'dn': '', 'message': '', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}

But what I am looking for is LDAP base and filter. This information is required to use in an ERP application to login and authenticate with Windows Active Directory users.... Please see the pic where the LDAP information required in our ERP system.. Please guide how to get all these LDAP parameters required from AD shown in this pic from our AD...

[image: ladapsettings]

anees30 commented 5 years ago

These are my settings in our ERP System:

LDAP base = CN=Users,DC=domain,DC=com
LDAP filter = sAMAccountName=%s

When I login with AD user getting following error....

2019-06-25 14:50:30,114 1999 ERROR hrdemo odoo.addons.auth_ldap.models.res_company_ldap: LDAP bind failed.

Any idea what could be the base and filter? and how to get it from AD?
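Added example, not code from this thread, ldap3 or Odoo: a filter template such as the `sAMAccountName=%s` above is filled in with the login name the user types, so that value has to be escaped per RFC 4515 before it is searched under the base, and the bind that follows should only proceed when exactly one entry matched. The function names and the sample inputs are constructed for this illustration.

```python
# RFC 4515 section 3: these characters must appear as \XX inside a filter value.
FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value):
    """Escape a user-supplied string for use as an LDAP filter assertion value."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(template, login):
    """Fill a 'attr=%s' style template with an escaped login name."""
    if template.count("%s") != 1:
        raise ValueError("filter template must contain exactly one %s")
    if not login:
        raise ValueError("empty login name")
    flt = template.replace("%s", escape_filter_value(login))
    # Some clients (ldap3 among them) expect the filter in parentheses.
    if not flt.startswith("("):
        flt = "(" + flt + ")"
    return flt

def pick_single_dn(matching_dns):
    """Return the DN to bind as, or None unless the search matched exactly one entry."""
    if len(matching_dns) != 1:
        return None  # zero or ambiguous matches: refuse to authenticate
    return matching_dns[0]

if __name__ == "__main__":
    # Constructed inputs: a normal login and one containing filter metacharacters.
    print(build_user_filter("sAMAccountName=%s", "rsmith"))
    print(build_user_filter("sAMAccountName=%s", "*)(objectClass=*"))
```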

fpatterson55 commented 5 years ago

Since Odoo is being used, you may want to contact them. I don't know what their filter would be wanting to look at. Although your settings may be right, they would know best what calls are being made. You could set up a packet trace, but you might have to decode the TLS communication.

AD might have a LDAP trace option, but I am not familiar with it if they do.

You might try to connect with apache directory studio to confirm your bind is successful over LDAP.

If you are Linux based you might be able to use an ldapsearch command for NTLM.


anees30 commented 5 years ago

I am not Linux based. Could you please share the ldapsearch syntax.

fpatterson55 commented 5 years ago

https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities

I am not aware of a windows based install. So you may want to stick with apache directory studio or other ldap based utilities to test authentication.


anees30 commented 5 years ago

Where to install apache directory studio. On the Windows Active Directory Server? Or any computer in the same network? I have a Virtual Machine running Ubuntu in the same network? apache directory studio will it list our existing Windows AD users. What information apache directory studio need to list AD? Thanks.

anees30 commented 5 years ago

@fpatterson55 I have installed apache directory studio on a computer in the network. Given host, Bind User and Bind password. It connected successfully. Now what information I can get from it to solve my problem?

[image: apache]

Thanks

anees30 commented 5 years ago

Now I am getting a different error when logging to odoo erp..

2019-06-26 06:25:11,330 2156 ERROR hrdemo odoo.addons.auth_ldap.models.res_company_ldap: An LDAP exception occurred: {'desc': "Can't contact LDAP server", 'errno': 107, 'info': 'Transport endpoint is not connected'}

What could be the reason...