Open scossu opened 3 years ago
hi @scossu ! so it's not searching for the user, it's searching the root DSE as the user. this is actually in accordance with RFCs 4511 and 4512 - the root DSE contains information such as support LDAP versions, supported SASL mechanisms for authentication, etc. which can be important to read before authenticating. it also includes things such as supported controls, and schema information
the library does read this info by default, so it can provide better validation for client actions
it seems like your test environment is restricting reads to the root DSE. this is fine, and can be worked around as you described. we can definitely try to update the docs to explain the root DSE a bit better, when it's read, what it impacts, etc. - I just wanted to explain why it's working for one and not the other. it's relatively standard to allow unauthenticated searches of the root DSE, and many clients (not just ldap3) will try to read it to determine supported auth mechanisms before authenticating. so if you're going to use other clients too, it's something to be aware of
I am setting up a GLAuth LDAP server to test an application in a self-contained CI environment.
I set up some mock users and a default search base, and if I test the environment with
ldapsearch
, I can get an admin user to list all other users:However, a similar request with ldap3 results in a failure reporting that the searchDN is empty:
The
bind()
command fails with the exceptionldap3.core.exceptions.LDAPInsufficientAccessRightsResult: LDAPInsufficientAccessRightsResult - 50 - insufficientAccessRights - None - None - searchResDone - None
GLAuth logs:
It seems like GLAuth is performing a search for the user after binding, and it's failing because I did not specify a search base. I did not see any parameter in the
Connection()
constructor nor in thebind()
method.However, I found an undocumented
read_server_info
parameter forbind()
which, if set toFalse
, seems to prevent the extra search step and results in a successful operation.This problem does not occur with my LDAP production server (I believe OpenLDAP) where I am able to use the
auto_bind
option.Can this special case and the
read_server_info
option be documented (if that is indeed the best way to solve this)? Thanks.