noirello / bonsai

Simple Python 3 module for LDAP, using libldap2 and winldap C libraries.
MIT License

AuthenticationError when connecting with user having attribute 'pwdLastSet = 0' #70

Closed ImapUkua closed 1 year ago

ImapUkua commented 1 year ago

When connecting to an Active Directory LDAP server with a user having the attribute 'pwdLastSet = 0', bonsai throws an AuthenticationError. This behaviour is different from the ldap3 library where the bind succeeds.

The attribute 'pwdLastSet = 0' indicates that the user must change their password upon the next successful login, so the currently entered credentials should still be valid when connecting. More info on pwdLastSet: https://ldapwiki.com/wiki/Pwd-Last-Set%20attribute

Minimal code snippet with ldap3:

```python
import ldap3

if __name__ == "__main__":
    # LDAPS connection to the directory server
    server = ldap3.Server("localhost", use_ssl=True)
    conn = ldap3.Connection(server, user="username", password="password", read_only=False)
    # simple bind with the supplied credentials
    conn.bind()
    print("ldap3 ok")
```

Minimal code snippet with bonsai:

```python
import bonsai

if __name__ == "__main__":
    # LDAPS connection to the directory server
    client = bonsai.LDAPClient("ldaps://localhost")
    # simple bind with the supplied credentials
    client.set_credentials("SIMPLE", "username", "password")
    conn = client.connect()
    print("bonsai ok")
```

Resulting stack trace:

```
Traceback (most recent call last):
  File "D:\tmp.py", line 7, in <module>
    conn = client.connect()
  File "C:\Python\Python310\lib\site-packages\bonsai\ldapclient.py", line 675, in connect
    return LDAPConnection(self).open(timeout)
  File "C:\Python\Python310\lib\site-packages\bonsai\ldapconnection.py", line 297, in open
    return super().open(timeout)
  File "C:\Python\Python310\lib\site-packages\bonsai\ldapconnection.py", line 53, in open
    return self._evaluate(super().open(), timeout)
  File "C:\Python\Python310\lib\site-packages\bonsai\ldapconnection.py", line 246, in _evaluate
    return self.get_result(msg_id, timeout)
bonsai.errors.AuthenticationError: Invalid Credentials. (0x0031 [49])
```

noirello commented 1 year ago

Are you sure that the bind with ldap3 is successful?

When I tried to run your ldap3 example code the conn.result property also contained an authentication error for me.

ImapUkua commented 1 year ago

You're right, my bad. The ldap3 code just didn't raise an exception, but the result contains the same error.
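The thread resolves on the point that ldap3's `bind()` does not raise; the failure only shows up in `conn.result`. The following is an added example, not code from the issue or from the bonsai or ldap3 projects, that inspects such a result dictionary (ldap3's `conn.result` shape: keys `result`, `description`, `message`) and pulls out the Active Directory sub-status code that AD embeds in the diagnostic message of an `invalidCredentials` (49) response, e.g. `data 773` for "user must reset password", which is the case behind a `pwdLastSet = 0` account. The sub-status table is documented AD behaviour, not something stated in the issue; the sample result dictionaries are constructed, not captured from a server.

```python
"""Classify a failed LDAP simple bind against Active Directory.

Added example (not part of the bonsai or ldap3 projects). Works on the
result dictionary ldap3 exposes as ``conn.result`` after ``conn.bind()``.
"""
import re
from typing import Optional

# Active Directory sub-status codes that accompany LDAP resultCode 49
# (invalidCredentials) in the server's diagnostic message, e.g.
# "... AcceptSecurityContext error, data 773, v4563".  The value after
# "data" is hexadecimal.
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (wrong password)",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password (pwdLastSet = 0)",
    0x775: "account locked out",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def ad_bind_subcode(message: str) -> Optional[int]:
    """Return the AD sub-status code found in a diagnostic message, or None."""
    match = _DATA_RE.search(message or "")
    return int(match.group(1), 16) if match else None


def classify_bind_result(result: dict) -> dict:
    """Explain an ldap3-style bind result dictionary.

    Returns a dict with keys: ok, reason, subcode, must_reset_password.
    """
    code = result.get("result")
    if code == 0:
        return {"ok": True, "reason": "bind succeeded",
                "subcode": None, "must_reset_password": False}

    # Only resultCode 49 carries the AD sub-status; other codes are reported
    # by their LDAP description.
    subcode = ad_bind_subcode(result.get("message", "")) if code == 49 else None
    if subcode is None:
        reason = result.get("description") or f"LDAP result {code}"
    else:
        reason = AD_BIND_SUBCODES.get(subcode, f"unknown AD sub-status 0x{subcode:x}")
    return {"ok": False, "reason": reason, "subcode": subcode,
            "must_reset_password": subcode == 0x773}


# Constructed sample results in the shape of ldap3's conn.result.
SAMPLE_RESULTS = {
    "success": {"result": 0, "description": "success", "message": ""},
    "wrong_password": {
        "result": 49, "description": "invalidCredentials",
        "message": "80090308: LdapErr: DSID-0C09042A, comment: "
                   "AcceptSecurityContext error, data 52e, v4563",
    },
    "must_reset": {
        "result": 49, "description": "invalidCredentials",
        "message": "80090308: LdapErr: DSID-0C09042A, comment: "
                   "AcceptSecurityContext error, data 773, v4563",
    },
    # A non-AD server: resultCode 49 without any diagnostic text.
    "non_ad": {"result": 49, "description": "invalidCredentials", "message": ""},
}


if __name__ == "__main__":
    for name, sample in SAMPLE_RESULTS.items():
        print(f"{name:15} -> {classify_bind_result(sample)}")
```

With ldap3 the call site becomes `if not conn.bind(): print(classify_bind_result(conn.result))`, which makes the silent failure in the original snippet visible and tells a "must reset password" account apart from a plain wrong password. A bind that fails this way is still a failed bind: a `pwdLastSet = 0` user cannot authenticate over a simple bind until the password is changed, which is why both libraries report 49.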