LDAP无法直接在根目录下搜索对象
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了LDAP无法直接在根目录下搜索对象相关的知识,希望对你有一定的参考价值。
我认为这是一个普遍的ldap问题,但我在python中编写了示例代码。
如果我在'root'下面指定一个dn,我可以搜索对象,但如果我尝试在树的顶部搜索,我会收到一个错误:
import ldap
server = '<server address>'
realm = '<realm>'
realm_dn = ','.join(['DC=%s' % part for part in realm.lower().split('.')])
l = ldap.initialize('ldap://%s' % server)
auth_tokens = ldap.sasl.gssapi('')
l.sasl_interactive_bind_s('', auth_tokens)
system = 'CN=System,%s' % realm_dn
print('Containers at system:')
result = l.search_s(system, ldap.SCOPE_ONELEVEL, '(objectCategory=Container)', ['cn'])
for i in result:
print(i[-1]['cn'])
print('Containers at top:')
result = l.search_s(realm_dn, ldap.SCOPE_ONELEVEL, '(objectCategory=Container)', ['cn'])
for i in result:
print(i[-1]['cn'])
第一次搜索成功并打印System中的所有容器。我希望第二次搜索能够找到'System'容器(以及其他容器),但事实并非如此。相反,我得到这个错误:
File "test_ldap_search.py", line 19, in <module>
result = l.search_s(realm_dn, ldap.SCOPE_ONELEVEL, '(objectCategory=Container)', ['cn'])
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 831, in search_s
return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 825, in search_ext_s
return self.result(msgid,all=1,timeout=timeout)[1]
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 717, in result
resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 721, in result2
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 728, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 735, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 308, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 292, in _ldap_call
result = func(*args,**kwargs)
ldap.OPERATIONS_ERROR: {'info': u'000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1771', 'desc': u'Operations error'}
我知道我已通过身份验证。我作为管理员开玩笑了。因此,“为了执行此操作,必须在连接上完成成功绑定”消息具有误导性。
我试图搜索任何类型的对象,它总是在树的根下面成功,并在顶部失败。是否有一些ldap-ism我在这里不理解?
ldap服务器是Windows 2008 R2服务器。
答案
这个搜索使用python ldap3代码。
l = ldap3.Connection(server, user=user, password=password, authentication=ldap3.NTLM, auto_bind=True)
print('Containers at top:')
l.search(realm_dn, '(objectCategory=Container)', search_scope='LEVEL', attributes= ['cn'])
for i in l.entries:
print(i['cn'])
也许这是python-ldap代码中的一个错误?
以上是关于LDAP无法直接在根目录下搜索对象的主要内容,如果未能解决你的问题,请参考以下文章