How to do it...

We will take the bind DN, the password and the address of the LDAP server as input arguments.

Listing 11.7 shows how to perform an LDAP bind with the ldap3 library:

#!/usr/bin/env python
# Python Network Programming Cookbook, Second Edition -- Chapter - 11
# This program is optimized for Python 2.7.12 and Python 3.5.2.
# It may run on any other version with/without modifications.

import argparse
from ldap3 import Server, Connection, ALL, core


def main(address, dn, password):
    # Create the Server object with the given address.
    server = Server(address, get_info=ALL)
    # Create a connection object, and bind with the given DN and password.
    try:
        conn = Connection(server, dn, password, auto_bind=True)
        print('LDAP Bind Successful.')
        print(conn)
    except core.exceptions.LDAPBindError as e:
        # If the LDAP bind failed for reasons such as authentication failure.
        print('LDAP Bind Failed: ', e)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Query LDAP Server')
    parser.add_argument('--address', action="store",
                        dest="address", default='ldap.forumsys.com')
    parser.add_argument('--dn', action="store",
                        dest="dn", default='cn=read-only-admin,dc=example,dc=com')
    parser.add_argument('--password', action="store",
                        dest="password", default='password')
    given_args = parser.parse_args()
    address = given_args.address
    dn = given_args.dn
    password = given_args.password
    main(address, dn, password)

We will first test the recipe with a correct dn and password:

$ python 11_7_query_ldap_server.py --address=ldap.forumsys.com --dn=cn=read-only-admin,dc=example,dc=com --password=password
LDAP Bind Successful.
ldap://ldap.forumsys.com:389 - cleartext - user: cn=read-only-admin,dc=example,dc=com - not lazy - bound - open - <local: 109.141.39.196:60340 - remote: 54.196.176.103:389> - tls not started - listening - SyncStrategy - internal decoder

Now again with a wrong combination of dn and password:

$ python 11_7_query_ldap_server.py --address=ldap.forumsys.com --dn=ou=mathematicians,dc=example,dc=com --password=password1
LDAP Bind Failed:  automatic bind not successful - invalidCredentials

The LDAP bind fails with the invalidCredentials error (LDAP result code 49) both when the DN does not exist and when the password is incorrect. The server deliberately does not distinguish the two cases, so that an attacker cannot use the bind response to enumerate valid DNs. Note also that the connection description printed on success says "cleartext" and "tls not started": this is a simple bind over plain LDAP on port 389, so the password travels unencrypted. Outside a test server such as ldap.forumsys.com, use LDAPS (Server(address, use_ssl=True, get_info=ALL), port 636) or call conn.start_tls() before binding.

To actually query the entries, we need to perform a search after the bind. We slightly modify our recipe for this; the modified version is listed in 11_7_query_ldap_server_b.py. The following segment shows the changes relative to Listing 11.7:

    try:
        conn = Connection(server, dn, password, auto_bind=True)
        print('LDAP Bind Successful.')
        # Perform a search for a pre-defined criteria.
        # Mention the search base, the search filter and the attributes to return.
        conn.search('dc=example,dc=com', '(&(uid=euler))',
                    attributes=['sn'])
        # Print the first resulting entry. conn.entries is empty when
        # nothing matched, so guard against an IndexError.
        if conn.entries:
            print(conn.entries[0])
        else:
            print('No entries matched the filter.')
    except core.exceptions.LDAPBindError as e:
        # If the LDAP bind failed for reasons such as authentication failure.
        print('LDAP Bind Failed: ', e)

We run the modified recipe to produce the following output:

$ python3 11_7_query_ldap_server_b.py --address=ldap.forumsys.com --dn=cn=read-only-admin,dc=example,dc=com --password=password
LDAP Bind Successful.
DN: uid=euler,dc=example,dc=com - STATUS: Read - READ TIME: 2017-07-26T22:57:48.011791
    sn: Euler

Here we showed how the LDAP directory can be queried by providing a search base, a filter and the attributes to return. Because the Server object was created with get_info=ALL, ldap3 has fetched the server schema, and the Connection (whose check_names option defaults to True) validates attribute names against that schema on the client side before sending the request. Requesting an attribute type the schema does not define therefore raises an error. For example, asking for the attribute type krbLastPwdChange in place of sn in the preceding code produces the following error message:

ldap3.core.exceptions.LDAPAttributeError: invalid attribute type krbLastPwdChange

Similarly, an invalid filter throws the following error:

ldap3.core.exceptions.LDAPInvalidFilterError: invalid filter
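The recipe hardcodes the filter (&(uid=euler)). In real code the uid usually comes from a caller, and an attacker-controlled value containing *, ( or ) changes the meaning of the filter unless it is escaped as RFC 4515 requires; ldap3 ships ldap3.utils.conv.escape_filter_chars for exactly this. The block below is an added example, not code from the cookbook: it reimplements that escaping rule in plain Python so it runs offline without a server or the ldap3 package, and the function names and the malicious sample uid are constructed for illustration. It also includes a small structural check, in the spirit of the LDAPInvalidFilterError shown above, to make the point that the injected filter is syntactically valid and would be sent to the server unchallenged.

```python
#!/usr/bin/env python3
# Added example: building the recipe's search filter from an untrusted uid.
# Not from the cookbook.  The escaping below follows RFC 4515 section 3; with
# ldap3 installed, ldap3.utils.conv.escape_filter_chars does the same job.
import re

# Characters that must be escaped inside an assertion value (RFC 4515).
# The backslash is handled first so the escapes we insert are not re-escaped.
_FILTER_ESCAPES = (
    ('\\', r'\5c'),
    ('*', r'\2a'),
    ('(', r'\28'),
    (')', r'\29'),
    ('\x00', r'\00'),
)


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    for raw, escaped in _FILTER_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def build_uid_filter(uid, escape=True):
    """Return the recipe's filter, (&(uid=...)), for a caller-supplied uid.

    escape=False reproduces plain string formatting and exists only to show
    what an attacker-controlled uid does to the filter.
    """
    value = escape_filter_value(uid) if escape else uid
    return '(&(uid={}))'.format(value)


def is_well_formed_filter(flt):
    """Cheap structural check, in the spirit of the client-side validation that
    makes ldap3 raise LDAPInvalidFilterError: one parenthesised expression,
    balanced parentheses, and every innermost (leaf) item of the form attr=value.
    """
    if not (flt.startswith('(') and flt.endswith(')')):
        return False
    depth = 0
    for ch in flt:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:          # a ')' before its '('
                return False
    if depth != 0:                 # unbalanced
        return False
    leaves = re.findall(r'\(([^()]*)\)', flt)
    return bool(leaves) and all('=' in leaf for leaf in leaves)


if __name__ == '__main__':
    # Constructed inputs: the legitimate uid from the recipe, and a malicious one.
    for uid in ('euler', '*)(uid=*'):
        unsafe = build_uid_filter(uid, escape=False)
        safe = build_uid_filter(uid)
        print('uid=%r' % uid)
        print('  unescaped: %s  well-formed=%s' % (unsafe, is_well_formed_filter(unsafe)))
        print('  escaped:   %s  well-formed=%s' % (safe, is_well_formed_filter(safe)))
    # A filter with a missing parenthesis is the kind ldap3 rejects as invalid.
    print('(&(uid=euler) well-formed=%s' % is_well_formed_filter('(&(uid=euler)'))
```

With the malicious uid, naive formatting yields (&(uid=*)(uid=*)), a well-formed filter that matches every entry with a uid, so the syntax check alone offers no protection; the escaped form (&(uid=\2a\29\28uid=\2a)) matches only a uid literally equal to the attacker's string. Escaping the value is the fix; validating the filter's syntax is not.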