
authentication with python-ldap


avaz...@grm.uci.cu

May 23, 2013, 7:36:21 PM
to pytho...@python.org
import ldap
conn = ldap.initialize("ldap://ldap.uci.cu")
conn.protocol_version = ldap.VERSION3
conn.simple_bind_s( "uid=xxx,dc=uci,dc=cu", "xxx" )

Result:

Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}



What is my mistake?




dieter

May 25, 2013, 2:01:01 AM
to pytho...@python.org
You are accessing a protected operation of the LDAP server
and it (the server) rejects it due to invalid credentials.
You may have forgotten to pass on credentials (e.g. a password)
or the credentials do not fit the specified user
(maybe the user does not exist at all).

Jorge Alberto Diaz Orozco

May 25, 2013, 2:00:28 PM
to dieter, pytho...@python.org
I have been doing the same thing and I tried to use Java for testing the credentials and they are correct. It works perfectly with Java.
I really don't know what we're doing wrong.



Joseph L. Casale

May 25, 2013, 2:25:18 PM
to pytho...@python.org

Depending on the directory (which we don't know) and the code as well, the way you auth
might be the problem. Possibly Java met the directory requirements with the methods you
used whereas they did not with Python given your code.

For example, certain operations in AD require specific transports to be used...

jlc

Dieter Maurer

May 26, 2013, 2:00:36 AM
to Jorge Alberto Diaz Orozco, pytho...@python.org
Jorge Alberto Diaz Orozco wrote at 2013-5-25 14:00 -0400:
>I have been doing the same thing and I tried to use Java for testing the credentials and they are correct. It works perfectly with Java.
>I really don't know what we're doing wrong.

Neither do I.

But the error message definitely originates from the LDAP server.
This means that the server sees different things for the
(successful) Java connection and the (unsuccessful) Python connection.
Maybe you can convince your LDAP server administrator to configure
a form of logging that allows you to compare the two requests
(this may not be easy - because sensitive information is involved).
Comparing the requests may provide valuable clues towards the cause
of the problem.

One may also try some guesswork: There is an important difference
between Java and Python 2. Java uses Unicode as the typical type
for text variables, while in Python 2 you normally use the type "str"
for text. "str" means not Unicode but encoded text.
When the Java-LDAP bridge passes text to the LDAP server, it must
encode the text - and maybe, it uses the correct encoding
(the one the LDAP server expects). The Python-LDAP bridge, on the other
hand, does not get unicode but "str" and likely passes the "str"
values directly. Thus, if your "str" values do not use the correct
encoding (the one expected by the LDAP server), things will not
work out correctly.

I expect the LDAP server to expect the "utf-8" encoding.
In this case, problems could be expected when the data
passed on to the LDAP server contains non-ASCII characters,
while all-ASCII data should not see problems.



--
Dieter
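
Added example, not part of the original thread or of python-ldap: to make the encoding guess above concrete, this builds an LDAPv3 simple BindRequest (RFC 4511) by hand and compares the bytes a server would receive when the same DN and password are encoded as UTF-8 versus Latin-1. It is written for Python 3; the DN, passwords and function names are constructed for illustration.

```python
# Added example (Python 3, no python-ldap needed): build an LDAPv3 simple
# BindRequest by hand (RFC 4511) and compare the bytes per text encoding.
# The DN and passwords below are constructed sample values.

def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """Encode one BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def simple_bind_request(msg_id, dn, password, encoding):
    """LDAPMessage bytes for a simple bind; msg_id must be in 1..127."""
    bind = tlv(0x60,                                    # [APPLICATION 0] BindRequest
               tlv(0x02, b"\x03")                       # version = 3
               + tlv(0x04, dn.encode(encoding))         # name (bind DN)
               + tlv(0x80, password.encode(encoding)))  # simple [0] password
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)

def non_ascii(text):
    """Characters whose byte form depends on the chosen encoding."""
    return [c for c in text if ord(c) > 0x7F]

def requests_match(dn, password, enc_a="utf-8", enc_b="latin-1"):
    """True if the server would receive identical bytes under both encodings."""
    return (simple_bind_request(1, dn, password, enc_a)
            == simple_bind_request(1, dn, password, enc_b))

if __name__ == "__main__":
    dn = "uid=jdoe,dc=example,dc=org"
    for pw in ("secret", "contrase\u00f1a"):
        print(repr(pw), "non-ASCII:", non_ascii(pw),
              "same bytes:", requests_match(dn, pw))
        for enc in ("utf-8", "latin-1"):
            print("  %-8s %s" % (enc, simple_bind_request(1, dn, pw, enc).hex()))
```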