Python的LDAP和Active Directory的问题 [英] Python LDAP and Active Directory issue
问题描述
我会尝试包括尽可能多的细节可能的,但考虑这种情况:
I'll try to include as much detail as possible but consider this situation:
有关隐私问题,可以说我有如下所示的Active Directory基础结构:
For privacy concerns lets say I have an Active Directory infrastructure like the following:
microsoft.com
还有一些子域:
csharp.microsoft.com
vb.microsoft.com
microsoft.com
and some child domains:
csharp.microsoft.com
vb.microsoft.com
所有的用户帐户存储在microsoft.com。
All user accounts are stored at microsoft.com.
我开始了我的code具有以下内容:
I start out my code with the following:
import ldap
ldap.set_option(ldap.OPT_REFERRALS,0)
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_NEVER)
(我知道,我也许应该有域的证书,但你可以做什么)
(I know I should probably have a certificate for the domain, but what can you do)
我然后进行如下所示的连接:
I then make a connection like the following:
conn = ldap.initialize("ldaps://microsoft.com:636")
conn.simple_bind_s("user","pass")
在我的剧本,我在寻找一个用户帐户,我用以下搜索:
In my script I am searching for a user account, and I use the following search:
result_id = conn.search("DC=microsoft,DC=com",
ldap.SCOPE_SUBTREE,
"(&(CN=gates)(!(objectClass=contact)))",
None)
result_type,result_data = conn.result(result_id,0)
好大,所以这个工程....大部分时间。
当它的工作,我得到的东西的效果:
Ok great, so this works....most of the time.
When it does work I get something to the effect of:
[("CN=gates,OU=Users,DC=microsoft,DC=com", {'sAMAccountName':['gates']}])
然而,似乎在随机的,我会得到像下面这样的结果:
However, it seems at random, that I will get results like the following:
[(None, ['ldaps://csharp.microsoft.com/DC=csharp,DC=microsoft,DC=com'])]
虽然结果是有道理的 - 盖茨在csharp.microsoft.com他microsoft.com上存在DC不存在 - 它仍然是非常令人费解,因为我是在IM pression,使用OPT_REFERRALS设置为0会告诉Python的LDAP模块不使用转介。 为了让事情更有趣的我有时也得到类似的结果如下:
While the result makes sense - gates does not exist at csharp.microsoft.com he exists at microsoft.com DC - it is still very puzzling because I am under the impression that using OPT_REFERRALS setting to 0 will tell the Python LDAP module to NOT use referrals. To make things more interesting I also sometimes get results like the following:
[(None, ['ldaps://ForestDnsZones.microsoft.com/DC=ForestDnsZones,DC=microsoft,DC=com'])]
所以我的问题 - ?有什么我做错了
So my question - is there anything I'm doing wrong?
此外,有人建议,如果我使用的搜索路径,如OU =用户,DC =微软,DC = COM,而不是从根(DC =微软,DC = COM),只是在寻找的LDAP客户端模块将不会尝试使用转介 - 这是准确的。
Also, it has been suggested that if I use a search path like "OU=Users,DC=microsoft,DC=com" instead of just searching from the root ( "DC=microsoft,DC=com" ) that the LDAP client module will not attempt to use referrals - is this accurate?
修改
这个问题被证明不是LDAP相关的,而是一个WSGI错误配置。 使用WSGIDaemonProcess解决了交叉污染的问题,我们正在经历。
The issue turned out to not be LDAP related but rather a WSGI mis-configuration. Using the WSGIDaemonProcess solved the cross contamination issue we were experiencing.
推荐答案
设置ldap.OPT_REFERRALS为0通知服务器不追的推介,即不解决这些问题。
Setting ldap.OPT_REFERRALS to 0 tells the server not to "chase" referrals, i.e. not to resolve them.
与无作为第一要素的结果告诉你的服务器的方式,这是一个推荐,但你告诉我,不要追了下去。至少这是我的理解。
Results with None as the first element are the server's way of telling you "this is a referral, but you told me not to chase it down." At least that's my understanding.
如果你不想下线,只是忽略了与无的第一个元素的结果。
If you don't want referrals, just ignore results with a first element of None.
这篇关于Python的LDAP和Active Directory的问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!