Python LDAP and Active Directory issue


Problem description

I'll try to include as much detail as possible but consider this situation:

For privacy concerns let's say I have an Active Directory infrastructure like the following:

microsoft.com
and some child domains:
csharp.microsoft.com
vb.microsoft.com

All user accounts are stored at microsoft.com.

I start out my code with the following:

import ldap
ldap.set_option(ldap.OPT_REFERRALS,0)
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_NEVER)

(I know I should probably have a certificate for the domain, but what can you do)

I then make a connection like the following:

conn = ldap.initialize("ldaps://microsoft.com:636")
conn.simple_bind_s("user","pass")

In my script I am searching for a user account, and I use the following search:

result_id = conn.search("DC=microsoft,DC=com",
                                ldap.SCOPE_SUBTREE,
                                "(&(CN=gates)(!(objectClass=contact)))",
                                None)
result_type,result_data = conn.result(result_id,0)

Ok great, so this works....most of the time.
When it does work I get something to the effect of:

[("CN=gates,OU=Users,DC=microsoft,DC=com", {'sAMAccountName':['gates']})]

However, it seems at random, that I will get results like the following:

[(None, ['ldaps://csharp.microsoft.com/DC=csharp,DC=microsoft,DC=com'])]

While the result makes sense - gates does not exist at csharp.microsoft.com, he exists at the microsoft.com DC - it is still very puzzling because I am under the impression that setting OPT_REFERRALS to 0 will tell the Python LDAP module to NOT use referrals. To make things more interesting I also sometimes get results like the following:

[(None, ['ldaps://ForestDnsZones.microsoft.com/DC=ForestDnsZones,DC=microsoft,DC=com'])]

So my question - is there anything I'm doing wrong?

Also, it has been suggested that if I use a search path like "OU=Users,DC=microsoft,DC=com" instead of just searching from the root ("DC=microsoft,DC=com") the LDAP client module will not attempt to use referrals - is this accurate?

Edit

The issue turned out to not be LDAP related but rather a WSGI misconfiguration. Using the WSGIDaemonProcess solved the cross-contamination issue we were experiencing.

Recommended answer

Setting ldap.OPT_REFERRALS to 0 tells the server not to "chase" referrals, i.e. not to resolve them.

Results with None as the first element are the server's way of telling you "this is a referral, but you told me not to chase it down." At least that's my understanding.

If you don't want referrals, just ignore results with a first element of None.
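
An added example, not code from the question or the answer: one way to drop the `(None, [url])` referral results while keeping a record of where they pointed, plus a connection helper that sets the options per connection and verifies the server certificate instead of using `OPT_X_TLS_NEVER`. The names `split_results`, `connect`, `forest_suffix`, `ca_file` and the `example.net` referral are assumptions made for illustration; the sample data is constructed.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample, shaped like the results quoted in the question; the
# last referral (plaintext, outside the forest) is invented for illustration.
SAMPLE = [
    ("CN=gates,OU=Users,DC=microsoft,DC=com", {"sAMAccountName": [b"gates"]}),
    (None, ["ldaps://csharp.microsoft.com/DC=csharp,DC=microsoft,DC=com"]),
    (None, [b"ldaps://ForestDnsZones.microsoft.com/"
            b"DC=ForestDnsZones,DC=microsoft,DC=com"]),
    (None, ["ldap://dc1.example.net/DC=example,DC=net"]),
]

def split_results(result_data, forest_suffix="microsoft.com"):
    """Separate real entries from unchased referrals.

    An entry is (dn, attrs); a referral is (None, [ldap_url, ...]).
    Each referral is parsed and marked expected only if it uses ldaps
    and its host is the forest root or a name below it.
    """
    entries, referrals = [], []
    for dn, payload in result_data:
        if dn is not None:
            entries.append((dn, payload))
            continue
        for url in payload:
            if isinstance(url, bytes):
                url = url.decode("utf-8")
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            in_forest = host == forest_suffix or host.endswith("." + forest_suffix)
            referrals.append({
                "host": host,
                "base_dn": unquote(parts.path.lstrip("/")),
                "expected": parts.scheme == "ldaps" and in_forest,
            })
    return entries, referrals

def connect(uri, bind_dn, password, ca_file):
    """Hypothetical helper: per-connection options, certificate verified."""
    import ldap  # python-ldap; imported lazily so split_results runs without it
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # must come last: builds the TLS context
    conn.simple_bind_s(bind_dn, password)
    return conn
```

Referrals marked `"expected": False` are worth logging rather than silently discarding, since they point at a host or transport the application was not configured to trust.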
