Python LDAP and Active Directory issue
Question
I'll try to include as much detail as possible but consider this situation:
For privacy concerns, let's say I have an Active Directory infrastructure like the following:
microsoft.com
and some child domains:
csharp.microsoft.com
vb.microsoft.com
All user accounts are stored at microsoft.com.
My code looks like this:
import ldap
# Do not chase referrals returned by the server
ldap.set_option(ldap.OPT_REFERRALS, 0)
# Skip TLS certificate verification (see the note below)
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
(I know I should probably have a certificate for the domain, but what can you do)
Then I set up a connection like this:
# Connect over LDAPS to the forest root and bind with a plain username/password
conn = ldap.initialize("ldaps://microsoft.com:636")
conn.simple_bind_s("user", "pass")
In my script I am searching for a user account, and I use the following search:
# Asynchronous subtree search from the forest root; None = return all attributes
result_id = conn.search("DC=microsoft,DC=com",
                        ldap.SCOPE_SUBTREE,
                        "(&(CN=gates)(!(objectClass=contact)))",
                        None)
# Collect the result for that request (all=0 returns the next available message)
result_type, result_data = conn.result(result_id, 0)
Ok great, so this works....most of the time.
When it does work I get something to the effect of:
[("CN=gates,OU=Users,DC=microsoft,DC=com", {'sAMAccountName':['gates']}])
However, it seems at random, that I will get results like the following:
[(None, ['ldaps://csharp.microsoft.com/DC=csharp,DC=microsoft,DC=com'])]
While the result makes sense - gates does not exist at csharp.microsoft.com, he exists at the microsoft.com DC - it is still very puzzling, because I am under the impression that setting OPT_REFERRALS to 0 will tell the Python LDAP module to NOT use referrals. To make things more interesting, I also sometimes get results like the following:
[(None, ['ldaps://ForestDnsZones.microsoft.com/DC=ForestDnsZones,DC=microsoft,DC=com'])]
So my question - is there anything I'm doing wrong?
Also, it has been suggested that if I use a search path like "OU=Users,DC=microsoft,DC=com" instead of just searching from the root ("DC=microsoft,DC=com"), the LDAP client module will not attempt to use referrals - is this accurate?
Edit
The issue turned out not to be LDAP related but rather a WSGI misconfiguration. Using WSGIDaemonProcess solved the cross-contamination issue we were experiencing.
Accepted answer
Setting ldap.OPT_REFERRALS to 0 tells the server not to "chase" referrals, i.e. not to resolve them.
Results with None as the first element are the server's way of telling you "this is a referral, but you told me not to chase it down." At least that's my understanding.
If you don't want referrals, just ignore results with a first element of None.
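An added example, not from the question or the answer, that applies the answer's advice: it splits python-ldap results into real entries and the (None, [url]) referral tuples, parses the referral URLs, and, going one step beyond the answer, flags any referral whose host lies outside the expected forest DNS suffix. It runs offline on constructed data in the shape shown above; SAMPLE_RESULTS, parse_referral, split_results, foreign_referrals and the forest name are assumptions of the example.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample mirroring the shapes shown in the question: one real
# entry followed by two referral tuples whose DN element is None.
SAMPLE_RESULTS = [
    ("CN=gates,OU=Users,DC=microsoft,DC=com", {"sAMAccountName": ["gates"]}),
    (None, ["ldaps://csharp.microsoft.com/DC=csharp,DC=microsoft,DC=com"]),
    (None, ["ldaps://ForestDnsZones.microsoft.com/DC=ForestDnsZones,DC=microsoft,DC=com"]),
]

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_referral(url):
    """Return (scheme, host, port, base_dn) for an LDAP URL (RFC 4516 subset)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    # The path component carries the base DN and may be URL-encoded;
    # urlsplit lowercases the hostname for us.
    base_dn = unquote(parts.path.lstrip("/"))
    return scheme, parts.hostname, port, base_dn


def split_results(results):
    """Separate real entries from referrals the client was told not to chase.

    With OPT_REFERRALS set to 0, python-ldap hands back a referral as
    (None, [url, ...]). Returns (entries, referrals): entries are the
    (dn, attrs) tuples, referrals are parsed (scheme, host, port, base_dn).
    """
    entries, referrals = [], []
    for dn, payload in results:
        if dn is None:
            referrals.extend(parse_referral(url) for url in payload)
        else:
            entries.append((dn, payload))
    return entries, referrals


def foreign_referrals(referrals, forest_dns="microsoft.com"):
    """Referrals pointing at a host that is not the forest root or one of its subdomains."""
    root = forest_dns.lower()
    suffix = "." + root
    return [r for r in referrals if not (r[1] == root or r[1].endswith(suffix))]
```

Call split_results on the list you build from conn.result and keep only the entries; log or count the referrals rather than following them.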