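python-ldap code returns no data, conflicting with ldapsearch results

Time: 2018-10-11 12:24:47

Tags: python ldap python-ldap

I've run into a problem where the python-ldap module returns no results even though I can get results by other methods. I'm using the same parameters as ldapsearch, but the Python code does nothing. This happens for a good number of the hostnames I search for.

Specifically, I can get valid LDAP data returned for a hostname with the following command: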

$ [2014][AD-user@host-joined-to-AD:~]$ ldapsearch -x -H ldaps://ldap-host-here.ds.subdomain.net:636 -D "AD-user@ds.subdomain.net" -w 'password-here' -b "DC=ds,DC=subdomain,DC=net" "(&(objectclass=computer)(cn=hostname-here))" |less

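When I log in to a Windows system on the domain and search for the hostname via dsa, I also see the computer account for that system, so I know the computer account is in AD/LDAP.

Below are my LDAP-related modules. Note that I know the version of the ldap module is somewhat old, but since I'm running RHEL 7.5, it is the latest I can update to without breaking other dependencies, i.e., I have to install it via RPM.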

$ pip freeze | grep ldap
ldap3==2.5.1
python-ldap==2.4.15

I run my code and nothing shows up in the results:

$ ./to-post.py
Initializing LDAP connection object with uri ldaps://ldap-host-here.ds.subdomain.net:636
Binding with username username-here…
LDAP results - []

The code is below. Any ideas as to why it isn't returning anything even though the computer account exists?

#!/usr/bin/python

import ldap

#####################################
# IN: cfg, hostname, domain string
# OUT: True or False (if in AD or not)
def CheckIfHostInAD(cfg, hostname, env):

    domain = "tld-value-here"
    username = 'username-here'
    password = 'password-here'
    uri = "ldaps://ldap-host-here." + domain + ":636"

    (subdomain, tld) = domain.split('.')
    ## Create instance of LDAP class. No connection has been made yet.
    print("Initializing LDAP connection object with uri " + uri )
    l = ldap.initialize(uri)   #####!!!
    results = []
    OU_setting = ""

    try:
        # When we connect, make sure to connect using LDAPv3
        l.protocol_version = ldap.VERSION3
        #set connection
        l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
        l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

        print("Binding with username " + username + "...")
        bind = l.simple_bind_s(username, password)

        # When we search, the base is the level at which we want to start searching
        OU_setting = ""
        base = OU_setting + "DC=ds,DC=" + subdomain + ",DC=net"

        # When we search, filter results down to ones that have an objectClass of "computer"
        criteria = "(&(objectclass=computer)(cn=" + hostname + "))"

        attributes = ['name']

        print("Getting hostnames in " + domain
                +  ", base " + str(base) + ", criteria " + str(criteria) )
        # Ok! Search and store the result in the variable "result"
        ldap_dump = l.search_s(base, ldap.SCOPE_SUBTREE, criteria, attributes)
        print("Found " + len(ldap_dump) + " hostnames in " + domain)

        # Print the results to the console
        for data_dict in [entry for dn, entry in ldap_dump if isinstance(entry, dict)]:
            results.append(data_dict["name"][0])

    except Exception as e:
        print("error - " + e)
    # Now that we're done (failed or not), release the connection
    finally:
        l.unbind()
        print("LDAP results - " + str(results))
        return results


cfg = ""
hostname = "short-hostname-here"
env = ""
result = CheckIfHostInAD(cfg, hostname, env)
quit()

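As I mentioned earlier, I'd rather not upgrade the python-ldap module if I don't have to. In other words, unless a newer version addresses some bug that causes no data to be returned, I don't want to upgrade.

I changed the initialization to a more verbose logging level: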

l = ldap.initialize(uri, trace_level=4, trace_file=sys.stderr)

I added this to try to block referrals:

l.set_option(ldap.OPT_REFERRALS, 0)

I also added an attribute, so that I know I'm getting the data specifically from AD/LDAP:

attributes = ['operatingSystem','name'] 

Then I re-ran the code and got:

*** <ldap.ldapobject.SimpleLDAPObject instance at 0x1115e3950> ldaps://ldap-host-here:636 - SimpleLDAPObject.simple_bind
(('username@domain', 'password-here', None, None), {})
=> result:
1
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x1115e3950> ldaps://ldap-host-here:636 - SimpleLDAPObject.result4
((1, 1, -1, 0, 0, 0), {})
=> result:
(97, [], 1, [])
CheckIfHostInAD - Getting hostnames in dtveng.net, base DC=ds,DC=dtveng,DC=net, criteria (&(objectclass=computer)(cn=d010220021199))
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x1115e3950> ldaps://ldap-host-here:636 - SimpleLDAPObject.search_ext
(('blah=ds,blah=blah,DC=net',
2,
'(&(objectclass=computer)(cn=hostname-here))',
('operatingSystem', 'name'),
0,
None,
None,
-1,
0),
{})
=> result:
2
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x1115e3950> ldaps://ldap-host-here:636 - SimpleLDAPObject.result4
((2, 1, -1, 0, 0, 0), {})
=> result:
(101,
[(u'CN=CN-here,OU=blah,OU=blah2,OU=blah3,OU=blah4,DC=blah5,DC=blah6,DC=blah7',
 {u'name': ['hostname-here'],
 u'operatingSystem': ['Red Hat Enterprise Linux']}),
 (None, [u'ldaps://ldap-host-here/CN=Configuration,DC=blah,DC=blah,DC=blah'])],
 2,
 [])
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x1115e3950> ldaps://ldap-host-here:636 - SimpleLDAPObject.unbind_ext
((None, None), {})
=> result:
None

Why doesn't the code return anything, i.e., why doesn't it return the results shown in the output of the second SimpleLDAPObject.result4?

0 answers:

No answers
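
An added example, not part of the original post: a reduction of the posted function's control flow, run over a constructed result list shaped like the second result4 trace, showing how a TypeError in the try block, a second one in the handler, and a return inside finally yield an empty list with no error printed. The function names and sample data are assumptions made for illustration.

```python
# Constructed sample shaped like the second result4 trace in the question:
# one matching entry followed by a referral row whose DN is None.
SAMPLE_DUMP = [
    ("CN=CN-here,OU=blah,DC=blah5,DC=blah6,DC=blah7",
     {"name": ["hostname-here"], "operatingSystem": ["Red Hat Enterprise Linux"]}),
    (None, ["ldaps://ldap-host-here/CN=Configuration,DC=blah,DC=blah,DC=blah"]),
]


def names_swallowed(ldap_dump):
    """Hypothetical reduction of the posted control flow; always returns []."""
    results = []
    try:
        # TypeError: str + int, raised before the loop below ever runs.
        print("Found " + len(ldap_dump) + " hostnames")
        for data_dict in [entry for dn, entry in ldap_dump if isinstance(entry, dict)]:
            results.append(data_dict["name"][0])
    except Exception as e:
        # Second TypeError: str + exception object, raised inside the handler.
        print("error - " + e)
    finally:
        # A return inside finally discards the exception still in flight.
        return results


def names_reported(ldap_dump):
    """Hypothetical corrected form: explicit str(), errors reach the caller."""
    results = []
    try:
        print("Found " + str(len(ldap_dump)) + " result rows")
        for dn, entry in ldap_dump:
            if dn is None or not isinstance(entry, dict):
                continue  # referral row, not a directory entry
            results.append(entry["name"][0])
    except Exception as e:
        print("error - " + str(e))
        raise  # surface the failure instead of returning an empty list
    return results


if __name__ == "__main__":
    print(names_swallowed(SAMPLE_DUMP))
    print(names_reported(SAMPLE_DUMP))
```

Separately from the empty result, a hostname that comes from outside the script should pass through `ldap.filter.escape_filter_chars` before it is concatenated into the search filter.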