我遇到了一个问题,即使我能够通过其他方法获得结果,python-ldap模块也没有返回任何结果。我使用与ldapsearch相同的参数,但是python代码没有任何作用。我搜索了大量主机名时就会发生这种情况。
具体来说,我可以使用以下命令获取主机名返回的有效LDAP数据:
$ [2014][AD-user@host-joined-to-AD:~]$ ldapsearch -x -H ldaps://ldap-host-here.ds.subdomain.net:636 -D "AD-user@ds.subdomain.net” -w ‘password-here' -b "DC=ds,DC=subdomain,DC=net" "(&(objectclass=computer)(cn=hostname-here))” |less
在域上登录Windows系统并通过dsa搜索主机名时,我也看到了该系统的计算机帐户,因此我知道该计算机帐户位于AD / LDAP中。
以下是我的LDAP相关模块。请注意,我知道ldap模块的版本有些旧,但是当我运行RHEL 7.5时,它是最新的,我可以在不导致其他依赖关系中断的情况下进行更新,即,我必须通过RPM安装它。
$ pip freeze | grep ldap
ldap3==2.5.1
python-ldap==2.4.15
我运行我的代码,结果中什么也没显示:
$ ./to-post.py
Initializing LDAP connection object with uri ldaps://ldap-host-here.ds.subdomain.net:636
Binding with username username-here…
LDAP results - []
代码在下面。关于为何即使计算机帐户存在也无法归还任何东西的任何想法?
#!/usr/bin/python
import ldap
#####################################
# IN: cfg, hostname, domain string
# OUT: True or False (if in AD or not)
def CheckIfHostInAD(cfg, hostname, env):
domain = "tld-value-here"
username = 'username-here'
password = 'password-here'
uri = "ldaps://ldap-host-here." + domain + ":636"
(subdomain, tld) = domain.split('.')
## Create instance of LDAP class. No connection has been made yet.
print("Initializing LDAP connection object with uri " + uri )
l = ldap.initialize(uri) #####!!!
results = []
OU_setting = ""
try:
# When we connect, make sure to connect using LDAPv3
l.protocol_version = ldap.VERSION3
#set connection
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
print("Binding with username " + username + "...")
bind = l.simple_bind_s(username, password)
# When we search, the base is the level at which we want to start searching
OU_setting = ""
base = OU_setting + "DC=ds,DC=" + subdomain + ",DC=net"
# When we search, filter results down to ones that have an objectClass of "computer"
criteria = "(&(objectclass=computer)(cn=" + hostname + "))"
attributes = ['name']
print("Getting hostnames in " + domain
+ ", base " + str(base) + ", criteria " + str(criteria) )
# Ok! Search and store the result in the variable "result"
ldap_dump = l.search_s(base, ldap.SCOPE_SUBTREE, criteria, attributes)
print("Found " + len(ldap_dump) + " hostnames in " + domain)
# Print the results to the console
for data_dict in [entry for dn, entry in ldap_dump if isinstance(entry, dict)]:
results.append(data_dict["name"][0])
except Exception as e:
print("error - " + e)
# Now that we're done (failed or not), release the connection
finally:
l.unbind()
print("LDAP results - " + str(results))
return results
cfg = ""
hostname = “short-hostname-here”
env = ""
result = CheckIfHostInAD(cfg, hostname, env)
quit()
正如我之前提到的,如果不需要,我宁愿不升级python-ldap模块。换句话说,除非在较新的版本中出现某些错误导致没有返回数据,否则我不希望升级。
我将初始化更改为更详细的日志级别:
l = ldap.initialize(uri, trace_level=4, trace_file=sys.stderr)
添加了此内容以尝试阻止:
l.set_option(ldap.OPT_REFERRALS, 0)
我还添加了一个属性,所以我知道我是从AD / LDAP专门获取数据的
attributes = ['operatingSystem','name']
然后我重新运行代码,并得到:
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x1115e3950> ldaps://ldap-host-here:636 - SimpleLDAPObject.simple_bind
(('username@domain', 'password-here', None, None), {})
=> result:
1
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x1115e3950> ldaps://ldap-host-here:636 - SimpleLDAPObject.result4
((1, 1, -1, 0, 0, 0), {})
=> result:
(97, [], 1, [])
CheckIfHostInAD - Getting hostnames in dtveng.net, base DC=ds,DC=dtveng,DC=net, criteria (&(objectclass=computer)(cn=d010220021199))
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x1115e3950> ldaps://ldap-host-here:636 - SimpleLDAPObject.search_ext
(('blah=ds,blah=blah,DC=net',
2,
'(&(objectclass=computer)(cn=hostname-here))',
('operatingSystem', 'name'),
0,
None,
None,
-1,
0),
{})
=> result:
2
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x1115e3950> ldaps://ldap-host-here:636 - SimpleLDAPObject.result4
((2, 1, -1, 0, 0, 0), {})
=> result:
(101,
[(u'CN=CN-here,OU=blah,OU=blah2,OU=blah3,OU=blah4,DC=blah5,DC=blah6,DC=blah7',
{u'name': ['hostname-here'],
u'operatingSystem': ['Red Hat Enterprise Linux']}),
(None, [u'ldaps://ldap-host-here/CN=Configuration,DC=blah,DC=blah,DC=blah'])],
2,
[])
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x1115e3950> ldaps://ldap-host-here:636 - SimpleLDAPObject.unbind_ext
((None, None), {})
=> result:
None
为什么代码不返回任何内容,即不返回第二个SimpleLDAPObject.result4输出的结果?