
I encountered the following issue while working with the LDAP3 package: when I pass wrong credentials (wrong username and wrong password), I get the same Microsoft Active Directory LDAP result sub-code in the bind response as when only the password is invalid.

My code:

    from ldap3 import Connection, Server, NONE, NTLM

    server = Server(url, use_ssl=True, get_info=NONE)
    con = Connection(server, user='ValidID', password='ValidPassword')
    con.bind()
    con.unbind()
    print(con.result)

The result I am getting here:

    {'result': 0, 'description': 'success', 'dn': '', 'message': '', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}

Nothing wrong with that. But...

    con = Connection(server, user='InvalidID', password='InvalidPassword')
    con.bind()
    con.unbind()
    print(con.result)

Gives me the following result:

    {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\x00', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}

According to ldap wiki:

52e - ERROR_LOGON_FAILURE

Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.

In that case I shouldn't be getting the "data 52e" message, because the username is not valid.

Or am I getting something wrong? Another thing that comes to mind: it might be the LDAP server's fault, and it is sending wrong messages.

w8eight
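Added example, not part of the original post: a small decoder for the `data` sub-code carried in the `message` field of the bind response shown above. The function name `decode_bind_result` and the table entries other than 52e (standard Win32 error values) are additions; the server chooses which sub-code to send, so the decoder can only report what it received.

```python
import re

# Win32 logon error codes that AD embeds (in hex) after "data" in the
# diagnostic message of a failed bind. 52e is the one quoted on this page;
# the others are standard Win32 error values added here for context.
AD_BIND_SUBCODES = {
    0x525: "ERROR_NO_SUCH_USER",
    0x52E: "ERROR_LOGON_FAILURE",
    0x530: "ERROR_INVALID_LOGON_HOURS",
    0x531: "ERROR_INVALID_WORKSTATION",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x701: "ERROR_ACCOUNT_EXPIRED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def decode_bind_result(result):
    """Return (ldap_result, subcode_hex, subcode_name) for an ldap3 bind result dict.

    subcode_hex and subcode_name are None when the result is not 49 or the
    server sent no 'data xxx' token; unlisted codes get the name 'UNKNOWN'.
    """
    code = result.get("result")
    if code != 49:  # only invalidCredentials (49) is decoded here
        return code, None, None
    message = (result.get("message") or "").rstrip("\x00")  # AD appends a NUL
    match = _DATA_RE.search(message)
    if match is None:
        return code, None, None
    value = int(match.group(1), 16)
    return code, format(value, "x"), AD_BIND_SUBCODES.get(value, "UNKNOWN")


# The two bind results from the question, trimmed to the fields used here.
SUCCESS = {'result': 0, 'description': 'success', 'message': ''}
FAILURE = {
    'result': 49, 'description': 'invalidCredentials',
    'message': '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\x00',
}

if __name__ == "__main__":
    for sample in (SUCCESS, FAILURE):
        print(decode_bind_result(sample))
```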

1 Answer

That happens because you should bind port after initialization of the server connection and unbind after manipulations. It should look like this example:

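    import ldap3

    # SERVER, new_secret and old_secret are placeholders to be defined by the caller
    ldap_server = ldap3.Server(SERVER, get_info=ldap3.ALL)
    conn = ldap3.Connection(
        server=ldap_server,
        user='user_principal_name',
        password='password'
    )
    conn.bind()  # bind after creating the connection
    ldap3.extend.microsoft.modifyPassword.ad_modify_password(
        conn,
        'user_distinguished_name',
        new_secret,
        old_secret,
        controls=None
    )
    conn.unbind()  # unbind once the operations are done
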
Allo
  • autobind doesn't unbind, to my sorrow – Allo Aug 22 '22 at 05:49
  • That's an old question, but in my case I didn't do any manipulations, just got wrong error code when trying to connect with invalid credentials. Looking at it after some time, probably server was misconfigured, and didn't handle it properly – w8eight Oct 27 '22 at 06:51