#Users Accounts path
bind_dn = "cn="+user+",ou=" +user[0]+",OU=Useraccounts,OU=Mtp,DC=us,DC=bosch,DC=com" and "cn="+user+",ou=" +user[0]+",OU=Useraccounts,OU=Ca1,DC=br,DC=bosch,DC=com"
bind_pass = password

If I do "and", it only searches the second folder.

#Users Accounts path
bind_dn = "cn="+user+",ou=" +user[0]+",OU=Useraccounts,OU=Mtp,DC=us,DC=bosch,DC=com" or "cn="+user+",ou=" +user[0]+",OU=Useraccounts,OU=Ca1,DC=br,DC=bosch,DC=com"
bind_pass = password

When I do "or", it only searches the first folder.

This is for LDAP authentication; it goes into these folders to search for usernames to make sure they exist. Is there a function I can use to have this bind_dn search both folders for users instead of just one or the other?

Function to connect LDAP

from ldap3 import Server, Connection, SUBTREE


def connect_ldap(user, password):

    #CHANGE TO YOUR LDAP SERVER HERE
    #LDAP Server
    ldap_server = "bosch.com"

    #CHANGE TO YOUR BIND_DN PATH HERE
    #Users Accounts path
    #(user is concatenated into the DN unescaped; a name containing ',', '+', '=' or '\' changes the DN that is bound)
    bind_dn = "cn="+user+",ou=" +user[0]+",OU=Useraccounts,OU=Mtp,DC=us,DC=bosch,DC=com" and "cn="+user+",ou=" +user[0]+",OU=Useraccounts,OU=Ca1,DC=br,DC=bosch,DC=com"
    bind_pass = password

    #Config the server and connection (LDAPS on 636)
    server = Server(ldap_server, port=636, use_ssl=True)
    conn = Connection(server=server, user=bind_dn, password=bind_pass)

    #First make a touchbase in the LDAP Server with the credentials to authenticate
    connection_status = conn.bind()
    print("Status: ", connection_status)

    # If the user and pass is correct it will continue the script
    if connection_status:

        #Filter the search to Groups
        search_filter = '(objectClass=group)'
        try:
            #CHANGE TO YOUR GROUP SEARCH HERE
            #This search will return a members list of the selected group
            conn.search("CN=CI/OSR-NA Staff,OU=Recipients,OU=MAIL34,OU=DL,OU=MSX,DC=us,DC=bosch,DC=com",
                        search_filter, search_scope=SUBTREE, attributes=['member'])
            members = []

            #Set the list in a variable (the group itself is the only entry returned)
            for entry in conn.entries:
                members = entry.member.values

            print("\nGroup Members: \n\n", members, "\n")
            status = "Permission Denied"

            #Check if the user is part of the group
            #(substring match on the member DN: "jdoe" also matches "CN=jdoe2,...";
            # compare the CN exactly if this decides authorization)
            for member in members:

                #If the user is part of the group it will return "Permission Allowed" and terminate the script.
                if user.lower() in member.lower():
                    status = "Permission Allowed"
                    return status

            #If the user is not part of the group it will return "Permission Denied" and terminate the script.
            return status
        except Exception as e:
            return e

    # If the user and pass is incorrect it will return "Connection error" and terminate the script.
    return "Connection error"
Faraz Gul

1 Answer


bind_dn is a string, so it's converting whatever you have on the right to a single string. The reason for the difference between using `and` and `or` is how those keywords operate on strings.

a and b

means: If string a has a value, then use string b. In your case, because the first string is a constant string, it always has a value, so the result is always the second string.

a or b

means: If string a has a value, use that. Otherwise, use string b. In your case, because the first string is a constant string, it always has a value so that first string is always used.

This syntax is pointless with static strings, since the result will always be the same. You would usually use this syntax with variables. You can read this answer for cases where this is quite useful.

You will need to set that to a single string without `and` or `or`. You haven't shown the code where you use these variables, and I can't figure it out from the python-ldap documentation. But if you're using `bind_dn` to authenticate, then what you do will depend on what your LDAP server is running. If you're using Active Directory, I know it will accept just the username - you don't need the full DN. So if you are using AD, you can just do this:

bind_dn = user
Gabriel Luci
  • I've added my entire code underneath for you to see how I am using it. `bind_dn = user` won't work in my case – Faraz Gul Jun 18 '20 at 17:08
  • @FarazGul Is the server Active Directory? – Gabriel Luci Jun 18 '20 at 17:25
  • The server isn't directly linked to the entire Active Directory, but it is using folders inside Active Directory. – Faraz Gul Jun 18 '20 at 17:41
  • If it's AD, then you can use `bind_dn = user`. If you need to restrict your application to only users in one of those two OUs, then you can search for the username after you connect (`"(sAMAccountName=" + user + ")"`) and look at the `distinguishedName` to verify the account is in one of those two OUs. This is the only way to do it, because if you want to provide a full DN in the `bind_dn`, then you have to know which OU the user is in before you connect, which you have no way of knowing. – Gabriel Luci Jun 18 '20 at 18:00
  • The users that I need are in those two different OUs stated above; I need all the users that are there. Is there no way to have the LDAP code search both entire OUs without putting in usernames? – Faraz Gul Jun 19 '20 at 14:04
  • This is for authentication right? The user gives you their username in `user` and their `password` and you are using those credentials to authenticate to LDAP, correct? If that's true, then you don't know which OU the user is in before you authenticate. So just use `bind_dn = user` and it won't matter which OU the user is in. – Gabriel Luci Jun 19 '20 at 15:15
  • I've tried using `bind_dn = user` and it does not work. But if I provide a specific OU, then it will work using a certain folder, but it will not allow me to find people in two separate folders. Both folder paths are shown in the code above, and the users that I need belong in both of those folders; I have access to view them and see their usernames in the folders. – Faraz Gul Jun 22 '20 at 14:18
  • Is the user's `sAMAccountName` (also called "pre-Windows 2000 username") the same as the `cn` (the value in the DN)? It sounds like they might be different. AD allows you to authenticate with either the `sAMAccountName`, the `userPrincipalName`, or the full distinguished name. – Gabriel Luci Jun 22 '20 at 14:28
  • They are different. The user accounts in the CN are different users than the Windows 2000 username. The usernames that I need are in the two folder paths above in the code. I just need the LDAP code to be able to access both folder paths to read and confirm all usernames within those folders, because as of right now it only allows the code to read one or the other, not both. – Faraz Gul Jun 22 '20 at 16:11
  • If the user only gives you their CN (which is odd - no other authentication method works like this) then the only thing you can do is try one, then if it fails, try the other. – Gabriel Luci Jun 22 '20 at 16:21
  • The user enters their username, and the username is stored in the folder path shown above. The issue that I am having is that my usernames for authentication are stored in these separate folders: `bind_dn = "cn="+user+",ou=" +user[0]+",OU=Useraccounts,OU=Mtp,DC=us,DC=bosch,DC=com" and "cn="+user+",ou=" +user[0]+",OU=Useraccounts,OU=Ca1,DC=br,DC=bosch,DC=com"` – Faraz Gul Jun 22 '20 at 20:17
  • And the users that have access are added to this folder/group, so once the username is entered it searches the above code to confirm it is there: `conn.search("CN=CI/OSR-NA Staff,OU=Recipients,OU=MAIL34,OU=DL,OU=MSX,DC=us,DC=bosch,DC=com",` – Faraz Gul Jun 22 '20 at 20:18
  • You are confusing some terms. The "username" refers to either the `sAMAccountName` or the `userPrincipalName`. The CN is the "common name", or just the "name" (it's stored in the `cn` and `name` attributes). The `sAMAccountName`, `userPrincipalName` and `cn` can all be different. What you are calling "folder path" is called an "organizational unit" (OU). – Gabriel Luci Jun 22 '20 at 20:27
  • If your users are in one of two OUs, then you have two options: 1. Make sure your users provide their actual username (`sAMAccountName` or `userPrincipalName`) to login and use that. Then after successfully connecting, search for their account and verify the OU they are in. Or 2. If they must give you their `cn`, then construct that into a DN assuming one of the OUs (the same way you are now), and if that doesn't work, try the other OU. – Gabriel Luci Jun 22 '20 at 20:29
  • It's not a `sAMAccountName`, and I'm not sure if it's a `userPrincipalName`; they are usernames stored in the above directories that I have listed, and that is what I'm trying to access. All I am trying to do is have the code read into both instead of just one. Is there no way for me to do that? Would you be able to read through my code above? I posted the entire code so you can see where I am coming from. Thank you – Faraz Gul Jun 22 '20 at 21:21
  • I understand what you're trying to do :) You just cannot do that because you don't know which OU the user is in before you authenticate. So you will have to use option 2 in my comment above: try one OU, and if that fails, try the other. – Gabriel Luci Jun 22 '20 at 21:36
  • Would you be able to give me a sample of the two options just so I can see it for reference? – Faraz Gul Jun 23 '20 at 14:20
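The two options Gabriel Luci describes in the comments, written out as an added example (this is not code from the question or the answer): option 1 binds with the real username (`sAMAccountName`), then searches for the account and requires its `distinguishedName` to sit under one of the two OUs; option 2 builds the DN for each OU from the typed `cn` and tries the binds in turn, stopping at the first success. The directory is abstracted as two callables, `bind` and `search`, so the module runs offline against the constructed `FAKE_ACCOUNTS` list; with ldap3 you would pass something like `lambda identity, pw: Connection(server, user=identity, password=pw).bind()` as `bind`, and as `search` a wrapper around `conn.search(base, filter, attributes=['distinguishedName'])` that returns the DN values. The two OU suffixes are copied from the question; that these are the only OUs allowed to log in, and that `sAMAccountName` is the attribute users know, are assumptions. Unlike the question's code, the typed name is escaped before it is concatenated into a DN (RFC 4514) or a filter (RFC 4515).

```python
import re

# The two OUs from the question (assumed to be the only ones allowed to log in).
ALLOWED_OU_SUFFIXES = (
    "OU=Useraccounts,OU=Mtp,DC=us,DC=bosch,DC=com",
    "OU=Useraccounts,OU=Ca1,DC=br,DC=bosch,DC=com",
)


def escape_rdn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    out = out.replace("\x00", "\\00")
    if out.endswith(" "):             # trailing space first, then leading '#'/space
        out = out[:-1] + "\\ "
    if out.startswith(("#", " ")):
        out = "\\" + out
    return out


def escape_filter_value(value):
    """Escape a value for use in a search filter (RFC 4515 section 3)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def candidate_dns(cn):
    """The DN the question builds by hand, once per OU, with cn escaped."""
    if not cn:
        raise ValueError("empty name")
    rdn, letter = escape_rdn_value(cn), escape_rdn_value(cn[0])
    return ["cn=%s,ou=%s,%s" % (rdn, letter, ou) for ou in ALLOWED_OU_SUFFIXES]


def dn_in_allowed_ou(dn):
    """True if dn sits under one of the allowed OUs (case-insensitive)."""
    norm = re.sub(r",\s+", ",", dn).lower()
    return any(norm.endswith("," + ou.lower()) for ou in ALLOWED_OU_SUFFIXES)


def authenticate_by_dn(cn, password, bind):
    """Option 2: try the DN for each OU; return the DN that bound, else None."""
    if not password:      # empty password = unauthenticated bind (RFC 4513 5.1.2)
        return None
    for dn in candidate_dns(cn):
        if bind(dn, password):
            return dn
    return None


def authenticate_by_username(username, password, bind, search):
    """Option 1: bind with sAMAccountName (AD also accepts the UPN), then look
    the account up and require its DN to be under an allowed OU."""
    if not username or not password or not bind(username, password):
        return None
    for dn in search("(sAMAccountName=%s)" % escape_filter_value(username)):
        if dn_in_allowed_ou(dn):
            return dn
    return None


# Constructed stand-in for the directory; these are not real accounts.
# As in the thread, cn and sAMAccountName differ for the first account.
FAKE_ACCOUNTS = [
    {"sam": "jdoe", "cn": "John Doe", "password": "Summer2020!",
     "dn": "CN=John Doe,OU=J,OU=Useraccounts,OU=Ca1,DC=br,DC=bosch,DC=com"},
    {"sam": "asmith", "cn": "asmith", "password": "hunter2",
     "dn": "CN=asmith,OU=a,OU=Useraccounts,OU=Mtp,DC=us,DC=bosch,DC=com"},
    {"sam": "svc-backup", "cn": "svc-backup", "password": "b4ckup!",
     "dn": "CN=svc-backup,OU=Service,DC=us,DC=bosch,DC=com"},  # outside both OUs
]


def fake_bind(identity, password):
    """Stands in for Connection.bind(); identity is a DN or a sAMAccountName."""
    ident = identity.lower()
    return any(ident in (a["dn"].lower(), a["sam"].lower()) and password == a["password"]
               for a in FAKE_ACCOUNTS)


def fake_search(ldap_filter):
    """Stands in for conn.search(); understands only (sAMAccountName=value)."""
    m = re.fullmatch(r"\(sAMAccountName=(.*)\)", ldap_filter)
    wanted = m.group(1).lower() if m else None
    return [a["dn"] for a in FAKE_ACCOUNTS
            if escape_filter_value(a["sam"]).lower() == wanted]


if __name__ == "__main__":
    print(authenticate_by_dn("John Doe", "Summer2020!", fake_bind))
    print(authenticate_by_username("jdoe", "Summer2020!", fake_bind, fake_search))
    print(authenticate_by_username("svc-backup", "b4ckup!", fake_bind, fake_search))  # None
```

Option 1 is the one to prefer when users know their `sAMAccountName`: it costs one bind, and the OU check is made on the DN the server returns rather than on a DN guessed client-side. Option 2 costs up to one bind per OU per login, and the order of `ALLOWED_OU_SUFFIXES` decides which account wins if the same `cn` exists in both OUs.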