Group Membership in Active Directory Query
I am trying to write a script to simply query the group members in an
active directory group. I need to use LDAP to make sure I capture any
global > global group nestings that may occur. I already have a
function that uses WinNT provider to capture this info from NT4 or AD
domains and it works beautifully. It just doesn't capture global >
global nestings. I am having great difficulties in getting this to
work on AD though with ldap. I have a multiple domain tree
environment and need to be able to query groups in different domains.
I want to simply make an ldap connection, bind to it, search for the
group and get its members.
I do the following for eDirectory and it works great but not in AD.
    import ldap

    # ldap.open() is deprecated; ldap.initialize() takes an LDAP URL
    l = ldap.initialize('ldap://1.2.3.4', trace_level=1)
    l.simple_bind_s('cn=username,ou=company', 'password')
    UserRes = []
    UserRes = UserRes + l.search_s(
        'o=company',
        ldap.SCOPE_SUBTREE, '(cn=groupname)')
If I do the same thing as above but to an AD source it doesn't work.
I run the open and it seems successful, I run the bind using DN, UPN,
or domain name and password and it seems to bind, I run the query and
it says I must complete a successful bind operation before doing a
query.
Any help is appreciated.
--
http://mail.python.org/mailman/listinfo/python-list
Re: Group Membership in Active Directory Query
On Feb 7, 9:22 am, [EMAIL PROTECTED] wrote:
> I am trying to write a script to simply query the group members in an
> active directory group. I need to use LDAP to make sure I capture any
> global > global group nestings that may occur. I already have a
> function that uses WinNT provider to capture this info from NT4 or AD
> domains and it works beautifully. It just doesn't capture global >
> global nestings. I am having great difficulties in getting this to
> work on AD though with ldap. I have a multiple domain tree
> environment and need to be able to query groups in different domains.
> I want to simply make an ldap connection, bind to it, search for the
> group and get its members.
> I do the following for eDirectory and it works great but not in AD.
>
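>     import ldap
>
>     # ldap.open() is deprecated; ldap.initialize() takes an LDAP URL
>     l = ldap.initialize('ldap://1.2.3.4', trace_level=1)
>     l.simple_bind_s('cn=username,ou=company', 'password')
>     UserRes = []
>     UserRes = UserRes + l.search_s(
>         'o=company',
>         ldap.SCOPE_SUBTREE, '(cn=groupname)')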
>
> If I do the same thing as above but to an AD source it doesn't work.
> I run the open and it seems successful, I run the bind using DN, UPN,
> or domain name and password and it seems to bind, I run the query and
> it says I must complete a successful bind operation before doing a
> query.
>
> Any help is appreciated.
I found an example in the groups here and attempted it but it failed
as well. Below is the code I used and the results.
    import ldap, ldapurl

    proto = 'ldap'
    server = 'domaincontroller.domain.company.com'
    port = 389
    url = ldapurl.LDAPUrl(urlscheme=proto,
                          hostport="%s:%s" % (server, str(port))).initializeUrl()
    ldap_obj = ldap.initialize(url)
    # !!!password will be on wire in plaintext!!!
    ldap_obj = ldap_obj.simple_bind_s('[EMAIL PROTECTED]',
                                      'password')
    base = 'DC=DOMAIN, DC=COMPANY, DC=COM'
    scope = ldap.SCOPE_SUBTREE
    query = '(objectclass=user)'
    res_attrs = ['*']
    res = ldap_obj.search_ext_s(base, scope, query, res_attrs)
    print(res)
RESULTS FROM PYTHON SHELL
res=ldap_obj.search_ext_s(base, scope, query, rest_attrs)
AttributeError: 'NoneType' object has no attribute 'search_Ext_s'
Re: Group Membership in Active Directory Query
On Feb 7, 11:56 am, Uwe Hoffmann <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] schrieb:
>
> > ldap_obj = ldap_obj.simple_bind_s('[EMAIL PROTECTED]',
> > 'password')
>
> > AttributeError: 'NoneType' object has no attribute 'search_Ext_s'
>
> dummy = ldap_obj.simple_bind_s('[EMAIL PROTECTED]',
>                                'password')
> or better simply
> ldap_obj.simple_bind_s('[EMAIL PROTECTED]',
>                        'password')
First and foremost thanks for the feedback. Although I don't
appreciate the slight dig at me.
dummy = ldap_obj.simple_bind..
I tried your second recommendation of using
ldap_obj.simple_bind_s('[EMAIL PROTECTED]','password')
Now I get the following error even after the bind operation seems to
complete successfully.
result = func(*args,**kwargs)
OPERATIONS_ERROR: {'info': ': LdapErr: DSID-0C0905FF, comment:
In order to perform this operation a successful bind must be completed
on the connection., data 0, vece', 'desc': 'Operations error'}
Thanks again...
Re: Group Membership in Active Directory Query
On Feb 7, 7:52 pm, "alex23" <[EMAIL PROTECTED]> wrote:
> On Feb 8, 4:27 am, [EMAIL PROTECTED] wrote:
>
> > First and foremost thanks for the feedback. Although I don't
> > appreciate the slight dig at me.
> > dummy = ldap_obj.simple_bind..
>
> I _really_ don't think Uwe was intending any slight, 'dummy' generally
> means 'dummy variable' ie it's just there to catch the value but it's
> never used after that :)
>
> If you're doing a lot of AD work, I highly recommend Tim Golden's
> active_directory module: http://timgolden.me.uk/python/active_directory.html
>
> His WMI module has also been a godsend on a number of occasions.
>
> - alex23
Alex-
Thanks for your response and Uwe I apologize if I misunderstood
and misinterpreted your comments. I am sorry.
I have tried Tim's module called active_directory and it works really
well. But I can't figure out how to connect to a specific group if I
know the common name for it but not the DN and then return its
members. Example I know the group name is domain1\sharedaccess.
How do I bind to that group and get the members. The domain isn't
necessarily the defaultnamingcontext. It could be another domain in
the forest. I need to be able to connect to any domain group and get
its members. Thanks again.
Re: Group Membership in Active Directory Query
On Feb 8, 8:44 am, "Kooch54" <[EMAIL PROTECTED]> wrote:
> On Feb 7, 7:52 pm, "alex23" <[EMAIL PROTECTED]> wrote:
>
> > On Feb 8, 4:27 am, [EMAIL PROTECTED] wrote:
> >
> > > First and foremost thanks for the feedback. Although I don't
> > > appreciate the slight dig at me.
> > > dummy = ldap_obj.simple_bind..
> >
> > I _really_ don't think Uwe was intending any slight, 'dummy' generally
> > means 'dummy variable' ie it's just there to catch the value but it's
> > never used after that :)
> >
> > If you're doing a lot of AD work, I highly recommend Tim Golden's
> > active_directory module: http://timgolden.me.uk/python/active_directory.html
> >
> > His WMI module has also been a godsend on a number of occasions.
> >
> > - alex23
>
> Alex-
> Thanks for your response and Uwe I apologize if I misunderstood
> and misinterpreted your comments. I am sorry.
> I have tried Tim's module called active_directory and it works really
> well. But I can't figure out how to connect to a specific group if I
> know the common name for it but not the DN and then return its
> members. Example I know the group name is domain1\sharedaccess.
> How do I bind to that group and get the members. The domain isn't
> necessarily the defaultnamingcontext. It could be another domain in
> the forest. I need to be able to connect to any domain group and get
> its members. Thanks again.
Bump
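Added example, not part of the original thread or of any poster's code: one way to do the lookup asked about above, turning a name such as domain1\sharedaccess into an escaped search filter and expanding group-in-group membership with a guard against circular nesting. The directory contents and the get_members callable are assumptions made for illustration; against a live domain the callable would wrap a python-ldap search as described in the docstring.

```python
# Added example; the directory contents below are constructed.
def escape_filter_value(value):
    """Escape RFC 4515 special characters so a name cannot alter the filter
    (python-ldap ships ldap.filter.escape_filter_chars for the same job)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c
                   for c in value)


def group_filter(nt_name):
    """Build an AD search filter from 'DOMAIN\\group' or a bare group name.
    The domain part selects the search base / domain controller, not the filter."""
    sam = nt_name.split('\\', 1)[-1]
    return '(&(objectCategory=group)(sAMAccountName=%s))' % escape_filter_value(sam)


def expand_members(group_dn, get_members, _seen=None):
    """Return DNs of all non-group members, following group-in-group nesting.

    get_members(dn) is a hypothetical callable: it returns the entry's
    'member' DNs if dn is a group, else None. On a live server it would wrap
    conn.search_s(dn, ldap.SCOPE_BASE, '(objectClass=*)', ['objectClass', 'member'])
    on a connection with conn.set_option(ldap.OPT_REFERRALS, 0) set before binding.
    """
    seen = set() if _seen is None else _seen
    key = group_dn.lower()          # DNs compare case-insensitively
    if key in seen:                 # circular nesting: already expanded
        return set()
    seen.add(key)
    users = set()
    for dn in get_members(group_dn) or []:
        if get_members(dn) is None:
            users.add(dn)           # leaf entry (user, computer, ...)
        else:
            users |= expand_members(dn, get_members, seen)
    return users


BASE = 'DC=domain1,DC=company,DC=com'    # constructed sample directory
SHARED = 'CN=sharedaccess,OU=Groups,' + BASE
HELPDESK = 'CN=helpdesk,OU=Groups,' + BASE
ALICE = 'CN=alice,OU=Staff,' + BASE
BOB = 'CN=bob,OU=Staff,' + BASE
SAMPLE = {SHARED: [ALICE, HELPDESK], HELPDESK: [BOB, SHARED]}  # note the cycle

if __name__ == '__main__':
    print(group_filter('domain1\\sharedaccess'))
    print(sorted(expand_members(SHARED, SAMPLE.get)))
```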
