[GRLUG] Looking for LDAP/ActiveDirectory coders.

Ben DeMott ben.demott at gmail.com
Thu Jul 2 22:30:37 EDT 2009


The biggest problem I've encountered with accessing LDAP servers seems to be
chicken-and-egg issues.
Some LDAP drivers require the domain you want to connect to. I don't want to
connect to a domain, I want to connect to a server -
and ask the server what domains it has present - this is different across
most AD servers.

When you bind to Active Directory through LDAP there is no way of knowing if
the server isn't running LDAP services, your bind failed, or the user
doesn't exist.
So you have to have a USER that you KNOW exists and that you KNOW has
credentials to the server - if that user cannot bind you can assume the
server is unavailable or in fault - they all seem to deal with this issue a
bit differently as well (Microsoft AD deals with it the most poorly).
You also have to know a DOMAIN that exists and a user that belongs to that
domain.

For security reasons it's nice to know when someone tried to log in 10 times
to their own account with the wrong password, vs. 1000 attempts to random
user accounts or random domains that didn't exist.

I suppose DBMSes have the same issue - how do you query the information schema for
a list of databases without connecting to a database - that's why most
databases implement some sort of standard database that is always present
(in the case of PostgreSQL the database postgres is always present).

(almost none of this would be the same across Microsoft, IBM, Novell, Sun,
and other directory servers)

And samaccountname? Really, Microsoft? From NT4, are you serious?

  // $result is the array returned by ldap_get_entries(): attribute names are
  // lowercased in its keys, and the AD attribute is whenCreated, not whenCreate.
  $accountSettings['accountName'] = $result[0]["samaccountname"][0];
  $accountSettings['firstName'] = $result[0]["givenname"][0];
  $accountSettings['lastName'] = $result[0]["sn"][0];
  $accountSettings['fullName'] = $result[0]["displayname"][0];
  $accountSettings['email'] = $result[0]["mail"][0];
  $accountSettings['homeFolder'] = $result[0]["homedirectory"][0];
  $accountSettings['homeDrive'] = $result[0]["homedrive"][0];
  $accountSettings['mailboxStore'] = $result[0]["homemdb"][0];
  $accountSettings['logonScript'] = $result[0]["scriptpath"][0];
  $accountSettings['dialin'] = $result[0]["msnpallowdialin"][0];
  $accountSettings['object'] = $result[0]["objectcategory"][0];
  $accountSettings['logonLast'] = $result[0]["lastlogon"][0];     // FILETIME, per-DC
  $accountSettings['logonCount'] = $result[0]["logoncount"][0];
  $accountSettings['modified'] = $result[0]["whenchanged"][0];    // GeneralizedTime
  $accountSettings['created'] = $result[0]["whencreated"][0];     // GeneralizedTime
  $accountSettings['passwordSet'] = $result[0]["pwdlastset"][0];  // FILETIME, 0 = must change
  $accountSettings['passwordAttempts'] = $result[0]["badpwdcount"][0];

On Thu, Jul 2, 2009 at 10:08 PM, Adam Tauno Williams <awilliam at whitemice.org> wrote:

> > > I'm actually going to be doing some LDAP work with (what was formerly
> > > known as) Fedora Directory Server and using python's ldap interface for
> > > the first time - not sure what you are looking for exactly but if you
> > > need some code examples I would be happy to help ??
> > These are the two tasks that currently exist...
> > http://rosettacode.org/wiki/Connect_to_Active_Directory
> > http://rosettacode.org/wiki/Search_for_a_User_in_Active_Directory
> > They're currently only solved in VBScript and Tcl.  Python (and any
> > other language) examples would be awesome.  As would be some more
> > practical task suggestions in the LDAP/ActiveDirectory domain.
>
> Both these tasks should be generic LDAP provided you have SASL binding.
>
> _______________________________________________
> grlug mailing list
> grlug at grlug.org
> http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug
>
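An added example, not code from this thread or from the list: a Python decoder for the raw values the PHP snippet above copies straight into $accountSettings (whenCreated/whenChanged GeneralizedTime strings, lastLogon/pwdLastSet FILETIME integers, badPwdCount), so an audit script can read them as dates and flags. It assumes the entry shape python-ldap's search_s returns (attribute name to list of bytes) and runs on a constructed sample entry.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(value):
    """Decode an AD large-integer timestamp (lastLogon, pwdLastSet).
    0 (never set / never logged on) and AD's 'never' sentinel map to None."""
    n = int(value)
    if n <= 0 or n == 0x7FFFFFFFFFFFFFFF:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=n // 10)

def generalized_time_to_datetime(value):
    """Decode an LDAP GeneralizedTime like 20090702223037.0Z (UTC)."""
    text = value.decode() if isinstance(value, bytes) else value
    text = text.split(".")[0].rstrip("Z")
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def summarize_account(entry):
    """Read one search result into audit-friendly fields. 'entry' maps
    attribute name -> list of bytes, as python-ldap's search_s returns it."""
    def first(attr):
        v = (entry.get(attr) or [b"0"])[0]
        return v.decode() if isinstance(v, bytes) else v

    pwd_last_set = int(first("pwdLastSet"))
    return {
        "accountName": first("sAMAccountName"),
        "created": generalized_time_to_datetime(first("whenCreated")),
        "modified": generalized_time_to_datetime(first("whenChanged")),
        # lastLogon is per-DC and not replicated; lastLogonTimestamp is.
        "logonLast": filetime_to_datetime(first("lastLogon")),
        "passwordSet": filetime_to_datetime(pwd_last_set),
        # pwdLastSet == 0 means "user must change password at next logon".
        "mustChangePassword": pwd_last_set == 0,
        "badPasswordCount": int(first("badPwdCount")),
    }

# Constructed sample entry (not a real directory object) in python-ldap's shape.
SAMPLE_ENTRY = {
    "sAMAccountName": [b"jdoe"],
    "whenCreated": [b"20090702223037.0Z"],
    "whenChanged": [b"20090703010203.0Z"],
    "lastLogon": [b"0"],                    # never logged on at this DC
    "pwdLastSet": [b"128910474370000000"],  # 2009-07-02 22:30:37 UTC
    "badPwdCount": [b"3"],
}
```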