Group Membership in Active Directory Query

 
 
kooch54@gmail.com
02-07-2007
I am trying to write a script to simply query the group members in an
active directory group. I need to use LDAP to make sure I capture any
global > global group nestings that may occur. I already have a
function that uses WinNT provider to capture this info from NT4 or AD
domains and it works beautifully. It just doesn't capture global >
global nestings. I am having great difficulties in getting this to
work on AD though with ldap. I have a multiple domain tree
environment and need to be able to query groups in different domains.
I want to simply make an ldap connection, bind to it, search for the
group and get its members.
I do the following for eDirectory and it works great but not in AD.

import ldap

# trace_level=1 logs each LDAP call as it is made
l = ldap.open('1.2.3.4', trace_level=1)
l.simple_bind_s('cn=username,ou=company', 'password')
UserRes = []  # accumulated search results
UserRes = UserRes + l.search_s(
    'o=company',
    ldap.SCOPE_SUBTREE, '(cn=groupname)')

If I do the same thing as above but to an AD source it doesn't work.
I run the open and it seems successful, I run the bind using DN, UPN,
or domain name and password and it seems to bind, I run the query and
it says I must complete a successful bind operation before doing a
query.

Any help is appreciated.

 
kooch54@gmail.com
02-07-2007
I found an example in the groups here and attempted it but it failed
as well. Below is the code I used and the results.

import ldap, ldapurl

proto = 'ldap'
server = 'domaincontroller.domain.company.com'
port = 389

url = ldapurl.LDAPUrl(urlscheme=proto,
                      hostport="%s:%s" % (server,
                                          str(port))).initializeUrl()
ldap_obj = ldap.initialize(url)

# !!!password will be on wire in plaintext!!!
ldap_obj = ldap_obj.simple_bind_s('(E-Mail Removed) m',
                                  'password')

base = 'DC=DOMAIN, DC=COMPANY, DC=COM'

scope = ldap.SCOPE_SUBTREE

query = '(objectclass=user)'

res_attrs = ['*']

res = ldap_obj.search_ext_s(base, scope, query, res_attrs)
print(res)

RESULTS FROM PYTHON SHELL
res=ldap_obj.search_ext_s(base, scope, query, rest_attrs)
AttributeError: 'NoneType' object has no attribute 'search_Ext_s'

 
Uwe Hoffmann
02-07-2007
(E-Mail Removed) wrote:
> ldap_obj = ldap_obj.simple_bind_s('(E-Mail Removed) m',
>                                   'password')
>
> AttributeError: 'NoneType' object has no attribute 'search_Ext_s'

dummy = ldap_obj.simple_bind_s('(E-Mail Removed) m',
                               'password')
or better simply
ldap_obj.simple_bind_s('(E-Mail Removed) m',
                       'password')
 
kooch54@gmail.com
02-07-2007
On Feb 7, 11:56 am, Uwe Hoffmann <(E-Mail Removed)> wrote:
> (E-Mail Removed) wrote:
>
> > ldap_obj = ldap_obj.simple_bind_s('(E-Mail Removed) m',
> >                                   'password')
> >
> > AttributeError: 'NoneType' object has no attribute 'search_Ext_s'
>
> dummy = ldap_obj.simple_bind_s('(E-Mail Removed) m',
>                                'password')
> or better simply
> ldap_obj.simple_bind_s('(E-Mail Removed) m',
>                        'password')

First and foremost thanks for the feedback. Although I don't
appreciate the slight dig at me.
dummy = ldap_obj.simple_bind......

I tried your second recommendation of using
ldap_obj.simple_bind_s('(E-Mail Removed) m','password')

Now I get the following error even after the bind operation seems to
complete successfully.
result = func(*args,**kwargs)
OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C0905FF, comment:
In order to perform this operation a successful bind must be completed
on the connection., data 0, vece', 'desc': 'Operations error'}

Thanks again...

 
alex23
02-08-2007
On Feb 8, 4:27 am, (E-Mail Removed) wrote:
> First and foremost thanks for the feedback. Although I don't
> appreciate the slight dig at me.
> dummy = ldap_obj.simple_bind......


I _really_ don't think Uwe was intending any slight, 'dummy' generally
means 'dummy variable' ie it's just there to catch the value but it's
never used after that

If you're doing a lot of AD work, I highly recommend Tim Golden's
active_directory module: http://timgolden.me.uk/python/active_directory.html

His WMI module has also been a godsend on a number of occasions.

- alex23

 
Kooch54
02-08-2007
On Feb 7, 7:52 pm, "alex23" <(E-Mail Removed)> wrote:
> On Feb 8, 4:27 am, (E-Mail Removed) wrote:
>
> > First and foremost thanks for the feedback. Although I don't
> > appreciate the slight dig at me.
> > dummy = ldap_obj.simple_bind......

>
> I _really_ don't think Uwe was intending any slight, 'dummy' generally
> means 'dummy variable' ie it's just there to catch the value but it's
> never used after that
>
> If you're doing a lot of AD work, I highly recommend Tim Golden's
> active_directory module: http://timgolden.me.uk/python/active_directory.html
>
> His WMI module has also been a godsend on a number of occasions.
>
> - alex23


Alex-
Thanks for your response and Uwe I apologize if I misunderstood
and misinterpreted your comments. I am sorry.
I have tried Tim's module called active_directory and it works really
well. But I can't figure out how to connect to a specific group if I
know the common name for it but not the DN and then return its
members. Example.... I know the group name is domain1\sharedaccess.
How do I bind to that group and get the members. The domain isn't
necessarily the defaultnamingcontext. It could be another domain in
the forest. I need to be able to connect to any domain group and get
its members. Thanks again.


 
Kooch54
02-16-2007
Bump

 
Tim Golden
02-16-2007
Kooch54 wrote:
>> Thanks for your response and Uwe I apologize if I misunderstood
>> and misinterpreted your comments. I am sorry.
>> I have tried Tim's module called active_directory and it works really
>> well. But I can't figure out how to connect to a specific group if I
>> know the common name for it but not the DN and then return its
>> members.


For the simple "group in my domain" situation, as
far as I can see you can do something like this:

<code>
import active_directory

# Find the group by its sAMAccountName, then list its direct members
for group in active_directory.search(
    "sAMAccountName='sharedaccess'",
    "objectClass='group'"
):
    print(group)
    for member in group.members:
        print(member)

</code>

(I'm not on an AD-connected machine just now, but I
think that'll do it).

As to finding it another domain, I'm not sure. I suspect
that if you simply issue the above query, you'll get
the groups back from all domains in the forest. But I'm
not sure about that. In essence this isn't a Python question
as such. If you can find out from any source how to formulate
the query in an AD way, I'm quite sure we can translate that
easily into Python.

I'm afraid that my AD module is a very lightweight wrapper
over the LDAP:// object system and offers very little support
(and gets very little attention from me). Hopefully I can
have a boost of energy & time and give it some help.

TJG
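
The nested-group lookup this thread is after, as an added example that is not code from any poster or from the active_directory or python-ldap projects: it builds an escaped search filter from a `domain1\sharedaccess` style name and expands group-in-group membership with loop protection. The function names, the `fetch` callback and the sample directory are constructed for illustration.

```python
import re

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a search-filter value."""
    return re.sub(r'[\\*()\x00]',
                  lambda m: '\\%02x' % ord(m.group()), value)

def group_filter(account):
    """Filter for a group given 'DOMAIN\\name' or a bare sAMAccountName."""
    name = account.split('\\', 1)[-1]
    return ('(&(objectClass=group)(sAMAccountName=%s))'
            % escape_filter_value(name))

def expand_members(group_dn, fetch):
    """Return the DNs of all non-group members, following nested groups.

    fetch(dn) -> (is_group, member_dns) is a hypothetical callback; the
    'seen' set keeps a group-in-group loop from running forever.
    """
    users, seen, stack = set(), {group_dn.lower()}, [group_dn]
    while stack:
        dn = stack.pop()
        is_group, members = fetch(dn)
        if not is_group:
            users.add(dn)
            continue
        for member in members:
            if member.lower() not in seen:   # DN matching ignores case
                seen.add(member.lower())
                stack.append(member)
    return users

# Constructed sample directory (not real data): group DN -> member DNs.
BASE = 'DC=domain1,DC=company,DC=com'
SHARED = 'CN=sharedaccess,OU=Groups,' + BASE
HELPDESK = 'CN=helpdesk,OU=Groups,' + BASE
ALICE = 'CN=Alice,OU=Users,' + BASE
BOB = 'CN=Bob,OU=Users,' + BASE
GROUPS = {SHARED: [ALICE, HELPDESK],
          HELPDESK: [BOB, SHARED]}           # nested group loops back

def fetch_from_sample(dn):
    """Stand-in for a base-scope LDAP read of objectClass and member."""
    return (dn in GROUPS, GROUPS.get(dn, []))

if __name__ == '__main__':
    print(group_filter('domain1\\sharedaccess'))
    for dn in sorted(expand_members(SHARED, fetch_from_sample)):
        print(dn)
```

Against a live directory, `fetch` would wrap a base-scope search on each DN requesting `objectClass` and `member`. For Active Directory, the python-ldap FAQ attributes the "successful bind must be completed" OPERATIONS_ERROR seen earlier in this thread to libldap chasing referrals anonymously and suggests `set_option(ldap.OPT_REFERRALS, 0)` on the connection.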
 