Hello Michael.

> -----Original Message-----
> Markus Zapke-Gründemann wrote:
> >
> > A few days ago I tried the first time a subtree search starting at
> > the root of an Active Directory on a Windows 2003 Server.
>
> This returns no results (if authenticated). So there's no point trying
> that. You should rather read namingContexts or defaultNamingContext from
> rootDSE (base search) to determine the search root on a particular DC.

This is a good suggestion. I will try it.

> > Operations error
> > 00000000: LdapErr: DSID-0C090627, comment: In order to perform this
> > operation a successful bind must be completed on the connection.,
> > data 0, vece
>
> Then you tried to connect anonymously which is prohibited in AD's
> default configuration.

This is also what I read on this error code. But when I use the same credentials on a different DN below the root everything works. This makes me wonder.

> > I did also a test with the ldp client of the Microsoft Support Tools
> > package[1], just to verify that all privileges are correct. With this
> > client a search with the same filter from the root of the directory
> > is working.
>
> And what did the client return as results?

It returned the results as I expected it. I did a subtree search with the following filter:

    (&(!(userAccountControl=514))(&(company=*))(&(|(cn=*e*)(sn=*e*)(givenName=*e*)(mail=*e*)(telephoneNumber=*e*)(otherTelephone=*e*)(facsimileTelephoneNumber=*e*)(mobile=*e*)(memberOf=*e*)(physicalDeliveryOfficeName=*e*)(title=*e*)))(objectClass=person))

> Maybe ldp.exe is using SASL/GSSAPI bind based on your Windows
> workstation logon seamless without you taking notice of it. And maybe
> ldp.exe also looks at defaultNamingContext in the rootDSE...

I connected and bound to the LDAP server manually using ldp.exe. My workstation is in a different domain. So I think there are no other credentials which could be used.

> Best thing to find out what a client really does is using Wireshark.

This is a good idea. Maybe there is something happening under the hood...

Thank you for your hints.

With kind regards
Markus
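The rootDSE lookup suggested in the quoted reply, sketched as an added example that is not part of the original message or of python-ldap itself. It assumes `conn` is an already bound python-ldap connection exposing `search_s`; `find_search_base`, `search_people` and `FakeConnection` are hypothetical names, and the directory data is constructed so the block runs offline.

```python
# Added example. Scope values are the RFC 4511 numbers, which python-ldap
# exposes as ldap.SCOPE_BASE and ldap.SCOPE_SUBTREE.
SCOPE_BASE, SCOPE_SUBTREE = 0, 2


def find_search_base(conn):
    """Read the rootDSE (base search on the empty DN) and return the DC's
    defaultNamingContext, falling back to the first namingContexts value."""
    result = conn.search_s("", SCOPE_BASE, "(objectClass=*)",
                           ["defaultNamingContext", "namingContexts"])
    if not result:
        raise LookupError("rootDSE returned no entry")
    _dn, attrs = result[0]
    # Attribute names are case-insensitive in LDAP; python-ldap 3.x
    # returns the values as bytes.
    attrs = {k.lower(): v for k, v in attrs.items()}
    for name in ("defaultnamingcontext", "namingcontexts"):
        values = attrs.get(name)
        if values:
            return values[0].decode("utf-8")
    raise LookupError("rootDSE lists no naming context")


def search_people(conn, filterstr, attrlist=None):
    """Subtree search below the discovered base instead of the directory root."""
    base = find_search_base(conn)
    entries = conn.search_s(base, SCOPE_SUBTREE, filterstr, attrlist)
    # Search references come back with dn None; keep real entries only.
    return base, [(dn, a) for dn, a in entries if dn is not None]


class FakeConnection:
    """Constructed stand-in for a bound connection, so the example runs offline."""
    def search_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None):
        if base == "" and scope == SCOPE_BASE:
            return [("", {"defaultNamingContext": [b"DC=example,DC=test"],
                          "namingContexts": [b"DC=example,DC=test",
                                             b"CN=Configuration,DC=example,DC=test"]})]
        if base == "DC=example,DC=test" and scope == SCOPE_SUBTREE:
            return [("CN=Erika Muster,OU=Staff,DC=example,DC=test", {"sn": [b"Muster"]}),
                    (None, ["ldap://DomainDnsZones.example.test/DC=DomainDnsZones,DC=example,DC=test"])]
        return []


if __name__ == "__main__":
    print(search_people(FakeConnection(), "(&(objectClass=person)(sn=*e*))", ["sn"]))
```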
