I've successful by patch the ldap_auth.py after search google.
conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3) conn.set_option(ldap.OPT_REFERRALS, 0) # this line is the KEY, but I don't know why On 6月7日, 下午2時49分, dlin <[email protected]> wrote: > I'm trying AD auth. But, failed. > > After insert some debug print code in the ldap_auth.py. > I found it got Except LDAPError after 'serach_ext_s()' called. > > Is there any clue? > > On 5月18日, 下午11時49分, mdipierro <[email protected]> wrote: > > > > > Can you please email this to me as an attachment? > > > On May 18, 10:25 am, Nico de Groot <[email protected]> wrote: > > > > I tried out theldaplogin using an Active Directory server using the > > > directions fromhttp://web2py.com/book/default/section/8/1. I had to > > > make some small changes to get it running when using 'username' for > > > login. > > > > change 1: if @ is missing (like in the case of using 'username') > > > username_bare is undefined in 'con.search_ext_s(...)'. Proposed > > > solution: add a else: to to repair this > > > > change 2: con.simple_bind_s(username, password) fails when username is > > > just a username without '@[domainname]'. As we are allready searching > > > theAD, I added the attribute 'distinguishedName' in > > > con.search_ext_s(') and used that to construct the DN. The DN can also > > > be used in con.simple_bind_s() > > > > This seems to work, can anyone confirm the problem and check the > > > solutions? > > > > In my test application I had to relax the FK constraints to get the > > > inserts in auth_table, auth_membership and auth_events working and > > > prevent FK constraint-errors. (I'm using MS-SQLServer 2005). Is it a > > > solution to commit the insert in auth_user first? See, in tools.py, > > > line 1078 > > > > Nico de Groot > > > > From gluon/contrib/login_methods/ldap_auth.py > > > current----------- > > > 64 if ldap_mode == 'ad': > > > # Microsoft Active Directory > > > con.set_option(ldap.OPT_PROTOCOL_VERSION, 3) > > > if ldap_binddn: > > > # need to search directory with an admin account > > > 1st > > > con.simple_bind_s(ldap_binddn, ldap_bindpw) > > > else: > > > # credentials should be in the form of > > > [email protected] > > > con.simple_bind_s(username, password) > > > if "@" in username: > > > username_bare = username.split("@")[0] > > > # this will throw an index error if the account is not > > > found > > > # in the ldap_basedn > > > result = con.search_ext_s( > > > ldap_basedn,ldap.SCOPE_SUBTREE, > > > "sAMAccountName=%s" % username_bare, > > > ["sAMAccountName","distinguishedName"])[0][1] > > > if ldap_binddn: > > > # We know the user exists & is in the correct OU > > > # so now we just check the password > > > con.simple_bind_s(username, password) > > > > proposed--------------- > > > 64: if ldap_mode == 'ad': > > > # Microsoft Active Directory > > > con.set_option(ldap.OPT_PROTOCOL_VERSION, 3) > > > if ldap_binddn: > > > # need to search directory with an admin account > > > 1st > > > con.simple_bind_s(ldap_binddn, ldap_bindpw) > > > else: > > > # credentials should be in the form of > > > [email protected] > > > con.simple_bind_s(username, password) > > > if "@" in username: > > > username_bare = username.split("@")[0] > > > #patch ncdg1 > > > else: > > > username_bare = username > > > #/patch ncdg1 > > > # this will throw an index error if the account is not > > > found > > > # in the ldap_basedn > > > #patch ncdg2 > > > result = con.search_ext_s( > > > ldap_basedn,ldap.SCOPE_SUBTREE, > > > "sAMAccountName=%s" % username_bare, > > > ["sAMAccountName","distinguishedName"])[0][1] > > > if ldap_binddn: > > > # We know the user exists & is in the correct OU > > > # so now we just check the password > > > ldap_userdn=result["distinguishedName"][0] > > > con.simple_bind_s(ldap_userdn, password) > > > #/patch ncdg2
