Group Membership in Active Directory Query

Discussion in 'Python' started by kooch54@gmail.com, Feb 7, 2007.

  1. Guest

    I am trying to write a script to simply query the group members in an
    active directory group. I need to use LDAP to make sure I capture any
    global > global group nestings that may occur. I already have a
    function that uses WinNT provider to capture this info from NT4 or AD
    domains and it works beautifully. It just doesn't capture global >
    global nestings. I am having great difficulties in getting this to
    work on AD though with ldap. I have a multiple domain tree
    environment and need to be able to query groups in different domains.
    I want to simply make an ldap connection, bind to it, search for the
    group and get its members.
    I do the following for eDirectory and it works great but not in AD.

    import ldap
    l = ldap.open('1.2.3.4', trace_level=1)
    l.simple_bind_s('cn=username,ou=company', 'password')
    UserRes = []
    UserRes = UserRes + l.search_s(
        'o=company',
        ldap.SCOPE_SUBTREE, '(cn=groupname)')

    If I do the same thing as above but to an AD source it doesn't work.
    I run the open and it seems successful, I run the bind using DN, UPN,
    or domain name and password and it seems to bind, I run the query and
    it says I must complete a successful bind operation before doing a
    query.

    Any help is appreciated.
     
    , Feb 7, 2007
    #1

  2. Guest

    On Feb 7, 9:22 am, wrote:
    > I am trying to write a script to simply query the group members in an
    > active directory group. I need to use LDAP to make sure I capture any
    > global > global group nestings that may occur. I already have a
    > function that uses WinNT provider to capture this info from NT4 or AD
    > domains and it works beautifully. It just doesn't capture global >
    > global nestings. I am having great difficulties in getting this to
    > work on AD though with ldap. I have a multiple domain tree
    > environment and need to be able to query groups in different domains.
    > I want to simply make an ldap connection, bind to it, search for the
    > group and get it's members.
    > I do the following for eDirectory and it works great but not in AD.
    >
    > import ldap
    > l=ldap.open(1.2.3.4,trace_level = 1)
    > l.simple_bind_s('cn=username,ou=company','password')
    > UserRes = UserRes + l.search_s(
    > o=company,
    > ldap.SCOPE_SUBTREE, "(|'cn=groupname')
    >
    > If I do the same thing as above but to an AD source it doesn't work.
    > I run the open and it seems successful, I run the bind using DN, UPN,
    > or domain name and password and it seems to bind, I run the query and
    > it says I must complete a successfull bind operation before doing a
    > query.
    >
    > Any help is appreciated.

    I found an example in the groups here and attempted it but it failed
    as well. Below is the code I used and the results.

    import ldap, ldapurl

    proto = 'ldap'
    server = 'domaincontroller.domain.company.com'
    port = 389

    url = ldapurl.LDAPUrl(urlscheme=proto,
                          hostport="%s:%s" % (server, str(port))).initializeUrl()
    ldap_obj = ldap.initialize(url)

    # !!!password will be on wire in plaintext!!!
    ldap_obj = ldap_obj.simple_bind_s('', 'password')

    base = 'DC=DOMAIN, DC=COMPANY, DC=COM'

    scope = ldap.SCOPE_SUBTREE

    query = '(objectclass=user)'

    res_attrs = ['*']

    res = ldap_obj.search_ext_s(base, scope, query, res_attrs)
    print res

    RESULTS FROM PYTHON SHELL
    res=ldap_obj.search_ext_s(base, scope, query, rest_attrs)
    AttributeError: 'NoneType' object has no attribute 'search_Ext_s'
     
    , Feb 7, 2007
    #2

  3. Uwe Hoffmann Guest

    wrote:
    > ldap_obj = ldap_obj.simple_bind_s('',
    > 'password')
    >
    >
    > AttributeError: 'NoneType' object has no attribute 'search_Ext_s'
    >


    dummy = ldap_obj.simple_bind_s('', 'password')
    or better simply
    ldap_obj.simple_bind_s('', 'password')
     
    Uwe Hoffmann, Feb 7, 2007
    #3
  4. Guest

    On Feb 7, 11:56 am, Uwe Hoffmann <> wrote:
    > wrote:
    >
    > > ldap_obj = ldap_obj.simple_bind_s('',
    > > 'password')

    >
    > > AttributeError: 'NoneType' object has no attribute 'search_Ext_s'

    >
    > dummy = ldap_obj.simple_bind_s('',
    > 'password')
    > or better simply
    > ldap_obj.simple_bind_s('',
    > 'password')


    First and foremost thanks for the feedback. Although I don't
    appreciate the slight dig at me.
    dummy = ldap_obj.simple_bind......

    I tried your second recommendation of using
    ldap_obj.simple_bind_s('','password')

    Now I get the following error even after the bind operation seems to
    complete successfully.
    result = func(*args,**kwargs)
    OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C0905FF, comment:
    In order to perform this operation a successful bind must be completed
    on the connection., data 0, vece', 'desc': 'Operations error'}

    Thanks again...
     
    , Feb 7, 2007
    #4
  5. alex23 Guest

    On Feb 8, 4:27 am, wrote:
    > First and foremost thanks for the feedback. Although I don't
    > appreciate the slight dig at me.
    > dummy = ldap_obj.simple_bind......


    I _really_ don't think Uwe was intending any slight, 'dummy' generally
    means 'dummy variable', i.e. it's just there to catch the value but it's
    never used after that :)

    If you're doing a lot of AD work, I highly recommend Tim Golden's
    active_directory module: http://timgolden.me.uk/python/active_directory.html

    His WMI module has also been a godsend on a number of occasions.

    - alex23
     
    alex23, Feb 8, 2007
    #5
  6. Kooch54 Guest

    On Feb 7, 7:52 pm, "alex23" <> wrote:
    > On Feb 8, 4:27 am, wrote:
    >
    > > First and foremost thanks for the feedback. Although I don't
    > > appreciate the slight dig at me.
    > > dummy = ldap_obj.simple_bind......

    >
    > I _really_ don't think Uwe was intending any slight, 'dummy' generally
    > means 'dummy variable' ie it's just there to catch the value but it's
    > never used after that :)
    >
    > If you're doing a lot of AD work, I highly recommend Tim Golden's
    > active_directory module:http://timgolden.me.uk/python/
    > active_directory.html
    >
    > His WMI module has also been a godsend on a number of occasions.
    >
    > - alex23


    Alex-
    Thanks for your response and Uwe I apologize if I misunderstood
    and misinterpreted your comments. I am sorry.
    I have tried Tim's module called active_directory and it works really
    well. But I can't figure out how to connect to a specific group if I
    know the common name for it but not the DN and then return its
    members. Example.... I know the group name is domain1\sharedaccess.
    How do I bind to that group and get the members? The domain isn't
    necessarily the defaultnamingcontext. It could be another domain in
    the forest. I need to be able to connect to any domain group and get
    its members. Thanks again.
     
    Kooch54, Feb 8, 2007
    #6
  7. Kooch54 Guest

    On Feb 8, 8:44 am, "Kooch54" <> wrote:
    > On Feb 7, 7:52 pm, "alex23" <> wrote:
    >
    >
    >
    > > On Feb 8, 4:27 am, wrote:

    >
    > > > First and foremost thanks for the feedback. Although I don't
    > > > appreciate the slight dig at me.
    > > > dummy = ldap_obj.simple_bind......

    >
    > > I _really_ don't think Uwe was intending any slight, 'dummy' generally
    > > means 'dummy variable' ie it's just there to catch the value but it's
    > > never used after that :)

    >
    > > If you're doing a lot of AD work, I highly recommend Tim Golden's
    > > active_directory module:http://timgolden.me.uk/python/
    > > active_directory.html

    >
    > > His WMI module has also been a godsend on a number of occasions.

    >
    > > - alex23

    >
    > Alex-
    > Thanks for your response and Uwe I apologize if I misunderstood
    > and misinterpreted your comments. I am sorry.
    > I have tried Tim's module called active_directory and it works really
    > well. But I can't figure out how to connect to a specific group is I
    > know the common name for it but not the DN and then return it's
    > members. Example.... I know the group name is domain1\sharedaccess.
    > How do I bind to that group and get the members. The domain isn't
    > necessarily the defaultnamingcontext. It could be another domain in
    > the forest. I need to be able to connect to any domain group and get
    > it's members. Thanks again.


    Bump
     
    Kooch54, Feb 16, 2007
    #7
  8. Tim Golden Guest

    Kooch54 wrote:
    >> Thanks for your response and Uwe I apologize if I misunderstood
    >> and misinterpreted your comments. I am sorry.
    >> I have tried Tim's module called active_directory and it works really
    >> well. But I can't figure out how to connect to a specific group is I
    >> know the common name for it but not the DN and then return it's
    >> members.


    For the simple "group in my domain" situation, as
    far as I can see you can do something like this:

    <code>
    import active_directory
    for group in active_directory.search (
        "sAMAccountName='sharedaccess'",
        "objectClass='group'"
    ):
        print group
        for member in group.members:
            print member
    </code>

    (I'm not on an AD-connected machine just now, but I
    think that'll do it).

    As to finding it in another domain, I'm not sure. I suspect
    that if you simply issue the above query, you'll get
    the groups back from all domains in the forest. But I'm
    not sure about that. In essence this isn't a Python question
    as such. If you can find out from any source how to formulate
    the query in an AD way, I'm quite sure we can translate that
    easily into Python.

    I'm afraid that my AD module is a very lightweight wrapper
    over the LDAP:// object system and offers very little support
    (and gets very little attention from me). Hopefully I can
    have a boost of energy & time and give it some help.

    TJG
     
    Tim Golden, Feb 16, 2007
    #8
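An added example (not code from the thread or from Tim Golden's module) for the original question of walking nested group membership across domains with python-ldap: it resolves a group's members recursively, stops on nesting cycles, and shows which domain each member DN belongs to so the right domain controller can be queried. The domain names, group and user names, and the directory contents are constructed; pass `SAMPLE_DIRECTORY.get` as `lookup` to run it offline, or `python_ldap_lookup(conn)` with a bound python-ldap connection.

```python
def escape_filter(value):
    """RFC 4515 escaping so a group name taken from input cannot alter the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def group_filter(sam_account_name):
    """Filter for a group by pre-Windows 2000 name (domain1\\sharedaccess -> 'sharedaccess')."""
    return '(&(objectClass=group)(sAMAccountName=%s))' % escape_filter(sam_account_name)

def domain_base_dn(dn):
    """Domain part of a DN; a member from another forest domain is read from that domain's DC."""
    return ','.join(p.strip() for p in dn.split(',') if p.strip().upper().startswith('DC='))

def resolve_members(lookup, group_dn, seen=None):
    """Expand 'member' of group_dn, recursing into nested groups. lookup(dn) returns the entry's
    attributes or None. Visited DNs are tracked so cycles terminate and users are listed once."""
    seen = set() if seen is None else seen
    seen.add(group_dn)
    users = []
    for member_dn in (lookup(group_dn) or {}).get('member', []):
        if member_dn in seen:
            continue
        member = lookup(member_dn) or {}
        if 'group' in member.get('objectClass', []):
            users.extend(resolve_members(lookup, member_dn, seen))
        else:
            seen.add(member_dn)
            users.append(member_dn)
    return users

def python_ldap_lookup(conn):
    """Wrap a bound python-ldap connection as lookup(). Bind with conn.simple_bind_s(upn, pw) and
    discard its return value (the thread's fix), over ldaps:// so the password is not in plaintext."""
    import ldap  # python-ldap, imported here so the rest of the module runs without it
    def lookup(dn):
        try:
            res = conn.search_s(dn, ldap.SCOPE_BASE, '(objectClass=*)', ['objectClass', 'member'])
        except ldap.NO_SUCH_OBJECT:
            return None
        return {k: [v.decode() for v in vs] for k, vs in res[0][1].items()} if res else None
    return lookup

# Constructed sample standing in for two domains of one forest (not real data).
D1, D2 = 'DC=domain1,DC=company,DC=com', 'DC=domain2,DC=company,DC=com'
GROUP, USER = ['top', 'group'], ['top', 'person', 'user']
SAMPLE_DIRECTORY = {  # 'ops' in domain2 is nested in 'sharedaccess' and nests it back (a cycle)
    'CN=sharedaccess,OU=Groups,' + D1: {'objectClass': GROUP, 'member': ['CN=alice,OU=Users,' + D1, 'CN=ops,OU=Groups,' + D2]},
    'CN=ops,OU=Groups,' + D2: {'objectClass': GROUP, 'member': ['CN=bob,OU=Users,' + D2, 'CN=sharedaccess,OU=Groups,' + D1]},
    'CN=alice,OU=Users,' + D1: {'objectClass': USER},
    'CN=bob,OU=Users,' + D2: {'objectClass': USER},
}
```

On domain controllers that support it (Windows Server 2003 SP2 and later), the same expansion can be pushed to the server with the LDAP_MATCHING_RULE_IN_CHAIN filter (memberOf:1.2.840.113556.1.4.1941:=<group DN>); resolve_members is the portable fallback.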
