[Samba] Searching samba ldap without authentication

Jean-François Morcillo jfmorcillo at mandriva.com
Mon Feb 2 02:04:35 MST 2015


I'm writing a set of Python scripts that need to consult the Samba LDAP
database without authentication.
I've set up 2 machines, the first as PDC, the second as BDC.
I run my scripts on both and while they run fine on the PDC they end
with an error on the BDC.
Here is the minimal example that behaves this way:

import ldap
LDAP_URI = "ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap_priv%2fldapi"

l = ldap.initialize(LDAP_URI, trace_level=1)
entries = l.search_s('dc=mon,dc=dom', ldap.SCOPE_SUBTREE)

it ends with: ldap.OPERATIONS_ERROR: {'info': '00002020: Operation
unavailable without authentication', 'desc': 'Operations error'}

What is very disturbing is that the equivalent using the ldapsearch
command works well (ldapsearch -x -H
ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap_priv%2Fldapi -b

I've straced all commands (I could provide the log if required);
basically here is what they showed:
- There is nearly no difference (nothing significant) between the traces
of the scripts on the PDC and the BDC.
- The diff between the trace of the script and the trace of the command
line tool shows this:
    - on both side: connect(3, {sa_family=AF_LOCAL,
sun_path="/var/lib/samba/private/ldap_priv/ldapi"}, 110) = 0
    - then later, only in the script trace: connect(4,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("")}, 16) = 0

So the reason for the script to end with an error is that it tries to
connect to the PDC while the command line tool does not do this.
The question is why they behave differently and, most importantly, how to
make my script work?
I've been stuck with this for more than two days so I would really
appreciate help.

