
Python LDAP write attribute to Active Directory

I am able to bind and query Active Directory via python-ldap without any issues except when it comes to adding or modifying attributes on AD. I can add the attribute but the encoding seems to be way off as all the text is garbled.

I've tried encoding my string with utf8 and a few others with no luck.

I've also tried binding with a Domain Admin account along with binding with the user account to which I will be changing an attribute, same result regardless.

Here is the method I use to update an attribute:

import ldap


class LdapHelpers:

    def __init__(self):
        # set globals
        self.server = 'LDAP://dc.mycompany.com'
        self.admin_dn = 'CN=Administrator,CN=users,DC=mycompany,DC=com'
        self.admin_pass = 'coolpassword'

        # init LDAP connection
        #ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, 0)
        ldap.set_option(ldap.OPT_REFERRALS, 0)
        # NOTE: OPT_X_TLS_NEVER turns off server certificate verification
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
        ldap.protocol_version = ldap.VERSION3
        self.ldap = ldap.initialize(self.server)

    def update_attribute(self, attrib, value):
        try:
            conn = self.ldap
            # NOTE: a simple bind over ldap:// sends the DN and password unencrypted
            conn.simple_bind_s(self.admin_dn, self.admin_pass)
            mod_attrs = [(ldap.MOD_REPLACE, "mobile", "6306564123")]

            # I have tried other variations of the above
            # mod_attrs = [(ldap.MOD_REPLACE, "mobile", "6306564123".encode('utf-8'))]

            conn.modify_s('CN=Mike Smith,OU=GoogleApps,DC=company,DC=com', mod_attrs)
            print('record updated')

        except ldap.LDAPError as e:
            return e.message

Doing a ldapsearch via terminal this is what the attribute looks like:

mobile:: MC8sAQAAAAAQNA==

This is what 'Hello World' looks like when I set mobile to it:

mobile:: 77+9ehsCAAAAABDvv70V

I've checked MSDN and it says that ldap attribute is just a Unicode string.

System: Ubuntu 15.10 64bit
Python: 2.7.10
python-ldap==2.4.21

As a side note I can search AD without any issues and parse/display returned user attributes, the issue only seems to be with creating or modifying attributes that this encoding issue comes into play.

The '=' at the end is often an indicator that it is Base64 encoding. Python has a standard library for encoding/decoding base64 (The link is for Python 3, but Python 2 also has the library). LDAP does indeed use Base64 for something. See The LDAP Data Interchange Format (LDIF).

Take a look at the code from pyad to clarify what to do: https://pypi.python.org/pypi/pyad

It's Python-based.

Another example at an already answered question: Use Python script to manage remote LDAP server

Ok I found out what was going on, I was using PyPy 4.0.1 as the interpreter and for some reason this was either causing issues with the python-ldap library and/or encoding for strings.

I switched back to Python 2.7.10 for the interpreter and now the very same modify commands up above work as expected using the python-ldap library. So definitely a word of caution if using PyPy and this particular library....
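
A read-back check for this kind of corrupted write, as an added example that is not part of the original question or answers: it decodes the two `mobile::` lines quoted in the question the way LDIF defines them (a double colon marks a base64 value) and compares the stored bytes with the string that was meant to be written. The function names `parse_ldif_line`, `check_write` and `report` are made up for this sketch, and it is written for Python 3.

```python
import base64

# The two lines below are the ldapsearch output quoted in the question,
# paired with the value the modify call was supposed to store.
SAMPLES = [
    ("mobile:: MC8sAQAAAAAQNA==", "6306564123"),
    ("mobile:: 77+9ehsCAAAAABDvv70V", "Hello World"),
]

def parse_ldif_line(line):
    """Return (attribute, raw_bytes) for one unfolded LDIF attribute line.

    RFC 2849: 'attr: value' is a literal string, 'attr:: value' is base64.
    """
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    if rest.startswith("<"):
        raise ValueError("URL-valued attributes are not handled here")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip(), validate=True)
    return attr, rest.lstrip(" ").encode("utf-8")

def check_write(line, intended):
    """Compare what the directory returned with what was meant to be stored."""
    attr, raw = parse_ldif_line(line)
    text = raw.decode("utf-8", errors="replace")
    return {
        "attribute": attr,
        "hex": raw.hex(),
        "matches": raw == intended.encode("utf-8"),
        "same_char_count": len(text) == len(intended),
        "has_control_bytes": any(b < 0x20 for b in raw),
    }

def report():
    return [check_write(line, intended) for line, intended in SAMPLES]

if __name__ == "__main__":
    for result in report():
        print(result)
```

Both stored values decode to the same number of characters as the intended string but contain control bytes instead of the text, so the base64 is only how ldapsearch displays non-printable data, not the cause of the garbling.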
