pyad - cannot connect to another ldap controller


I cannot connect to another Active Directory through the pyad library. I want to do a query, but with everything I try I get the following error:

import pyad.adbase
import pyad.adquery


def ad_query_bwae(attribute, value):
    # Set the default server and credentials used by every subsequent pyad object.
    pyad.adbase.set_defaults(ldap_server="AD03.domain.com", username="XXXX", password="XXX", ldap_port=389)
    # The constructor opens the ADODB connection to the ADSDSOObject provider.
    query = pyad.adquery.ADQuery()

    # The value is concatenated unescaped into the where clause.
    query.execute_query(
        attributes=["sAmAccountName", "facsimileTelephoneNumber", "mail", "cn"],
        base_dn="DC=b-w-automotive, DC=com",
        where_clause=attribute + "='" + value + "'"
    )

    # Returns the first matching row only.
    for row in query.get_results():
        print(row)
        return row

This produces the following error message:

Traceback (most recent call last):
  File "C:\Users\fiku\Desktop\Lizenz_Projekt\neue_Lizenzabfrage\new_script.py", line 259, in <module>
    ad_query_bwae("sAmAccountName","fiku")
  File "C:\Users\fiku\Desktop\Lizenz_Projekt\neue_Lizenzabfrage\new_script.py", line 232, in ad_query_bwae
    query = pyad.adquery.ADQuery()
  File "c:\users\fiku\appdata\local\programs\python\python37-32\lib\site-packages\pyad\adquery.py", line 39, in __init__
    self.__adodb_conn.Open("Provider=ADSDSOObject")
  File "<COMObject ADODB.Connection>", line 0, in Open
  File "c:\users\fiku\appdata\local\programs\python\python37-32\lib\site-packages\win32com\client\dynamic.py", line 287, in _ApplyTypes_
    result = self._oleobj_.InvokeTypes(*(dispid, LCID, wFlags, retType, argTypes) + args)
pywintypes.com_error: (-2147352567, 'Ausnahmefehler aufgetreten.', (0, 'Microsoft OLE DB Service Components', 'Falscher Parameter.', None, 0, -2147024809), None)

The error message is in German, but it says "wrong parameters".


First, ensure you set default credentials for querying LDAP with ADQuery:

pyad.set_defaults(ldap_server="example.com", username="manager", password="password")

Then, I think the base DN syntax may be wrong: the string 'DC=b-w-automotive, DC=com' contains a white space between the RDN separator (,) and the RDN DC=com, so you may want to double-check the actual DN string of the domain component "b-w-automotive" to see if it really contains that white space (it's quite unusual, but allowed, so it could be intentional):

Implementations MUST allow [...] whitespace characters to be present on either side of the comma or semicolon. (RFC-2253 - 2.1)

... but it's also possible that the DN's string representation fooled you when you read it because of a line-wrapping issue or something similar, hence the error when you try to use the "virtual"/invalid DN.

It is often desirable to line-wrap overly long DN strings in presentations. Line wrapping should be done by inserting whitespace after the RDN separator character or, if necessary, after the AVA separator character. It should be noted to the user that the inserted whitespace is not part of the DN string and is to be removed before use in LDAP. (RFC-4514 - Appendix A)


If your issue is not related to the base DN, it must be that either attribute and/or value is/are invalid, e.g. from the logs in your post: "sAmAccountName" is wrong if your backend schema is set to be case sensitive (not sure about this in AD); the correct case is "sAMAccountName".

It may be helpful to log these variables and compare their values with the final LDAP request (AD side) to check whether the query remains consistent with the original where_clause or whether there is any encoding/escaping issue.

See LDAP search filter definition & escaping in RFC-4515.

One last thing: if any of the requested attributes is missing from the database (or is misspelled...) it could lead to an error. If you are not sure, and to prevent any issue, use an empty array, or ['*'] to request all non-internal attributes.
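The three checks the answer suggests (whitespace after the RDN separator in the base DN, the spelling/case of the attribute name, and escaping of the value per RFC 4515) can be done in plain Python before anything is handed to pyad. The following is an added example, not code from the question, the answer or the pyad project; it assumes nothing about pyad and only needs the standard library. The attribute table is a constructed, partial list built from the attribute names that appear in the question; the `normalize_dn`, `canonical_attribute`, `escape_filter_value` and `build_ldap_filter` names are the example's own.

```python
# Added example: sanity-check the inputs of an AD query before sending them.

# RFC 4514, Appendix A: whitespace inserted after the RDN separator for line
# wrapping is not part of the DN and must be removed before use in LDAP.
def _is_escaped(s: str, idx: int) -> bool:
    """True if the character at s[idx] is preceded by an odd number of backslashes."""
    n = 0
    while idx - n - 1 >= 0 and s[idx - n - 1] == "\\":
        n += 1
    return n % 2 == 1


def _split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas, keeping escape sequences intact."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep "\," or "\\" as one unit
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def _strip_rdn(rdn: str) -> str:
    """Strip presentation whitespace around an RDN, but keep an escaped trailing space."""
    rdn = rdn.lstrip(" \t")
    while rdn and rdn[-1] in " \t" and not _is_escaped(rdn, len(rdn) - 1):
        rdn = rdn[:-1]
    return rdn


def normalize_dn(dn: str) -> str:
    """Return the DN with wrapping whitespace removed: 'DC=a, DC=b' -> 'DC=a,DC=b'."""
    return ",".join(_strip_rdn(r) for r in _split_rdns(dn))


# Constructed, partial table of attribute names as spelled in the AD schema
# (taken from the attributes named in the question).
KNOWN_ATTRIBUTES = {
    name.lower(): name
    for name in ("sAMAccountName", "facsimileTelephoneNumber", "mail", "cn")
}


def canonical_attribute(name: str) -> str:
    """Map a possibly mis-cased attribute name (e.g. 'sAmAccountName') to the schema spelling."""
    try:
        return KNOWN_ATTRIBUTES[name.lower()]
    except KeyError:
        raise ValueError(f"unknown attribute name: {name!r}") from None


# RFC 4515, section 3: these characters must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use in an LDAP search filter so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_ldap_filter(attribute: str, value: str) -> str:
    """Build an RFC 4515 equality filter from a checked attribute name and an escaped value."""
    return f"({canonical_attribute(attribute)}={escape_filter_value(value)})"


if __name__ == "__main__":
    print(normalize_dn("DC=b-w-automotive, DC=com"))      # DC=b-w-automotive,DC=com
    print(build_ldap_filter("sAmAccountName", "fiku"))   # (sAMAccountName=fiku)
    print(build_ldap_filter("mail", "a*(b)\\c"))         # (mail=a\2a\28b\29\5cc)
```

Logging the output of `normalize_dn` and `build_ldap_filter` next to the original `base_dn` and `where_clause` gives the comparison the answer recommends: if the normalized DN or the escaped value differs from what was passed to pyad, the discrepancy is the first thing to investigate.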