<div dir="ltr"><div>I try to use <span style="font-size:14px">digest-md5:</span></div><div><span style="font-size:14px"><br></span></div><div><span style="font-size:14px">source:</span></div><div><span style="font-size:14px"><br></span></div><div><span style="font-size:14px">import ldap</span></div><div><span style="font-size:14px">import ldap.sasl</span></div><div><span style="font-size:14px"><br></span></div><div><span style="font-size:14px">adconn = ldap.initialize('ldap://<a href="http://192.168.1.198:389">192.168.1.198:389</a>')</span></div><div><span style="font-size:14px">adconn.protocol_version = ldap.VERSION3</span></div><div><span style="font-size:14px">sasl_auth = ldap.sasl.sasl(</span></div><div><span style="font-size:14px"> {</span></div><div><span style="font-size:14px"> ldap.sasl.CB_AUTHNAME:"administrator",</span></div><div><span style="font-size:14px"> ldap.sasl.CB_PASS :"",</span></div><div><span style="font-size:14px"> },</span></div><div><span style="font-size:14px"> 'digest-md5'</span></div><div><span style="font-size:14px"> )</span></div><div><span style="font-size:14px">adconn.sasl_interactive_bind_s('', sasl_auth)</span></div><div><br></div><div>result:</div><div><br></div><div>cwh@zopen05:~/gitlab/workonline$ python test_ldap.py</div><div>Traceback (most recent call last):</div><div> File "test_ldap.py", line 13, in <module></div><div> adconn.sasl_interactive_bind_s('', sasl_auth)</div><div> File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s</div><div> return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)</div><div> File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call</div><div> result = func(*args,**kwargs)</div><div>ldap.INVALID_CREDENTIALS: {'info': "80090303: LdapErr: DSID-0C0904BE, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1", 'desc': 'Invalid credentials'}</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-08-12 6:52 GMT+08:00 Jun Sheng <span dir="ltr"><<a href="mailto:chaoseternal@gmail.com" target="_blank">chaoseternal@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I remember if GSSAPI is used, a successful kerberos login (kinit) must<br>
be performed before doing ldap_bind, but I am not very sure.<br>
<br>
Still, AD supports digest-md5, I suggest you try that first.<br>
<div class="HOEnZb"><div class="h5"><br>
On Tue, Aug 11, 2015 at 3:50 PM, 陈伟洪 <<a href="mailto:whchen1080@gmail.com">whchen1080@gmail.com</a>> wrote:<br>
> In the Linux environment, I tried to run this script:<br>
><br>
><br>
> import ldap<br>
> import ldap.sasl<br>
><br>
> adconn = ldap.initialize('ldap://<a href="http://192.168.1.198:389" rel="noreferrer" target="_blank">192.168.1.198:389</a>')<br>
> adconn.protocol_version = ldap.VERSION3<br>
> sasl_auth = ldap.sasl.sasl(<br>
> {<br>
> ldap.sasl.CB_AUTHNAME:"",<br>
> ldap.sasl.CB_PASS :"",<br>
> },<br>
> 'GSSAPI'<br>
> )<br>
> adconn.sasl_interactive_bind_s('', sasl_auth)<br>
><br>
> result:<br>
><br>
> root@872d112a0c37:/var/edo/wo# bin/python test_ldap.py<br>
> Traceback (most recent call last):<br>
> File "bin/python", line 275, in <module><br>
> exec(compile(__file__f.read(), __file__, "exec"))<br>
> File "test_ldap.py", line 13, in <module><br>
> adconn.sasl_interactive_bind_s('', sasl_auth)<br>
> File<br>
> "/opt/buildout-cache/eggs/python_ldap-2.4.14-py2.7-linux-x86_64.egg/ldap/ldapobject.py",<br>
> line 229, in sasl_interactive_bind_s<br>
> return<br>
> self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)<br>
> File<br>
> "/opt/buildout-cache/eggs/python_ldap-2.4.14-py2.7-linux-x86_64.egg/ldap/ldapobject.py",<br>
> line 99, in _ldap_call<br>
> result = func(*args,**kwargs)<br>
> ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error:<br>
> Unspecified GSS failure. Minor code may provide more information (No<br>
> Kerberos credentials available)', 'desc': 'Local error'}<br>
><br>
> Is that python-ldap no support username/password as credentials to login in<br>
> MS AD server which only support GSSAPI?<br>
><br>
> 2015-08-10 23:15 GMT+08:00 Michael Ströder <<a href="mailto:michael@stroeder.com">michael@stroeder.com</a>>:<br>
>><br>
>> 陈伟洪 wrote:<br>
>> > I'm unable to search Active Directory with GSSAPI for some reason.<br>
>> ><br>
>> ><br>
>> > Here's a small test script I've been using.<br>
>> ><br>
>> > import ldap<br>
>> > import ldap.sasl<br>
>> ><br>
>> > adconn = ldap.initialize('ldap://<a href="http://192.168.1.198:389/" rel="noreferrer" target="_blank">192.168.1.198:389/</a>', trace_level=1)<br>
>> > adconn.protocol_version = ldap.VERSION3<br>
>> > sasl_auth = ldap.sasl.sasl(<br>
>> > {<br>
>> > },<br>
>> > 'GSSAPI'<br>
>> > )<br>
>> ><br>
>> > adconn.sasl_interactive_bind_s('', sasl_auth)<br>
>> ><br>
>> ><br>
>> ><br>
>> > It fails every time with<br>
>> ><br>
>> > C:\Users\whchen\Downloads>python test_ldap.py<br>
>><br>
>> It seems you're on Windows.<br>
>><br>
>> I don't know the detailed status of SASL support in current Windows builds<br>
>> of<br>
>> python-ldap but IMO SASL/GSSAPI does not work on Windows. Especially this<br>
>> would require to install Kerberos for Windows and build against that.<br>
>> Current<br>
>> KfW releases seem to be able to make use of the Windows ticket store but I<br>
>> never tried out myself.<br>
>><br>
>> SASL/GSSAPI with MS AD works ok on most Linux boxes with LDAP libs built<br>
>> with<br>
>> SASL and Kerberos libs.<br>
>><br>
>> Ciao, Michael.<br>
>><br>
><br>
><br>
</div></div><div class="HOEnZb"><div class="h5">> _______________________________________________<br>
> python-ldap mailing list<br>
> <a href="mailto:python-ldap@python.org">python-ldap@python.org</a><br>
> <a href="https://mail.python.org/mailman/listinfo/python-ldap" rel="noreferrer" target="_blank">https://mail.python.org/mailman/listinfo/python-ldap</a><br>
><br>
</div></div></blockquote></div><br></div>