SASL/GSSAPI problems

Wido Depping wido.depping at gmail.com
Sat Oct 30 02:07:55 CEST 2004


Hi All,
some users of Luma ( http://luma.sf.net ) have problems with binding
to a directory using the SASL/GSSAPI method. All these people have a
working Kerberos environment, and using SASL/MD5 works flawlessly.
Here's the output they get from the console:

SASL/GSSAPI authentication started
Error during LDAP bind request
Reason: {'info': 'SASL(0): successful result: ', 'desc': 'Local error'}

Unfortunately I'm not able to test this myself since it would take too
much time to set up such an environment. And currently I'm busy with
my exams.
For integrating SASL support into Luma I used the example code from
python-ldap. Here is the 'bind()' function from Luma and maybe you
have an idea what is going wrong:

def bind(self):
        try:
            urlschemeVal = "ldap"
            if self.serverMeta.tls:
                urlschemeVal = "ldaps"
              
            whoVal = None
            credVal = None
            if not (self.serverMeta.bindAnon):
                whoVal = self.serverMeta.bindDN
                credVal = self.serverMeta.bindPassword
                
            url = ldapurl.LDAPUrl(urlscheme=urlschemeVal,
                hostport = self.serverMeta.host + ":" + str(self.serverMeta.port),
                dn = self.serverMeta.baseDN, who = whoVal,
                cred = credVal)
            
            self.ldapServerObject = ldap.initialize(url.initializeUrl())
            self.ldapServerObject.protocol_version = 3
            
            if self.serverMeta.bindAnon:
                self.ldapServerObject.simple_bind()
            elif self.serverMeta.authMethod == u"Simple":
                self.ldapServerObject.simple_bind(whoVal, credVal)
            elif u"SASL" in self.serverMeta.authMethod:
                sasl_cb_value_dict = None
                if not u"GSSAPI" in self.serverMeta.authMethod:
                    sasl_cb_value_dict = {ldap.sasl.CB_AUTHNAME:whoVal, ldap.sasl.CB_PASS:credVal}
                    
                sasl_mech = None
                if self.serverMeta.authMethod == u"SASL Plain":
                    sasl_mech = "PLAIN"
                elif self.serverMeta.authMethod == u"SASL CRAM-MD5":
                    sasl_mech = "CRAM-MD5"
                elif self.serverMeta.authMethod == u"SASL DIGEST-MD5":
                    sasl_mech = "DIGEST-MD5"
                elif self.serverMeta.authMethod == u"SASL Login":
                    sasl_mech = "LOGIN"
                elif self.serverMeta.authMethod == u"SASL GSSAPI":
                    sasl_mech = "GSSAPI"
                    
                sasl_auth = ldap.sasl.sasl(sasl_cb_value_dict,sasl_mech)
                self.ldapServerObject.sasl_interactive_bind_s("", sasl_auth)
                
        except ldap.LDAPError, e:
            print "Error during LDAP bind request"
            print "Reason: " + str(e)


Maybe someone with a Kerberos environment can test Luma. So far I'm
pretty lost as to what is going on.

mfg.
  Wido
-- 
Wido Depping
ICQ: 51303067    AIM: wido3379
Jabber: wido at jabber.ccc.de
Blog: http://widoww.blogspot.com





More information about the python-ldap mailing list