[ANNOUNCE] python-ad

David Leonard d at adaptive-enterprises.com.au
Tue Dec 11 15:08:13 CET 2007



Michael Ströder wrote:
> Geert Jansen wrote:
>   
>> Michael Ströder wrote:
>>
>>     
>>> I saw that kinit is started as a shell sub-process.
>>>       
>> Actually Python-AD comes with a C module that wraps the required
>> Kerberos functions (see lib/ad/protocol/krb5.c). What you probably saw
>> is the use of kinit in the test suite, where I use it to verify the
>> credentials acquired by the C module.
>>     
>
> Ah, ok. Interesting. Why don't you separate the krb5 module into another
> project? I guess some people might be interested in that.
>
> Especially my dream would be to support HTTP-Authentication based on
> SPNEGO/GSSAPI in web2ldap. But not only authenticating the user at the
> web server. I would rather like to forward the service ticket requested for
> a particular LDAP service to the LDAP server in a SASL/GSSAPI
> BindRequest. Do you think that's feasible?
>   
There is pykerberos from
http://trac.calendarserver.org/projects/calendarserver/browser/PyKerberos/

I am interested in a better GSSAPI binding for Python, and have some
incomplete code locally if anyone else is interested.
To do credential forwarding, the GSS is currently kind of crappy about
how to extract creds portably, but if you know it's Kerberos and you can
set KRB5CCNAME to a temporary file you can stash a delegated TGT into a
temp ccache so that SASL/GSS can find it when you talk LDAP.


-- 
David Leonard                           d at adaptive-enterprises.com.au
                                        Ph:+61 404 844 850
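
Added example, not part of the original message or of python-ad: a sketch of the temporary-ccache handling described above, for a long-running process such as a web application. The `store_delegated_creds` hook and the `private_ccache` name are hypothetical; the hook stands in for whatever GSSAPI binding actually writes the delegated TGT into the cache.

```python
import contextlib
import os
import tempfile
import threading

# KRB5CCNAME is process-wide, so only one thread may redirect it at a time.
# The lock is not re-entrant: do not nest private_ccache() in one thread.
_ccache_env_lock = threading.Lock()


@contextlib.contextmanager
def private_ccache(store_delegated_creds, prefix="krb5cc_deleg_"):
    """Run a block with KRB5CCNAME pointing at a fresh, owner-only ccache.

    store_delegated_creds(ccache_name) is a caller-supplied hook (assumed,
    not a real library call) that writes the delegated TGT into the cache.
    """
    # mkstemp creates the file atomically with mode 0600 and an
    # unpredictable name, so other local users cannot read or pre-create it.
    fd, path = tempfile.mkstemp(prefix=prefix)
    os.close(fd)
    ccache_name = "FILE:" + path
    with _ccache_env_lock:
        previous = os.environ.get("KRB5CCNAME")
        try:
            store_delegated_creds(ccache_name)
            os.environ["KRB5CCNAME"] = ccache_name
            # The SASL/GSSAPI LDAP bind goes inside the with-block body.
            yield ccache_name
        finally:
            # Restore the environment and destroy the ticket file even if
            # the hook or the bind raised, so the TGT does not linger.
            if previous is None:
                os.environ.pop("KRB5CCNAME", None)
            else:
                os.environ["KRB5CCNAME"] = previous
            with contextlib.suppress(FileNotFoundError):
                os.unlink(path)
```

Because the lock is held for the whole block, binds that use delegated credentials are serialized within the process; that is the cost of steering the library through an environment variable.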
