using Kerberos to authenticate to Active Directory from python ldap

Michael Ströder michael at stroeder.com
Fri Apr 10 14:24:50 CEST 2009


Olivier Sessink wrote:
> 2009/4/10 Michael Ströder <michael at stroeder.com>:
>> You can bind with SASL/GSSAPI to AD with plain python-ldap provided you
>> obtained a valid TGT with kinit before (just like with command-line tool
>> ldapsearch).
> 
> thanks, that's what I need to know.
> 
> I can't get it to work though..
> 
> import ldap
> import ldap.sasl
> 
> ld = ldap.initialize('ldap://foobar')
> sasl = ldap.sasl.gssapi()
> ld.sasl_interactive_bind_s('', sasl)
> ld.search_s('DC=foo,DC=foo', ldap.SCOPE_SUBTREE, '(CN=blabla)', ['Member'])
> 
> ldap.OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C090627,
> comment: In order to perform this operation a successful bind must be
> completed on the connection., data 0, vece', 'desc': 'Operations
> error'}
> 
> this shell command works:
> 
> ldapsearch -YGSSAPI  -H ldap://foobar -bDC=foo,DC=foo '(CN=blabla)' Member
> 
> I've tried different ldap URLs, but from an ldapsearch strace I'm
> pretty sure I use the right ldap server.

Hmm, this should simply work just like the ldapsearch usage. Since
you're searching from domain level it would be worth trying to
explicitly switch off referral chasing within libldap:

import ldap

ld = ldap.initialize('ldap://foobar')
# must be set before the search, otherwise libldap follows AD's referrals itself
ld.set_option(ldap.OPT_REFERRALS, 0)

Note that automatic referral chasing within libldap has always used an
anonymous bind.

> However, this is on a suse linux enterprise box, which has python-ldap
> 2.0.11. Could it be that this is too old?

Glancing over CHANGES, there were no related fixes to SASL, but maybe the
default for ldap.OPT_REFERRALS was changed. But you should upgrade
anyway for various reasons...

Ciao, Michael.
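The fix discussed in this thread, as an added example that is not code from either poster: the GSSAPI bind with referral chasing switched off, plus a helper that separates real entries from the referral URIs AD returns for a domain-level search once libldap no longer chases them anonymously. The URI, base DN and the sample result list are constructed for illustration.

```python
try:
    import ldap
    import ldap.sasl
except ImportError:  # python-ldap absent: only split_results() is usable
    ldap = None

# Constructed sample of what search_s() returns from an AD domain base
# with OPT_REFERRALS=0: one real entry plus two search continuations.
# python-ldap represents each continuation as (None, [uri, ...]).
SAMPLE_RESULTS = [
    ('CN=blabla,OU=Groups,DC=foo,DC=foo',
     {'member': [b'CN=alice,OU=Users,DC=foo,DC=foo']}),
    (None, ['ldap://ForestDnsZones.foo.foo/DC=ForestDnsZones,DC=foo,DC=foo']),
    (None, ['ldap://DomainDnsZones.foo.foo/DC=DomainDnsZones,DC=foo,DC=foo']),
]


def split_results(results):
    """Separate entries from referral URIs in a python-ldap result list."""
    entries, referrals = [], []
    for dn, payload in results:
        if dn is None:          # search continuation, not an entry
            referrals.extend(payload)
        else:
            entries.append((dn, payload))
    return entries, referrals


def gssapi_search(uri, base, filterstr, attrlist):
    """Kerberos (SASL/GSSAPI) bind to AD, then a subtree search.

    Assumes a valid TGT is already in the credential cache (kinit) and
    that the host in `uri` matches the domain controller's SPN.
    """
    ld = ldap.initialize(uri)
    # Must precede the search: with chasing on, libldap opens an anonymous
    # connection for each referral and AD rejects it with
    # "a successful bind must be completed on the connection".
    ld.set_option(ldap.OPT_REFERRALS, 0)
    ld.sasl_interactive_bind_s('', ldap.sasl.gssapi())
    raw = ld.search_s(base, ldap.SCOPE_SUBTREE, filterstr, attrlist)
    return split_results(raw)


if __name__ == '__main__':
    entries, referrals = gssapi_search(
        'ldap://foobar', 'DC=foo,DC=foo', '(CN=blabla)', ['member'])
    print(len(entries), 'entries;', len(referrals), 'referrals not chased')
```

If the referred-to partitions (DomainDnsZones, ForestDnsZones, Configuration) are actually needed, open a second connection to the referral URI and bind it with GSSAPI as well, rather than letting libldap follow it anonymously.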
