using Kerberos to authenticate to Active Directory from python ldap

Olivier Sessink oliviersessink at gmail.com
Fri Apr 10 14:45:22 CEST 2009


2009/4/10 Michael Ströder <michael at stroeder.com>:
> Olivier Sessink wrote:
>> 2009/4/10 Michael Ströder <michael at stroeder.com>:
>>> You can bind with SASL/GSSAPI to AD with plain python-ldap provided you
>>> obtained a valid TGT with kinit before (just like with command-line tool
>>> ldapsearch).
>>
>> thanks, that's what I need to know.
>>
>> I can't get it to work though..
>>
>> ld = ldap.initialize('ldap://foobar')
>> sasl = ldap.sasl.gssapi()
>> ld.sasl_interactive_bind_s('', sasl)
>> ld.search_s('DC=foo,DC=foo', ldap.SCOPE_SUBTREE, '(CN=blabla)', ['Member'])
>>
>> ldap.OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C090627,
>> comment: In order to perform this operation a successful bind must be
>> completed on the connection., data 0, vece', 'desc': 'Operations
>> error'}
>>
>> this shell command works:
>>
>> ldapsearch -YGSSAPI  -H ldap://foobar -bDC=foo,DC=foo '(CN=blabla)' Member
>>
>> I've tried different ldap URLs, but from an ldapsearch strace I'm
>> pretty sure I use the right ldap server.
>
> Hmm, this should simply work just like the ldapsearch usage. Since
> you're searching from domain level it would be worth to try to
> explicitly switch off referral chasing within libldap:
>
> ld = ldap.initialize('ldap://foobar')
> ld.set_option(ldap.OPT_REFERRALS,0)

you saved my day!

it works.

sorry for my limited knowledge, but what does "referrals should be
automatically chased" mean?

many thanks

Olivier
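As an added illustration (not code from this thread), here is what a domain-level AD search hands back once referral chasing is switched off: the real entry plus continuation references to the other naming contexts. With chasing left on, libldap follows each reference over a fresh connection that does not carry the GSSAPI bind, which is the unbound connection the "a successful bind must be completed" error is complaining about. The hostnames, DNs and result list below are constructed to mimic python-ldap's search_s() output.

```python
# Added example, not part of the thread. The sample result list is constructed
# by hand in the shape python-ldap's search_s() returns: real entries are
# (dn, attrs) tuples, continuation references (referrals) are (None, [url, ...]).
from urllib.parse import urlsplit, unquote

# Constructed sample, as if returned by
# ld.search_s('DC=foo,DC=foo', ldap.SCOPE_SUBTREE, '(CN=blabla)', ['Member'])
# with ld.set_option(ldap.OPT_REFERRALS, 0) in effect.
SAMPLE_RESULTS = [
    ('CN=blabla,OU=Groups,DC=foo,DC=foo',
     {'Member': [b'CN=alice,OU=Users,DC=foo,DC=foo',
                 b'CN=bob,OU=Users,DC=foo,DC=foo']}),
    (None, ['ldap://ForestDnsZones.foo.foo/DC=ForestDnsZones,DC=foo,DC=foo']),
    (None, ['ldap://DomainDnsZones.foo.foo/DC=DomainDnsZones,DC=foo,DC=foo']),
    (None, ['ldap://foo.foo/CN=Configuration,DC=foo,DC=foo']),
]


def split_results(results):
    """Separate real entries from continuation references (referrals)."""
    entries, referrals = [], []
    for dn, payload in results:
        if dn is None:
            referrals.extend(payload)
        else:
            entries.append((dn, payload))
    return entries, referrals


def parse_ldap_url(url):
    """Return (host, base_dn) from an LDAP URL of the form
    ldap://host[:port]/dn[?attrs[?scope[?filter]]] (RFC 4516)."""
    parts = urlsplit(url)
    if parts.scheme not in ('ldap', 'ldaps'):
        raise ValueError('not an LDAP URL: %r' % url)
    return parts.hostname, unquote(parts.path.lstrip('/'))


def referral_targets(results):
    """Hosts and naming contexts libldap would contact if chasing were on.
    Each one is a new connection that does not inherit the SASL/GSSAPI bind."""
    _, referrals = split_results(results)
    return [parse_ldap_url(u) for u in referrals]


if __name__ == '__main__':
    entries, _ = split_results(SAMPLE_RESULTS)
    for dn, attrs in entries:
        print(dn, attrs.get('Member'))
    for host, base in referral_targets(SAMPLE_RESULTS):
        print('referral -> %s (%s)' % (host, base))
```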
