using Kerberos to authenticate to Active Directory from python ldap

Olivier Sessink oliviersessink at
Fri Apr 10 14:45:22 CEST 2009

2009/4/10 Michael Ströder <michael at>:
> Olivier Sessink wrote:
>> 2009/4/10 Michael Ströder <michael at>:
>>> You can bind with SASL/GSSAPI to AD with plain python-ldap provided you
>>> obtained a valid TGT with kinit before (just like with command-line tool
>>> ldapsearch).
>> thanks, that's what I need to know.
>> I can't get it to work though..
>> ld = ldap.initialize('ldap://foobar')
>> sasl = ldap.sasl.gssapi()
>> ld.sasl_interactive_bind_s('', sasl)
>> ld.search_s('DC=foo,DC=foo', ldap.SCOPE_SUBTREE, '(CN=blabla)', ['Member'])
>> ldap.OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C090627,
>> comment: In order to perform this operation a successful bind must be
>> completed on the connection., data 0, vece', 'desc': 'Operations
>> error'}
>> this shell command works:
>> ldapsearch -YGSSAPI  -H ldap://foobar -bDC=foo,DC=foo '(CN=blabla)' Member
>> I've tried different LDAP URLs, but from an ldapsearch strace I'm
>> pretty sure I use the right ldap server.
> Hmm, this should simply work just like the ldapsearch usage. Since
> you're searching from domain level it would be worth trying to
> explicitly switch off referral chasing within libldap:
> ld = ldap.initialize('ldap://foobar')
> ld.set_option(ldap.OPT_REFERRALS,0)

You saved my day!

It works.

Sorry for my limited knowledge, but what does "referrals should be
automatically chased" mean?

Many thanks
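
Added example, not part of the original thread: with OPT_REFERRALS switched off, python-ldap returns each search reference from the server as a result tuple whose DN is None and whose payload is a list of LDAP URLs, instead of libldap opening new connections to those servers on its own. The names split_results, gssapi_search and SAMPLE are hypothetical, and the sample results are constructed to resemble a subtree search from the domain root used in the thread.

```python
from urllib.parse import urlsplit, unquote


def split_results(results):
    """Separate real entries from search references in search_s() output.

    A reference arrives as (None, [ldap_url, ...]); an entry as (dn, attrs).
    Returns (entries, referrals), referrals being (host, base_dn) pairs.
    """
    entries, referrals = [], []
    for dn, data in results:
        if dn is not None:
            entries.append((dn, data))
            continue
        for url in data:
            if isinstance(url, bytes):  # tolerate bytes or str URLs
                url = url.decode("utf-8")
            parts = urlsplit(url)
            referrals.append((parts.hostname, unquote(parts.path.lstrip("/"))))
    return entries, referrals


def gssapi_search(uri, base, filterstr, attrs):
    """SASL/GSSAPI bind (a TGT from kinit must exist), search, no chasing."""
    import ldap, ldap.sasl  # python-ldap; lazy import so the demo runs without it
    ld = ldap.initialize(uri)
    ld.set_option(ldap.OPT_REFERRALS, 0)  # hand references back to the caller
    ld.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    try:
        found = ld.search_s(base, ldap.SCOPE_SUBTREE, filterstr, attrs)
    finally:
        ld.unbind_s()
    return split_results(found)


# Constructed sample of what search_s() can return from the domain root.
SAMPLE = [
    ("CN=blabla,OU=Groups,DC=foo,DC=foo",
     {"member": [b"CN=user1,OU=People,DC=foo,DC=foo"]}),
    (None, ["ldap://ForestDnsZones.foo.foo/DC=ForestDnsZones,DC=foo,DC=foo"]),
    (None, ["ldap://DomainDnsZones.foo.foo/DC=DomainDnsZones,DC=foo,DC=foo"]),
    (None, ["ldap://foo.foo/CN=Configuration,DC=foo,DC=foo"]),
]

if __name__ == "__main__":
    entries, referrals = split_results(SAMPLE)
    for dn, attrs in entries:
        print("entry:", dn, attrs)
    for host, base_dn in referrals:
        print("not followed:", host, base_dn)
```

Listing the referral targets this way lets you decide which servers, if any, the client should contact with its Kerberos credentials.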

