[python-ldap] GSSAPI and Active Directory

Rob McBroom mailinglist0 at skurfer.com
Thu Sep 1 16:30:01 CEST 2011


I'm unable to search Active Directory with GSSAPI for some reason.

The behavior described below doesn't seem to be version dependent. It's exactly the same on a RHEL5 box (Python 2.4.3, python-ldap 2.2.0, OpenLDAP 2.3.43) or an up-to-date Mac OS X box (Python 2.7.1, python-ldap 2.4.3, OpenLDAP 2.4.23).

Here's a small test script I've been using.

    import ldap
    import ldap.sasl
    adconn = ldap.initialize('ldap://employer.com')
    auth_tokens = ldap.sasl.gssapi()
    adconn.sasl_interactive_bind_s('', auth_tokens)
    ad_search = adconn.search_s(
        'dc=employer,dc=com',
        ldap.SCOPE_SUBTREE,
        '(&(objectClass=user)(sn=McBroom))',
        ['sAMAccountName', 'userPrincipalName']
    )

It fails every time with

    ldap.OPERATIONS_ERROR: {'info': '000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0', 'desc': 'Operations error'}

The same script works if I point it at one of our OpenLDAP servers. The command-line tools like `ldapwhoami` and `ldapsearch` work with both AD and OpenLDAP. Based on some digging with Wireshark, the bind to the AD server is successful. The AD and OpenLDAP connections look about the same up to that point. But when `search_s` gets called, against OpenLDAP everything is encrypted in "SASL GSS-API Privacy" packets from then on. Against AD, the search is sent in the clear.

Any ideas? Is it not using the existing (authenticated) connection or something?

On a related note, the contents of `auth_tokens` appear to be identical whether a Kerberos ticket is available or not. I'd like to be able to test this *before* a bind (to fall back on simple authentication, SASL external, etc.). Is there a way to tell (besides something clunky like calling `klist -s`)?

Thanks.

-- 
Rob McBroom
<http://www.skurfer.com/>
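Added example (not part of the original message and not python-ldap's own code): two small pieces a practitioner would want after reading the post above. First, a parser for the Active Directory diagnostic string quoted in the error: the leading eight hex digits are a Win32 error code (0x4DC is ERROR_NOT_AUTHENTICATED, meaning the server does not consider the connection bound), and for invalidCredentials replies the `data` field carries the well-known logon sub-codes (52e, 775, ...). Second, a bind helper that sets python-ldap's OPT_X_SASL_SSF_MIN and checks OPT_X_SASL_SSF after the bind, so a GSSAPI bind that negotiates no privacy layer fails loudly instead of silently sending the search in the clear as described above. The `klist -s` check is the one the post mentions. Assumptions: the bind helper needs python-ldap installed and a reachable server (it imports ldap lazily so the parser runs without it); the second sample message is a constructed example of the invalidCredentials form.

```python
import re
import subprocess

# Win32 error codes seen at the front of an AD "LdapErr" diagnostic string
# (the 8 hex digits before "LdapErr").
LEADING_CODE_NAMES = {
    0x4DC: "ERROR_NOT_AUTHENTICATED",  # 1244: operation requires a completed bind
    0x80090308: "SEC_E_INVALID_TOKEN",  # typical lead code on invalidCredentials
}

# Sub-codes AD puts in the "data" field of an invalidCredentials (49) reply.
DATA_CODE_NAMES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "logon time restriction",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

_LDAPERR_RE = re.compile(
    r"^(?P<code>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), "
    r"v(?P<version>[0-9A-Fa-f]+)$"
)


def parse_ad_ldaperr(info):
    """Split an AD 'info' diagnostic string into its fields.

    Returns None when the string is not in the AD LdapErr form (e.g. an
    OpenLDAP server's message), so callers can branch on it safely.
    """
    m = _LDAPERR_RE.match(info)
    if m is None:
        return None
    code = int(m.group("code"), 16)
    data = int(m.group("data"), 16)
    return {
        "win32_code": code,
        "win32_name": LEADING_CODE_NAMES.get(code, "UNKNOWN"),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "data_name": DATA_CODE_NAMES.get(data, "n/a"),
        "version": m.group("version"),
    }


def has_kerberos_ticket():
    """True if the default credential cache holds a valid TGT.

    `klist -s` exits 0 only when a valid ticket is present. Returns False
    when klist itself is not installed, so the caller can fall back to
    another mechanism before attempting a GSSAPI bind.
    """
    try:
        result = subprocess.run(
            ["klist", "-s"], check=False,
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
    except FileNotFoundError:
        return False
    return result.returncode == 0


def gssapi_bind_or_fail(uri, min_ssf=56):
    """GSSAPI bind that refuses to proceed without a SASL security layer.

    OPT_X_SASL_SSF_MIN makes libldap reject a negotiation that yields a
    security strength factor below min_ssf; the explicit check afterwards
    guards against the case where the option is silently ignored. Requires
    python-ldap and a reachable server (assumption, not run here).
    """
    import ldap
    import ldap.sasl  # lazy import: the parser above works without python-ldap

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_X_SASL_SSF_MIN, min_ssf)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    ssf = conn.get_option(ldap.OPT_X_SASL_SSF)
    if ssf < min_ssf:
        conn.unbind_s()
        raise RuntimeError("GSSAPI bind negotiated SSF %d < %d; refusing "
                           "to send requests in the clear" % (ssf, min_ssf))
    return conn


if __name__ == "__main__":
    # The message from the post above, and a constructed invalidCredentials one.
    for msg in (
        "000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this "
        "operation a successful bind must be completed on the connection., "
        "data 0, v1db0",
        "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext "
        "error, data 52e, v1db1",
    ):
        print(parse_ad_ldaperr(msg))
    print("kerberos ticket available:", has_kerberos_ticket())
```

Calling `gssapi_bind_or_fail('ldap://employer.com')` in place of the bare `sasl_interactive_bind_s` in the test script turns the silent-cleartext case into an exception, which is the outcome you want from a client talking to a directory over an untrusted network.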
