[python-ldap] GSSAPI and Active Directory

Rob McBroom mailinglist0 at skurfer.com
Fri Sep 2 04:27:14 CEST 2011


On Sep 1, 2011, at 5:10 PM, Michael Ströder wrote:

> Hard to tell. It works for me.

Well, good to know it’s possible in theory.

> Are you sure that ldapsearch -Y GSSAPI works from the very same system and
> using the very same OpenLDAP libs as your Python code?

I don’t usually explicitly give the -Y option, but there’s no place my identity could be coming from other than GSSAPI so, yes. The “same” LDAP libs? Technically, no on the Mac. Same version, but not the same files. Perhaps you remember an [earlier discussion][1] on that.

But that’s clearly not the problem. The error was the same on 10.6, where the libraries were literally the same and on a RHEL5 system where everything is coming from “official” packages.

> Did kinit work?

Of course.

> Does your Python code have access to the TGT cache?

I don’t know how to test that directly, but like I said, it works when searching OpenLDAP so I have to assume it does. And the bind succeeds with the AD server. It’s only when searching that it complains. It seems to act as if the bind never took place. In fact, I just tested the script with the bind statement commented out and the error is the same.

[1]: http://projects.skurfer.com/posts/2011/python_ldap_lion/

-- 
Rob McBroom
<http://www.skurfer.com/>
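
The question above about whether the Python process can see the credential cache, as an added example that is not part of the original message: it resolves the cache name the process would use and reads the default principal from a version 4 FILE cache. The function names, the `/tmp/krb5cc_<uid>` default and the sample bytes are assumptions made for illustration.

```python
import os
import struct

def resolve_ccache(env=None):
    """Split the cache name this process would use into (type, residual)."""
    env = os.environ if env is None else env
    # Assumption: MIT-style default when KRB5CCNAME is unset (krb5.conf may override).
    name = env.get("KRB5CCNAME") or "FILE:/tmp/krb5cc_%d" % os.getuid()
    kind, sep, rest = name.partition(":")
    if sep and kind.isalpha() and len(kind) > 1:
        return kind.upper(), rest
    return "FILE", name  # a bare path means a FILE cache

def _counted(buf, pos):
    # Read a 32-bit big-endian length, then that many bytes.
    (n,) = struct.unpack_from(">I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 4:pos + 4 + n].decode("utf-8", "replace"), pos + 4 + n

def default_principal(data):
    """Parse the default principal from a version 4 FILE ccache (magic 0x0504)."""
    if data[:2] != b"\x05\x04":
        raise ValueError("not a version 4 credential cache")
    (hdrlen,) = struct.unpack_from(">H", data, 2)
    pos = 4 + hdrlen  # skip the header tags
    _name_type, count = struct.unpack_from(">II", data, pos)
    realm, pos = _counted(data, pos + 8)
    parts = []
    for _ in range(count):
        part, pos = _counted(data, pos)
        parts.append(part)
    return "/".join(parts) + "@" + realm

def ccache_status(env=None):
    """Report what this process can see, without contacting any server."""
    kind, path = resolve_ccache(env)
    if kind != "FILE":
        return kind, "not a file cache; inspect it with klist"
    try:
        with open(path, "rb") as fh:
            return kind, default_principal(fh.read())
    except OSError as exc:
        return kind, "cannot read %s: %s" % (path, exc.strerror)
    except (ValueError, struct.error) as exc:
        return kind, "unparseable cache: %s" % exc

# Constructed sample: v4 header, no tags, default principal rob@EXAMPLE.COM.
SAMPLE = (b"\x05\x04\x00\x00" + struct.pack(">II", 1, 1) + struct.pack(">I", 11)
          + b"EXAMPLE.COM" + struct.pack(">I", 3) + b"rob")
```

Call `ccache_status()` in the same interpreter and environment as the LDAP script. A principal in the result shows the cache is readable by that process, not that the ticket in it is still valid.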