[python-ldap] GSSAPI and Active Directory

Michael Ströder michael at stroeder.com
Wed Sep 7 08:58:18 CEST 2011


Rob McBroom wrote:
> On Sep 2, 2011, at 2:26 PM, Michael Ströder wrote:
> 
>> I'd first set trace_level to 2 to check whether the bind method is called at all.
> 
> It is called, and now I *know* it’s working because I’ve added a call to
> whoami_s before the search which correctly identifies me.

So this is W2K8 since the Who Am I extended operation is not supported in
W2K3. I don't have a test machine of W2K8 at hand.

>     *** ldap://employer.com - SimpleLDAPObject.set_option
>     ((17, 3), {})
>     => result:
>     None
>     *** ldap://employer.com - SimpleLDAPObject.sasl_interactive_bind_s
>     (('', <ldap.sasl.gssapi instance at 0x10c0913b0>, None, None, 2), {})
>     => result:
>     0
>     *** ldap://employer.com - SimpleLDAPObject.whoami_s
>     ((None, None), {})
>     => result:
>     'u:EMPLOYER\\Username'
>     *** ldap://employer.com - SimpleLDAPObject.search_ext
>     (('dc=employer,dc=com',
>       2,
>       '(sn=McBroom)',
>       ['sAMAccountName', 'userPrincipalName'],
>       0,
>       None,
>       None,
>       -1,
>       0),
>      {})
>     => result:
>     4
>     *** ldap://employer.com - SimpleLDAPObject.result4
>     ((4, 1, -1, 0, 0, 0), {})
>     => LDAPError - OPERATIONS_ERROR: {'info': '000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0', 'desc': 'Operations error'}

Are you 100% sure that the very same LDAPObject instance is used when doing
the search? I note a deficiency of the trace logging since it does not print
the object id.

Ciao, Michael.
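
One way to answer the "same LDAPObject instance?" question when the trace does not print the object id, as an added example that is not code from this thread or from python-ldap: a proxy that tags each call with id() of the wrapped object and tracks bind state per object. TracedConn, calls_without_bind, FakeConn and demo are hypothetical names; FakeConn is a constructed stand-in so the script runs without a directory server, with method names taken from the trace above.

```python
# Added example. FakeConn is a constructed stand-in for a python-ldap
# connection object so this runs offline; method names follow the trace.
BIND_METHODS = {"simple_bind_s", "sasl_interactive_bind_s"}
AFTER_BIND = {"whoami_s", "search_ext", "search_s"}  # expected on a bound object


class TracedConn:
    """Proxy that logs (object id, method, bound?) for every call."""

    def __init__(self, target, log):
        self._target = target
        self._log = log        # list shared by all proxies
        self._bound = False    # bind state of *this* object only

    def __getattr__(self, name):
        attr = getattr(self._target, name)
        if not callable(attr):
            return attr

        def traced(*args, **kwargs):
            result = attr(*args, **kwargs)  # an exception leaves _bound unchanged
            if name in BIND_METHODS:
                self._bound = True
            self._log.append((id(self._target), name, self._bound))
            return result
        return traced


def calls_without_bind(log):
    """Return logged calls that ran on an object that was never bound."""
    return [(oid, name) for oid, name, bound in log
            if name in AFTER_BIND and not bound]


class FakeConn:  # constructed stand-in, returns the values seen in the trace
    def set_option(self, option, value): return None
    def sasl_interactive_bind_s(self, who, auth): return 0
    def whoami_s(self): return "u:EMPLOYER\\Username"
    def search_ext(self, base, scope, filterstr, attrlist): return 4


def demo():
    log = []
    a = TracedConn(FakeConn(), log)   # bound, then checked with whoami_s
    b = TracedConn(FakeConn(), log)   # second object, never bound
    a.sasl_interactive_bind_s("", object())
    a.whoami_s()
    b.search_ext("dc=employer,dc=com", 2, "(sn=McBroom)", ["sAMAccountName"])
    return log, calls_without_bind(log), id(a._target), id(b._target)
```

Wrapping the real connection the same way shows at a glance whether the bind and the search carry the same object id.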


