[python-ldap] testing for credentials

Michael Ströder michael at stroeder.com
Sat Jul 7 11:50:40 CEST 2012

Rob McBroom wrote:
> I'd like my scripts to attempt Kerberos, but fall back to simple authentication if that fails. If I do this:
>     import ldap.sasl
>     auth_tokens = ldap.sasl.gssapi()
> Is there something about `auth_tokens` I can use to determine whether or not a valid Kerberos ticket exists? The object appears to be identical with or without credentials. If I try to bind, the difference becomes apparent, but I'd obviously like to know which type of authentication to use *before* the bind.
> I could run `klist -s` and check the exit code like an animal, but I was hoping for a simpler way.

There's nothing you can check in advance.

I'd simply try SASL/GSSAPI bind first and catch the exception for falling back
to simple bind. IMHO this is the best approach anyway.

Ciao, Michael.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3883 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.python.org/pipermail/python-ldap/attachments/20120707/03da615b/attachment.bin>

More information about the python-ldap mailing list