[python-ldap] Is it possible to bind using a kerberos keytab
python at spahan.ch
Wed Dec 24 09:44:41 CET 2014
Disclaimer: I don't use AD, but MIT kerberos and redhat-directory-server.
This assumes the kerberos kinit was already done correctly (your code looks like it should work).
> import ldap.sasl
> [ ... ]
> auth_tokens = ldap.sasl.gssapi()
> conn = ldap.initialize('%s://%s' %(self.config.ldapproto, testserv))
> if conn.sasl_interactive_bind_s('', auth_tokens) == 0:
>     [ ... do something with the connection ]
Greetings
Hanspeter
On Tue, 2014-12-23 at 16:23 +0000, Kev SMITH wrote:
> RH 6.5
> Python 2.6.8
> ldap 2.3.12
>
> I am trying to bind to windows 2003 AD using a keytab - my code successfully initialises the keytab, the ldap options but I just can not seem to get the bind to work using a keytab.
> Is this type of authentication supported?
>
> >>
>
> kinit = 'a path to kinit'
> kinitopt = '-kt'
> keytab = 'a path to a keytab'
> svca = 'a windows account'
>
> kinit_args = [ kinit, kinitopt, keytab, svca ]
> #print ' '.join(kinit_args)
>
> kinit = subprocess.Popen(kinit_args, stderr = subprocess.PIPE)
> output,error = kinit.communicate()
> if not kinit.returncode == 0:
>     if error:
>         print error.rstrip()
>     sys.exit(kinit.returncode)
>
> # I have a keytab loaded at this point
>
> ad = ldap.initialize('ldap://mydomain.acme.com')
> ad.protocol_version = 3
> ad.set_option(ldap.OPT_REFERRALS, 0)
> ad.set_option(ldap.OPT_DEBUG_LEVEL, 255)
>
> ad.bind()  # <-------------------------------------- how to bind using the keytab at this point?
>
> <<
>
> Any pointers appreciated - thanks!
>
> Kev.S
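The two halves of this thread (kinit from a keytab, then a SASL/GSSAPI bind) combined into one function, as an added example that is not code from either poster or from the python-ldap project. It is written for Python 3 with a current python-ldap; the helper names, the throwaway ticket cache and the keytab permission check are assumptions of this example.

```python
import os
import stat
import subprocess
import tempfile


def keytab_is_private(path):
    """A keytab holds long-term keys: refuse one readable by group or others."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def kinit_command(keytab, principal, kinit="kinit"):
    """argv for the non-interactive `kinit -kt` login used in the thread."""
    return [kinit, "-kt", keytab, principal]


def private_ccache_env(ccache_path, base_env=None):
    """Copy of the environment pointing Kerberos at a dedicated ticket cache."""
    env = dict(os.environ if base_env is None else base_env)
    env["KRB5CCNAME"] = "FILE:" + ccache_path
    return env


def gssapi_bind_with_keytab(uri, keytab, principal):
    """kinit from the keytab into a throwaway cache, then SASL/GSSAPI bind."""
    import ldap          # python-ldap, imported lazily so the helpers
    import ldap.sasl     # above stay usable without it installed

    if not keytab_is_private(keytab):
        raise PermissionError("keytab %s is readable by group/other" % keytab)
    previous = os.environ.get("KRB5CCNAME")
    with tempfile.TemporaryDirectory() as tmp:  # directory is created mode 0700
        env = private_ccache_env(os.path.join(tmp, "krb5cc"))
        subprocess.run(kinit_command(keytab, principal), env=env, check=True)
        # The GSSAPI library inside this process finds the ticket via KRB5CCNAME.
        os.environ["KRB5CCNAME"] = env["KRB5CCNAME"]
        try:
            conn = ldap.initialize(uri)  # ticket is requested for ldap/<host in uri>
            conn.set_option(ldap.OPT_REFERRALS, 0)
            conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
            return conn, conn.whoami_s()
        finally:  # do not leave the process pointing at the deleted cache
            if previous is None:
                del os.environ["KRB5CCNAME"]
            else:
                os.environ["KRB5CCNAME"] = previous
```

Keeping the service ticket in its own cache means the bind neither overwrites nor reuses whatever tickets the invoking user already holds in the default cache.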