[python-ldap] Is it possible to bind using a kerberos keytab
Rob McBroom
mailinglist0 at skurfer.com
Wed Dec 24 20:07:00 CET 2014
On 23 Dec 2014, at 11:23, Kev SMITH wrote:
> I am trying to bind to windows 2003 AD using a keytab - my code
> successfully initialises the keytab, the ldap options but I just can
> not seem to get the bind to work using a keytab.
> Is this type of authentication supported?
Yes. I used to use it all the time, and while it would work with
something like MIT Kerberos, I could never get it to work against AD.
(We were on 2008. You might have better luck with 2003.)
I think the bit you’re asking about is
auth_tokens = ldap.sasl.gssapi()
adconn.sasl_interactive_bind_s('', auth_tokens)
That will use an existing Kerberos ticket. (Don’t ask me how, because
the `auth_tokens` object is identical with or without a ticket.)
Here’s a full script I had when I was trying to troubleshoot the AD
problems. The first call to `whoami` returned my DN from AD, so I know
the bind worked, but as soon as I tried to do something (like search) it
would fail and the second call to `whoami` would no longer return my DN.
#!/usr/bin/env python
# encoding: utf-8
import ldap
import ldap.sasl
from pprint import pprint

last = 'McBroom'

adconn = ldap.initialize('ldap://employer.com')
ldap.set_option(ldap.OPT_REFERRALS, 1)
ldap.set_option(ldap.OPT_PROTOCOL_VERSION, 3)

# GSSAPI SASL bind using the Kerberos ticket already in the credential cache
auth_tokens = ldap.sasl.gssapi()
adconn.sasl_interactive_bind_s('', auth_tokens)

# first whoami: returns my DN, so the bind worked
print adconn.whoami_s()

ad_search = adconn.search_s(
    'dc=employer,dc=com',
    ldap.SCOPE_SUBTREE,
    '(sn=%s)' % last,
    ['sAMAccountName', 'userPrincipalName']
)

# second whoami: after the search this no longer returned my DN
print adconn.whoami_s()

for (dn, attrs) in ad_search:
    pprint(attrs['sAMAccountName'][0])
Good luck.
--
Rob McBroom
http://www.skurfer.com/
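The same bind-then-search flow written for python-ldap 3 on Python 3, as an added example (not Rob's script and not python-ldap's own code). It assumes placeholder server and base DN values and a Kerberos ticket already in the credential cache; it keeps the before/after whoami check from the post, sets options per connection, escapes the surname before it goes into the filter, and leaves referral chasing off, since libldap follows AD referrals with an anonymous rebind.

```python
#!/usr/bin/env python3
"""GSSAPI SASL bind to AD with python-ldap 3, then a search.

Added example; not the original post's script. Assumes python-ldap 3.x,
a ticket already in the credential cache (kinit, or one obtained from a
keytab), and placeholder URI/base DN values.
"""
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE; local so helpers load without python-ldap

# RFC 4515 escapes: a surname taken from input cannot change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def surname_filter(surname):
    return "(sn=%s)" % escape_filter_value(surname)

def gssapi_connect(uri):
    """Bind with the existing Kerberos ticket; options set per connection, not globally."""
    import ldap
    import ldap.sasl
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    # AD answers subtree searches with referrals. With chasing on, libldap
    # follows them using an anonymous rebind, so the Kerberos identity is
    # lost on the follow-up connection; leaving chasing off avoids that.
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return conn

def search_by_surname(conn, base, surname):
    """Return (whoami before, whoami after, [(dn, sAMAccountName), ...]).

    The two whoami calls are the post's diagnostic: a second result that
    differs from the first means the connection no longer carries the
    caller's identity.
    """
    before = conn.whoami_s()
    results = conn.search_s(base, SCOPE_SUBTREE, surname_filter(surname), ["sAMAccountName"])
    after = conn.whoami_s()
    # AD mixes referral entries (dn is None) into the result list; skip them.
    users = [(dn, attrs["sAMAccountName"][0].decode()) for dn, attrs in results if dn]
    return before, after, users

if __name__ == "__main__":
    c = gssapi_connect("ldap://dc.example.com")  # placeholder host
    print(search_by_surname(c, "dc=example,dc=com", "McBroom"))
```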