[python-ldap] GSSAPI and Active Directory
Jun Sheng
chaoseternal at gmail.com
Wed Aug 12 00:52:23 CEST 2015
I remember that if GSSAPI is used, a successful Kerberos login (kinit) must
be performed before doing ldap_bind, but I am not very sure.
Still, AD supports DIGEST-MD5; I suggest you try that first.
On Tue, Aug 11, 2015 at 3:50 PM, 陈伟洪 <whchen1080 at gmail.com> wrote:
> In the Linux environment, I tried to run this script:
>
>
> import ldap
> import ldap.sasl
>
> adconn = ldap.initialize('ldap://192.168.1.198:389')
> adconn.protocol_version = ldap.VERSION3
> sasl_auth = ldap.sasl.sasl(
>     {
>         ldap.sasl.CB_AUTHNAME: "",
>         ldap.sasl.CB_PASS: "",
>     },
>     'GSSAPI'
> )
> adconn.sasl_interactive_bind_s('', sasl_auth)
>
> result:
>
> root@872d112a0c37:/var/edo/wo# bin/python test_ldap.py
> Traceback (most recent call last):
>   File "bin/python", line 275, in <module>
>     exec(compile(__file__f.read(), __file__, "exec"))
>   File "test_ldap.py", line 13, in <module>
>     adconn.sasl_interactive_bind_s('', sasl_auth)
>   File "/opt/buildout-cache/eggs/python_ldap-2.4.14-py2.7-linux-x86_64.egg/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s
>     return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
>   File "/opt/buildout-cache/eggs/python_ldap-2.4.14-py2.7-linux-x86_64.egg/ldap/ldapobject.py", line 99, in _ldap_call
>     result = func(*args,**kwargs)
> ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)', 'desc': 'Local error'}
>
> Does python-ldap not support username/password as credentials to log in to an
> MS AD server which only supports GSSAPI?
>
> 2015-08-10 23:15 GMT+08:00 Michael Ströder <michael at stroeder.com>:
>>
>> 陈伟洪 wrote:
>> > I'm unable to search Active Directory with GSSAPI for some reason.
>> >
>> >
>> > Here's a small test script I've been using.
>> >
>> > import ldap
>> > import ldap.sasl
>> >
>> > adconn = ldap.initialize('ldap://192.168.1.198:389/', trace_level=1)
>> > adconn.protocol_version = ldap.VERSION3
>> > sasl_auth = ldap.sasl.sasl(
>> >     {
>> >     },
>> >     'GSSAPI'
>> > )
>> >
>> > adconn.sasl_interactive_bind_s('', sasl_auth)
>> >
>> > It fails every time with
>> >
>> > C:\Users\whchen\Downloads>python test_ldap.py
>>
>> It seems you're on Windows.
>>
>> I don't know the detailed status of SASL support in current Windows builds of
>> python-ldap but IMO SASL/GSSAPI does not work on Windows. Especially this
>> would require to install Kerberos for Windows and build against that. Current
>> KfW releases seem to be able to make use of the Windows ticket store but I
>> never tried out myself.
>>
>> SASL/GSSAPI with MS AD works ok on most Linux boxes with LDAP libs built with
>> SASL and Kerberos libs.
>>
>> Ciao, Michael.
>>
>
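
The precondition discussed in this thread (a Kerberos ticket must already be in the credential cache before a SASL/GSSAPI bind), as an added example that is not part of the original messages or of python-ldap itself. It assumes a `klist` binary (MIT or Heimdal) on PATH and python-ldap built with SASL and Kerberos; the helper names `has_kerberos_ticket`, `explain_local_error` and `gssapi_bind` and the host name are hypothetical.

```python
import subprocess

NO_CREDS = "No Kerberos credentials available"  # text from the traceback above


def has_kerberos_ticket(env=None):
    """True if `klist -s` finds a readable, unexpired credential cache."""
    try:
        rc = subprocess.run(["klist", "-s"], env=env,
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL).returncode
    except FileNotFoundError:  # Kerberos client tools are not installed
        return False
    return rc == 0


def explain_local_error(exc_args):
    """Map the dict carried by ldap.LOCAL_ERROR to a hint for the operator."""
    detail = exc_args[0] if exc_args and isinstance(exc_args[0], dict) else {}
    info = detail.get("info", "")
    if NO_CREDS in info:
        return "no ticket in the credential cache: run kinit <user>@<REALM> first"
    return "GSSAPI failed locally: " + (info or detail.get("desc", "unknown"))


def gssapi_bind(uri):
    """Bind with the ticket already in the cache; no password is passed in."""
    import ldap        # imported lazily so the helpers work without python-ldap
    import ldap.sasl
    if not has_kerberos_ticket():
        raise RuntimeError("no valid Kerberos ticket; run kinit before binding")
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    try:
        conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    except ldap.LOCAL_ERROR as exc:
        raise RuntimeError(explain_local_error(exc.args)) from exc
    return conn


if __name__ == "__main__":
    # dc01.example.test is a constructed placeholder. GSSAPI builds the
    # ldap/<host> service principal from the host name, so the DC's DNS name
    # is used here rather than an IP address.
    conn = gssapi_bind("ldap://dc01.example.test")
    print(conn.whoami_s())
```

With GSSAPI the `CB_AUTHNAME`/`CB_PASS` callbacks are not what authenticates the bind; the identity comes from the ticket obtained by `kinit`.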