[python-ldap] GSSAPI and Active Directory

Jun Sheng chaoseternal at gmail.com
Wed Aug 12 00:52:23 CEST 2015


I remember that if GSSAPI is used, a successful Kerberos login (kinit) must
be performed before doing ldap_bind, but I am not very sure.

Still, AD supports DIGEST-MD5; I suggest you try that first.

On Tue, Aug 11, 2015 at 3:50 PM, 陈伟洪 <whchen1080 at gmail.com> wrote:
> In the Linux environment, I tried to run this script:
>
>
> import ldap
> import ldap.sasl
>
> adconn = ldap.initialize('ldap://192.168.1.198:389')
> adconn.protocol_version = ldap.VERSION3
> sasl_auth = ldap.sasl.sasl(
>           {
>             ldap.sasl.CB_AUTHNAME:"",
>             ldap.sasl.CB_PASS    :"",
>           },
>             'GSSAPI'
>             )
> adconn.sasl_interactive_bind_s('', sasl_auth)
>
> result:
>
> root at 872d112a0c37:/var/edo/wo# bin/python test_ldap.py
> Traceback (most recent call last):
>   File "bin/python", line 275, in <module>
>     exec(compile(__file__f.read(), __file__, "exec"))
>   File "test_ldap.py", line 13, in <module>
>     adconn.sasl_interactive_bind_s('', sasl_auth)
>   File
> "/opt/buildout-cache/eggs/python_ldap-2.4.14-py2.7-linux-x86_64.egg/ldap/ldapobject.py",
> line 229, in sasl_interactive_bind_s
>     return
> self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
>   File
> "/opt/buildout-cache/eggs/python_ldap-2.4.14-py2.7-linux-x86_64.egg/ldap/ldapobject.py",
> line 99, in _ldap_call
>     result = func(*args,**kwargs)
> ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information (No
> Kerberos credentials available)', 'desc': 'Local error'}
>
> Does python-ldap not support username/password as credentials to log in to
> an MS AD server which only supports GSSAPI?
>
> 2015-08-10 23:15 GMT+08:00 Michael Ströder <michael at stroeder.com>:
>>
>> 陈伟洪 wrote:
>> > I'm unable to search Active Directory with GSSAPI for some reason.
>> >
>> >
>> > Here's a small test script I've been using.
>> >
>> > import ldap
>> > import ldap.sasl
>> >
>> > adconn = ldap.initialize('ldap://192.168.1.198:389/', trace_level=1)
>> > adconn.protocol_version = ldap.VERSION3
>> > sasl_auth = ldap.sasl.sasl(
>> >            {
>> >            },
>> >              'GSSAPI'
>> >              )
>> >
>> > adconn.sasl_interactive_bind_s('', sasl_auth)
>> >
>> >
>> >
>> > It fails every time with
>> >
>> >   C:\Users\whchen\Downloads>python test_ldap.py
>>
>> It seems you're on Windows.
>>
>> I don't know the detailed status of SASL support in current Windows builds
>> of python-ldap but IMO SASL/GSSAPI does not work on Windows. Especially this
>> would require installing Kerberos for Windows and building against that.
>> Current KfW releases seem to be able to make use of the Windows ticket store
>> but I never tried it out myself.
>>
>> SASL/GSSAPI with MS AD works ok on most Linux boxes with LDAP libs built
>> with SASL and Kerberos libs.
>>
>> Ciao, Michael.
>>
>
>
>
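
Added example, not part of the thread and not python-ldap's own code: a GSSAPI bind that first checks the Kerberos ticket cache (the kinit step mentioned in the reply) and translates the "No Kerberos credentials available" failure from the traceback into a hint. The host name is a constructed placeholder, the helper names are hypothetical, and `klist -s` assumes the MIT Kerberos client tools are installed.

```python
# Added illustration; helper names are hypothetical, the URI is a placeholder.
import subprocess


def has_kerberos_ticket(klist="klist"):
    """True if `klist -s` reports a credential cache with a non-expired ticket."""
    try:
        return subprocess.run([klist, "-s"], check=False).returncode == 0
    except OSError:  # klist missing or not executable
        return False


def explain_gssapi_error(info):
    """Map the 'info' text of ldap.LOCAL_ERROR to a hint for the operator."""
    if "No Kerberos credentials available" in info:
        return "no ticket in the credential cache: run kinit user@REALM first"
    if "Ticket expired" in info:
        return "ticket expired: run kinit again"
    return "unrecognised GSSAPI failure: " + info


def gssapi_bind(uri):
    """Bind with SASL/GSSAPI from the ticket cache; no password is passed."""
    import ldap        # python-ldap, imported lazily so the helpers above
    import ldap.sasl   # remain usable on hosts without it

    if not has_kerberos_ticket():
        raise RuntimeError("no valid Kerberos ticket: run kinit before binding")
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    try:
        # GSSAPI takes its credentials from the ticket cache, so the
        # CB_AUTHNAME / CB_PASS callbacks are not supplied here.
        conn.sasl_interactive_bind_s("", ldap.sasl.gssapi(""))
    except ldap.LOCAL_ERROR as exc:
        detail = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
        raise RuntimeError(explain_gssapi_error(str(detail.get("info", "")))) from exc
    return conn


if __name__ == "__main__":
    # Constructed placeholder URI; replace with your domain controller.
    gssapi_bind("ldap://dc1.example.test")
    print("GSSAPI bind succeeded")
```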

