[python-ldap] GSSAPI and Active Directory

陈伟洪 whchen1080 at gmail.com
Wed Aug 12 03:17:36 CEST 2015


I tried to use digest-md5:

source:

import ldap
import ldap.sasl

adconn = ldap.initialize('ldap://192.168.1.198:389')
adconn.protocol_version = ldap.VERSION3
sasl_auth = ldap.sasl.sasl(
    {
        ldap.sasl.CB_AUTHNAME: "administrator",
        ldap.sasl.CB_PASS: "",
    },
    'digest-md5',
)
adconn.sasl_interactive_bind_s('', sasl_auth)

result:

cwh at zopen05:~/gitlab/workonline$ python test_ldap.py
Traceback (most recent call last):
  File "test_ldap.py", line 13, in <module>
    adconn.sasl_interactive_bind_s('', sasl_auth)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'info': "80090303: LdapErr: DSID-0C0904BE, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1", 'desc': 'Invalid credentials'}



2015-08-12 6:52 GMT+08:00 Jun Sheng <chaoseternal at gmail.com>:

> I remember that if GSSAPI is used, a successful Kerberos login (kinit) must
> be performed before doing ldap_bind, but I am not very sure.
>
> Still, AD supports digest-md5, so I suggest you try that first.
>
> On Tue, Aug 11, 2015 at 3:50 PM, 陈伟洪 <whchen1080 at gmail.com> wrote:
> > In the Linux environment, I tried to run this script:
> >
> >
> > import ldap
> > import ldap.sasl
> >
> > adconn = ldap.initialize('ldap://192.168.1.198:389')
> > adconn.protocol_version = ldap.VERSION3
> > sasl_auth = ldap.sasl.sasl(
> >           {
> >             ldap.sasl.CB_AUTHNAME:"",
> >             ldap.sasl.CB_PASS    :"",
> >           },
> >             'GSSAPI'
> >             )
> > adconn.sasl_interactive_bind_s('', sasl_auth)
> >
> > result:
> >
> > root at 872d112a0c37:/var/edo/wo# bin/python test_ldap.py
> > Traceback (most recent call last):
> >   File "bin/python", line 275, in <module>
> >     exec(compile(__file__f.read(), __file__, "exec"))
> >   File "test_ldap.py", line 13, in <module>
> >     adconn.sasl_interactive_bind_s('', sasl_auth)
> >   File "/opt/buildout-cache/eggs/python_ldap-2.4.14-py2.7-linux-x86_64.egg/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s
> >     return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
> >   File "/opt/buildout-cache/eggs/python_ldap-2.4.14-py2.7-linux-x86_64.egg/ldap/ldapobject.py", line 99, in _ldap_call
> >     result = func(*args,**kwargs)
> > ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)', 'desc': 'Local error'}
> >
> > Does python-ldap not support username/password credentials for logging in to
> > an MS AD server which only supports GSSAPI?
> >
> > 2015-08-10 23:15 GMT+08:00 Michael Ströder <michael at stroeder.com>:
> >>
> >> 陈伟洪 wrote:
> >> > I'm unable to search Active Directory with GSSAPI for some reason.
> >> >
> >> >
> >> > Here's a small test script I've been using.
> >> >
> >> > import ldap
> >> > import ldap.sasl
> >> >
> >> > adconn = ldap.initialize('ldap://192.168.1.198:389/', trace_level=1)
> >> > adconn.protocol_version = ldap.VERSION3
> >> > sasl_auth = ldap.sasl.sasl(
> >> >            {
> >> >            },
> >> >              'GSSAPI'
> >> >              )
> >> >
> >> > adconn.sasl_interactive_bind_s('', sasl_auth)
> >> >
> >> >
> >> >
> >> > It fails every time with
> >> >
> >> >   C:\Users\whchen\Downloads>python test_ldap.py
> >>
> >> It seems you're on Windows.
> >>
> >> I don't know the detailed status of SASL support in current Windows builds of
> >> python-ldap but IMO SASL/GSSAPI does not work on Windows. Especially since this
> >> would require installing Kerberos for Windows and building against that. Current
> >> KfW releases seem to be able to make use of the Windows ticket store but I
> >> never tried it out myself.
> >>
> >> SASL/GSSAPI with MS AD works ok on most Linux boxes with LDAP libs built with
> >> SASL and Kerberos libs.
> >>
> >> Ciao, Michael.
> >>
> >
> >
> > _______________________________________________
> > python-ldap mailing list
> > python-ldap at python.org
> > https://mail.python.org/mailman/listinfo/python-ldap
> >
>
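The digest-md5 failure at the top of the thread (80090303, "digest-uri does not match any LDAP SPN's") follows from connecting by IP address: a DIGEST-MD5 client sends digest-uri "ldap/<host>" built from the host in the LDAP URL, and AD only accepts the bind if that value is a servicePrincipalName registered on the domain controller. The check below is an added example, not code from the thread or from python-ldap; it needs only the standard library, and dc01.example.local and the SPN list are constructed sample values.

```python
"""Predict whether AD will accept a DIGEST-MD5 digest-uri for a given LDAP URL."""
import ipaddress
from urllib.parse import urlsplit


def digest_uri_for(ldap_url: str) -> str:
    """Return the digest-uri a SASL DIGEST-MD5 client derives from an LDAP URL.

    Per RFC 2831 the value is "<serv-type>/<host>"; the LDAP client uses the
    host exactly as written in the URL, so an IP literal stays an IP literal.
    """
    parts = urlsplit(ldap_url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {ldap_url!r}")
    return f"ldap/{parts.hostname}"


def check_digest_uri(ldap_url: str, registered_spns) -> list:
    """Return the reasons (empty if none) why AD would reject the digest-uri.

    registered_spns: the DC's servicePrincipalName values. In the demo they
    are constructed; in practice read them from the DC's computer object.
    """
    problems = []
    uri = digest_uri_for(ldap_url)
    host = uri.split("/", 1)[1]
    try:
        ipaddress.ip_address(host)
        problems.append(f"host {host} is an IP literal, which never matches an "
                        "SPN; connect using the DC's registered FQDN instead")
    except ValueError:
        pass  # a hostname, not an address
    spns = {s.lower() for s in registered_spns}
    if uri.lower() not in spns:
        problems.append(f"{uri} is not among the DC's SPNs {sorted(spns)}")
    return problems


# Constructed sample: SPNs as they might appear on a DC's computer object.
DC_SPNS = ["ldap/dc01.example.local", "ldap/dc01.example.local/example.local",
           "ldap/DC01", "HOST/dc01.example.local"]

if __name__ == "__main__":
    for url in ("ldap://192.168.1.198:389", "ldap://dc01.example.local:389"):
        print(url, "->", digest_uri_for(url), check_digest_uri(url, DC_SPNS) or "ok")
```

The same hostname requirement applies to SASL/GSSAPI, where the client requests a ticket for ldap/<host> and an IP literal likewise has no matching SPN.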