[python-ldap] GSSAPI and Active Directory
陈伟洪
whchen1080 at gmail.com
Wed Aug 12 03:17:36 CEST 2015
I tried to use digest-md5:
source:
import ldap
import ldap.sasl

adconn = ldap.initialize('ldap://192.168.1.198:389')
adconn.protocol_version = ldap.VERSION3
# DIGEST-MD5 takes the user name and password via the SASL callbacks
sasl_auth = ldap.sasl.sasl(
    {
        ldap.sasl.CB_AUTHNAME: "administrator",
        ldap.sasl.CB_PASS: "",
    },
    'digest-md5'
)
adconn.sasl_interactive_bind_s('', sasl_auth)
result:
cwh at zopen05:~/gitlab/workonline$ python test_ldap.py
Traceback (most recent call last):
  File "test_ldap.py", line 13, in <module>
    adconn.sasl_interactive_bind_s('', sasl_auth)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'info': "80090303: LdapErr: DSID-0C0904BE, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1", 'desc': 'Invalid credentials'}
2015-08-12 6:52 GMT+08:00 Jun Sheng <chaoseternal at gmail.com>:
> I remember that if GSSAPI is used, a successful Kerberos login (kinit) must
> be performed before doing ldap_bind, but I am not very sure.
>
> Still, AD supports digest-md5; I suggest you try that first.
>
> On Tue, Aug 11, 2015 at 3:50 PM, 陈伟洪 <whchen1080 at gmail.com> wrote:
> > In the Linux environment, I tried to run this script:
> >
> > import ldap
> > import ldap.sasl
> >
> > adconn = ldap.initialize('ldap://192.168.1.198:389')
> > adconn.protocol_version = ldap.VERSION3
> > sasl_auth = ldap.sasl.sasl(
> >     {
> >         ldap.sasl.CB_AUTHNAME: "",
> >         ldap.sasl.CB_PASS: "",
> >     },
> >     'GSSAPI'
> > )
> > adconn.sasl_interactive_bind_s('', sasl_auth)
> >
> > result:
> >
> > root at 872d112a0c37:/var/edo/wo# bin/python test_ldap.py
> > Traceback (most recent call last):
> >   File "bin/python", line 275, in <module>
> >     exec(compile(__file__f.read(), __file__, "exec"))
> >   File "test_ldap.py", line 13, in <module>
> >     adconn.sasl_interactive_bind_s('', sasl_auth)
> >   File "/opt/buildout-cache/eggs/python_ldap-2.4.14-py2.7-linux-x86_64.egg/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s
> >     return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
> >   File "/opt/buildout-cache/eggs/python_ldap-2.4.14-py2.7-linux-x86_64.egg/ldap/ldapobject.py", line 99, in _ldap_call
> >     result = func(*args,**kwargs)
> > ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)', 'desc': 'Local error'}
> >
> > Is it that python-ldap does not support username/password as credentials to
> > log in to an MS AD server which only supports GSSAPI?
> >
> > 2015-08-10 23:15 GMT+08:00 Michael Ströder <michael at stroeder.com>:
> >>
> >> 陈伟洪 wrote:
> >> > I'm unable to search Active Directory with GSSAPI for some reason.
> >> >
> >> >
> >> > Here's a small test script I've been using.
> >> >
> >> > import ldap
> >> > import ldap.sasl
> >> >
> >> > adconn = ldap.initialize('ldap://192.168.1.198:389/', trace_level=1)
> >> > adconn.protocol_version = ldap.VERSION3
> >> > sasl_auth = ldap.sasl.sasl(
> >> >     {
> >> >     },
> >> >     'GSSAPI'
> >> > )
> >> >
> >> > adconn.sasl_interactive_bind_s('', sasl_auth)
> >> >
> >> >
> >> >
> >> > It fails every time with
> >> >
> >> > C:\Users\whchen\Downloads>python test_ldap.py
> >>
> >> It seems you're on Windows.
> >>
> >> I don't know the detailed status of SASL support in current Windows builds
> >> of python-ldap, but IMO SASL/GSSAPI does not work on Windows. In particular,
> >> this would require installing Kerberos for Windows and building against it.
> >> Current KfW releases seem to be able to make use of the Windows ticket store,
> >> but I never tried it out myself.
> >>
> >> SASL/GSSAPI with MS AD works ok on most Linux boxes with LDAP libs built
> >> with SASL and Kerberos libs.
> >>
> >> Ciao, Michael.
> >>
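The thread above shows two distinct failures: the GSSAPI bind raises LOCAL_ERROR because no Kerberos ticket is in the credential cache (no kinit was run), and the DIGEST-MD5 bind raises INVALID_CREDENTIALS because the digest-uri does not match any SPN the domain controller has registered. The script below is an added example, not code from the thread or from python-ldap itself. It is written for Python 3 with python-ldap 3.x, and the host names, SPN list and error payloads used with it are constructed. It assumes the usual explanation of the digest-uri error: the client builds digest-uri as ldap/<host taken from the URI>, so connecting to an IP literal such as 192.168.1.198 can never match an SPN of the form ldap/<dc-fqdn>, and the fix is to connect by the DC's FQDN.

```python
# Added example (not from the thread): preflight checks and a bind helper
# for the two SASL mechanisms discussed above. Python 3 + python-ldap 3.x.
# Host names, SPNs and error payloads passed to these functions are constructed.
import ipaddress
from urllib.parse import urlsplit


def ldap_host(uri):
    """Return the host part of an LDAP URI such as 'ldap://host:389/'."""
    host = urlsplit(uri).hostname
    if host is None:
        raise ValueError("no host in LDAP URI: %r" % uri)
    return host


def host_is_ip_literal(host):
    """True if the client would connect by IP address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def expected_digest_uri(uri):
    """The digest-uri sent in DIGEST-MD5 is 'ldap/' + the host from the URI;
    AD compares it against the DC's registered SPNs (assumption, see lead-in)."""
    return "ldap/" + ldap_host(uri)


def digest_uri_matches_spn(uri, registered_spns):
    """Case-insensitive check of the digest-uri against the SPNs you expect
    the DC to have (e.g. the output of 'setspn -L <dc-name>')."""
    wanted = expected_digest_uri(uri).lower()
    return any(spn.lower() == wanted for spn in registered_spns)


def diagnose_bind_error(desc, info):
    """Map the two failure payloads seen in this thread to the likely fix."""
    if "No Kerberos credentials available" in info:
        return "gssapi: no ticket in the credential cache; run kinit first"
    if "digest-uri does not match any LDAP SPN" in info:
        return "digest-md5: connect by the DC's FQDN so ldap/<host> matches an SPN"
    return "%s: %s" % (desc, info)


def sasl_bind(uri, mech, user=None, password=None):
    """Bind with GSSAPI (ticket obtained earlier via kinit) or DIGEST-MD5
    (user name + password). python-ldap is imported here so that the pure
    checks above can run without it installed."""
    import ldap
    import ldap.sasl

    if mech == "DIGEST-MD5" and host_is_ip_literal(ldap_host(uri)):
        raise ValueError("DIGEST-MD5 needs a host name, not an IP; digest-uri "
                         "would be %r" % expected_digest_uri(uri))
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    if mech == "GSSAPI":
        auth = ldap.sasl.gssapi()               # uses the existing Kerberos ticket
    elif mech == "DIGEST-MD5":
        auth = ldap.sasl.digest_md5(user, password)
    else:
        raise ValueError("unsupported mechanism: %r" % mech)
    try:
        conn.sasl_interactive_bind_s("", auth)
    except ldap.LDAPError as exc:
        payload = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
        raise RuntimeError(diagnose_bind_error(payload.get("desc", ""),
                                               payload.get("info", ""))) from exc
    return conn
```

For GSSAPI, run kinit for the account first and then call sasl_bind("ldap://dc01.example.com", "GSSAPI"); for DIGEST-MD5, pass the DC's FQDN rather than its address, and compare expected_digest_uri() with the SPN list from setspn -L on the DC if the bind still fails.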