[python-ldap] GSSAPI and Active Directory

Jun Sheng chaoseternal at gmail.com
Thu Aug 13 13:08:03 CEST 2015


On Thu, Aug 13, 2015 at 1:51 AM, Michael Ströder <michael at stroeder.com> wrote:
> 陈伟洪 wrote:
>> I try to use digest-md5:
>> [..]
>> ldap.INVALID_CREDENTIALS: {'info': "80090303: LdapErr: DSID-0C0904BE,
>> comment: The digest-uri does not match any LDAP SPN's registered for this
>> server., data 0, v1db1", 'desc': 'Invalid credentials'}
>>
>>
>> 2015-08-12 6:52 GMT+08:00 Jun Sheng <chaoseternal at gmail.com>:
>>
>>> I remember if GSSAPI is used, a successful Kerberos login (kinit) must
>>> be performed before doing ldap_bind, but I am not very sure.
>>>
>>> Still, AD supports digest-md5, I suggest you try that first.
>>>
>>> On Tue, Aug 11, 2015 at 3:50 PM, 陈伟洪 <whchen1080 at gmail.com> wrote:
>>>> In the Linux environment, I tried to run this script:
>>>> [..]
>>>> sasl_auth = ldap.sasl.sasl(
>>>>           {
>>>>             ldap.sasl.CB_AUTHNAME:"",
>>>>             ldap.sasl.CB_PASS    :"",
>>>>           },
>>>>             'GSSAPI'
>>>>             )
>>>> adconn.sasl_interactive_bind_s('', sasl_auth)
>>>> [..]
>>>> ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error:
>>>> Unspecified GSS failure.  Minor code may provide more information (No
>>>> Kerberos credentials available)', 'desc': 'Local error'}
>
> It works for me with both GSSAPI and DIGEST-MD5.
>
> But MS AD is pretty picky regarding correct DNS names to be used. So this
> likely does not work:

I think this requirement is employed by DIGEST-MD5, or say Cyrus-SASL.


>
> ldap.initialize('ldap://192.168.1.198:389')
>
> Put correct DNS names in there. Start with locating the DCs' hostnames:
>
> host -t srv _ldap._tcp.example.com
>
> with example.com being the DNS domain name of your AD domain.
>
> Ciao, Michael.
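The two points raised in this thread, use the DC's real DNS name (found via the `_ldap._tcp` SRV record) rather than an IP address, and obtain Kerberos credentials with kinit before a GSSAPI bind, as an added example that is not part of the original thread. It assumes python-ldap is installed and that `ldap.sasl.gssapi` is available; the `host -t srv` output is a constructed sample, not a real query.

```python
import re

# Constructed sample of `host -t srv _ldap._tcp.example.com` output (not a real domain).
SRV_OUTPUT = """\
_ldap._tcp.example.com has SRV record 0 100 389 dc1.example.com.
_ldap._tcp.example.com has SRV record 10 100 389 dc2.example.com.
"""

def parse_srv(text):
    """Return (priority, weight, port, target) tuples parsed from `host -t srv` output."""
    records = []
    for line in text.splitlines():
        m = re.search(r"has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$", line)
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target))
    return records

def ldap_uri_for_domain(srv_text):
    """Pick the lowest-priority DC and build an ldap:// URI from its FQDN, not its IP."""
    records = parse_srv(srv_text)
    if not records:
        raise ValueError("no SRV records found for the AD domain")
    prio, weight, port, target = min(records)
    return "ldap://%s:%d" % (target, port)

def explain_bind_error(info):
    """Map the two error strings seen in the thread to the likely fix."""
    if "No Kerberos credentials available" in info:
        return "kinit"        # GSSAPI needs a TGT in the credential cache first
    if "digest-uri does not match any LDAP SPN" in info:
        return "use-dc-fqdn"  # DIGEST-MD5 digest-uri must match a registered SPN
    return "unknown"

def gssapi_bind(uri):
    """Bind with SASL/GSSAPI (assumes python-ldap and a prior kinit); not run by the test."""
    import ldap
    import ldap.sasl
    conn = ldap.initialize(uri)
    try:
        conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    except (ldap.LOCAL_ERROR, ldap.INVALID_CREDENTIALS) as e:
        info = e.args[0].get("info", "") if e.args and isinstance(e.args[0], dict) else str(e)
        raise RuntimeError("bind failed (%s): %s" % (explain_bind_error(info), info))
    return conn
```

Run `kinit user@EXAMPLE.COM` first, then `gssapi_bind(ldap_uri_for_domain(SRV_OUTPUT))`; a `kinit` verdict in the error message means no ticket was found, `use-dc-fqdn` means the bind target did not match a registered SPN.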
