[python-ldap] GSSAPI and Active Directory

Michael Ströder michael at stroeder.com
Thu Aug 13 13:12:55 CEST 2015

Jun Sheng wrote:
> On Thu, Aug 13, 2015 at 1:51 AM, Michael Ströder <michael at stroeder.com> wrote:
>> 陈伟洪 wrote:
>>> I try to use digest-md5:
>>> [..]
>>> ldap.INVALID_CREDENTIALS: {'info': "80090303: LdapErr: DSID-0C0904BE,
>>> comment: The digest-uri does not match any LDAP SPN's registered for this
>>> server., data 0, v1db1", 'desc': 'Invalid credentials'}
>>> 2015-08-12 6:52 GMT+08:00 Jun Sheng <chaoseternal at gmail.com>:
>>>> I remember if GSSAPI is used, a successful kerberos login (kinit) must
>>>> be performed before doing ldap_bind, but I am not very sure.
>>>> Still, AD supports digest-md5, I suggest you try that first.
>>>> On Tue, Aug 11, 2015 at 3:50 PM, 陈伟洪 <whchen1080 at gmail.com> wrote:
>>>>> In the Linux environment, I tried to run this script:
>>>>> [..]
>>>>> sasl_auth = ldap.sasl.sasl(
>>>>>           {
>>>>>             ldap.sasl.CB_AUTHNAME:"",
>>>>>             ldap.sasl.CB_PASS    :"",
>>>>>           },
>>>>>             'GSSAPI'
>>>>>             )
>>>>> adconn.sasl_interactive_bind_s('', sasl_auth)
>>>>> [..]
>>>>> ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error:
>>>>> Unspecified GSS failure.  Minor code may provide more information (No
>>>>> Kerberos credentials available)', 'desc': 'Local error'}
>> Both GSSAPI and DIGEST-MD5 work for me.
>> But MS AD is pretty picky regarding the correct DNS names to be used. So this
>> likely does not work:
> I think this requirement is employed by DIGEST-MD5 or say Cyrus-SASL

Have a look at the error message in the DIGEST-MD5 case.
It starts with "80090303: LdapErr: DSID-0C0904BE .." which is typical for
diagnostic messages returned in LDAP results by MS AD.

In the GSSAPI case there are definitely additional dependencies on Kerberos
principal names and on the DNS entries used. In fact "fix your DNS" is the
standard answer when experiencing issues like that.

Ciao, Michael.
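
A pre-flight check for the "fix your DNS" advice above, written as an added
example for this thread (it is neither python-ldap code nor code from any of
the posters). It derives the two names the DC must have registered for the
mechanisms discussed here (the DIGEST-MD5 digest-uri "ldap/<host>" and the
GSSAPI service principal "ldap/<host>@<REALM>"), refuses IP literals and
short names, and verifies that forward and reverse DNS for the DC agree,
because a mismatching PTR record makes a Kerberos client with rdns enabled
ask the KDC for the wrong SPN. The resolver functions are injectable so the
check runs offline; the hostnames, addresses and realm in the sample calls
are constructed for illustration, and the bind helper assumes a TGT is
already in the default credential cache (run kinit first) and only imports
python-ldap when called.

```python
"""Pre-flight checks for a SASL GSSAPI / DIGEST-MD5 bind against AD.

Added example, not python-ldap code. Assumes a domain controller reachable
under its DNS FQDN and, for gssapi_bind(), an existing Kerberos TGT.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def ldap_host(uri):
    """Host part of an LDAP URI, e.g. 'dc1.example.com' from 'ldap://dc1.example.com:389'."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP URI: %r" % (uri,))
    return parts.hostname


def is_fqdn(host):
    """AD matches SPNs on the DC's DNS name; an IP literal or a short
    (unqualified) name will not match any registered ldap/ SPN."""
    try:
        ipaddress.ip_address(host)
        return False          # IP literal
    except ValueError:
        pass
    return "." in host.strip(".")


def expected_names(host, realm):
    """Names the DC must carry for the two mechanisms in the thread:
    DIGEST-MD5 sends digest-uri 'ldap/<host>', GSSAPI asks the KDC for
    the service principal 'ldap/<host>@<REALM>'."""
    host = host.lower().rstrip(".")
    return {"digest-uri": "ldap/%s" % host,
            "spn": "ldap/%s@%s" % (host, realm.upper())}


def dns_consistent(host, getaddrinfo=socket.getaddrinfo,
                   gethostbyaddr=socket.gethostbyaddr):
    """Forward-resolve host, reverse-resolve every address, and require the
    PTR name to be the host itself. Resolvers are parameters so the check
    can be exercised with constructed data instead of a live DNS."""
    problems = []
    try:
        addrs = sorted({ai[4][0] for ai in getaddrinfo(host, None)})
    except socket.gaierror as exc:
        return ["forward lookup of %r failed: %s" % (host, exc)]
    for addr in addrs:
        try:
            ptr_name = gethostbyaddr(addr)[0]
        except socket.herror:
            problems.append("no PTR record for %s (%s)" % (addr, host))
            continue
        if ptr_name.lower().rstrip(".") != host.lower().rstrip("."):
            # With rdns enabled (the MIT krb5 default) the client canonicalises
            # the name via the PTR record and requests ldap/<ptr_name> instead.
            problems.append("PTR for %s is %r, not %r; a client with rdns "
                            "enabled will request ldap/%s"
                            % (addr, ptr_name, host, ptr_name))
    return problems


def preflight(uri, realm, **resolvers):
    """Return (expected names, list of problems) for a bind to uri."""
    host = ldap_host(uri)
    problems = []
    if not is_fqdn(host):
        problems.append("host %r is not a DNS name; AD will not find an "
                        "SPN for it, use the DC's FQDN" % (host,))
    else:
        problems.extend(dns_consistent(host, **resolvers))
    return expected_names(host, realm), problems


def gssapi_bind(uri):
    """Bind with the TGT in the default credential cache (kinit first).
    Imported lazily so the checks above work without python-ldap installed."""
    import ldap
    import ldap.sasl
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)   # AD returns referrals on searches
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return conn.whoami_s()


if __name__ == "__main__":
    # Constructed sample: resolver stubs standing in for a real DNS.
    def fake_addrinfo(host, *args, **kwargs):
        return [(None, None, None, None, ("192.0.2.10", 0))]

    def fake_ptr(addr):
        return ("dc1.example.com", [], [addr])

    print(preflight("ldap://dc1.example.com", "example.com",
                    getaddrinfo=fake_addrinfo, gethostbyaddr=fake_ptr))
    print(preflight("ldap://192.0.2.10", "example.com"))
```

If preflight() reports no problems and "No Kerberos credentials available"
still appears, the credential cache is empty or expired: klist shows whether
a TGT for the realm is present.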
