[Pythonmac-SIG] Active Directory authentication on Mac using Python

eichin@metacarta.com
Sun Aug 14 19:17:31 CEST 2005


I suspect the original mention of LDAP was a bit of a distraction -
that's only useful for authORIZATION (i.e. getting lists of groups and
ACLs that a user has and *deciding* what they can do, once you know
who they are - it's the knowing who they are part that is
authENTICATION, which is done with Kerberos.)

What the original left out was: how do the client and server talk to
each other?  The most common case is for the server to be HTTP and the
authentication to be "Negotiate", which ends up either passing GSSAPI
tokens or falling back to NTLM (which is, hopefully, disabled.)

If that's the protocol you care about, you can look at how Firefox
implements it (Safari still doesn't seem to, though it is *supposed*
to in Tiger; I've yet to get it to work - and it probably wouldn't help
you as much as the Firefox code does.)

If it isn't, then what matters is what your protocol actually does.
It doesn't make any sense to me that the *client* would do LDAP
authorization lookups, simply because it could just as easily "make up
answers" and present them to the server - the client is on the wrong
side of the trust boundary...

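As an added illustration (not part of the original message or of any project it mentions), here is a small Python helper for the server side of the HTTP "Negotiate" exchange described above: it inspects the Authorization value before it reaches GSSAPI, reports which mechanisms the client offers, and flags the NTLM fallback the message hopes is disabled. The OID encodings are the standard ones; the sample tokens are constructed here for the demonstration and carry no real tickets.

```python
import base64

# DER-encoded OIDs (tag 0x06, length, contents) that appear in a GSS-API
# Negotiate token; the values are the standard assignments.
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
MECH_OIDS = {
    "krb5":    bytes.fromhex("06092a864886f712010202"),    # 1.2.840.113554.1.2.2
    "ms-krb5": bytes.fromhex("06092a864882f712010202"),    # 1.2.840.48018.1.2.2
    "ntlm":    bytes.fromhex("060a2b06010401823702020a"),  # 1.3.6.1.4.1.311.2.2.10
}
NTLM_SIGNATURE = b"NTLMSSP\x00"   # bare NTLMSSP message, not wrapped in SPNEGO

def offered_mechanisms(header_value):
    """Return the mechanism names a Negotiate credential offers, in the
    client's preference order. This is a byte scan for the OID encodings,
    not a full ASN.1 parse: enough to log or reject a token before it is
    handed to a real GSSAPI implementation, not a substitute for one."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate credential")
    token = base64.b64decode(b64, validate=True)
    if token.startswith(NTLM_SIGNATURE):
        return ["ntlm"]
    # GSS-API InitialContextToken: [APPLICATION 0] { thisMech OID, inner }
    if token[:1] != b"\x60" or SPNEGO_OID not in token[:16]:
        return []
    found = [(token.find(oid), name) for name, oid in MECH_OIDS.items()]
    return [name for pos, name in sorted(found) if pos >= 0]

def kerberos_preferred(header_value):
    """Policy check: accept only if the client's first-choice mechanism is
    Kerberos, so an NTLM-only fallback never reaches the GSSAPI layer."""
    mechs = offered_mechanisms(header_value)
    return bool(mechs) and mechs[0] in ("krb5", "ms-krb5")

# --- constructed sample tokens (no real tickets or credentials involved) ---
def _der(tag, body):
    assert len(body) < 128          # short-form length is enough for samples
    return bytes([tag, len(body)]) + body

def make_negotiate_header(mech_names):
    """Build an 'Authorization: Negotiate ...' value carrying a SPNEGO
    NegTokenInit whose mechTypes list is mech_names (no mechToken inside)."""
    mech_types = _der(0x30, b"".join(MECH_OIDS[m] for m in mech_names))
    neg_token_init = _der(0x30, _der(0xA0, mech_types))   # [0] mechTypes
    neg_token = _der(0xA0, neg_token_init)                 # NegotiationToken [0]
    token = _der(0x60, SPNEGO_OID + neg_token)             # InitialContextToken
    return "Negotiate " + base64.b64encode(token).decode("ascii")
```

A real deployment still lets the GSSAPI library establish the context; this check only decides what to log or refuse up front.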