[Pythonmac-SIG] Active Directory authentication on Mac using Python

brad.allen@omsdal.com brad.allen at omsdal.com
Mon Aug 15 18:33:10 CEST 2005

eichin at metacarta.com wrote on 08/14/2005 12:17:31 PM:

> I suspect the original mention of LDAP was a bit of a distraction -
> that's only useful for authORIZATION (ie. getting lists of groups and
> acls that a user has and *deciding* what they can do, once you know
> who they are - it's the knowing who they are part that is
> authENTICATION, which is done with kerberos.)

I haven't even started working on authorization. The first problem
is just basic authentication. Some LDAP servers, such as Active Directory,
supposedly supports authentication with queries, so if a username and
password are included as parameters to a query, they will be handled
appropriately. The part I'm not yet clear on has to do with the
requirements on such queries. For instance, Apple's OpenLDAP comes
with SASL authentication, but I haven't yet gotten that to work.
I've tried testing various parameters to the ldapsearch command,
for instance:

ldapsearch -h adserver.ourdomain.org -D "cn=myuserid" -w mypassword -b 

...and here is the error I get on Mac OS 10.4.2:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure:
                GSSAPI Error: Miscellaneous failure (No credentials cache 

> It doesn't make any sense to me that the *client* would do ldap
> authorization lookups, simply because it could just as easily "make up
> answers" and present them to the server - the client is on the wrong
> side of the trust boundary...

I thought one of the key concepts of Kerberos was that the password
is only ever sent to the authentication server by a client, and that
the username and password would never be sent to the application server.
Instead, a Kerberos ticket would be sent, and the application server
would inspect the ticket for validity. Therefore, the client should
never need to send a password to the app server, and the app server
would never be in a position to collect user passwords.

> What the original left out was: how do the client and server talk to
> each other?  The most common case is for the server to be HTTP and the
> authentication to be "Negotiate", which ends up either passing GSSAPI
> tokens or falling back to NTLM (which is, hopefully, disabled.)

The client and server communicate via XML-RPC in the case of the
app I'm working on.

Brad Allen
IT Desktop Support

brad.allen at omsdal.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.python.org/pipermail/pythonmac-sig/attachments/20050815/d4e7ec18/attachment-0001.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 18067 bytes
Desc: not available
Url : http://mail.python.org/pipermail/pythonmac-sig/attachments/20050815/d4e7ec18/attachment-0001.jpeg

More information about the Pythonmac-SIG mailing list