[Pythonmac-SIG] Active Directory authentication on Mac using Python

brad.allen@omsdal.com brad.allen at omsdal.com
Mon Aug 15 22:46:31 CEST 2005

eichin at metacarta.com wrote on 08/15/2005 12:48:56 PM:

> > I thought one of the key concepts of Kerberos was that the password
> > is only ever sent to the authentication server by a client, and that
> Horrors no.  This is one of the common misconceptions about Kerberos.
> The password is *never sent anywhere*.   Not to application servers,
> and not to the authentication server either.
> Instead, the login client (kinit, or loginwindow or whatever) requests
> an "initial ticket" - and then takes your password, turns it into a
> key, and uses that key to decrypt the ticket.  (There are some good
> articles on this, I don't want to duplicate them here, and I'm fudging
> around preauth as well.)
> An application that uses Kerberos uses that initial ticket to get
> other tickets, and present those to the service - so a client
> *application* that uses Kerberos doesn't even ever see the user's
> password.

Thanks for setting me straight. So, I'm unclear on whether LDAP
authentication actually uses Kerberos in some underlying way
(via SASL), or whether it actually sends the password across the 
network. Maybe I'm barking up the wrong tree by trying to use LDAP.

A search at developer.apple.com on "Kerberos" shows many, many articles,
but I'm unclear where to start. I tried a Google search on "Python 
and came up with a module called pykpass. Maybe that will be the next 
for me to try out...


Brad Allen
IT Desktop Support

brad.allen at omsdal.com
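
The initial-ticket exchange described in the quoted explanation above, as an added example that is not part of the original post and is not code from any Kerberos implementation: the request carries only names, and the client derives a key from the password locally to open the reply. `ToyKDC`, `client_login`, `seal` and `unseal` are hypothetical names, the HMAC-based cipher is a stand-in for a real Kerberos encryption type, and preauthentication is left out.

```python
import hashlib, hmac, os

def string_to_key(password, realm, principal):
    # Password -> long-term key, computed locally. PBKDF2-HMAC-SHA1 with a
    # realm+principal salt follows the idea of RFC 3962; details simplified.
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, dklen=32)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode), NOT a Kerberos enctype.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("cannot decrypt reply: wrong password-derived key")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

class ToyKDC:
    def __init__(self, realm):
        self.realm, self.keys = realm, {}

    def add_principal(self, principal, password):
        # The KDC database holds derived keys, not passwords.
        self.keys[principal] = string_to_key(password, self.realm, principal)

    def as_exchange(self, as_req):
        # Request carries names only; reply is a fresh session key sealed under the user's key.
        self.last_session_key = os.urandom(32)
        return seal(self.keys[as_req["principal"]], self.last_session_key)

def client_login(kdc, principal, password):
    as_req = {"principal": principal, "realm": kdc.realm}  # no password on the wire
    as_rep = kdc.as_exchange(as_req)
    key = string_to_key(password, kdc.realm, principal)  # never leaves the client
    return as_req, as_rep, unseal(key, as_rep)
```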