[python-ldap] GSSAPI and Active Directory
Michael Ströder
michael at stroeder.com
Wed Aug 12 19:51:09 CEST 2015
陈伟洪 wrote:
> I try to use digest-md5:
> [..]
> ldap.INVALID_CREDENTIALS: {'info': "80090303: LdapErr: DSID-0C0904BE,
> comment: The digest-uri does not match any LDAP SPN's registered for this
> server., data 0, v1db1", 'desc': 'Invalid credentials'}
>
>
> 2015-08-12 6:52 GMT+08:00 Jun Sheng <chaoseternal at gmail.com>:
>
>> I remember if GSSAPI is used, a successful kerberos login (kinit) must
>> be performed before doing ldap_bind, but I am not very sure.
>>
>> Still, AD supports digest-md5, I suggest you try that first.
>>
>> On Tue, Aug 11, 2015 at 3:50 PM, 陈伟洪 <whchen1080 at gmail.com> wrote:
>>> In the Linux environment, I tried to run this script:
>>> [..]
>>> sasl_auth = ldap.sasl.sasl(
>>> {
>>> ldap.sasl.CB_AUTHNAME:"",
>>> ldap.sasl.CB_PASS :"",
>>> },
>>> 'GSSAPI'
>>> )
>>> adconn.sasl_interactive_bind_s('', sasl_auth)
>>> [..]
>>> ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error:
>>> Unspecified GSS failure. Minor code may provide more information (No
>>> Kerberos credentials available)', 'desc': 'Local error'}
It works for me with both GSSAPI and DIGEST-MD5.
But MS AD is pretty picky regarding correct DNS names to be used. So this
likely does not work:
ldap.initialize('ldap://192.168.1.198:389')
Put correct DNS names in there. Start with locating the DCs' hostnames:
host -t srv _ldap._tcp.example.com
with example.com being the DNS domain name of your AD domain.
Ciao, Michael.
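As an added example (not code from this thread or from python-ldap itself), the following script turns the `host -t srv` output Michael describes into an ordered list of DCs, builds ldap:// URIs from their DNS hostnames, flags an IP-literal URI like the one above, and then performs the GSSAPI bind against the credential cache from a prior kinit. The sample `host` output, the example.com domain and the dc1/dc2/dc3 hostnames are constructed; python-ldap is only needed for the bind.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of `host -t srv _ldap._tcp.example.com` output (not real DCs).
SAMPLE_HOST_OUTPUT = """\
_ldap._tcp.example.com has SRV record 10 100 389 dc2.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 dc1.example.com.
_ldap._tcp.example.com has SRV record 0 50 389 dc3.example.com.
"""

_SRV_RE = re.compile(
    r"^\S+ has SRV record (?P<prio>\d+) (?P<weight>\d+) (?P<port>\d+) (?P<target>\S+)$"
)

def parse_srv_output(text):
    """Parse `host -t srv` lines into (priority, weight, port, hostname) tuples,
    ordered by priority ascending, then weight descending (RFC 2782 preference)."""
    records = []
    for line in text.splitlines():
        m = _SRV_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and resolver warnings
        host = m["target"].rstrip(".")  # drop the trailing dot of the FQDN
        records.append((int(m["prio"]), int(m["weight"]), int(m["port"]), host))
    records.sort(key=lambda r: (r[0], -r[1]))
    return records

def ldap_uris(records):
    """Build ldap:// URIs from the DCs' DNS hostnames so the Kerberos service
    ticket requested for ldap/<hostname> matches an SPN registered on the DC."""
    return ["ldap://%s:%d" % (host, port) for _prio, _weight, port, host in records]

def is_ip_literal_uri(uri):
    """True for URIs such as ldap://192.168.1.198:389, which AD will usually
    reject for SASL binds because no SPN is registered for a bare address."""
    try:
        ipaddress.ip_address(urlsplit(uri).hostname or "")
        return True
    except ValueError:
        return False

def gssapi_bind(uri):
    """Connect and do a SASL GSSAPI bind using the ticket cache from kinit.
    python-ldap is imported here so the parsing helpers run without it."""
    import ldap
    import ldap.sasl
    if is_ip_literal_uri(uri):
        raise ValueError("use the DC's DNS hostname, not an IP address: %s" % uri)
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD returns referrals; do not chase them
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return conn
```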