[Pythonmac-SIG] Active Directory authentication on Mac using Python
Nicholas Riley
njriley at uiuc.edu
Mon Aug 15 20:00:27 CEST 2005
On Mon, Aug 15, 2005 at 11:33:10AM -0500, brad.allen at omsdal.com wrote:
> I haven't even started working on authorization. The first problem
> is just basic authentication. Some LDAP servers, such as Active Directory,
> supposedly support authentication with queries, so if a username and
> password are included as parameters to a query, they will be handled
> appropriately. The part I'm not yet clear on has to do with the
> requirements on such queries. For instance, Apple's OpenLDAP comes
> with SASL authentication, but I haven't yet gotten that to work.
> I've tried testing various parameters to the ldapsearch command,
> for instance:
>
> ldapsearch -h adserver.ourdomain.org -D "cn=myuserid" -w mypassword -b "dc=OURDOMAIN,dc=ORG"
>
> ...and here is the error I get on Mac OS 10.4.2:
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure:
> GSSAPI Error: Miscellaneous failure (No credentials cache
> found)
[...]
> I thought one of the key concepts of Kerberos was that the password
> is only ever sent to the authentication server by a client, and that
> the username and password would never be sent to the application server.
> Instead, a Kerberos ticket would be sent, and the application server
> would inspect the ticket for validity. Therefore, the client should
> never need to send a password to the app server, and the app server
> would never be in a position to collect user passwords.
These statements seem incompatible. Above, you're (attempting to)
send your password to the LDAP server directly. Instead, you need to
get a Kerberos TGT first, with kinit or the Kerberos app, and then
ldapsearch should work without a password.
--
Nicholas Riley <njriley at uiuc.edu> | <http://www.uiuc.edu/ph/www/njriley>
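The two bind paths the thread contrasts, as an added Python example that is not part of the original list post or of any project it mentions. It uses python-ldap (assumed installed; the host name and base DN are the thread's placeholders, not real values) and shows why the quoted `ldapsearch` failed: without `-x`, OpenLDAP's `ldapsearch` chooses SASL, the GSSAPI mechanism looks for a Kerberos credentials cache, and none existed because `kinit` had not been run. A simple bind sends the password to the LDAP server; a GSSAPI bind sends it only to the KDC (via `kinit`) and presents a service ticket to the LDAP server, which is the Kerberos property the poster described. The `find_user` helper and the `klist -s` check are assumptions of this example, not from the thread.

```python
"""Binding to an Active Directory LDAP server from Python: simple bind
(password travels to the LDAP server) versus SASL/GSSAPI bind (password
went only to the KDC at kinit time; the LDAP server sees a service ticket).
Assumes python-ldap and Kerberos client tools are installed and the realm is
configured in the system krb5 settings.
"""
import subprocess

try:
    import ldap
    import ldap.filter
    import ldap.sasl
except ImportError:  # the live bind paths need python-ldap; the helpers do not
    ldap = None

# Placeholder values taken from the thread, not real hosts or DNs.
AD_URI = "ldap://adserver.ourdomain.org"
BASE_DN = "dc=OURDOMAIN,dc=ORG"

NO_CCACHE = "No credentials cache found"


def have_tgt():
    """True when a credentials cache with a usable TGT exists.

    `klist -s` prints nothing and exits 0 if a valid TGT is cached, non-zero
    otherwise. It is the same precondition the GSSAPI mechanism in ldapsearch
    checks before it can build a service ticket for ldap/<host>.
    """
    try:
        return subprocess.run(["klist", "-s"], capture_output=True).returncode == 0
    except FileNotFoundError:  # no Kerberos tools on this machine
        return False


def diagnose_bind_error(text):
    """Map LDAP client error text to the action the user should take.

    The exact text quoted in the thread, "No credentials cache found", means
    the client never obtained a TGT: the fix is kinit, not a different -w.
    """
    if NO_CCACHE in text:
        return "no TGT: run kinit (or the Kerberos app) first, then bind without -w"
    if "Invalid credentials" in text:
        return "simple bind rejected: wrong bind DN or password"
    return "unclassified: " + text.strip()


def gssapi_bind(uri=AD_URI):
    """SASL/GSSAPI bind; the password never leaves this client.

    kinit already sent it to the KDC. Here the client presents a service
    ticket for the LDAP server, which validates it with its own key.
    Equivalent CLI: ldapsearch -Y GSSAPI -H <uri> -b <base>   (no -D, no -w)
    """
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    if not have_tgt():
        raise RuntimeError(diagnose_bind_error(NO_CCACHE))
    conn = ldap.initialize(uri)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return conn


def simple_bind(bind_dn, password, uri=AD_URI):
    """Simple bind; the password itself is sent to the LDAP server.

    This is what the thread's -D/-w invocation was trying to do (it would need
    -x to select simple bind). Because the server receives the password, use
    it only over TLS (ldaps:// or STARTTLS), and prefer gssapi_bind where a
    TGT is available.
    """
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    conn = ldap.initialize(uri)
    conn.simple_bind_s(bind_dn, password)
    return conn


def find_user(conn, sam_account_name, base=BASE_DN):
    """Look up an AD account by sAMAccountName after either kind of bind.

    The filter value is escaped so a user-supplied name cannot alter the
    filter's structure.
    """
    flt = "(sAMAccountName=%s)" % ldap.filter.escape_filter_chars(sam_account_name)
    return conn.search_s(base, ldap.SCOPE_SUBTREE, flt, ["distinguishedName", "mail"])


if __name__ == "__main__":
    # Typical macOS flow: kinit (or the Kerberos app) first, then a GSSAPI bind.
    try:
        conn = gssapi_bind()
        print(find_user(conn, "myuserid"))
    except (RuntimeError, Exception) as exc:  # ldap.LDAPError is a subclass of Exception
        print(diagnose_bind_error(str(exc)))
```

The `have_tgt` check reproduces, ahead of time, the condition that produced the quoted `SASL(-1): generic failure ... No credentials cache found` message; once `kinit myuserid@OURDOMAIN.ORG` has populated the cache, `gssapi_bind` (or `ldapsearch -Y GSSAPI` with no `-w`) succeeds without the password ever being sent to the LDAP server.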