[Pythonmac-SIG] Active Directory authentication on Mac using Python
Andrew Shearer
ashearerw at shearersoftware.com
Tue Aug 16 02:54:00 CEST 2005
brad.allen at omsdal.com wrote:
> I haven't even started working on authorization. The first problem
> is just basic authentication. Some LDAP servers, such as Active
> Directory, supposedly support authentication with queries, so if a
> username and
> password are included as parameters to a query, they will be handled
> appropriately. The part I'm not yet clear on has to do with the
> requirements on such queries. For instance, Apple's OpenLDAP comes
> with SASL authentication, but I haven't yet gotten that to work.
> I've tried testing various parameters to the ldapsearch command,
> for instance:
>
> ldapsearch -h adserver.ourdomain.org -D "cn=myuserid" -w mypassword -b
> "dc=OURDOMAIN,dc=ORG"
>
> ...and here is the error I get on Mac OS 10.4.2:
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure:
> GSSAPI Error: Miscellaneous failure (No credentials
> cache found)
You don't necessarily have to use Kerberos. Here's a command line that
has worked for me on 10.3.9 against a Windows 2000 Active Directory
server. It authenticates testuser at mydomain.sample.com by prompting for
the password and then printing out some user information. (The flags
could be simplified to do authentication only, but I don't have an AD
server handy to test, so I didn't want to risk breaking it.)
$ ldapsearch -H ldap://mydomain.sample.com/ -D testuser -vx \
    -b dc=mydomain,dc=sample,dc=com -W "(samaccountname=testuser)" \
    sn cn fn uid sAMAccountName
--
Andrew Shearer
http://www.shearersoftware.com/
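
An added Python example, not part of the original message: the same bind-then-search check as the ldapsearch command above, written against the third-party python-ldap package. The StartTLS step, the empty-password rejection and the filter escaping are additions, the function names are hypothetical, and the host and base DN are the sample values from the message.

```python
# Added example: not code from the original thread.
def escape_filter_value(value):
    """Escape a string for use as a value in an LDAP filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def account_filter(username):
    """Build the (sAMAccountName=...) filter used in the message."""
    return "(sAMAccountName=%s)" % escape_filter_value(username)


def authenticate(uri, base_dn, username, password,
                 attrs=("sn", "cn", "sAMAccountName")):
    """Return the user's attributes if the bind works and the entry is found."""
    # An empty password turns a simple bind into an unauthenticated bind
    # (RFC 4513, section 5.1.2), which a server may accept; treat it as failure.
    if not username or not password:
        return None
    import ldap  # third-party python-ldap, only needed for the network step

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # do not chase AD referrals
    try:
        # Assumption: uri is ldap:// and the server offers StartTLS; a
        # simple bind (-x) otherwise sends the password in clear text.
        conn.start_tls_s()
        conn.simple_bind_s(username, password)  # like -D testuser -W
        results = conn.search_s(base_dn, ldap.SCOPE_SUBTREE,
                                account_filter(username), list(attrs))
    except ldap.INVALID_CREDENTIALS:
        return None
    finally:
        conn.unbind_s()
    # Skip referral results, which come back with a DN of None.
    entries = [entry for dn, entry in results if dn is not None]
    return entries[0] if entries else None


if __name__ == "__main__":
    import getpass
    user = authenticate("ldap://mydomain.sample.com/",
                        "dc=mydomain,dc=sample,dc=com",
                        "testuser", getpass.getpass("Password: "))
    print("authenticated" if user is not None else "rejected", user)
```

Connection and TLS errors other than invalid credentials are raised to the caller as `ldap.LDAPError`, so a server outage is not mistaken for a wrong password.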