[Pythonmac-SIG] Active Directory authentication on Mac using Python

brad.allen@omsdal.com brad.allen at omsdal.com
Tue Aug 16 18:43:07 CEST 2005


Andrew Shearer wrote on 08/15/2005 07:54:00 PM:

> You don't necessarily have to use Kerberos. Here's a command line that 
> has worked for me on 10.3.9 against a Windows 2000 Active Directory 
> server. It authenticates testuser at mydomain.sample.com by prompting for 
> the password and then printing out some user information. (The flags 
> could be simplified to do authentication only, but I don't have an AD 
> server handy to test, so I didn't want to risk breaking it.)
> 
> $ ldapsearch -H ldap://mydomain.sample.com/ -D testuser -vx -b 
> dc=mydomain,dc=sample,dc=com -W "(samaccountname=testuser)" sn cn fn 
> uid sAMAccountName

That is the quick and dirty solution, but it has a couple of problems.
One is that the -x option "Simple Authentication" sends the password
across the network in clear text. The other problem is that if I call this
from a Python script I will need to include the password as a parameter
and I think the password might be visible in a ps listing (however
briefly).

I'm not sure how big a security hole the "ps" listing represents,
and our network dept may decide the risk of sending clear text passwords
across our secure internal network is acceptable. So, this may be a
good fallback strategy if we don't succeed in making LDAP/SASL
authentication work, or if developing a straight Kerberos solution
proves too costly.

Using -x option on ldapsearch has worked in my testing, but I'd really
like to find out how to configure LDAP/SASL. I'm not clear on whether this
requires that something be done just on the Mac client side, or if it also
requires something be done on the Active Directory server configuration.

Brad Allen
IT Desktop Support

brad.allen at omsdal.com
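
Added example (not part of the original post, and not code from either poster): a Python wrapper around the quoted ldapsearch command that addresses the two concerns raised above by keeping the password out of the process arguments and requiring StartTLS before the simple bind. It assumes the installed ldapsearch supports OpenLDAP's `-y` and `-ZZ` options and that the directory server accepts StartTLS; the helper names are hypothetical and the host, DNs and account are the sample values from the quoted command.

```python
import os
import subprocess
import tempfile

# Hypothetical helper names; host, DNs and account are the post's sample values.

def escape_filter(value):
    """Escape RFC 4515 special characters so input cannot alter the filter."""
    out = value.replace("\\", r"\5c")
    for ch, esc in (("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        out = out.replace(ch, esc)
    return out

def build_argv(uri, bind_dn, base_dn, account, password_file):
    """ldapsearch argv with no password in it, so `ps` has nothing to show."""
    return [
        "ldapsearch", "-H", uri,
        "-ZZ",                # require StartTLS before the bind (assumes server support)
        "-x", "-D", bind_dn,  # simple bind, as in the quoted command
        "-y", password_file,  # read the password from a file instead of argv
        "-b", base_dn,
        "(sAMAccountName=%s)" % escape_filter(account),
        "sAMAccountName",
    ]

def authenticate(uri, bind_dn, base_dn, account, password, run=subprocess.call):
    """Return True if the bind and search succeed (ldapsearch exit status 0)."""
    if not password:
        # An empty password turns a simple bind into an unauthenticated bind,
        # which a server may accept; never treat that as a successful login.
        return False
    fd, path = tempfile.mkstemp()      # created with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(password)         # no trailing newline: -y uses the whole file
        argv = build_argv(uri, bind_dn, base_dn, account, path)
        return run(argv) == 0
    finally:
        os.remove(path)                # the file exists only for the call

if __name__ == "__main__":
    import getpass
    ok = authenticate("ldap://mydomain.sample.com/", "testuser",
                      "dc=mydomain,dc=sample,dc=com", "testuser",
                      getpass.getpass("AD password: "))
    print("authenticated" if ok else "failed")
```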