using Kerberos to authenticate to Active Directory from python ldap
Michael Ströder
michael at stroeder.com
Thu Apr 9 23:30:33 CEST 2009
Olivier Sessink wrote:
>
> So I'm rewriting the script for python. However, I cannot get the
> kerberos authentication right.
>
> ld = ldap.initialize('activedirectory-dns')
> ld.sasl_interactive_bind_s('', ldap.sasl.gssapi('user at REALM'))
> ld.search_s(self.base, ldap.SCOPE_SUBTREE, '(CN=groupname)', ['Member'])
>
> I get an error that I don't have the right credentials.
>
> However it works with ldapsearch, so the Kerberos ticket is valid and
> correct for this query.

I cannot see what your parameters are. Note that SASL-Bind with GSSAPI is
quite picky about using the right DNS names.

Especially it should be something like

  ld = ldap.initialize('ldap://dc1.dom2.adtest.domain')

with dc1.dom2.adtest.domain being one of the names listed with service
prefix ldap/ in servicePrincipalName on the domain controller.

> Or an example script that uses Kerberos?
Demo/sasl_bind.py
Ciao, Michael.
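
An added example, not part of the original message or of python-ldap's Demo directory: a pre-flight check that the host in the LDAP URI is one of the names carrying the ldap/ prefix in servicePrincipalName, followed by the GSSAPI bind. The SPN list is constructed sample data, and the names ldap_spn_hosts, check_uri and gssapi_bind are hypothetical helpers.

```python
from urllib.parse import urlparse

# Constructed sample of servicePrincipalName values from a domain controller's
# computer object; the host name is the one used in the reply above.
SAMPLE_SPNS = [
    "ldap/dc1.dom2.adtest.domain",
    "ldap/dc1.dom2.adtest.domain/dom2.adtest.domain",
    "HOST/dc1.dom2.adtest.domain",
    "GC/dc1.dom2.adtest.domain/adtest.domain",
]

def ldap_spn_hosts(spns):
    """Host names that appear with the ldap/ service prefix (lower-cased)."""
    hosts = set()
    for spn in spns:
        service, _, rest = spn.partition("/")
        if service.lower() == "ldap" and rest:
            hosts.add(rest.split("/", 1)[0].lower())
    return hosts

def check_uri(uri, spns):
    """Return (ok, reason) for an LDAP URI about to be used with GSSAPI."""
    parsed = urlparse(uri)
    if parsed.scheme not in ("ldap", "ldaps"):
        return False, "not an ldap:// or ldaps:// URI"
    host = parsed.hostname  # urlparse lower-cases the host part
    if not host:
        return False, "URI has no host part"
    if host not in ldap_spn_hosts(spns):
        return False, "host %r has no ldap/ servicePrincipalName" % host
    return True, "ok"

def gssapi_bind(uri, spns):
    """Bind with the ticket in the credential cache (needs python-ldap)."""
    ok, reason = check_uri(uri, spns)
    if not ok:
        raise ValueError(reason)
    import ldap, ldap.sasl  # imported late so the checks run without it
    ld = ldap.initialize(uri)
    # Empty bind DN; the identity comes from the Kerberos ticket.
    ld.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return ld
```

The bare name 'activedirectory-dns' from the question is rejected by check_uri before any bind is attempted, because it is not an ldap:// URI.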