Discussion:
[python-ldap] GSSAPI and Active Directory
陈伟洪
2015-08-10 09:26:04 UTC
Permalink
I'm unable to search Active Directory with GSSAPI for some reason.


Here's a small test script I've been using.

import ldap
import ldap.sasl

# trace_level=1 makes python-ldap print every libldap call to stderr
adconn = ldap.initialize('ldap://192.168.1.198:389/', trace_level=1)
adconn.protocol_version = ldap.VERSION3

# No SASL callbacks at all: for GSSAPI the credentials are expected to
# come from the Kerberos ticket cache, not from a username/password
sasl_auth = ldap.sasl.sasl({}, 'GSSAPI')

adconn.sasl_interactive_bind_s('', sasl_auth)



It fails every time with

C:\Users\whchen\Downloads>python test_ldap.py

*** <ldap.ldapobject.SimpleLDAPObject instance at 0x02217CD8> ldap://192.168.1.198:389/ - SimpleLDAPObject.set_option ((17, 3), {})
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x02217CD8> ldap://192.168.1.198:389/ - SimpleLDAPObject.set_option ((17, 3), {})
*** <ldap.ldapobject.SimpleLDAPObject instance at 0x02217CD8> ldap://192.168.1.198:389/ - SimpleLDAPObject.sasl_interactive_bind_s (('', <ldap.sasl.sasl instance at 0x0226E1E8>, None, None, 2), {})
Traceback (most recent call last):
  File "test_ldap.py", line 16, in <module>
    adconn.sasl_interactive_bind_s('', sasl_auth)
  File "C:\Python27\lib\site-packages\ldap\ldapobject.py", line 244, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "C:\Python27\lib\site-packages\ldap\ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: Unable to find a callback : 2', 'desc': 'Local error'}


I do not know how to configure the client authentication information.
I know the "ldap admin" software supports an auth mechanism that is not
simple and exchanges the authentication information by username/password;
I would like to know whether python-ldap supports this?
Michael Ströder
2015-08-10 15:15:46 UTC
Permalink
Post by 陈伟洪
I'm unable to search Active Directory with GSSAPI for some reason.
Here's a small test script I've been using.
import ldap
import ldap.sasl
adconn = ldap.initialize('ldap://192.168.1.198:389/', trace_level=1)
adconn.protocol_version = ldap.VERSION3
sasl_auth = ldap.sasl.sasl(
{
},
'GSSAPI'
)
adconn.sasl_interactive_bind_s('', sasl_auth)
It fails every time with
C:\Users\whchen\Downloads>python test_ldap.py
It seems you're on Windows.

I don't know the detailed status of SASL support in current Windows builds of
python-ldap, but IMO SASL/GSSAPI does not work on Windows. In particular, this
would require installing Kerberos for Windows and building against that. Current
KfW releases seem to be able to make use of the Windows ticket store, but I
never tried it out myself.

SASL/GSSAPI with MS AD works ok on most Linux boxes with LDAP libs built with
SASL and Kerberos libs.

Ciao, Michael.
陈伟洪
2015-08-11 07:50:22 UTC
Permalink
In the Linux environment, I tried to run this script:


import ldap
import ldap.sasl

adconn = ldap.initialize('ldap://192.168.1.198:389')
adconn.protocol_version = ldap.VERSION3

# Callback answers left empty: the GSSAPI mechanism authenticates with
# whatever is in the Kerberos ticket cache, not with a password
sasl_auth = ldap.sasl.sasl(
    {
        ldap.sasl.CB_AUTHNAME: "",
        ldap.sasl.CB_PASS: "",
    },
    'GSSAPI'
)
adconn.sasl_interactive_bind_s('', sasl_auth)

result:

***@872d112a0c37:/var/edo/wo# bin/python test_ldap.py
Traceback (most recent call last):
  File "bin/python", line 275, in <module>
    exec(compile(__file__f.read(), __file__, "exec"))
  File "test_ldap.py", line 13, in <module>
    adconn.sasl_interactive_bind_s('', sasl_auth)
  File "/opt/buildout-cache/eggs/python_ldap-2.4.14-py2.7-linux-x86_64.egg/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/opt/buildout-cache/eggs/python_ldap-2.4.14-py2.7-linux-x86_64.egg/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)', 'desc': 'Local error'}

Does python-ldap not support username/password as credentials to log in
to an MS AD server which only supports GSSAPI?
Jun Sheng
2015-08-11 22:52:23 UTC
Permalink
I remember that if GSSAPI is used, a successful Kerberos login (kinit) must
be performed before doing ldap_bind, but I am not very sure.

Still, AD supports DIGEST-MD5, I suggest you try that first.
_______________________________________________
python-ldap mailing list
https://mail.python.org/mailman/listinfo/python-ldap
陈伟洪
2015-08-12 01:17:36 UTC
Permalink
I tried to use DIGEST-MD5:

source:

import ldap
import ldap.sasl

adconn = ldap.initialize('ldap://192.168.1.198:389')
adconn.protocol_version = ldap.VERSION3

# DIGEST-MD5 really does use the callbacks: username and password
# (the password is left blank in this post)
sasl_auth = ldap.sasl.sasl(
    {
        ldap.sasl.CB_AUTHNAME: "administrator",
        ldap.sasl.CB_PASS: "",
    },
    'digest-md5'
)
adconn.sasl_interactive_bind_s('', sasl_auth)

result:

***@zopen05:~/gitlab/workonline$ python test_ldap.py
Traceback (most recent call last):
  File "test_ldap.py", line 13, in <module>
    adconn.sasl_interactive_bind_s('', sasl_auth)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 227, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'info': "80090303: LdapErr: DSID-0C0904BE, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1", 'desc': 'Invalid credentials'}
Michael Ströder
2015-08-12 17:51:09 UTC
Permalink
Post by 陈伟洪
[..]
ldap.INVALID_CREDENTIALS: {'info': "80090303: LdapErr: DSID-0C0904BE,
comment: The digest-uri does not match any LDAP SPN's registered for this
server., data 0, v1db1", 'desc': 'Invalid credentials'}
Post by Jun Sheng
I remember if GSSAPI is used, a successful kerberos login (kinit) must
be performed before doing ldap_bind, but I am not very sure.
Still, AD supports digest-md5, I suggest you try that first.
Post by 陈伟洪
[..]
sasl_auth = ldap.sasl.sasl(
{
ldap.sasl.CB_AUTHNAME:"",
ldap.sasl.CB_PASS :"",
},
'GSSAPI'
)
adconn.sasl_interactive_bind_s('', sasl_auth)
[..]
Unspecified GSS failure. Minor code may provide more information (No
Kerberos credentials available)', 'desc': 'Local error'}
It works for me both GSSAPI and DIGEST-MD5.

But MS AD is pretty picky regarding the correct DNS names being used. So this
likely does not work:

ldap.initialize('ldap://192.168.1.198:389')

Put correct DNS names in there. Start with locating the DCs' hostnames:

host -t srv _ldap._tcp.example.com

with example.com being the DNS domain name of your AD domain.

Ciao, Michael.
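The two recommendations above (Jun Sheng's: have a Kerberos ticket before the GSSAPI bind; Michael's: locate the DCs through the SRV record and bind by DNS name, not IP) put together in one script. This is an added example, not code from the thread or from python-ldap itself; it is Python 3, uses the `host`, `kinit` and `klist` command-line tools, and the domain, DC names, service principal, keytab path and the sample `host` output are assumptions made up for the example.

```python
"""
Added example (not code from the thread or from python-ldap itself).
It does what the replies recommend, in order:
  1. locate the domain controllers through the _ldap._tcp.<domain> SRV
     record instead of hard-coding an IP address,
  2. make sure a Kerberos ticket exists (kinit) before the GSSAPI bind,
  3. bind by DNS hostname so the target principal ldap/<fqdn>@REALM (and,
     for DIGEST-MD5, the digest-uri ldap/<fqdn>) matches an SPN the DC has.
The domain, hostnames, SRV output, principal and keytab path are assumptions.
"""
import os
import re
import subprocess
import tempfile

try:
    import ldap
    import ldap.sasl
except ImportError:        # python-ldap missing: the offline helpers still work
    ldap = None

# Constructed sample of what `host -t srv _ldap._tcp.example.com` prints
# (three assumed DCs; lower priority wins, then higher weight is preferred).
SAMPLE_SRV_OUTPUT = """\
_ldap._tcp.example.com has SRV record 0 50 389 dc2.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 dc1.example.com.
_ldap._tcp.example.com has SRV record 10 100 389 dc3.example.com.
"""

_SRV_LINE = re.compile(
    r"^\S+ has SRV record (?P<prio>\d+) (?P<weight>\d+) (?P<port>\d+) (?P<target>\S+)$"
)


def parse_srv(host_output):
    """Parse `host -t srv` output into (priority, weight, port, fqdn) tuples,
    ordered the way RFC 2782 tells clients to try them: lowest priority
    first, higher weight preferred within a priority (deterministic here;
    RFC 2782 actually asks for weighted random selection)."""
    records = []
    for line in host_output.splitlines():
        m = _SRV_LINE.match(line.strip())
        if m:
            records.append((int(m.group("prio")), int(m.group("weight")),
                            int(m.group("port")),
                            m.group("target").rstrip(".").lower()))
    return sorted(records, key=lambda r: (r[0], -r[1]))


def discover_dcs(domain):
    """Run the same `host -t srv` query suggested in the thread and parse it."""
    out = subprocess.run(["host", "-t", "srv", "_ldap._tcp." + domain],
                         capture_output=True, text=True, check=True).stdout
    return parse_srv(out)


def ldap_uris(records):
    """Space-separated URI list (libldap tries them in order) built from DNS
    names, never IPs: the SASL layer derives the service principal / digest-uri
    from the host part of the URI, so an IP never matches a registered SPN."""
    return " ".join("ldap://%s:%d" % (fqdn, port) for _, _, port, fqdn in records)


def have_kerberos_ticket():
    """`klist -s` exits 0 when the credential cache holds a valid TGT."""
    try:
        return subprocess.run(["klist", "-s"]).returncode == 0
    except FileNotFoundError:
        return False


def kinit_from_keytab(principal, keytab):
    """Non-interactive kinit for a service account, into a private cache so
    the ticket is not written into a shared/default cache. Sets KRB5CCNAME
    for this process, which libkrb5 (and therefore libldap) will read."""
    cache_dir = tempfile.mkdtemp(prefix="krb5cc_")          # created mode 0700
    os.environ["KRB5CCNAME"] = "FILE:" + os.path.join(cache_dir, "cc")
    subprocess.run(["kinit", "-k", "-t", keytab, principal], check=True)


def gssapi_bind(uris):
    """SASL/GSSAPI bind; fails early with a clear message when no TGT exists
    instead of the opaque 'No Kerberos credentials available' from the thread."""
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    if not have_kerberos_ticket():
        raise RuntimeError("no valid Kerberos TGT: run kinit (or kinit_from_keytab) first")
    conn = ldap.initialize(uris)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_REFERRALS, 0)    # AD referrals cannot be chased anonymously
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return conn


def digest_md5_bind(uris, username, password):
    """SASL/DIGEST-MD5 bind; the digest-uri is taken from the URI's hostname,
    which is why an IP-addressed URI gets the 'digest-uri does not match' error."""
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    conn = ldap.initialize(uris)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    auth = ldap.sasl.sasl({ldap.sasl.CB_AUTHNAME: username,
                           ldap.sasl.CB_PASS: password}, "DIGEST-MD5")
    conn.sasl_interactive_bind_s("", auth)
    return conn


if __name__ == "__main__":
    # Assumed names: the AD DNS domain, a service principal and its keytab.
    dcs = discover_dcs("example.com")
    kinit_from_keytab("svc-ldap@EXAMPLE.COM", "/etc/ldap/svc-ldap.keytab")
    conn = gssapi_bind(ldap_uris(dcs))
    print(conn.whoami_s())      # AD answers "u:EXAMPLE\svc-ldap" for a working bind
```

A keytab plus a private KRB5CCNAME is the usual way to run this unattended; it avoids putting the account password in the script (which DIGEST-MD5 would need) and keeps the service ticket out of the login user's shared cache. If `kinit` succeeds but the bind still fails with a GSS error, the remaining suspects are the DC's SPNs and the reverse DNS of the name you connected to, which is exactly the "fix your DNS" advice given later in the thread.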
Jun Sheng
2015-08-13 11:08:03 UTC
Permalink
Post by Michael Ströder
It works for me both GSSAPI and DIGEST-MD5.
But MS AD is pretty picky regarding correct DNS names to be used. So this
I think this requirement is imposed by DIGEST-MD5, or rather by Cyrus-SASL.
Post by Michael Ströder
ldap.initialize('ldap://192.168.1.198:389')
host -t srv _ldap._tcp.example.com
with example.com being the DNS domain name of your AD domain.
Ciao, Michael.
Michael Ströder
2015-08-13 11:12:55 UTC
Permalink
Post by Jun Sheng
Post by Michael Ströder
It works for me both GSSAPI and DIGEST-MD5.
But MS AD is pretty picky regarding correct DNS names to be used. So this
I think this requirement is imposed by DIGEST-MD5, or rather by Cyrus-SASL.
Have a look at the error message in the DIGEST-MD5 case.
It starts with "80090303: LdapErr: DSID-0C0904BE .." which is typical for
diagnostic messages returned in LDAP results by MS AD.

In the GSSAPI case there are definitely additional dependencies on Kerberos
principal names and correct DNS entries used. In fact "fix your DNS" is the
standard answer when experiencing issues like that.

Ciao, Michael.
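Michael's point that "80090303: LdapErr: DSID-..." is an AD server-side diagnostic (as opposed to the client-side "SASL(-1): generic failure" messages earlier in the thread) is worth turning into code, because the same `ldap.INVALID_CREDENTIALS` exception covers both a bad password and an SPN/DNS misconfiguration. The parser below is an added example, not part of the thread or of python-ldap; it goes a little beyond the page by also decoding the `data` sub-status of simple-bind failures. The first sample string is the message from the thread, the second is constructed; the code names come from Microsoft's SSPI status codes (winerror.h) and the Windows logon status codes.

```python
"""
Added example (not from the thread): take apart the diagnostic string MS AD
returns in the 'info' field of a failed bind, so that an SPN / DNS problem
(the digest-uri error in the thread) is not triaged as a wrong password.
SAMPLE_BAD_PASSWORD is constructed; the tables are Microsoft's SSPI and
logon status codes.
"""
import re

# "80090303: LdapErr: DSID-0C0904BE, comment: ..., data 0, v1db1"
_AD_DIAG = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)

# SSPI status in the first field (winerror.h SEC_E_* values)
SSPI_STATUS = {
    "80090303": "SEC_E_TARGET_UNKNOWN",   # target name / SPN not recognised
    "80090308": "SEC_E_INVALID_TOKEN",    # what AD reports for failed simple binds
    "8009030C": "SEC_E_LOGON_DENIED",
    "8009030E": "SEC_E_NO_CREDENTIALS",
}

# 'data' sub-status of a failed AcceptSecurityContext (Windows logon status, hex)
LOGON_DATA = {
    "525": "user not found",
    "52e": "bad username or password",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# The message from the thread (DIGEST-MD5 against an IP-addressed URI)...
SAMPLE_DIGEST_URI_ERROR = ("80090303: LdapErr: DSID-0C0904BE, comment: The digest-uri "
                           "does not match any LDAP SPN's registered for this server., "
                           "data 0, v1db1")
# ...and a constructed simple-bind failure for comparison.
SAMPLE_BAD_PASSWORD = ("80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext "
                       "error, data 52e, v1db1")


def explain_ad_bind_error(info):
    """Return a dict describing an AD diagnostic, or None if `info` is not
    one (e.g. a purely client-side 'SASL(-1): generic failure' message)."""
    m = _AD_DIAG.search(info or "")
    if not m:
        return None
    hresult = m.group("hresult").upper()
    data = m.group("data").lower()
    comment = m.group("comment")
    return {
        "hresult": hresult,
        "status": SSPI_STATUS.get(hresult, "unknown SSPI status"),
        "dsid": m.group("dsid").upper(),
        "comment": comment,
        "data": data,
        "data_meaning": LOGON_DATA.get(data, "n/a" if data == "0" else "unknown"),
        # SPN / DNS trouble is a server-side configuration issue, not a credential problem
        "spn_problem": hresult == "80090303" or "SPN" in comment,
    }


def info_from_exception(exc):
    """python-ldap raises ldap.LDAPError subclasses whose args[0] is the
    {'info': ..., 'desc': ...} dict seen in the tracebacks above."""
    args = getattr(exc, "args", ())
    if args and isinstance(args[0], dict):
        return args[0].get("info", "")
    return ""


if __name__ == "__main__":
    for sample in (SAMPLE_DIGEST_URI_ERROR, SAMPLE_BAD_PASSWORD,
                   "SASL(-1): generic failure: Unable to find a callback : 2"):
        print(explain_ad_bind_error(sample))
```

Use the parsed record for operator logs and monitoring only: `525` versus `52e` tells an attacker whether an account exists, so anything user-facing should collapse every `INVALID_CREDENTIALS` into one generic message, while an `spn_problem` hit should page whoever owns the DC's DNS and SPN registrations rather than the user.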
