On Mon, 27 May 2013, Justin Brown wrote:
I'm working on a small project that needs access to user information
(primarily email addresses and phone numbers) from a LDAP directory. I'm
successfully using FreeIPA for general authentication and DNS in my lab and
would like to have this application use FreeIPA as well.

I need to be able to bind to the LDAP directory, using both Apache
Directory Studio (for development) and python-ldap. Both support various
methods of authentication, including "simple" aka password and Kerberos via
GSSAPI. Unfortunately, I haven't had much access in connecting with either.

I have tried a variety of user accounts for password authentication to no
success. Additionally, I have used `kinit` to obtain a TGT and even
specified the TGT cache dir (/run/user/1000/krb5cc.../tkt); however, I get
an error: "unable to obtain Principal Name for authentication." From my
basic understanding of Kerberos, it seems that I need a TGT specific for
access to LDAP from FreeIPA, but I have no idea how to generate it.

$ klist
Ticket cache: DIR::/run/user/1000/krb5cc_.../tkt
Default principal: jus...@fandingo.org

Valid starting     Expires            Service principal
05/27/13 17:25:45  05/28/13 17:25:42  krbtgt/fandingo....@fandingo.org

Any help would be greatly appreciated.

It would help if you show your code.

The following code should work if you have KRB5CCNAME defined (or set to
the default) and there is an initialized TGT in the ccache:
import ldap
import ldap.sasl

# Connect to the IPA LDAP server; the SASL/GSSAPI bind picks up the TGT
# from the credential cache named by KRB5CCNAME (or the default ccache).
connection = ldap.initialize('ldap://{host}'.format(host='foo.fandingo.org'))
auth = ldap.sasl.gssapi("")
connection.sasl_interactive_bind_s('', auth)

# Entry to add: attribute list and DN
ldif = .....
dn = .....
connection.add_s(dn, ldif)

/ Alexander Bokovoy
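As an added example (not code from either poster or from FreeIPA itself), here is the same GSSAPI bind turned into the kind of read-only lookup the original question describes: fetch a user's mail and telephoneNumber from the IPA directory. It assumes python-ldap 3.x, that the IPA suffix follows the usual default of one dc= component per realm label (so FANDINGO.ORG becomes dc=fandingo,dc=org), that user entries live under cn=users,cn=accounts,<suffix> as they do in a stock IPA install, and a hypothetical command-line usage of host, realm and uid. The helpers that build the base DN and the search filter are pure Python and run without a directory; the bind itself needs python-ldap and a TGT in the ccache.

```python
"""Look up mail and telephoneNumber for an IPA user over a GSSAPI-bound
LDAP connection (added example, not part of the mailing-list thread)."""
import sys


def realm_to_base_dn(realm):
    """Map a Kerberos realm such as FANDINGO.ORG to the IPA suffix
    dc=fandingo,dc=org.  Assumption: the suffix uses the IPA default of
    one dc= component per realm label."""
    labels = [label for label in realm.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty realm")
    return ",".join("dc=" + label for label in labels)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter.
    Without it, a caller-supplied uid such as '*)(objectClass=*' turns a
    single-user lookup into a directory-wide dump."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_search(realm, uid):
    """Return (base, filter, attrs) for one IPA user lookup.
    Assumption: users are stored under cn=users,cn=accounts,<suffix>."""
    base = "cn=users,cn=accounts," + realm_to_base_dn(realm)
    flt = "(&(objectClass=person)(uid=%s))" % escape_filter_value(uid)
    return base, flt, ["mail", "telephoneNumber"]


def lookup_user(host, realm, uid):
    """Bind with the TGT in KRB5CCNAME (or the default ccache) via
    SASL/GSSAPI and return the search result list from python-ldap."""
    import ldap        # python-ldap; imported here so the pure helpers
    import ldap.sasl   # above stay importable where it is not installed

    conn = ldap.initialize("ldap://%s" % host)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    # Empty authz-id: act as the principal that owns the TGT in the ccache.
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi(""))
    base, flt, attrs = user_search(realm, uid)
    return conn.search_s(base, ldap.SCOPE_ONELEVEL, flt, attrs)


if __name__ == "__main__":
    # Hypothetical usage: python3 ipa_lookup.py foo.fandingo.org FANDINGO.ORG jdoe
    host, realm, uid = sys.argv[1:4]
    for dn, entry in lookup_user(host, realm, uid):
        print(dn, entry)
```

Two practitioner caveats. First, the filter escaping matters as soon as the uid comes from outside the program (a web form, a CSV import); python-ldap ships `ldap.filter.escape_filter_chars` for the same purpose, and either is fine, but one of them must be used. Second, this binds as whoever ran `kinit`, which is right for a developer poking at the directory from Apache Directory Studio or a REPL; a long-running application should instead get its own service principal and keytab so that it never depends on a user's ticket cache.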

