First step is configuring your platform's Kerberos library so you can
kinit against your AD server. You will need to read about krb5.conf and
kinit, I suspect.
Next step is getting a SASL-GSSAPI module installed so that SASL can
access your Kerberos library (through its GSSAPI interface). This is a
matter of package hunting usually.
I'm assuming your OpenLDAP library has SASL support.
Finally, you call ldap_sasl_bind to connect. I hope someone else can
chime in here with an example of sasl binds with python-ldap.
d
Mike Matz wrote:
Thanks for your input David. I will read through the MSDN articles to
see if they provide me with any insight. I am not familiar with
using SASL/GSSAPI/Kerberos to bind to AD's LDAP. Could you possibly
provide me with a few steps to accomplish this?
Thanks,
Mike
On Nov 8, 2007, at 7:48 AM, David Leonard wrote:
Hi, Mike
I think AD uses an extension to the Kerberos protocol to change the
password of a user. See
http://msdn2.microsoft.com/en-us/library/ms808911.aspx
As far as I understand it, the unicodePwd attribute is the NT hash of
the user's password. (See
http://msdn2.microsoft.com/en-us/library/ms680513.aspx).
Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to
AD's LDAP. It should be a lot easier to manage than SSL certs.
David
Mike Matz wrote:
Thanks for the help, guys. It got me off to a great start. I have
successfully created a user in my AD. As you already alluded to, I
am struggling with the password attribute. Can the password
attribute be set when creating a user? From what I gathered, the
password attribute is 'unicodePwd'. This attribute cannot be
created, it can only be modified. Is this attribute created by
default when a user is created? Would I be able to do an add and
then a modify to set the password? I am aware of the fact that
there are certain restrictions in place in order to modify the
password. I have set up my AD to include SSL and I am able to bind
as Administrator over port 636. With that said, one of the examples
I ran across for adding a user refers to another attribute
'userPassword'. I am unable to tell what this attribute is. In the
link below, it appears that the password is being set when the entry
is added. I have tried this unsuccessfully. I appreciate all the
help thus far.
Regards,
Mike
Example Add Entry - http://www.grotan.com/ldap/python-ldap-samples.html
-----Original Message-----
From: Geert Jansen [mailto:[EMAIL PROTECTED]
Sent: Wed 11/7/2007 1:50 PM
To: Michael Ströder
Cc: Mike Matz; [email protected]
Subject: Re: Creating Active Directory Objects
Michael Ströder wrote:
> I vaguely remember that there are some issues with really activating a
> user entry as a Windows user. But this is not a problem of accessing AD
> via python-ldap.
>
This indeed rings a bell. You need to create the user as disabled (look
for userAccountControl on MSDN), set a compliant password, and then
enable him.
Regards,
Geert
--
David Leonard [EMAIL PROTECTED]
Ph:+61 404 844 850
_______________________________________________
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
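
The create-disabled, set-password, enable sequence Geert describes, run over the ldaps:// connection Mike already has, as an added example that is not part of the original thread. The account names, password and the `build_user_ops`/`create_user` helpers are hypothetical; the value written to unicodePwd is the password wrapped in double quotes and encoded as UTF-16LE, which is the form AD accepts for LDAP writes to that attribute.

```python
"""Create-disabled / set-password / enable sequence for an AD user (added example)."""

UF_ACCOUNTDISABLE = 0x0002  # userAccountControl flag: account is disabled
UF_NORMAL_ACCOUNT = 0x0200  # userAccountControl flag: ordinary user account
MOD_REPLACE = 2             # same numeric value as ldap.MOD_REPLACE


def encode_unicode_pwd(password):
    """Writes to unicodePwd take the password in double quotes, UTF-16LE encoded."""
    return ('"%s"' % password).encode("utf-16-le")


def build_user_ops(sam, upn, password):
    """Return (add_attrs, pwd_mods, enable_mods) for the three LDAP operations."""
    disabled = str(UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE).encode()  # b"514"
    enabled = str(UF_NORMAL_ACCOUNT).encode()                       # b"512"
    add_attrs = [
        ("objectClass", [b"top", b"person", b"organizationalPerson", b"user"]),
        ("sAMAccountName", [sam.encode()]),
        ("userPrincipalName", [upn.encode()]),
        ("userAccountControl", [disabled]),
    ]
    pwd_mods = [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(password)])]
    enable_mods = [(MOD_REPLACE, "userAccountControl", [enabled])]
    return add_attrs, pwd_mods, enable_mods


def create_user(uri, bind_dn, bind_pw, dn, sam, upn, password):
    """Run the sequence against a live directory (needs python-ldap)."""
    if not uri.lower().startswith("ldaps://"):
        raise ValueError("refusing to send unicodePwd over an unencrypted connection")
    import ldap  # imported late so the helpers above work without python-ldap
    add_attrs, pwd_mods, enable_mods = build_user_ops(sam, upn, password)
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.simple_bind_s(bind_dn, bind_pw)
    try:
        conn.add_s(dn, add_attrs)        # 1. account exists, but disabled
        conn.modify_s(dn, pwd_mods)      # 2. set a policy-compliant password
        conn.modify_s(dn, enable_mods)   # 3. clear the disabled flag
    finally:
        conn.unbind_s()


if __name__ == "__main__":
    # Constructed sample values; nothing here contacts a server.
    for op in build_user_ops("jdoe", "jdoe@example.test", "S4mple-Passw0rd!"):
        print(op)
```

If the password modify is rejected (for example by the domain password policy), the exception stops the sequence and the account stays disabled instead of being enabled without a usable password.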