Olivier Sessink wrote:
> 2009/4/10 Michael Ströder <mich...@stroeder.com>:
>> You can bind with SASL/GSSAPI to AD with plain python-ldap provided you
>> obtained a valid TGT with kinit before (just like with command-line tool
>> ldapsearch).
>
> thanks, that's what I need to know.
>
> I can't get it to work though..
>
> ld = ldap.initialize('ldap://foobar')
> sasl = ldap.sasl.gssapi()
> ld.sasl_interactive_bind_s('', sasl)
> ld.search_s('DC=foo,DC=foo', ldap.SCOPE_SUBTREE, '(CN=blabla)', ['Member'])
>
> ldap.OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C090627,
> comment: In order to perform this operation a successful bind must be
> completed on the connection., data 0, vece', 'desc': 'Operations
> error'}
>
> this shell command works:
>
> ldapsearch -YGSSAPI -H ldap://foobar -bDC=foo,DC=foo '(CN=blabla)' Member
>
> I've tried different ldap URLs, but from an ldapsearch strace I'm
> pretty sure I use the right ldap server.

Hmm, this should simply work just like the ldapsearch usage. Since you're
searching from domain level it would be worth trying to explicitly switch
off referral chasing within libldap:

ld = ldap.initialize('ldap://foobar')
ld.set_option(ldap.OPT_REFERRALS,0)

Note that automatic referral chasing within libldap was always using
anonymous bind.

> However, this is on a suse linux enterprise box, which has python-ldap
> 2.0.11. Could it be that this is too old?

Glancing over CHANGES there were no related fixes to SASL but maybe the
default for ldap.OPT_REFERRALS was changed. But you should upgrade anyway
for various reasons...

Ciao, Michael.

_______________________________________________
Python-LDAP-dev mailing list
Python-LDAP-dev@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
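
The suggestion in the reply above, put together as an added example (not code from either poster or from the python-ldap project): bind with SASL/GSSAPI, switch off referral chasing, and separate real entries from the references the server returns, which python-ldap hands back unchased as `(None, [url, ...])` tuples. The helper names `split_results` and `gssapi_search` are hypothetical, and the sample result list is constructed.

```python
def split_results(results):
    """Separate directory entries from search continuation references.

    With ldap.OPT_REFERRALS set to 0, libldap does not follow references
    (and so never re-binds anonymously to another server); python-ldap
    returns each one as a (None, [url, ...]) tuple in the result list.
    """
    entries, references = [], []
    for dn, payload in results:
        if dn is None:
            references.extend(payload)   # payload is a list of LDAP URLs
        else:
            entries.append((dn, payload))
    return entries, references


def gssapi_search(uri, base, filterstr, attrs):
    """Search using the Kerberos ticket obtained with kinit beforehand."""
    import ldap        # python-ldap, imported here so split_results()
    import ldap.sasl   # can be exercised without the library installed

    ld = ldap.initialize(uri)
    ld.set_option(ldap.OPT_REFERRALS, 0)   # no automatic referral chasing
    try:
        ld.sasl_interactive_bind_s('', ldap.sasl.gssapi())
        found = ld.search_s(base, ldap.SCOPE_SUBTREE, filterstr, attrs)
        return split_results(found)
    finally:
        ld.unbind_s()


# Constructed sample of what a domain-level subtree search can return
# once referrals are no longer chased; none of these values are real.
SAMPLE = [
    ('CN=blabla,OU=Groups,DC=foo,DC=foo',
     {'member': [b'CN=alice,OU=Users,DC=foo,DC=foo']}),
    (None, ['ldap://ForestDnsZones.foo.foo/DC=ForestDnsZones,DC=foo,DC=foo']),
    (None, ['ldap://DomainDnsZones.foo.foo/DC=DomainDnsZones,DC=foo,DC=foo']),
]

if __name__ == '__main__':
    entries, refs = split_results(SAMPLE)
    for dn, attributes in entries:
        print(dn, attributes)
    print('not followed:', refs)
```

Against a live directory the call would be `gssapi_search('ldap://foobar', 'DC=foo,DC=foo', '(CN=blabla)', ['Member'])`, using the values from the thread.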