On Mon, Aug 15, 2005 at 11:33:10AM -0500, [EMAIL PROTECTED] wrote:

> I haven't even started working on authorization. The first problem
> is just basic authentication. Some LDAP servers, such as Active Directory,
> supposedly support authentication with queries, so if a username and
> password are included as parameters to a query, they will be handled
> appropriately. The part I'm not yet clear on has to do with the
> requirements on such queries. For instance, Apple's OpenLDAP comes
> with SASL authentication, but I haven't yet gotten that to work.
> I've tried testing various parameters to the ldapsearch command,
> for instance:
>
> ldapsearch -h adserver.ourdomain.org -D "cn=myuserid" -w mypassword -b "dc=OURDOMAIN,dc=ORG"
>
> ...and here is the error I get on Mac OS 10.4.2:
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure:
> GSSAPI Error: Miscellaneous failure (No credentials cache found)

[...]

> I thought one of the key concepts of Kerberos was that the password
> is only ever sent to the authentication server by a client, and that
> the username and password would never be sent to the application server.
> Instead, a Kerberos ticket would be sent, and the application server
> would inspect the ticket for validity. Therefore, the client should
> never need to send a password to the app server, and the app server
> would never be in a position to collect user passwords.
These statements seem incompatible. Above, you're (attempting to) send your password to the LDAP server directly. Instead, you need to get a Kerberos TGT first, with kinit or the Kerberos app, and then ldapsearch should work without a password.

-- 
Nicholas Riley <[EMAIL PROTECTED]> | <http://www.uiuc.edu/ph/www/njriley>

_______________________________________________
Pythonmac-SIG maillist - Pythonmac-SIG@python.org
http://mail.python.org/mailman/listinfo/pythonmac-sig
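The sequence the reply describes (obtain a TGT first, then let ldapsearch authenticate through SASL/GSSAPI with no password on the command line) as an added shell example; this is not code from the thread or from either poster. It assumes MIT or Heimdal Kerberos client tools (`kinit`, `klist`) and OpenLDAP's `ldapsearch`; the host and base DN are taken from the thread and `user@EXAMPLE.REALM` is a placeholder. The preflight check catches the "No credentials cache found" failure before ldapsearch is run, which is the condition the original command hit:

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Assumptions: MIT/Heimdal 'klist' and 'kinit', OpenLDAP 'ldapsearch'.

# Returns 0 if the credentials cache holds a valid (unexpired) TGT,
# 1 if the cache is missing or the ticket has expired,
# 2 if the Kerberos client tools are not installed at all.
# 'klist -s' is silent and exits non-zero when no valid ticket exists.
have_tgt() {
    command -v klist >/dev/null 2>&1 || return 2
    klist -s >/dev/null 2>&1 || return 1
    return 0
}

# Build the ldapsearch command line used once a TGT is present.
# -Y GSSAPI selects the SASL mechanism explicitly; there is no -D/-w,
# so no password reaches the LDAP server, the shell history, or 'ps'.
# Arguments: host base-DN [filter]; the filter defaults to (objectClass=*).
ldap_gssapi_cmd() {
    printf 'ldapsearch -Y GSSAPI -h %s -b %s %s\n' \
        "$1" "$2" "${3:-(objectClass=*)}"
}

# Run the search only when a TGT exists; otherwise say how to get one
# instead of letting SASL/GSSAPI fail with a generic "Local error (-2)".
search_with_tgt() {
    if have_tgt; then
        ldapsearch -Y GSSAPI -h "$1" -b "$2" "${3:-(objectClass=*)}"
    else
        rc=$?
        if [ "$rc" -eq 2 ]; then
            echo "Kerberos client tools (kinit/klist) not found" >&2
        else
            echo "No valid TGT in the credentials cache; run: kinit user@EXAMPLE.REALM" >&2
        fi
        return "$rc"
    fi
}

# Typical use, with the host and base DN from the thread:
#   kinit user@EXAMPLE.REALM
#   search_with_tgt adserver.ourdomain.org "dc=OURDOMAIN,dc=ORG" "(cn=myuserid)"
```

Note that without `-x`, OpenLDAP's ldapsearch attempts a SASL bind, which is why the original command with `-D`/`-w` still went down the GSSAPI path and looked for a ticket cache; the ticket, not the password, is what the directory server verifies.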