Re: using Kerberos to authenticate to Active Directory from python ldap
2009/4/10 Geert Jansen :
> As a related solution, you could have a look at python-ad [1].
> Python-AD is built on top of python-ldap and provides lots of
> functionality that you normally need to connect to AD built in. For
> example, service discovery, credential management and multi-domain
> functionality. There's a few examples on the site, including how to
> use Kerberos credentials with AD.
I noticed that there is some C code related to Kerberos in python-ad.
Is this code required to initialize a Kerberos authentication, or is
this just to change passwords and things like that?
thanks,
Olivier
--
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
___
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
Re: using Kerberos to authenticate to Active Directory from python ldap
Olivier Sessink wrote:
> 2009/4/10 Geert Jansen :
>> As a related solution, you could have a look at python-ad [1].
>> Python-AD is built on top of python-ldap and provides lots of
>> functionality that you normally need to connect to AD built in. For
>> example, service discovery, credential management and multi-domain
>> functionality. There's a few examples on the site, including how to
>> use Kerberos credentials with AD.
>
> I noticed that there is some C code related to Kerberos in python-ad.
> Is this code required to initialize a Kerberos authentication, or is
> this just to change passwords and things like that?
You can bind with SASL/GSSAPI to AD with plain python-ldap provided you
obtained a valid TGT with kinit before (just like with command-line tool
ldapsearch).
Ciao, Michael.
Re: Limited the usage of SF services for python-ldap
Zhang Huangbin wrote:
> Try google code project hosting?
> http://code.google.com/
Nope!
I strongly prefer to cooperate with people who are not a big company and
are personally committed to either directly support Python or OpenLDAP.
I won't go for an infrastructure like SF anymore where download and
admin pages are getting more and more complicated with mandatory
Javascript, banner ads and all this crap. Even if such a service looks
ok for now, the experience in the past showed that it's getting worse
after some time.
I will inform here about the decision taken.
Ciao, Michael.
New python-ldap home page
HI!
The web pages of python-ldap were moved to
http://www.python-ldap.org/
Ciao, Michael.
ldapsearch vs. python-ldap
Hey,
I'm trying to use python-ldap to do something that works with the
ldapsearch command line tool. I've posted code samples, can someone
point out why the python-ldap fails? What is different about what
python-ldap is doing. It seems that it forgets that it just _did_ bind
successfully...
thanks in advance,
_James
[email protected]
# from a command line you can successfully run:
# $
# ldapsearch -x -b "" -D "place\" -h -p 389 -W "(&(objectcategory=person)(objectclass=user)(samaccountname=))"
#
#
# however this doesn't work:
import ldap
import sys
import getpass
l = ldap.initialize('ldap://:389')
try:
    #l.simple_bind_s('[email protected]', getpass.getpass())
    l.simple_bind_s('\', getpass.getpass()) # Works
except Exception, e:
    print e
    print 'Bind Failed'
    sys.exit(1)
try:
    r = l.search_s('dc=', ldap.SCOPE_SUBTREE, '(&(objectcategory=person)(objectclass=user)(samaccountname=))', ['*'])
except Exception, e:
    print e
    # this prints:
    # {'info': ': LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece', 'desc': 'Operations error'}
    print 'Search Died'
    sys.exit(1)
for x in r:
    print x
Re: tarball vs. download URL
On Tue, Apr 7, 2009 at 1:28 PM, Jens Vagelpohl wrote:
> Personally, I haven't had the need to search for a service that offers
> something like SF, including version control and bug tracking. I
> either use my own systems, or those used by the Zope developer
> community.
>
> One candidate you could look at, if you have a minute, is Launchpad.
> They have all kinds of nice services, but there's one big drawback:
> They force you onto their own VCS (bzr). I have not looked at any
> other sites like Google Code.
That's not true. You are not required to use bzr, you can easily host
your code somewhere. When setting up a project you have the option to
specify a CVS or Subversion repo URL. Regular code imports from CVS and
SVN are supported too, and many Zope projects are being mirrored in
Launchpad's Code Hosting. Soon git will be supported for code mirroring
too.
--
Sidnei da Silva
Canonical Ltd.
Landscape · Changing the way you manage your systems
http://landscape.canonical.com
Re: using Kerberos to authenticate to Active Directory from python ldap
2009/4/10 Michael Ströder :
> You can bind with SASL/GSSAPI to AD with plain python-ldap provided you
> obtained a valid TGT with kinit before (just like with command-line tool
> ldapsearch).
thanks, that's what I need to know.
I can't get it to work though..
ld = ldap.initialize('ldap://foobar')
sasl = ldap.sasl.gssapi()
ld.sasl_interactive_bind_s('', sasl)
ld.search_s('DC=foo,DC=foo', ldap.SCOPE_SUBTREE, '(CN=blabla)', ['Member'])
ldap.OPERATIONS_ERROR: {'info': ': LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece', 'desc': 'Operations
error'}
this shell command works:
ldapsearch -YGSSAPI -H ldap://foobar -bDC=foo,DC=foo '(CN=blabla)' Member
I've tried different LDAP URLs, but from an ldapsearch strace I'm
pretty sure I use the right ldap server.
However, this is on a suse linux enterprise box, which has python-ldap
2.0.11. Could it be that this is too old?
thanks,
Olivier
Re: using Kerberos to authenticate to Active Directory from python ldap
Michael Ströder wrote:
> Hmm, this should simply work just like the ldapsearch usage.
BTW: If you're using MS AD of W2K8 (not W2K3) you can check whether
you're bound with ld.whoami_s() which on W2K8 returns
'u:DOMAIN\SAMACCOUNTNAME'.
Ciao, Michael.
Re: Limited the usage of SF services for python-ldap
Michael Ströder wrote:
> Zhang Huangbin wrote:
>> Try google code project hosting?
>> http://code.google.com/
>
> Nope!
>
> I strongly prefer to cooperate with people who are not a big company and
> are personally committed to either directly support Python or OpenLDAP.
> I won't go for an infrastructure like SF anymore where download and
> admin pages are getting more and more complicated with mandatory
> Javascript, banner ads and all this crap. Even if such a service looks
> ok for now, the experience in the past showed that it's getting worse
> after some time.
>
> I will inform here about the decision taken.
>
> Ciao, Michael.
>
Kudos for your clear thinking on this. In my estimation, you're
absolutely choosing the correct path by proceeding this way.
~c
Re: using Kerberos to authenticate to Active Directory from python ldap
Olivier Sessink wrote:
> 2009/4/10 Michael Ströder :
>> You can bind with SASL/GSSAPI to AD with plain python-ldap provided you
>> obtained a valid TGT with kinit before (just like with command-line tool
>> ldapsearch).
>
> thanks, that's what I need to know.
>
> I can't get it to work though..
>
> ld = ldap.initialize('ldap://foobar')
> sasl = ldap.sasl.gssapi()
> ld.sasl_interactive_bind_s('', sasl)
> ld.search_s('DC=foo,DC=foo', ldap.SCOPE_SUBTREE, '(CN=blabla)', ['Member'])
>
> ldap.OPERATIONS_ERROR: {'info': ': LdapErr: DSID-0C090627,
> comment: In order to perform this operation a successful bind must be
> completed on the connection., data 0, vece', 'desc': 'Operations
> error'}
>
> this shell command works:
>
> ldapsearch -YGSSAPI -H ldap://foobar -bDC=foo,DC=foo '(CN=blabla)' Member
>
> I've tried different LDAP URLs, but from an ldapsearch strace I'm
> pretty sure I use the right ldap server.
Hmm, this should simply work just like the ldapsearch usage. Since
you're searching from domain level it would be worth trying to
explicitly switch off referral chasing within libldap:
ld = ldap.initialize('ldap://foobar')
ld.set_option(ldap.OPT_REFERRALS,0)
Note that automatic referral chasing within libldap was always using
anonymous bind.
> However, this is on a suse linux enterprise box, which has python-ldap
> 2.0.11. Could it be that this is too old?
Glancing over CHANGES there were no related fixes to SASL but maybe the
default for ldap.OPT_REFERRALS was changed. But you should upgrade
anyway for various reasons...
Ciao, Michael.
Re: using Kerberos to authenticate to Active Directory from python ldap
2009/4/10 Michael Ströder :
> Olivier Sessink wrote:
>> 2009/4/10 Michael Ströder :
>>> You can bind with SASL/GSSAPI to AD with plain python-ldap provided you
>>> obtained a valid TGT with kinit before (just like with command-line tool
>>> ldapsearch).
>>
>> thanks, that's what I need to know.
>>
>> I can't get it to work though..
>>
>> ld = ldap.initialize('ldap://foobar')
>> sasl = ldap.sasl.gssapi()
>> ld.sasl_interactive_bind_s('', sasl)
>> ld.search_s('DC=foo,DC=foo', ldap.SCOPE_SUBTREE, '(CN=blabla)', ['Member'])
>>
>> ldap.OPERATIONS_ERROR: {'info': ': LdapErr: DSID-0C090627,
>> comment: In order to perform this operation a successful bind must be
>> completed on the connection., data 0, vece', 'desc': 'Operations
>> error'}
>>
>> this shell command works:
>>
>> ldapsearch -YGSSAPI -H ldap://foobar -bDC=foo,DC=foo '(CN=blabla)' Member
>>
>> I've tried different LDAP URLs, but from an ldapsearch strace I'm
>> pretty sure I use the right ldap server.
>
> Hmm, this should simply work just like the ldapsearch usage. Since
> you're searching from domain level it would be worth trying to
> explicitly switch off referral chasing within libldap:
>
> ld = ldap.initialize('ldap://foobar')
> ld.set_option(ldap.OPT_REFERRALS,0)
you saved my day!
it works.
sorry for my limited knowledge, but what does "referrals should be
automatically chased" mean?
many thanks
Olivier
Re: using Kerberos to authenticate to Active Directory from python ldap
Olivier Sessink wrote:
>> ld = ldap.initialize('ldap://foobar')
>> ld.set_option(ldap.OPT_REFERRALS,0)
>
> you saved my day!
>
> it works.
Glad that worked.
> sorry for my limited knowledge, but what does "referrals should be
> automatically chased" mean?
Referrals are basically LDAP URLs that are returned, potentially pointing
to other LDAP servers to look in. The client has to chase the referrals.
This is a broken concept since the LDAPv3 standard says nothing about
which credentials to use when chasing the referral. libldap by default
chased referrals anonymously.
Ciao, Michael.
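The fix discussed in this thread, as an added example that is not part of the original messages or of python-ldap itself: bind with SASL/GSSAPI, switch off libldap's referral chasing, and list the referral URLs that come back instead of being followed anonymously. The helper names and the sample data are assumptions constructed for illustration; the base DN and filter follow the thread's placeholders.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample of what search_s() can return from an AD domain root once
# OPT_REFERRALS is 0: one real entry plus (None, [url]) continuation references.
SAMPLE = [
    ('CN=blabla,OU=Groups,DC=foo,DC=foo',
     {'member': [b'CN=alice,OU=People,DC=foo,DC=foo']}),
    (None, ['ldap://ForestDnsZones.foo.foo/DC=ForestDnsZones,DC=foo,DC=foo']),
    (None, ['ldap://DomainDnsZones.foo.foo/DC=DomainDnsZones,DC=foo,DC=foo']),
    (None, ['ldap://foo.foo/CN=Configuration,DC=foo,DC=foo']),
]

def split_results(results):
    """Separate real entries from referrals (python-ldap reports them with dn None)."""
    entries, referrals = [], []
    for dn, data in results:
        if dn is None:
            referrals.extend(u.decode() if isinstance(u, bytes) else u for u in data)
        else:
            entries.append((dn, data))
    return entries, referrals

def referral_targets(referrals):
    """(host, base DN) pairs libldap would have contacted with an anonymous bind."""
    targets = []
    for url in referrals:
        parts = urlsplit(url)
        targets.append((parts.hostname, unquote(parts.path.lstrip('/'))))
    return targets

def gssapi_search(uri, base, filterstr, attrs):
    """Kerberos-authenticated search; needs python-ldap and a TGT from kinit."""
    import ldap
    import ldap.sasl
    ld = ldap.initialize(uri)
    ld.set_option(ldap.OPT_REFERRALS, 0)   # do not chase referrals anonymously
    ld.sasl_interactive_bind_s('', ldap.sasl.gssapi())
    return split_results(ld.search_s(base, ldap.SCOPE_SUBTREE, filterstr, attrs))

if __name__ == '__main__':
    entries, referrals = split_results(SAMPLE)
    print('entries:', [dn for dn, _ in entries])
    for host, base in referral_targets(referrals):
        print('referral not followed: %s (%s)' % (host, base))
```

Any referral that does need following can then be handled by opening a new connection to that host and doing the GSSAPI bind there explicitly.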
