First step is configuring your platform's Kerberos library so you can kinit against your AD server. You will need to read about krb5.conf and kinit, I suspect.
Next step is getting a SASL-GSSAPI module installed so that SASL can access your Kerberos library (through its GSSAPI interface). This is a matter of package hunting usually.
I'm assuming your OpenLDAP library has SASL support.
Finally, you call ldap_sasl_bind to connect. I hope someone else can chime in here with an example of sasl binds with python-ldap.


Mike Matz wrote:
Thanks for your input David. I will read through the MSDN articles to see if they provide me with any insight. I am not familiar with using SASL/GSSAPI/Kerberos to bind to AD's LDAP. Could you possibly provide me with a few steps to accomplish this?

On Nov 8, 2007, at 7:48 AM, David Leonard wrote:

Hi, Mike

I think AD uses an extension to the Kerberos protocol to change the password of a user. See
As far as I understand it, the unicodePwd attribute is the NT hash of the user's password. (See
Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's LDAP. It should be a lot easier to manage than SSL certs.


Mike Matz wrote:

Thanks for the help guys. It got me off to a great start. I have successfully created a user in my AD. As you already alluded to, I am struggling with the password attribute. Can the password attribute be set when creating a user? From what I gathered, the password attribute is 'unicodePwd'. This attribute cannot be created, it can only be modified. Is this attribute created by default when a user is created? Would I be able to do an add and then a modify to set the password? I am aware of the fact that there are certain restrictions in place in order to modify the password. I have set up my AD to include SSL and I am able to bind as Administrator over port 636. With that said, one of the examples I ran across for adding a user refers to another attribute 'userPassword'. I am unable to tell what this attribute is. In the link below, it appears that the password is being set when the entry is added. I have tried this unsuccessfully. I appreciate all the help thus far.

Example Add Entry -

-----Original Message-----
From: Geert Jansen []
Sent: Wed 11/7/2007 1:50 PM
To: Michael Ströder
Cc: Mike Matz;
Subject: Re: Creating Active Directory Objects

Michael Ströder wrote:

> I vaguely remember that there are some issues with really activating a
> user entry as a Windows user. But this is not a problem of accessing AD
> via python-ldap.

This indeed rings a bell. You need to create the user as disabled (look
for userAccountControl on MSDN), set a compliant password, and then
enable him.


David Leonard
Ph: +61 404 844 850
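The create-disabled, set-password, then-enable sequence that Geert describes, written out with python-ldap as an added example (not code from anyone in this thread). The server URI, base DN and credentials are placeholders; the userAccountControl bit values come from Microsoft's flag table, and the unicodePwd format (the password in double quotes, UTF-16LE encoded) is the one AD documents for writes over an encrypted connection such as the port 636 LDAPS bind Mike already has.

```python
# Added example: AD user creation in three steps with python-ldap.
# Placeholder values throughout; an encrypted (LDAPS) connection is assumed,
# since AD rejects unicodePwd writes over a clear-text session.

# python-ldap modlist operation codes (same values as ldap.MOD_ADD / ldap.MOD_REPLACE)
MOD_ADD, MOD_REPLACE = 0, 2

# userAccountControl bits (from the MSDN flag table)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200


def encode_unicode_pwd(password):
    """unicodePwd value: the password wrapped in double quotes, UTF-16LE."""
    return ('"%s"' % password).encode("utf-16-le")


def new_user_addlist(sam, cn, domain_dns):
    """Attribute list for add_s: a normal account created *disabled* (514)."""
    return [
        ("objectClass", [b"top", b"person", b"organizationalPerson", b"user"]),
        ("cn", [cn.encode()]),
        ("sAMAccountName", [sam.encode()]),
        ("userPrincipalName", [("%s@%s" % (sam, domain_dns)).encode()]),
        ("userAccountControl",
         [str(UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE).encode()]),
    ]


def set_password_modlist(password):
    """Step two: unicodePwd cannot be supplied on add, so replace it after."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(password)])]


def enable_modlist():
    """Step three: clear ACCOUNTDISABLE, leaving NORMAL_ACCOUNT (512)."""
    return [(MOD_REPLACE, "userAccountControl",
             [str(UF_NORMAL_ACCOUNT).encode()])]


def create_ad_user(uri, bind_dn, bind_pw, user_dn, sam, cn, domain_dns, password):
    """Run the three steps against a live DC. ldap is imported lazily so the
    pure helpers above work without python-ldap installed."""
    import ldap
    conn = ldap.initialize(uri)  # e.g. "ldaps://dc.example.test:636" (placeholder)
    conn.simple_bind_s(bind_dn, bind_pw)
    conn.add_s(user_dn, new_user_addlist(sam, cn, domain_dns))
    conn.modify_s(user_dn, set_password_modlist(password))
    conn.modify_s(user_dn, enable_modlist())
    conn.unbind_s()
```

If the password does not meet the domain policy the second modify_s fails with a constraint violation and the account is left disabled, which is the safe outcome.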


