Re: using Kerberos to authenticate to Active Directory from python ldap

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Olivier Sessink wrote:
> 
> So I'm rewriting the script for python. However, I cannot get the 
> kerberos authentication right.
> 
> ld = ldap.initialize('activedirectory-dns')
> ld.sasl_interactive_bind_s('', ldap.sasl.gssapi('user@REALM'))
> ld.search_s(self.base, ldap.SCOPE_SUBTREE, '(CN=groupname)', ['Member'])
> 
> I get an error that I don't have the right credentials.
> 
> However it works with ldapsearch, so the Kerberos ticket is valid and 
> correct for this query..

I cannot see how your parameters are. Note that SASL-Bind with GSSAPI is
quite picky about using the right DNS names.

Especially it should be something like

ld = ldap.initialize('ldap://dc1.dom2.adtest.domain')

with dc1.dom2.adtest.domain being one of the names listed with service
prefix ldap/ in servicePrincipalName on the domain controller.

> Or an example script that uses Kerberos?

Demo/sasl_bind.py

Ciao, Michael.