From: Gavin D. <gdo...@an...> - 2004-04-06 20:50:46
|
I'm having fits with ldap.sasl, and was wondering if perhaps I was just suffering from a conceptual gap. Maybe there's some sample code someplace that I couldn't find with Google? I need to use Kerberos authentication through GSSAPI to talk to our LDAP server. I have a valid Kerberos ticket granting ticket, and I can use the ldapadd utility to accomplish what I want on the server in question, so I know that my account is properly provisioned.

Code looks like this:

    import ldap, ldap.sasl

    l = ldap.open('ldapserver.dreamworks.com')
    auth = ldap.sasl.gssapi()
    l.sasl_interactive_bind_s('', auth)

Traceback like this:

        l.sasl_interactive_bind_s('', auth)
      File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 196, in sasl_interactive_bind_s
        return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,serverctrls,clientctrls)
      File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
        result = func(*args,**kwargs)
    ldap.LOCAL_ERROR: {'desc': 'Local error'}

--
Gavin Doughtie
DreamWorks SKG |
From: <mi...@st...> - 2004-04-06 22:41:18
|
Gavin Doughtie wrote:
> I need to use Kerberos authentication through GSSAPI to talk to our LDAP
> server.

I don't have personal experience with such a setup.

> I have a valid Kerberos ticket granting ticket, and I can use
> the ldapadd utility to accomplish what I want on the server in question,
> [..]
> ldap.LOCAL_ERROR: {'desc': 'Local error'}

Just guessing:

Is the Python script running as the same user as your ldapadd test?

Does the Python script have access to the Kerberos ticket?

Ciao, Michael. |
From: Gavin D. <gdo...@an...> - 2004-04-06 23:19:13
|
I'm running the Python script from an interactive shell, and I have a Kerberos ticket. So far, everything is running as me with my tickets. As far as the Python script having access -- well, as far as I can understand things it *should* have access via the native sasl library which, using GSSAPI, should go grab my ticket and present it to the LDAP server. However, I think either the sasl_bind_interactive method is broken or I'm not giving it the right information.

Michael Ströder wrote:
> Gavin Doughtie wrote:
>
>> I need to use Kerberos authentication through GSSAPI to talk to our
>> LDAP server.
>
> I don't have personal experience with such a setup.
>
>> I have a valid Kerberos ticket granting ticket, and I can use the
>> ldapadd utility to accomplish what I want on the server in question,
>> [..]
>> ldap.LOCAL_ERROR: {'desc': 'Local error'}
>
> Just guessing:
>
> Is the Python script running as the same user as your ldapadd test?
>
> Does the Python script have access to the Kerberos ticket?
>
> Ciao, Michael.

--
Gavin Doughtie
DreamWorks SKG |
From: <mi...@st...> - 2004-04-06 23:24:03
|
Gavin Doughtie wrote:
> I'm running the Python script from an interactive shell, and I have a
> Kerberos ticket. So far, everything is running as me with my tickets. As
> far as the Python script having access -- well, as far as I can
> understand things it *should* have access via the native sasl library
> which, using GSSAPI, should go grab my ticket and present it to the LDAP
> server.

Running as the same user?

> However, I think either the sasl_bind_interactive method is
> broken or I'm not giving it the right information.

Hmm, maybe it's broken. Please raise the debug level, set with ldap.set_option(ldap.OPT_DEBUG_LEVEL,0). Maybe this gives some hints.

Ciao, Michael. |
From: Gavin D. <gdo...@an...> - 2004-04-06 23:42:37
|
Yes, running as the same user. Here's the detailed dump:

    ldap_interactive_sasl_bind_s: user selected: GSSAPI
    ldap_int_sasl_bind: GSSAPI
    ldap_new_connection
    ldap_int_open_connection
    ldap_connect_to_host: ldap4.anim.dreamworks.com
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 192.168.4.141:389
    ldap_connect_timeout: fd: 3 tm: -1 async: 0
    ldap_ndelay_on: 3
    ldap_is_sock_ready: 3
    ldap_ndelay_off: 3
    ldap_err2string                      <--- failure
    ldap_free_connection
    ldap_send_unbind
    ldap_free_connection: act

Do I need to put any more information in the ldap.sasl.gssapi() object?

Michael Ströder wrote:
> Gavin Doughtie wrote:
>
>> I'm running the Python script from an interactive shell, and I have a
>> Kerberos ticket. So far, everything is running as me with my tickets.
>> As far as the Python script having access -- well, as far as I can
>> understand things it *should* have access via the native sasl library
>> which, using GSSAPI, should go grab my ticket and present it to the
>> LDAP server.
>
> Running as the same user?
>
>> However, I think either the sasl_bind_interactive method is broken or
>> I'm not giving it the right information.
>
> Hmm, maybe it's broken. Please raise debug level set with
> ldap.set_option(ldap.OPT_DEBUG_LEVEL,0). Maybe this gives some hints.
>
> Ciao, Michael.

--
Gavin Doughtie
DreamWorks SKG
(818) 695-3821 |
From: <mi...@st...> - 2004-04-07 10:22:19
|
Gavin Doughtie wrote:
> ldap.LOCAL_ERROR: {'desc': 'Local error'}

Can you please catch the exception and display it using str()? See Demo/sasl_bind.py.

I'm experimenting with GSSAPI right now but currently I'm getting:

    Error using SASL mechanism GSSAPI {'info': 'SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Incorrect net address)', 'desc': 'Local error'}

Ciao, Michael. |
From: <mi...@st...> - 2004-04-07 10:58:01
|
Michael Ströder wrote:
>
> I'm experimenting with GSSAPI right now

It seems to work for me. Since I'm not a Kerberos expert I can't provide more detailed help.

It seems to also depend on the interface's IP address. I succeeded by fetching the TGT with

    kinit --no-addresses michael

Note that you should really dig into the issues with your local configuration! Simply doing copy&paste of such a kinit command above could lead to security issues!

Anyone else here who has more insights?

Ciao, Michael. |
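Putting Michael's two suggestions into code: catch the LDAPError, read its 'desc' and 'info' fields, and turn the GSSAPI text into a concrete next step, including the address-bearing TGT case that `kinit --no-addresses` (Heimdal) or `kinit -A` (MIT) works around, with Michael's caveat that you should understand why the addresses differ before relying on that. It also shows the bind call from Gavin's first message in its python-ldap form. This is an added example written for this thread, not code from python-ldap, its Demo/sasl_bind.py, or any of the posters. It assumes a current python-ldap and Python 3; the Kerberos error texts other than "Incorrect net address" are not from the thread and are assumptions about common MIT/Heimdal wording that may differ on your libraries.

```python
"""Catch a python-ldap SASL/GSSAPI bind failure and turn its 'desc'/'info'
payload into a concrete next step, then perform the bind when python-ldap
and a Kerberos ticket are actually available.

Added example for this thread, not code from python-ldap or from the
posters. Written for Python 3 and a current python-ldap. Assumed: LDAPError
carries a dict with 'desc' and optionally 'info' (as quoted in the thread);
the Kerberos texts other than "Incorrect net address" are common MIT/Heimdal
wording that the thread does not show and may differ on your libraries.
"""
import os
import re

try:
    import ldap
    import ldap.sasl
except ImportError:          # python-ldap absent: the diagnosis still runs
    ldap = None

# (regex over the SASL 'info' text, what it means, what to try next).
# The first entry is the failure Michael hit; the others are assumptions.
HINTS = [
    (r"Incorrect net address",
     "the TGT carries client addresses that do not match the interface "
     "used for the LDAP connection",
     "get an address-less TGT with 'kinit -A' (MIT) or "
     "'kinit --no-addresses' (Heimdal), after understanding why they differ"),
    (r"No credentials cache found|Credentials cache .* not found",
     "no Kerberos ticket is visible to this process",
     "run kinit as the same user, or point KRB5CCNAME at the right cache"),
    (r"Ticket expired",
     "the cached TGT has expired",
     "run kinit again (or renew with 'kinit -R')"),
    (r"Server not found in Kerberos database",
     "the KDC has no ldap/<fqdn> principal for the name the client resolved",
     "check the server's service principal and use its canonical FQDN in the URI"),
]


def diagnose(err_args):
    """Map an LDAPError payload such as
    {'desc': 'Local error', 'info': 'SASL(-1): ... (Incorrect net address)'}
    to (summary, hint)."""
    desc = err_args.get("desc", "") or "unknown LDAP error"
    info = err_args.get("info")
    if not info:
        # Gavin's case: only 'desc'. Nothing to match on, so the next
        # step is the client-side debug log, not the SASL text.
        return (desc, "no 'info' field: set ldap.OPT_DEBUG_LEVEL above 0 "
                      "and compare SASL/Kerberos library versions with a "
                      "host where the bind works")
    for pattern, meaning, fix in HINTS:
        if re.search(pattern, info):
            return ("%s: %s" % (desc, meaning), fix)
    return ("%s: %s" % (desc, info), "inspect the SASL/GSSAPI text above")


def credential_cache_visible():
    """Cheap check for 'same user as the kinit?': MIT's default cache is
    FILE:/tmp/krb5cc_<uid> unless KRB5CCNAME says otherwise (assumption:
    a FILE: cache; other cache types return False here)."""
    cache = os.environ.get("KRB5CCNAME", "FILE:/tmp/krb5cc_%d" % os.getuid())
    if not cache.startswith("FILE:"):
        return False
    return os.path.exists(cache[len("FILE:"):])


def gssapi_bind(uri, debug_level=0):
    """SASL/GSSAPI bind; returns the authorization identity reported by the
    server, or raises RuntimeError carrying the diagnosis."""
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    ldap.set_option(ldap.OPT_DEBUG_LEVEL, debug_level)
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3      # SASL bind needs LDAPv3
    try:
        conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
        return conn.whoami_s()
    except ldap.LDAPError as e:
        payload = e.args[0] if e.args and isinstance(e.args[0], dict) else {}
        summary, hint = diagnose(payload)
        raise RuntimeError("%s; try: %s" % (summary, hint))
    finally:
        conn.unbind_s()


if __name__ == "__main__":
    # Constructed payloads shaped like the two failures quoted in the thread.
    for sample in ({"desc": "Local error"},
                   {"desc": "Local error",
                    "info": "SASL(-1): generic failure: GSSAPI Error: "
                            "Miscellaneous failure (see text) "
                            "(Incorrect net address)"}):
        print(diagnose(sample))
    print("credential cache visible:", credential_cache_visible())
```

Run it without arguments to see the two diagnoses; call `gssapi_bind("ldap://your.server/")` from a shell where `klist` shows a TGT to perform the real bind. The `info` field is the only place the SASL/GSSAPI text surfaces, which is why a payload with `desc` alone (Gavin's case) can only be pushed toward the debug log.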
From: Gavin D. <gdo...@an...> - 2004-04-07 17:39:35
|
OK, here's the result from running my modified sasl_bind.py (below):

    marlin [~/src/mod/python/users](SHARK)(55)> kinit
    Password for gdo...@AN...:
    marlin [~/src/mod/python/users](SHARK)(56)> klist
    Ticket cache: FILE:/tmp/krb5cc_3501
    Default principal: gdo...@AN...

    Valid starting     Expires            Service principal
    04/07/04 10:36:46  04/07/04 20:36:46  krbtgt/ANI...@AN...

    Kerberos 4 ticket cache: /tmp/tkt3501
    klist: You have no tickets cached
    marlin [~/src/mod/python/users](SHARK)(57)> python ./sasl_bind.py
    ******************** GSSAPI ********************
    *** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.set_option ((17, 3),{})
    *** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.set_option ((17, 3),{})
    *** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.sasl_interactive_bind_s (('', <ldap.sasl.sasl instance at 0xb6e8110c>, None, None),{})
    Error using SASL mechanism GSSAPI {'desc': 'Local error'} (<class ldap.LOCAL_ERROR at 0xb73fa4dc>, <ldap.LOCAL_ERROR instance at 0xb6e811ec>, <traceback object at 0xb6e85f54>)
      File "./sasl_bind.py", line 72, in ?
        l.sasl_interactive_bind_s("", sasl_auth)
      File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 196, in sasl_interactive_bind_s
        return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,serverctrls,clientctrls)
      File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
        result = func(*args,**kwargs)
    *** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.unbind_ext ((None, None),{})
    marlin [~/src/mod/python/users](SHARK)(58)>

------------------------------------------------- code ----------
# For documentation, see comments in Module/LDAPObject.c and the
# ldap.sasl module documentation.

import traceback
import sys
import ldap,ldap.sasl

ldap.sasl._trace_level=0

ldap.set_option(ldap.OPT_DEBUG_LEVEL,0)

for ldap_uri,sasl_mech,sasl_cb_value_dict in [
  (
    "ldap://etzadaat.anim.dreamworks.com:389/",
    'GSSAPI',
    {
      ldap.sasl.CB_AUTHNAME :'',
      ldap.sasl.CB_PASS :'',
    }
  ),
#  (
#    "ldap://localhost:1390/",
#    'CRAM-MD5',
#    {
#      ldap.sasl.CB_AUTHNAME :'fred',
#      ldap.sasl.CB_PASS :'secret',
#    }
#  ),
#  (
#    "ldap://localhost:1390/",
#    'PLAIN',
#    {
#      ldap.sasl.CB_AUTHNAME :'fred',
#      ldap.sasl.CB_PASS :'secret',
#    }
#  ),
#  (
#    "ldap://localhost:1390/",
#    'LOGIN',
#    {
#      ldap.sasl.CB_AUTHNAME :'fred',
#      ldap.sasl.CB_PASS :'secret',
#    }
#  ),
#  (
#    "ldapi://%2Ftmp%2Fopenldap-socket/",
#    'EXTERNAL',
#    { }
#  ),
#  (
#    "ldap://localhost:1390/",
#    'GSSAPI',
#    { }
#  ),
#  (
#    "ldap://localhost:1390/",
#    'DIGEST-MD5',
#    {
#      ldap.sasl.CB_AUTHNAME :'fred',
#      ldap.sasl.CB_PASS :'secret',
#    }
#  ),
]:

  sasl_auth = ldap.sasl.sasl(sasl_cb_value_dict,sasl_mech)

  print 20*'*',sasl_auth.mech,20*'*'

  # Open the LDAP connection
  l = ldap.initialize(ldap_uri,trace_level=1)

  # Set protocol version to LDAPv3 to enable SASL bind!
  #l.protocol_version = 3
  l.protocol_version = ldap.VERSION3

  try:
    l.sasl_interactive_bind_s("", sasl_auth)
  except ldap.LDAPError,e:
    print 'Error using SASL mechanism ', sasl_auth.mech,str(e), sys.exc_info()
    traceback.print_tb(sys.exc_info()[2])
  else:
    print 'Successfully bound using SASL mechanism',sasl_auth.mech,'as',repr(l.whoami_s())

  l.unbind()
--------------------------------------------- end code ----------

Michael Ströder wrote:
> Gavin Doughtie wrote:
> > ldap.LOCAL_ERROR: {'desc': 'Local error'}
>
> Can you please catch the exception and display it using str()? See
> Demo/sasl_bind.py.
>
> I'm experimenting with GSSAPI right now but currently I'm getting:
>
> Error using SASL mechanism GSSAPI {'info': 'SASL(-1): generic failure:
> GSSAPI Error: Miscellaneous failure (see text) (Incorrect net
> address)', 'desc': 'Local error'}
>
> Ciao, Michael.

--
Gavin Doughtie
DreamWorks SKG
(818) 695-3821 |
From: <mi...@st...> - 2004-04-08 12:16:15
|
Gavin Doughtie wrote:
> OK, here's the result from running my modified sasl_bind.py (below):
>
> marlin [~/src/mod/python/users](SHARK)(55)> kinit
> Password for gdo...@AN...:

Could you please try with

    kinit --no-addresses

> Error using SASL mechanism GSSAPI {'desc': 'Local error'}

Hmm, really no 'info' field?

What Kerberos lib are you using?

I'm using heimdal 0.6 and cyrus-sasl 2.1.15 shipped with my SuSE 9.0 system.

If anything goes wrong there's a message in the 'info' field containing also Kerberos-related text.

Ciao, Michael. |
From: Gavin D. <gdo...@an...> - 2004-04-08 17:29:16
|
Here's the complete scoop:

    marlin [~/src/mod/python/users](SHARK)(90)> rpm -qi krb5-workstation
    Name        : krb5-workstation             Relocations: (not relocateable)
    Version     : 1.2.7                             Vendor: (none)
    Release     : 14                            Build Date: Wed 13 Aug 2003 03:33:05 PM PDT
    Install Date: Thu 25 Mar 2004 09:36:58 AM PST      Build Host: tuna.anim.dreamworks.com
    Group       : System Environment/Base       Source RPM: krb5-1.2.7-14.src.rpm
    Size        : 1229404                          License: MIT, freely distributable.
    Signature   : DSA/SHA1, Wed 12 Nov 2003 01:33:16 PM PST, Key ID c4e64780ae5317ff
    URL         : http://web.mit.edu/kerberos/www/
    Summary     : Kerberos 5 programs for use on workstations.
    Description :
    Kerberos is a network authentication system. The krb5-workstation package
    contains the basic Kerberos programs (kinit, klist, kdestroy, kpasswd) as
    well as kerberized versions of Telnet and FTP. If your network uses
    Kerberos, this package should be installed on every workstation.

    marlin [~/src/mod/python/users](SHARK)(91)> rpm -qi cyrus-sasl
    Name        : cyrus-sasl                   Relocations: (not relocateable)
    Version     : 2.1.15                            Vendor: Red Hat, Inc.
    Release     : 3                             Build Date: Thu 21 Aug 2003 12:27:29 PM PDT
    Install Date: Thu 25 Mar 2004 09:38:29 AM PST      Build Host: daffy.perf.redhat.com
    Group       : System Environment/Libraries  Source RPM: cyrus-sasl-2.1.15-3.src.rpm
    Size        : 534045                           License: Freely Distributable
    Signature   : DSA/SHA1, Wed 24 Sep 2003 11:11:29 AM PDT, Key ID 219180cddb42a60e
    Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
    URL         : http://asg.web.cmu.edu/sasl/sasl-library.html
    Summary     : The Cyrus SASL library.
    Description :
    The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is
    the Simple Authentication and Security Layer, a method for adding
    authentication support to connection-based protocols.

    marlin [~/src/mod/python/users](SHARK)(92)> kinit --no-addresses
    kinit: invalid option -- -
    kinit: invalid option -- n
    kinit: invalid option -- o
    kinit: invalid option -- -
    kinit: invalid option -- a
    kinit: invalid option -- d
    kinit: invalid option -- d
    Bad lifetime value esses
    Usage: kinit [-5] [-4] [-V] [-l lifetime] [-s start_time] [-r renewable_life]
            [-f | -F] [-p | -P] [-A] [-v] [-R] [-k [-t keytab_file]]
            [-c cachename] [-S service_name] [principal]

        options:                          valid with Kerberos:
            -5 Kerberos 5 (available)
            -4 Kerberos 4 (available)
               (Default behavior is to try Kerberos 5)
            -V verbose                        Either 4 or 5
            -l lifetime                       Either 4 or 5
            -s start time                     5
            -r renewable lifetime             5
            -f forwardable                    5
            -F not forwardable                5
            -p proxiable                      5
            -P not proxiable                  5
            -A do not include addresses       5
            -v validate                       5
            -R renew                          5, or both 5 and 4
            -k use keytab                     5, or both 5 and 4
            -t filename of keytab to use      5, or both 5 and 4
            -c Kerberos 5 cache name          5
            -S service                        5, or both 5 and 4
    marlin [~/src/mod/python/users](SHARK)(93)> kinit -A
    Password for gdo...@AN...:
    marlin [~/src/mod/python/users](SHARK)(94)> python sasl
    sasl_bind.py~  sasl_bind.py
    marlin [~/src/mod/python/users](SHARK)(94)> python sasl_bind.py
    ******************** GSSAPI ********************
    *** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.set_option ((17, 3),{})
    *** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.set_option ((17, 3),{})
    *** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.sasl_interactive_bind_s (('', <ldap.sasl.sasl instance at 0xb6e8110c>, None, None),{})
    Error using SASL mechanism GSSAPI {'desc': 'Local error'} (<class ldap.LOCAL_ERROR at 0xb73fa4dc>, <ldap.LOCAL_ERROR instance at 0xb6e811ec>, <traceback object at 0xb6e85f54>)
      File "sasl_bind.py", line 72, in ?
        l.sasl_interactive_bind_s("", sasl_auth)
      File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 196, in sasl_interactive_bind_s
        return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,serverctrls,clientctrls)
      File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
        result = func(*args,**kwargs)
    *** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.unbind_ext ((None, None),{})

Michael Ströder wrote:
> Gavin Doughtie wrote:
>
>> OK, here's the result from running my modified sasl_bind.py (below):
>>
>> marlin [~/src/mod/python/users](SHARK)(55)> kinit
>> Password for gdo...@AN...:
>
> Could you please try with
>
> kinit --no-addresses
>
>> Error using SASL mechanism GSSAPI {'desc': 'Local error'}
>
> Hmm, really no 'info' field?
>
> What Kerberos lib are you using?
>
> I'm using heimdal 0.6 and cyrus-sasl 2.1.15 shipped with my SuSE 9.0
> system.
>
> If anything goes wrong there's a message in the 'info' field containing
> also Kerberos-related text.
>
> Ciao, Michael.

--
Gavin Doughtie
DreamWorks SKG
(818) 695-3821 |
From: <mi...@st...> - 2004-04-08 17:55:52
|
Gavin Doughtie wrote:
> Here's the complete scoop:
> [..]
> Name        : krb5-workstation             Relocations: (not relocateable)
> [..]
> URL         : http://web.mit.edu/kerberos/www/

It seems you're using the MIT Kerberos implementation which is known to have some issues with OpenLDAP (mainly because it's not thread-safe). In contrast to that I'm using the heimdal implementation.

http://www.pdc.kth.se/heimdal/

As I said I do not have much experience with Kerberos. It simply works for me. It seems I can't really help with your setup.

Ciao, Michael. |
From: Gavin D. <gdo...@an...> - 2004-04-08 20:49:45
|
Does the example below work on your system (or anybody else's on this list?)

This is the example I've been using to test sasl_bind with a little cleanup.

-------------------- 8< -----------------------------------
# For documentation, see comments in Module/LDAPObject.c and the
# ldap.sasl module documentation.

import traceback
import sys
import ldap,ldap.sasl

ldap.sasl._trace_level=0

ldap.set_option(ldap.OPT_DEBUG_LEVEL,0)

############### CHANGE THIS TO YOUR SERVER ##################
MY_LDAP_SERVER = "ldap://put.your.server.url.here/"

for ldap_uri,sasl_mech,sasl_cb_value_dict in [
  (
    MY_LDAP_SERVER,
    'GSSAPI',
    {
      ldap.sasl.CB_AUTHNAME :'',
      ldap.sasl.CB_PASS :'',
    }
  ),
]:

  sasl_auth = ldap.sasl.sasl(sasl_cb_value_dict,sasl_mech)

  print 20*'*',sasl_auth.mech,20*'*'

  # Open the LDAP connection
  l = ldap.initialize(ldap_uri,trace_level=1)

  # Set protocol version to LDAPv3 to enable SASL bind!
  l.protocol_version = ldap.VERSION3

  try:
    l.sasl_interactive_bind_s("", sasl_auth)
  except ldap.LDAPError,e:
    print 'Error using SASL mechanism ', sasl_auth.mech,str(e), sys.exc_info()
    traceback.print_tb(sys.exc_info()[2])
  else:
    print 'Successfully bound using SASL mechanism',sasl_auth.mech,'as',repr(l.whoami_s())

  l.unbind()
-------------------- 8< -----------------------------------

Michael Ströder wrote:
> Gavin Doughtie wrote:
> > Here's the complete scoop:
> > [..]
> > Name        : krb5-workstation             Relocations: (not
> relocateable)
> > [..]
> > URL         : http://web.mit.edu/kerberos/www/
>
> It seems you're using the MIT Kerberos implementation which is known to
> have some issues with OpenLDAP (mainly cause it's not thread-safe). In
> opposite to that I'm using the heimdal implementation.
>
> http://www.pdc.kth.se/heimdal/
>
> As I said I do not have much experience with Kerberos. It simply works
> for me. It seems I can't really help with your setup.
>
> Ciao, Michael.
>

--
Gavin Doughtie
DreamWorks SKG
(818) 695-3821 |
From: paul k <pa...@su...> - 2004-04-08 22:38:23
|
Gavin Doughtie wrote:
> Does the example below work on your system (or anybody else's on this
> list?)

Your code looks strange to me but I'm by no means an expert here. I can confirm that if I set my hostname and change digest-md5 to gssapi in the provided sasl_bind.py from the Demo directory, SASL GSSAPI binds work fine against OpenLDAP 2.2.8 with SASL 2.1.17 and both MIT Kerberos 1.3.1 and a current heimdal snapshot from late March. Python versions are 2.2.3 and 2.3.3, python-ldap is pre19, system is Linux 2.6.

######### code from sasl_bind.py ##################
import ldap, ldap.sasl

l = ldap.initialize("ldap://localhost")
auth = ldap.sasl.gssapi("")
l.sasl_bind_s("", auth)
res = l.search_s("dc=nil,dc=b17",ldap.SCOPE_BASE,"(objectClass=*)")
print res
l.unbind()

######### results #########################
nil python-test # python sasl_bind.py
SASL/GSSAPI authentication started
SASL username: root@B17
SASL SSF: 56
SASL installing layers
[('dc=nil,dc=b17', {'objectClass': ['top', 'dcObject', 'domain', 'domainRelatedObject'], 'associatedDomain': ['nil.b17'], 'dc': ['nil']})]

hth
Paul |
From: <mi...@st...> - 2004-04-09 19:54:39
|
paul k wrote:
> Gavin Doughtie wrote:
>
>> Does the example below work on your system (or anybody else's on this
>> list?)
>
> Your code looks strange to me

His code is taken from Demo/sasl_bind.py and is correct.

> auth = ldap.sasl.gssapi("")

ldap.sasl.gssapi is just a primitive convenience wrapper class around ldap.sasl.sasl for GSSAPI.

Ciao, Michael. |
From: <mi...@st...> - 2004-04-09 19:57:07
|
Gavin Doughtie wrote:
> Does the example below work on your system (or anybody else's on this
> list?)

Yes, it simply works. Due to my local setup without DNS I have to use

    kinit --no-addresses

when obtaining the TGT. After running the program I also have a ticket for the LDAP service.

    $ klist
    Credentials cache: FILE:/tmp/krb5cc_500
            Principal: mi...@ST...

      Issued           Expires          Principal
    Apr  9 21:51:00  Apr 10 07:51:00  krbtgt/STR...@ST...
    Apr  9 21:51:02  Apr 10 07:51:00  ldap/loc...@ST...

Ciao, Michael. |
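Michael's last message verifies the bind from the credential cache rather than from the LDAP client: after a successful GSSAPI bind, klist shows a ticket for the LDAP service next to the krbtgt. Here is that check, together with Michael's earlier "same user, ticket present?" question, as a small klist parser. This is an added example, not code from the thread, from python-ldap or from the posters; it assumes the two klist layouts visible in the thread (MIT's "Default principal:" / "Valid starting" table and Heimdal's "Principal:" / "Issued" table) and uses constructed sample output with placeholder principals and hostnames.

```python
"""Parse klist output and check the Kerberos credential cache the way the
thread does by eye: a TGT must be present before the GSSAPI bind, and a
ticket for ldap/<host> should appear afterwards.

Added example, not code from the thread, python-ldap or the posters.
It handles the two layouts shown in the thread, MIT ("Default principal:",
"Valid starting / Expires / Service principal") and Heimdal ("Principal:",
"Issued / Expires / Principal"). The sample outputs are constructed with
placeholder principals and hostnames.
"""
import re

# Constructed MIT-style klist output, before the bind (placeholder names).
MIT_BEFORE_BIND = """\
Ticket cache: FILE:/tmp/krb5cc_3501
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
04/07/04 10:36:46  04/07/04 20:36:46  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Kerberos 4 ticket cache: /tmp/tkt3501
klist: You have no tickets cached
"""

# Constructed Heimdal-style klist output, after a successful bind.
HEIMDAL_AFTER_BIND = """\
Credentials cache: FILE:/tmp/krb5cc_500
Principal: user@EXAMPLE.COM

  Issued           Expires          Principal
Apr  9 21:51:00  Apr 10 07:51:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr  9 21:51:02  Apr 10 07:51:00  ldap/ldap.example.com@EXAMPLE.COM
"""

CLIENT_RE = re.compile(r"(?:Default principal|Principal):\s*(\S+)")


def parse_klist(text):
    """Return (client principal or None, list of ticket principals)."""
    client, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        m = CLIENT_RE.match(line)
        if m:
            client = m.group(1)
        elif client is not None and "@" in line:
            # Ticket rows end with the service principal; cache-file,
            # header and "no tickets cached" lines contain no '@'.
            tickets.append(line.split()[-1])
    return client, tickets


def realm_of(principal):
    return principal.rsplit("@", 1)[1]


def check_cache(klist_text, ldap_host=None):
    """Pre-flight (ldap_host=None): a principal and its TGT must be present.
    Post-bind (ldap_host given): a ticket for ldap/<ldap_host> must exist."""
    client, tickets = parse_klist(klist_text)
    if client is None:
        return {"ok": False,
                "reason": "no principal in cache: same user as the kinit?"}
    realm = realm_of(client)
    tgt = "krbtgt/%s@%s" % (realm, realm)
    result = {"ok": True, "client": client, "realm": realm,
              "tgt": tgt in tickets,
              "ldap_tickets": [t for t in tickets if t.startswith("ldap/")]}
    if not result["tgt"]:
        result.update(ok=False, reason="no %s in cache: run kinit" % tgt)
    elif ldap_host is not None:
        wanted = "ldap/%s@" % ldap_host
        if not any(t.startswith(wanted) for t in result["ldap_tickets"]):
            result.update(ok=False,
                          reason="bind did not yield a ticket for %s" % wanted)
    return result


if __name__ == "__main__":
    print(check_cache(MIT_BEFORE_BIND))
    print(check_cache(HEIMDAL_AFTER_BIND, ldap_host="ldap.example.com"))
```

In practice you feed it `subprocess.check_output(["klist"], text=True)` run as the same user and with the same KRB5CCNAME as the Python process; the post-bind check is the cheapest proof that the GSSAPI exchange reached the KDC and got a service ticket for the name the client actually resolved.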