From: Wido D. <wid...@gm...> - 2004-10-30 00:08:04
Hi All,

some users of Luma ( http://luma.sf.net ) have problems with binding to a directory using the SASL/GSSAPI method. All these people have a working Kerberos environment and using SASL/MD5 works flawlessly. Here's the output they get from the console:

    SASL/GSSAPI authentication started
    Error during LDAP bind request
    Reason: {'info': 'SASL(0): successful result: ', 'desc': 'Local error'}

Unfortunately I'm not able to test this myself since it would take too much time to set up such an environment. And currently I'm busy with my exams.

For integrating SASL support into Luma I used the example code from python-ldap. Here is the 'bind()' function from Luma and maybe you have an idea what is going wrong:

    import ldap
    import ldap.sasl
    import ldapurl

    def bind(self):
        try:
            # Build the LDAP URL from the server settings (ldaps if TLS is on).
            urlschemeVal = "ldap"
            if self.serverMeta.tls:
                urlschemeVal = "ldaps"
            whoVal = None
            credVal = None
            if not (self.serverMeta.bindAnon):
                whoVal = self.serverMeta.bindDN
                credVal = self.serverMeta.bindPassword
            url = ldapurl.LDAPUrl(urlscheme=urlschemeVal,
                                  hostport=self.serverMeta.host + ":" + str(self.serverMeta.port),
                                  dn=self.serverMeta.baseDN,
                                  who=whoVal,
                                  cred=credVal)
            self.ldapServerObject = ldap.initialize(url.initializeUrl())
            self.ldapServerObject.protocol_version = 3
            if self.serverMeta.bindAnon:
                self.ldapServerObject.simple_bind()
            elif self.serverMeta.authMethod == u"Simple":
                self.ldapServerObject.simple_bind(whoVal, credVal)
            elif u"SASL" in self.serverMeta.authMethod:
                # Callback answers for the SASL interaction; GSSAPI needs none,
                # so the dict stays None for that mechanism (see the rest of
                # this thread for why that matters).
                sasl_cb_value_dict = None
                if not u"GSSAPI" in self.serverMeta.authMethod:
                    sasl_cb_value_dict = {ldap.sasl.CB_AUTHNAME: whoVal,
                                          ldap.sasl.CB_PASS: credVal}
                # Map Luma's menu label onto the SASL mechanism name.
                sasl_mech = None
                if self.serverMeta.authMethod == u"SASL Plain":
                    sasl_mech = "PLAIN"
                elif self.serverMeta.authMethod == u"SASL CRAM-MD5":
                    sasl_mech = "CRAM-MD5"
                elif self.serverMeta.authMethod == u"SASL DIGEST-MD5":
                    sasl_mech = "DIGEST-MD5"
                elif self.serverMeta.authMethod == u"SASL Login":
                    sasl_mech = "LOGIN"
                elif self.serverMeta.authMethod == u"SASL GSSAPI":
                    sasl_mech = "GSSAPI"
                sasl_auth = ldap.sasl.sasl(sasl_cb_value_dict, sasl_mech)
                self.ldapServerObject.sasl_interactive_bind_s("", sasl_auth)
        except ldap.LDAPError, e:
            print "Error during LDAP bind request"
            print "Reason: " + str(e)

Maybe someone with a Kerberos environment can test Luma. So far I'm pretty lost what is going on.

Regards,
Wido
-- 
Wido Depping
ICQ: 51303067
AIM: wido3379
Jabber: wi...@ja...
Blog: http://widoww.blogspot.com
From: Hans A. <Han...@ep...> - 2004-11-03 09:05:48
[to list and OP]

On Saturday 30 October 2004 02:07, Wido Depping wrote:
> Hi All,
> some users of Luma ( http://luma.sf.net ) have problems with binding
> to a directory using the SASL/GSSAPI method. All these people have a
> working Kerberos environment and using SASL/MD5 works flawlessly.
> Here's the output they get from the console:
>
> SASL/GSSAPI authentication started
> Error during LDAP bind request
> Reason: {'info': 'SASL(0): successful result: ', 'desc': 'Local error'}

This error is most likely due to a wrong setup of kerberos <-> LDAP, and has probably nothing to do with python-ldap. The luma users might look at

    http://www.bayour.com/LDAPv3-HOWTO.html

which is a great HOWTO for setting up a working ldap server with GSSAPI authentication. It also explains the reasons for a 'local error'.

BTW, it was some time ago that I last looked at python-ldap, but I think that it still is built on top of the openldap-libraries. So SASL/GSSAPI will work only if it also works using ldapsearch (and vice versa(?)).

Hans
From: <mi...@st...> - 2004-11-03 16:39:07
Hans Aschauer wrote:
> [to list and OP]
>
> On Saturday 30 October 2004 02:07, Wido Depping wrote:
>
>> SASL/GSSAPI authentication started
>> Error during LDAP bind request
>> Reason: {'info': 'SASL(0): successful result: ', 'desc': 'Local error'}
>
> This error is most likely due to a wrong setup of kerberos <-> LDAP, and has
> probably nothing to do with python-ldap.

I agree. One would also need to know which version of heimdal or MIT Kerberos and which kind of KDC this happens with. E.g. I did get such errors when using an earlier version of heimdal with a KDC of W2K3 Active Directory. In my case this was solved by upgrading heimdal. Your mileage may vary.

> So SASL/GSSAPI will work only if it
> also works using ldapsearch (and vice versa(?)).

Yes. Best advice is to test with OpenLDAP's command-line tool ldapsearch.

Ciao, Michael.
From: Wido D. <wid...@gm...> - 2004-11-08 23:10:54
On Wed, 3 Nov 2004 10:05:34 +0100, Hans Aschauer <han...@ep...> wrote:
> On Saturday 30 October 2004 02:07, Wido Depping wrote:
> > Hi All,
> > some users of Luma ( http://luma.sf.net ) have problems with binding
> > to a directory using the SASL/GSSAPI method. All these people have a
> > working Kerberos environment and using SASL/MD5 works flawlessly.
> > Here's the output they get from the console:
> >
> > SASL/GSSAPI authentication started
> > Error during LDAP bind request
> > Reason: {'info': 'SASL(0): successful result: ', 'desc': 'Local error'}
>
> This error is most likely due to a wrong setup of kerberos <-> LDAP, and has
> probably nothing to do with python-ldap. The luma users might look at
>
> http://www.bayour.com/LDAPv3-HOWTO.html
>
> which is a great HOWTO for setting up a working ldap server with GSSAPI
> authentication. It also explains the reasons for a 'local error'. BTW, it was
> some time ago that I last looked at python-ldap, but I think that it still is
> built on top of the openldap-libraries. So SASL/GSSAPI will work only if it
> also works using ldapsearch (and vice versa(?)).

Hi All,

The solution for my problem was simpler than expected. In my code I had "sasl_cb_value_dict = None" instead of "sasl_cb_value_dict = {}". After correcting this, everything worked. However it would be good if the developer gets a more meaningful error message than 'local error'.

Beside that, I just want to say that python-ldap is a really nice library and it has helped me a lot with my Luma development, although I don't use its full potential :)

Regards,
Wido Depping
-- 
Wido Depping
ICQ: 51303067
AIM: wido3379
Jabber: wi...@ja...
Blog: http://widoww.blogspot.com
From: <mi...@st...> - 2004-11-08 23:51:54
Wido Depping wrote:
> On Wed, 3 Nov 2004 10:05:34 +0100, Hans Aschauer <han...@ep...> wrote:
>
>>> SASL/GSSAPI authentication started
>>> Error during LDAP bind request
>>> Reason: {'info': 'SASL(0): successful result: ', 'desc': 'Local error'}
>>
>> This error is most likely due to a wrong setup of kerberos <-> LDAP, and has
>> probably nothing to do with python-ldap.
>
> The solution for my problem was simpler than expected.

Thanks for letting us know.

> In my code I
> had "sasl_cb_value_dict = None" instead of "sasl_cb_value_dict = {}".
> After correcting this, everything worked. However it would be good if
> the developer gets a more meaningful error message than 'local error'.

Hmm, would the patch below solve this particular problem?

> Beside that, I just want to say that python-ldap is a really nice
> library and it has helped me a lot with my Luma development, altough I
> don't use its full potential :)

I look forward to luma using the full potential of python-ldap... :-)

Ciao, Michael.

Index: Lib/ldap/sasl.py
===================================================================
RCS file: /cvsroot/python-ldap/python-ldap/Lib/ldap/sasl.py,v
retrieving revision 1.11
diff -u -r1.11 sasl.py
--- Lib/ldap/sasl.py	25 Mar 2004 14:57:02 -0000	1.11
+++ Lib/ldap/sasl.py	8 Nov 2004 23:44:36 -0000
@@ -46,7 +46,7 @@
     question-answer pairs. Questions are specified by the respective
     SASL callback id's. The mech argument is a string that specifies
     the SASL mechaninsm to be uesd."""
-    self.cb_value_dict = cb_value_dict
+    self.cb_value_dict = cb_value_dict or {}
     self.mech = mech
 
   def callback(self,cb_id,challenge,prompt,defresult):
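Review bot: the `+` line `self.cb_value_dict = cb_value_dict or {}` stops the crash on a None argument but does not provide the more meaningful error message the report asked for; it silently treats None (and any other falsy value) as "no callback answers". That is a sensible default for GSSAPI, which needs no answers, so the docstring in the context lines just above should say that None is accepted and means the library defaults are used, and since those lines are being touched, "mechaninsm" and "uesd" could be corrected at the same time. A caller that passes None for a password-based mechanism will still fail later with an equally opaque SASL error, so rejecting a non-dict argument with a clear exception when it is not None would address the original complaint more directly.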
From: Wido D. <wid...@gm...> - 2004-11-09 00:03:59
On Tue, 09 Nov 2004 00:46:51 +0100, Michael Ströder <mi...@st...> wrote:
> > The solution for my problem was simpler than expected.
> Thanks for letting us know.
> > In my code I
> > had "sasl_cb_value_dict = None" instead of "sasl_cb_value_dict = {}".
> > After correcting this, everything worked. However it would be good if
> > the developer gets a more meaningful error message than 'local error'.
>
> Hmm, would the patch below solve this particular problem?

The patch looks ok to me. Thanks for the fast response :)

bye
Wido
-- 
Wido Depping
ICQ: 51303067
AIM: wido3379
Jabber: wi...@ja...
Blog: http://widoww.blogspot.com
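A small model of the failure discussed in this thread, added here as an illustration and not code from Luma or python-ldap: SaslModel stands in for ldap.sasl.sasl (the callback ids and the `.get(cb_id, defresult)` lookup are assumptions modelled on python-ldap), and run_bind drives its callback the way the SASL layer would, showing why a cb_value_dict of None blows up inside the callback, which the C layer reports only as 'Local error', and what the `or {}` patch changes.

```python
# Added illustration, not Luma's or python-ldap's code. SaslModel is a
# simplified stand-in for ldap.sasl.sasl; the callback ids and the
# .get(cb_id, defresult) lookup are assumptions modelled on python-ldap.
CB_AUTHNAME = 0x4002   # assumed value, stands in for ldap.sasl.CB_AUTHNAME
CB_PASS = 0x4004       # assumed value, stands in for ldap.sasl.CB_PASS


class SaslModel(object):
    def __init__(self, cb_value_dict, mech, patched=False):
        # Revision 1.11 stored the argument as given; the patch posted in
        # this thread substitutes an empty dict for None.
        if patched:
            cb_value_dict = cb_value_dict or {}
        self.cb_value_dict = cb_value_dict
        self.mech = mech

    def callback(self, cb_id, challenge, prompt, defresult):
        # The SASL library asks for each value by id; ids with no answer
        # fall back to the library default. When cb_value_dict is None this
        # lookup raises, and the only thing the bind caller sees is the
        # opaque {'desc': 'Local error'} from the C layer.
        return self.cb_value_dict.get(cb_id, defresult) or ''


# Constructed interaction list: what a mechanism might ask the callback
# (id, challenge, prompt, default), with empty defaults.
INTERACTIONS = [(CB_AUTHNAME, '', 'Authname', ''),
                (CB_PASS, '', 'Password', '')]


def run_bind(cb_value_dict, mech, patched=False):
    """Drive the callback as the SASL layer would. Returns ('ok', answers)
    or ('Local error', exception class name) to mimic what Luma printed."""
    auth = SaslModel(cb_value_dict, mech, patched)
    answers = {}
    try:
        for cb_id, challenge, prompt, defresult in INTERACTIONS:
            answers[cb_id] = auth.callback(cb_id, challenge, prompt, defresult)
    except Exception as exc:
        return ('Local error', type(exc).__name__)
    return ('ok', answers)


if __name__ == '__main__':
    # Luma's GSSAPI branch passed None: fails before the patch, works after.
    print(run_bind(None, 'GSSAPI'))
    print(run_bind(None, 'GSSAPI', patched=True))
    # Wido's caller-side fix ({}) and a DIGEST-MD5 answer dict both work.
    print(run_bind({}, 'GSSAPI'))
    print(run_bind({CB_AUTHNAME: 'wido', CB_PASS: 'secret'}, 'DIGEST-MD5'))
```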