Hello,
I am using python-ldap to bind using SASL with DIGEST-MD5 authentication. My program:
#!/usr/bin/python
import ldap
import ldap.sasl

username = 'user'
pw = 'pass'
url = "ldap://example.com/"
bind = "dc=www,dc=example,dc=com"

def doit():
    con = ldap.initialize(url)
    # DIGEST-MD5 SASL credentials; a fresh object is built on every call
    auth_tok = ldap.sasl.digest_md5(username, pw)
    ret = con.sasl_interactive_bind_s(bind, auth_tok)
    print "bind:", ret
    ret = con.unbind()
    return

doit()
doit()
The first bind is successful, the second one fails (with INVALID_CREDENTIALS):
bind: 0
Traceback (most recent call last):
  File "./ldaptest.py", line 21, in <module>
    doit()
  File "./ldaptest.py", line 12, in doit
    ret = con.sasl_interactive_bind_s(bind, auth_tok)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 219, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 97, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 57, vece', 'desc': 'Invalid credentials'}
It looks like the credentials (nonce) are being cached and the server does not like this (it is a Windows server). Is there a way to ask the library not to cache the credentials? I ran Wireshark and it confirms that on the first call to bind, only "sasl:mechanism" is sent. However, on the second call to bind, credentials are also being sent, which confuses the server as it has not yet sent the challenge (via saslBindInProgress).
Thanks!
Ashwin
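The failure described in the post comes from the way DIGEST-MD5 works: the client's response digest is bound to the nonce the server issued in its challenge, so a response carried over from an earlier exchange cannot verify against a server that has issued a new nonce or has not issued one yet. The following is an added example, not the poster's program and not python-ldap or libldap code: it computes the RFC 2831 response-value in plain Python 3 and pairs it with a minimal hypothetical server-side verifier, then replays the first exchange's credentials the way the second bind in the post does. The realm "example.com", digest-uri "ldap/example.com", the cnonce values and the class and function names are assumptions for the demonstration; the username and password are the placeholders from the post.

```python
import hashlib
import hmac
import os


def _h(data: bytes) -> bytes:
    """H() of RFC 2831: the raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()


def _hexh(data: bytes) -> str:
    """HEX(H(data)) of RFC 2831: lower-case hex of the MD5 digest."""
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authzid=None):
    """response-value as defined in RFC 2831 section 2.1.2.1.

    A1 = H(username:realm:password) ":" nonce ":" cnonce [":" authzid]
    A2 = "AUTHENTICATE:" digest-uri [":" 32 zeros when qop != "auth"]
    response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    """
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop != "auth":
        a2 += b":00000000000000000000000000000000"
    return _hexh(f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2)}".encode())


class DigestMd5Verifier:
    """Hypothetical server side: one outstanding challenge at a time, nonces single-use."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # username -> password (a real server keeps H(user:realm:pass))
        self.outstanding = None     # nonce of the challenge the server is waiting on, if any
        self.used = set()

    def challenge(self):
        self.outstanding = os.urandom(12).hex()
        return {"realm": self.realm, "nonce": self.outstanding, "qop": "auth",
                "algorithm": "md5-sess"}

    def verify(self, resp):
        # Credentials that arrive before a challenge was issued cannot be checked.
        if self.outstanding is None:
            return False
        nonce, self.outstanding = self.outstanding, None
        if resp["nonce"] != nonce or nonce in self.used:
            return False
        password = self.users.get(resp["username"])
        if password is None:
            return False
        expected = digest_md5_response(resp["username"], self.realm, password, nonce,
                                       resp["cnonce"], resp["nc"], resp["qop"],
                                       resp["digest-uri"])
        ok = hmac.compare_digest(expected, resp["response"])
        if ok:
            self.used.add(nonce)
        return ok


def client_respond(challenge, username, password, digest_uri, cnonce):
    """Build the client's digest-response message for the given challenge."""
    resp = {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "cnonce": cnonce, "nc": "00000001", "qop": challenge["qop"],
            "digest-uri": digest_uri}
    resp["response"] = digest_md5_response(username, resp["realm"], password, resp["nonce"],
                                           cnonce, resp["nc"], resp["qop"], digest_uri)
    return resp


def demo():
    """Replay the post's two-bind scenario; returns the four verification outcomes."""
    server = DigestMd5Verifier("example.com", {"user": "pass"})
    first = client_respond(server.challenge(), "user", "pass", "ldap/example.com", "cnonce-1")
    bind1 = server.verify(first)                  # normal first bind
    replay_no_challenge = server.verify(first)    # credentials sent before any new challenge
    server.challenge()
    replay_stale_nonce = server.verify(first)     # same credentials after a new challenge
    second = client_respond(server.challenge(), "user", "pass", "ldap/example.com", "cnonce-2")
    bind2 = server.verify(second)                 # fresh response for the fresh nonce
    return bind1, replay_no_challenge, replay_stale_nonce, bind2


if __name__ == "__main__":
    print(demo())
```

Only the fourth outcome succeeds in the way the first did: a response replayed with no outstanding challenge, or one computed for an earlier nonce, is rejected regardless of the password being right, which is the behaviour the capture in the post shows from the server's side. The response computation follows RFC 2831 section 2.1.2.1 and can be checked against the worked example in section 4 of that RFC.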