
I have tried the lines of code below on RHEL and it works great. On Linux I just have to acquire the Kerberos ticket.

import ldap
import ldap.sasl

# trace_level=2 prints every libldap call, useful when a bind fails locally
conn = ldap.initialize('ldap://auto.test-auto.com', trace_level=2)

conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
conn.set_option(ldap.OPT_REFERRALS, 0)   # AD returns referrals; do not chase them
sasl = ldap.sasl.gssapi()                # GSSAPI mechanism, credentials come from the ticket cache
conn.sasl_interactive_bind_s('', sasl)

Then I copied the same thing to a Windows 2k3 server where ActivePython-2.7, python-ldap-2.4.10, openssl-0.9.8o and setup-sasl-1.5.27 are installed.

Traceback (most recent call last):
  File "C:\susanta\test-sasl.py", line 10, in <module>
    conn.sasl_interactive_bind_s('', sasl)
  File "C:\Python27\lib\site-packages\ldap\ldapobject.py", line 229, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "C:\Python27\lib\site-packages\ldap\ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
LOCAL_ERROR: {'desc': 'Local error'}

Could someone help me out?


1 Answer

Are you using Cyrus SASL as backend? If so, it is compiled against MIT or Heimdal. You don't have access to the TGT. Search for registry key: session key tgt. But Cyrus SASL is not really usable on Windows if you use GSS-API unless you try Kerberos for Windows.

  • Basically I want to connect to the Win AD using the Windows client credentials that are in the same domain. So I am using LDAP SASL bind. Is there another way I can achieve it? I do not understand SSPI binding? I am using python-ldap. Regards, Susanta – Susant Nov 29 '12 at 15:16
  • I know what you are trying to do. But it is not that easy like on Unix, there is no GSS-API on Windows, there is only SSPI. Cyrus SASL does not use that. You maybe have to install MIT Kerberos too (KfW). – Michael-O Nov 29 '12 at 15:25
  • Hi Michael, you mean if I install MIT Kerberos and Cyrus SASL, it will work? Would you please explain that in detail. I saw a link (https://groups.google.com/forum/?fromgroups=#!topic/microsoft.public.active.directory.interfaces/nBP-heUg8LQ) They are saying this has been fixed in win 2k3 onwards. – Susant Nov 30 '12 at 06:44
  • The link won't solve your problem. You found a thread from the stone ages which discusses a Windows SASL LDAP C API. Your case is different. If you say SASL, you have to name it, like Cyrus SASL, GNU SASL, Windows SASL, etc. First, you have to figure out what SASL implementation is used by ActivePython for LDAP communication. Then we can continue. Maybe it would be better to use [Python ADSI](http://timgolden.me.uk/pywin32-docs/html/com/help/adsi.html). This is MS' API to access the Active Directory. It has full Kerberos support through SSPI. – Michael-O Nov 30 '12 at 11:14
  • Python LDAP uses Cyrus SASL: http://stackoverflow.com/questions/11058480/python-win32com-adsi-module-limits-number-of-returned-members-from-ad – Michael-O Nov 30 '12 at 11:16
  • Here is an example of Python ADSI: http://stackoverflow.com/questions/11058480/python-win32com-adsi-module-limits-number-of-returned-members-from-ad – Michael-O Nov 30 '12 at 11:16
  • I got it, it works without SSPI. Don't have to use MS ADSI. It works with Cyrus SASL. I need to install MIT Kerberos for Windows and OpenLDAP for Windows. Thanks Michael. – Susant Nov 30 '12 at 15:27
  • This is what I have told you. KfW, Kerberos for Windows. You might want to accept my answer, I will add KfW. – Michael-O Nov 30 '12 at 17:13
  • Yes, sure. On top of that OpenSSL for Windows is necessary. Thanks – Susant Dec 03 '12 at 06:09
  • You did not mention that you require SSL. Please note that you can request SASL to encrypt the entire traffic with Kerberos. – Michael-O Dec 03 '12 at 09:28
  • I got another issue with the Windows system. The MIT Kerberos acquires credentials and passes them to Cyrus SASL, which is used by python-ldap in ActivePython. It works only for that session. When I execute the below script as some Windows service, that never works; looks like the MIT credentials are not accessible, exiting with a local GSSAPI error – Susant Sep 17 '13 at 07:55
  • I do not see any specific GSS error. Make sure that the account for the service is a domain account. – Michael-O Sep 17 '13 at 07:58
  • Yes Michael, the service is running as Windows domain administrator and I logged in as the same and started Network Identity Manager as well. So when I execute the above script manually it works fine. But when I try to execute the same script through the service it gives the same "local error no mechanism ..GSSAPI". Looks like the credential is available to the particular session? Where does this store the credentials? – Susant Sep 17 '13 at 13:50
  • OK, I know your problem. [This](http://web.mit.edu/kerberos/kfw-3.2/kfw-3.2/relnotes.html#mslsa) is it. – Michael-O Sep 17 '13 at 13:58
  • Looking into the link but unable to make out what needs to be done. How can I share/pass this MIT credential with all the sessions. – Susant Sep 19 '13 at 09:20
  • You cannot. Either use a non-admin account or patch the OpenLDAP client to use SSPI instead of MIT Kerberos. – Michael-O Sep 19 '13 at 09:32
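The "Local error" in this thread is raised before any bytes reach the domain controller: the GSSAPI layer cannot find usable credentials in the cache visible to the calling process (the per-logon-session MSLSA cache that a Windows service does not share, as the answerer's KfW link explains). The following Python 3 script is an added example and is not code from the question, the answer or the python-ldap project. It parses MIT `klist` output (Unix layout assumed; the embedded sample is constructed, not captured from a real host), reports why a GSSAPI bind would fail locally (no cache, no TGT, expired TGT), and only then performs the bind, asking for a minimum SASL security strength factor so the Kerberos layer encrypts the LDAP traffic, which is the point Michael-O raises instead of a separate OpenSSL setup. `python-ldap` is imported lazily so the cache checks run without it.

```python
"""Pre-flight credential-cache check before a python-ldap SASL/GSSAPI bind (added example)."""
import os
import re
import subprocess
from datetime import datetime

# Constructed sample of MIT klist output in Unix layout; not captured from a real host.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
09/17/2013 07:00:00  09/17/2013 17:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

_DATE_FMT = "%m/%d/%Y %H:%M:%S"
_TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)$"
)


def parse_klist(output):
    """Return (default_principal, [(service_principal, expires)]) from MIT klist text."""
    principal = None
    tickets = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = _TICKET_RE.match(line)
        if m:
            tickets.append((m.group(3), datetime.strptime(m.group(2), _DATE_FMT)))
    return principal, tickets


def diagnose(principal, tickets, now, krb5ccname=None):
    """Explain why a GSSAPI bind would fail locally, or return None if the cache looks usable."""
    if principal is None:
        hint = "no credential cache visible to this process"
        if krb5ccname:
            hint += " (KRB5CCNAME=%s)" % krb5ccname
        return hint + "; on Windows a service's logon session does not see the interactive user's MSLSA cache"
    tgt_expiries = [exp for svc, exp in tickets if svc.startswith("krbtgt/")]
    if not tgt_expiries:
        return "cache for %s holds no TGT (krbtgt/...); run kinit first" % principal
    if max(tgt_expiries) <= now:
        return "TGT for %s expired at %s; run kinit again" % (principal, max(tgt_expiries))
    return None


def check_cache(output, now_text, krb5ccname=None):
    """Convenience wrapper: parse klist text and diagnose it against a timestamp string."""
    principal, tickets = parse_klist(output)
    return diagnose(principal, tickets, datetime.strptime(now_text, _DATE_FMT), krb5ccname)


def klist_output():
    """Run the real klist; returns '' when the tool is missing or nothing is cached."""
    try:
        return subprocess.run(["klist"], capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def gssapi_bind(uri, min_ssf=56):
    """Bind with GSSAPI and require SASL-layer confidentiality of at least min_ssf."""
    import ldap  # imported here so the cache checks above work without python-ldap installed
    import ldap.sasl
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    # Refuse a bind that would leave the LDAP traffic in the clear: the Kerberos
    # session key then protects the connection, no separate TLS layer needed.
    conn.set_option(ldap.OPT_X_SASL_SSF_MIN, min_ssf)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return conn, conn.get_option(ldap.OPT_X_SASL_SSF)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real run: python script.py ldap://dc.example.com (URI is a placeholder)
        problem = check_cache(klist_output(), datetime.now().strftime(_DATE_FMT),
                              os.environ.get("KRB5CCNAME"))
        if problem:
            print("GSSAPI bind would fail locally:", problem)
        else:
            conn, ssf = gssapi_bind(sys.argv[1])
            print("bound as", conn.whoami_s(), "with negotiated SASL SSF", ssf)
    else:  # demo on the constructed sample, evaluated at a time inside the ticket's validity
        print(check_cache(SAMPLE_KLIST, "09/17/2013 08:00:00") or "sample cache looks usable")
```

Run it without arguments to see the checks applied to the constructed sample; with an `ldap://` URI it inspects the real cache of the calling process and binds only when a valid TGT is present. Running it under the service account (not the interactive administrator session) is the quickest way to reproduce the thread's second problem, since the diagnosis then reports that no cache is visible to that process.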