[EMAIL PROTECTED] wrote:
> I haven't even started working on authorization. The first problem
> is just basic authentication. Some LDAP servers, such as Active Directory,
> supposedly support authentication with queries, so if a username and
> password are included as parameters to a query, they will be handled
> appropriately. The part I'm not yet clear on has to do with the
> requirements on such queries. For instance, Apple's OpenLDAP comes
> with SASL authentication, but I haven't yet gotten that to work.
> I've tried testing various parameters to the ldapsearch command,
> for instance:
>
> ldapsearch -h adserver.ourdomain.org -D "cn=myuserid" -w mypassword -b "dc=OURDOMAIN,dc=ORG"
>
> ...and here is the error I get on Mac OS 10.4.2:
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure:
>                 GSSAPI Error: Miscellaneous failure (No credentials cache found)

You don't necessarily have to use Kerberos. Here's a command line that has worked for me on 10.3.9 against a Windows 2000 Active Directory server. It authenticates [EMAIL PROTECTED] by prompting for the password and then printing out some user information. (The flags could be simplified to do authentication only, but I don't have an AD server handy to test, so I didn't want to risk breaking it.)

$ ldapsearch -H ldap://mydomain.sample.com/ -D testuser -vx -b dc=mydomain,dc=sample,dc=com -W "(samaccountname=testuser)" sn cn fn uid sAMAccountName

--
Andrew Shearer
http://www.shearersoftware.com/
_______________________________________________
Pythonmac-SIG maillist  -  Pythonmac-SIG@python.org
http://mail.python.org/mailman/listinfo/pythonmac-sig
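
The difference between the two commands in this thread at the protocol level, as an added example that is not part of either message: without `-x`, ldapsearch attempted a SASL bind (GSSAPI, which needs Kerberos credentials), while `-x` selects a simple bind, which carries the bind name and password directly in the BindRequest, so over plain `ldap://` the password is readable by anyone who can observe the traffic. The function names and the sample name and password are assumptions made for this illustration.

```python
# Added example (not from the thread): LDAPv3 BindRequest encoding, RFC 4511 4.2.

def tlv(tag, value):
    """Tag + BER definite length (short form < 128, else long form) + value."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def ber_int(n):  # INTEGER, small non-negative values only
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def simple_bind(msg_id, bind_dn, password):
    """Simple bind (ldapsearch -x): AuthenticationChoice simple [0]."""
    auth = tlv(0x80, password.encode("utf-8"))  # raw password bytes
    op = tlv(0x60, ber_int(3) + tlv(0x04, bind_dn.encode("utf-8")) + auth)
    return tlv(0x30, ber_int(msg_id) + op)

def sasl_bind(msg_id, mechanism):
    """SASL bind, credentials omitted: AuthenticationChoice sasl [3]."""
    sasl = tlv(0xA3, tlv(0x04, mechanism.encode("ascii")))
    op = tlv(0x60, ber_int(3) + tlv(0x04, b"") + sasl)
    return tlv(0x30, ber_int(msg_id) + op)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_method(packet):
    """Classify a captured BindRequest as 'simple' or 'sasl:<mechanism>'."""
    msg = read_tlv(packet, 0)[1]
    tag, op, _ = read_tlv(msg, read_tlv(msg, 0)[2])  # skip messageID
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    pos = read_tlv(op, read_tlv(op, 0)[2])[2]  # skip version and name
    tag, auth, _ = read_tlv(op, pos)
    if tag == 0x80:
        return "simple"
    if tag == 0xA3:
        return "sasl:" + read_tlv(auth, 0)[1].decode("ascii")
    raise ValueError("unknown AuthenticationChoice")

if __name__ == "__main__":  # constructed sample name and password
    pkt = simple_bind(1, "testuser", "s3cret-sample")
    print(bind_method(pkt), pkt.hex())
```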
