Re: How to verify server certificate
Hi again,
> Why should it be broken?
It's deliberately broken to test the program, and thanks to your reply
I've been able to catch this exception:
CONNECT_ERROR: {'info': 'TLS: hostname does not match CN in peer
certificate', 'desc': 'Connect error'}
What I've so far *not* been able to provoke is an error because of an
expired certificate. Is there some way to do this?
> If the cert or hostname validation fails ldap.SERVER_DOWN is raised.
ehm.. I caught a CONNECT_ERROR (see above)... ?
> Well, there's a reason why in Demo/initialize.py the TLS-related options are
> set globally. Only in recent versions of OpenLDAP you can set these options
> per connection.
Thanks, didn't know this. The thing is that I want to verify some
certificates and accept others no matter what, but I've been (what seems
to be) successful in toggling this with ldap.OPT_X_TLS_NEVER and
ldap.OPT_X_TLS_DEMAND respectively.
--
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
___
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
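The two checks behind the errors discussed in this message, as an added example that is not code from this thread or from python-ldap: python-ldap leaves certificate verification to libldap, and ldap.OPT_X_TLS_DEMAND makes libldap enforce, while ldap.OPT_X_TLS_NEVER makes it skip, both a hostname match against the certificate and a validity-window check. The Python 3 code below isolates those two checks on a certificate dictionary in the shape ssl.SSLSocket.getpeercert() returns, with a constructed sample certificate and constructed timestamps, so you can see which error each failure produces. The wildcard rule is a simplified RFC 6125 match and the "SAN first, then CN" precedence is an assumption about libldap's behaviour, not something the page states.

```python
import ssl
import time


def _name_matches(pattern, host):
    """Match one DNS name from the certificate against the target host.
    Simplified RFC 6125 rule: case-insensitive, and '*' is allowed only as
    the whole leftmost label, where it stands for exactly one label."""
    pattern, host = pattern.lower().rstrip('.'), host.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split('.'), host.split('.')
    if p_labels[0] != '*' or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """DNS names the certificate claims: subjectAltName DNS entries if any,
    otherwise the subject commonName (the CN fallback the libldap error
    message 'hostname does not match CN in peer certificate' refers to).
    Assumed precedence, see lead-in."""
    sans = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if sans:
        return sans
    return [v for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']


def verify_peer(cert, hostname, now=None):
    """Return the list of reasons a strict client (TLS_REQCERT demand) would
    refuse this certificate; an empty list means accept.
    `now` is seconds since the epoch, defaulting to the current time."""
    now = time.time() if now is None else now
    problems = []
    if not any(_name_matches(n, hostname) for n in cert_names(cert)):
        problems.append('hostname does not match CN/SAN in peer certificate')
    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" format
    # that getpeercert() uses for notBefore/notAfter and treats it as UTC.
    if now < ssl.cert_time_to_seconds(cert['notBefore']):
        problems.append('certificate not yet valid')
    if now > ssl.cert_time_to_seconds(cert['notAfter']):
        problems.append('certificate has expired')
    return problems


# Constructed sample certificate (CN only, no subjectAltName) and timestamps;
# none of these values come from a real server.
SAMPLE_CERT = {
    'subject': ((('countryName', 'DE'),), (('commonName', 'ldap.example.test'),)),
    'notBefore': 'Aug  1 00:00:00 2009 GMT',
    'notAfter': 'Aug  1 00:00:00 2010 GMT',
}
T_BEFORE = ssl.cert_time_to_seconds('Jul  1 12:00:00 2009 GMT')
T_VALID = ssl.cert_time_to_seconds('Aug  5 12:00:00 2009 GMT')
T_EXPIRED = ssl.cert_time_to_seconds('Aug  5 12:00:00 2011 GMT')


if __name__ == '__main__':
    cases = (('ldap.example.test', T_VALID),
             ('ldap.example.test', T_EXPIRED),
             ('other.example.org', T_VALID))
    for host, now in cases:
        print(host, verify_peer(SAMPLE_CERT, host, now) or 'OK')
```

To provoke the expiry error against a real server you still need a certificate whose notAfter lies in the past (or a deliberately wrong client clock); with the check isolated like this you can at least confirm which condition a client in demand mode must report, and that in never mode none of these conditions are consulted at all.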
RE: ldap.passwd_s with Active Directory
> -Original Message-
> From: Michael Ströder [mailto:[email protected]]
> Sent: 04 August 2009 18:23
> To: Mike Peters
> Cc: [email protected]
> Subject: Re: ldap.passwd_s with Active Directory
>
> [email protected] wrote:
> >
> >> There's a MSDN article about how to set attribute unicodePwd via LDAP
> >> in AD.
> >
> > If I try the alternative method however:
> >
> > mod_attrs = [( ldap.MOD_REPLACE, 'unicodePwd', 'password' )]
> > dn = 'CN=Barney Rubble,OU=Users,DC=mydomain,dc=local'
> > r = l.modify_s(dn, mod_attrs)
> >
> > I get:
> >
> > {'info': '001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM),
> > data 0\n', 'desc': 'Server is unwilling to perform'}
> >
> > I guess I'm still missing something :(
>
> Did you search for the MSDN article? The value has to be in your case
> above:
>
> '"password"'.encode('utf-16-le')
>
> Note the quotes and the UTF-16 low-endian encoding.
>

Thanks again for your help. I tried that but to no avail. I still get the
same error. Do you know if the fact I'm accessing the server over a VPN
would make any difference?

Mike Peters
Re: ldap.passwd_s with Active Directory
[email protected] wrote:
> Michael Ströder wrote:
>> Did you search for the MSDN article? The value has to be in your case
>> above:
>>
>> '"password"'.encode('utf-16-le')
>>
>> Note the quotes and the UTF-16 low-endian encoding.
>
> Thanks again for your help. I tried that but to no avail. I still get the
> same error.

It should work. It's the way I've implemented it in web2ldap. You must use
either LDAPS or StartTLS ext.op.

You might wanna look what's going on by setting trace_level=2 when calling
ldap.initialize().

> Do you know if the fact I'm accessing the server over a VPN
> would make any difference?

AD enforces that to work solely over an encrypted connection. A VPN is
outside the connection handling of AD so this won't work.

Ciao, Michael.
Connection to AD on windows
Hi,
I'm trying to get python-ldap working on a windows machine to authenticate
users against an Active Directory server.
However, I'm getting the weirdest things...
This is what I'm trying:
import ldap, ldap.sasl
conn = ldap.initialize('ldap://blabla')
conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
conn.set_option(ldap.OPT_REFERRALS,0)
sasl = ldap.sasl.gssapi()
conn.sasl_interactive_bind_s('', sasl)
upon the sasl_interactive_bind_s, I get the following traceback:
Traceback (most recent call last):
File "D:\Projects\Python\ldap\src\ldaptest.py", line 12, in
conn.sasl_interactive_bind_s('', sasl)
File
"c:\python25\lib\site-packages\python_ldap-2.3.9-py2.5-win32.egg\ldap\ldapobject.py",
line 219, in sasl_interactive_bind_s
return
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
File
"c:\python25\lib\site-packages\python_ldap-2.3.9-py2.5-win32.egg\ldap\ldapobject.py",
line 96, in _ldap_call
result = func(*args,**kwargs)
ldap.SUCCESS: {'desc': 'Success'}
so apparently an exception of type ldap.SUCCESS seems to be thrown, which
doesn't make much sense...
What's going on?
I'm totally clueless...
I'm using the 2.3.9 release I got here:
http://svn.kmrc.de/download/distribution/contrib/
Thanks in advance for any ideas!
Re: ldap.passwd_s with Active Directory
[email protected] wrote:
>> -Original Message-
>> From: Michael Ströder [mailto:[email protected]]
>> Sent: 04 August 2009 18:23
>> To: Mike Peters
>> Cc: [email protected]
>> Subject: Re: ldap.passwd_s with Active Directory
>>
>> [email protected] wrote:
>>>> There's a MSDN article about how to set attribute unicodePwd via
>>>> LDAP in AD.
>>> If I try the alternative method however:
>>>
>>> mod_attrs = [( ldap.MOD_REPLACE, 'unicodePwd', 'password' )]
>>> dn = 'CN=Barney Rubble,OU=Users,DC=mydomain,dc=local'
>>> r = l.modify_s(dn, mod_attrs)
>>>
>>> I get:
>>>
>>> {'info': '001F: SvcErr: DSID-031A0FC0, problem 5003
>>> (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to
>>> perform'}
>>> I guess I'm still missing something :(
>> Did you search for the MSDN article? The value has to be in your case
>> above:
>>
>> '"password"'.encode('utf-16-le')
>>
>> Note the quotes and the UTF-16 low-endian encoding.
>>
>
> Thanks again for your help. I tried that but to no avail. I still get the
> same error. Do you know if the fact I'm accessing the server over a VPN would
> make any difference?
>

For what it's worth, this is the working code I use to set the password. I
didn't realize you could use the -le suffix to get an encoding without the
byte order mark which I've just been stripping off. The example posted above
should be equivalent.

ldap_conn.modify_s(dn, [
    (
        ldap.MOD_REPLACE,
        'unicodePwd',
        ''.join(('"', pwd, '"')).encode('utf-16').lstrip('\377\376'),
    )
])

Another thing to note is that the connection must be under a TLS layer.

--
Russell A. Jackson
Network Analyst
California State University, Bakersfield

Excellent day to have a rotten day.
SASL GSSAPI under Win32 (was: Connection to AD on windows)
Jeroen Michiel wrote:
>
> I'm trying to get python-ldap working on a windows machine to authenticate
> users against an Active Directory server. However, I'm getting the weirdest
> things...
>
> This is what I'm trying:
>
> import ldap, ldap.sasl
>
> conn = ldap.initialize('ldap://blabla')
> conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
> conn.set_option(ldap.OPT_REFERRALS,0)
> sasl = ldap.sasl.gssapi()
> conn.sasl_interactive_bind_s('', sasl)
I'm pretty sure SASL bind with GSSAPI mech is not supported with the Win32
builds. Therefore I changed the subject line to trigger attention of the
relevant readers.
The OpenLDAP libs are usually compiled against heimdal or MIT Kerberos which
both have nothing to do with the Kerberos ticket store of your Windows session.
David tried another approach which would help for this situation. His
experimental attempts to build with wldap32.dll can be found here:
http://sourceforge.net/tracker/?func=detail&aid=1698443&group_id=2072&atid=352072
Any takers? Personally I have some doubts though because especially regarding
SASL the APIs are incompatible.
> upon the sasl_interactive_bind_s, I get the following traceback:
>
> Traceback (most recent call last):
> File "D:\Projects\Python\ldap\src\ldaptest.py", line 12, in
> conn.sasl_interactive_bind_s('', sasl)
> File
> "c:\python25\lib\site-packages\python_ldap-2.3.9-py2.5-win32.egg\ldap\ldapobject.py",
> line 219, in sasl_interactive_bind_s
> return
> self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
> File
> "c:\python25\lib\site-packages\python_ldap-2.3.9-py2.5-win32.egg\ldap\ldapobject.py",
> line 96, in _ldap_call
> result = func(*args,**kwargs)
> ldap.SUCCESS: {'desc': 'Success'}
Raising ldap.SUCCESS in this case is clearly a bug.
> I'm using the 2.3.9 release I got here:
> http://svn.kmrc.de/download/distribution/contrib/
These are .egg files built by Torsten. Not sure what he did regarding Kerberos.
Maybe Torsten or Waldemar can comment on the Win32 builds.
Ciao, Michael.
RE: ldap.passwd_s with Active Directory
> -Original Message-
> From: Michael Ströder [mailto:[email protected]]
> Sent: 05 August 2009 16:11
> To: Mike Peters
> Cc: [email protected]
> Subject: Re: ldap.passwd_s with Active Directory
>
> [email protected] wrote:
> > Michael Ströder wrote:
> >> Did you search for the MSDN article? The value has to be in your case
> >> above:
> >>
> >> '"password"'.encode('utf-16-le')
> >>
> >> Note the quotes and the UTF-16 low-endian encoding.
> >
> > Thanks again for your help. I tried that but to no avail. I still get the
> > same error.
>
> It should work. It's the way I've implemented it in web2ldap. You must use
> either LDAPS or StartTLS ext.op.
>
> You might wanna look what's going on by setting trace_level=2 when calling
> ldap.initialize().
>

With trace_level=2 I get the following:

In [1]: import ldap

In [2]: l = ldap.initialize("ldaps://ad01.demo.local:636", trace_level=2)
*** ldaps://ad01.demo.local:636 - SimpleLDAPObject.set_option
((17, 3),{})

In [3]: l.simple_bind_s(u'u...@addemo', u'secret')
*** ldaps://ad01.demo.local:636 - SimpleLDAPObject.simple_bind
((u'u...@addemo', u'secret', None, None),{})
=> result: 1
*** ldaps://ad01.demo.local:636 - SimpleLDAPObject.result3
((1, 1, -1),{})
=> result: (97, [], 1, [])
Out[3]: (97, [])

In [4]: mod_attrs = [( ldap.MOD_REPLACE, 'unicodePwd', '"password"'.encode('utf-16-le') )]

In [5]: dn = 'CN=Barney Rubble,OU=Users,OU=ADDEMO,DC=demo,DC=local'

In [6]: r = l.modify_s(dn, mod_attrs)
*** ldaps://ad01.demo.local:636 - SimpleLDAPObject.modify_ext
(('CN=Barney Rubble,OU=Users,OU=ADDEMO,DC=demo,DC=local', [(2, 'unicodePwd', '"\x00p\x00a\x00s\x00s\x00w\x00o\x00r\x00d\x00"\x00')], None, None),{})
=> result: 2
*** ldaps://ad01.demo.local:636 - SimpleLDAPObject.result3
((2, 1, -1),{})
=> LDAPError - UNWILLING_TO_PERFORM: {'info': '052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perform'}
ERROR: An unexpected error occurred while tokenizing input
The following traceback may be corrupted or invalid
The error message is: ('EOF in multi-line statement', (134, 0))

---------------------------------------------------------------------------
UNWILLING_TO_PERFORM                      Traceback (most recent call last)

/home/django/pplace/ in ()

/usr/lib/python2.5/site-packages/ldap/ldapobject.pyc in modify_s(self, dn, modlist)
    326     def modify_s(self,dn,modlist):
    327       msgid = self.modify(dn,modlist)
--> 328       return self.result(msgid,all=1,timeout=self.timeout)
    329
    330     def modrdn(self,dn,newrdn,delold=1):

/usr/lib/python2.5/site-packages/ldap/ldapobject.pyc in result(self, msgid, all, timeout)
    426         polling (timeout = 0), in which case (None, None) is returned.
    427         """
--> 428         res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
    429         return res_type,res_data
    430

/usr/lib/python2.5/site-packages/ldap/ldapobject.pyc in result2(self, msgid, all, timeout)
    430
    431     def result2(self,msgid=_ldap.RES_ANY,all=1,timeout=None):
--> 432       res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
    433       return res_type, res_data, res_msgid
    434

/usr/lib/python2.5/site-packages/ldap/ldapobject.pyc in result3(self, msgid, all, timeout)
    436       if timeout is None:
    437         timeout = self.timeout
--> 438       ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
    439       if ldap_result is None:
    440         rtype, rdata, rmsgid, decoded_serverctrls = (None,None,None,None)

/usr/lib/python2.5/site-packages/ldap/ldapobject.pyc in _ldap_call(self, func, *args, **kwargs)
     94     try:
     95       try:
---> 96         result = func(*args,**kwargs)
     97       finally:
     98         self._ldap_object_lock.release()

UNWILLING_TO_PERFORM: {'info': '052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perform'}

Does the encoded password look right?

Thanks
Mike Peters
Re: SASL GSSAPI under Win32 (was: Connection to AD on windows)
2009/8/5 Michael Ströder :
> Jeroen Michiel wrote:
>>
>
> I'm pretty sure SASL bind with GSSAPI mech is not supported with the Win32
> builds. Therefore I changed the subject line to trigger attention of the
> relevant readers.
>
> The OpenLDAP libs are usually compiled against heimdal or MIT Kerberos which
> both have nothing to do with the Kerberos ticket store of your Windows
> session.
>
> David tried another approach which would help for this situation. His
> experimental attempts to build with wldap32.dll can be found here:
>
> http://sourceforge.net/tracker/?func=detail&aid=1698443&group_id=2072&atid=352072
>
> Any takers? Personally I have some doubts though because especially regarding
> SASL the APIs are incompatible.
>
>
>> I'm using the 2.3.9 release I got here:
>> http://svn.kmrc.de/download/distribution/contrib/
>
> These are .egg files built by Torsten. Not sure what he did regarding
> Kerberos.
>
> Maybe Torsten or Waldemar can comment on the Win32 builds.
>

I have made a couple attempts to support SASL in the Win32 builds.
One user even reported a success using it but it never worked for me.
I will give it one more go but I can not make any promises.

Waldemar
Re: ldap.passwd_s with Active Directory
[email protected] wrote:
> *** ldaps://ad01.demo.local:636 - SimpleLDAPObject.simple_bind
> ((u'u...@addemo', u'secret', None, None),{})

First of all you should not pass Unicode strings to python-ldap. That's not a
problem for the actual values you used though in this example but in general
up to now python-ldap only receives raw strings as arguments.

> In [4]: mod_attrs = [( ldap.MOD_REPLACE, 'unicodePwd',
> '"password"'.encode('utf-16-le') )]
> In [5]: dn = 'CN=Barney Rubble,OU=Users,OU=ADDEMO,DC=demo,DC=local'
>
> In [6]: r = l.modify_s(dn, mod_attrs)*** ldaps://ad01.demo.local:636 -
> SimpleLDAPObject.modify_ext (('CN=Barney
> Rubble,OU=Users,OU=ADDEMO,DC=demo,DC=local', [(2, 'unicodePwd',
> '"\x00p\x00a\x00s\x00s\x00w\x00o\x00r\x00d\x00"\x00')], None, None),{})

Unfortunately I can't tell whether u...@addemo and CN=Barney
Rubble,OU=Users,OU=ADDEMO,DC=demo,DC=local are the same AD user entry.

I vaguely remember that when setting your own password you have to explicitly
delete the old one and add the new one. Dig for the MSDN article.

Ciao, Michael.
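An added example, not code from this thread or from python-ldap, that ties together the unicodePwd recipes exchanged above (Michael's '"password"'.encode('utf-16-le'), Russell's BOM-stripping variant, and the delete-old/add-new form Michael recalls for a self-service change). It is Python 3 and runs without python-ldap: the MOD_* constants mirror python-ldap's numeric values (the trace above shows MOD_REPLACE as 2), and the self-change modlist follows Microsoft's documented unicodePwd procedure rather than anything shown on the list. unicode_pwd_problem is a client-side check that already rejects the plain 'password' value from the first attempt, which AD itself only answers with an uninformative WILL_NOT_PERFORM.

```python
import codecs

# Numeric values of ldap.MOD_ADD / ldap.MOD_DELETE / ldap.MOD_REPLACE, so
# this runs without python-ldap installed.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2
ATTR = 'unicodePwd'


def encode_unicode_pwd(password):
    """AD wants the password wrapped in double quotes, UTF-16-LE, no BOM."""
    return ('"%s"' % password).encode('utf-16-le')


def encode_unicode_pwd_bom_strip(password):
    """The other recipe from the thread: the generic 'utf-16' codec prepends
    a byte order mark (b'\\xff\\xfe' on little-endian hosts, the '\\377\\376'
    being stripped in the posted code), which is then removed. Refuses to run
    on a big-endian host, where stripping the BOM would leave UTF-16-BE that
    AD rejects; 'utf-16-le' has no such dependency."""
    raw = ('"%s"' % password).encode('utf-16')
    if not raw.startswith(codecs.BOM_UTF16_LE):
        raise ValueError('native UTF-16 is not little-endian here; use utf-16-le')
    return raw[len(codecs.BOM_UTF16_LE):]


def unicode_pwd_problem(value):
    """Return None for a well-formed unicodePwd value, otherwise a short
    reason. Checking the value before the modify is the quickest way to
    rule out an encoding mistake behind a WILL_NOT_PERFORM."""
    if not isinstance(value, bytes):
        return 'value must be bytes, not %s' % type(value).__name__
    if value.startswith(codecs.BOM_UTF16_LE) or value.startswith(codecs.BOM_UTF16_BE):
        return 'byte order mark present'
    if len(value) % 2:
        return 'odd length, cannot be UTF-16'
    try:
        text = value.decode('utf-16-le')
    except UnicodeDecodeError:
        return 'not valid UTF-16-LE'
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        return 'missing surrounding double quotes'
    return None


def admin_reset_modlist(new_password):
    """Administrative reset (caller needs the reset-password right on the
    entry): a single MOD_REPLACE of unicodePwd, as in the thread."""
    return [(MOD_REPLACE, ATTR, [encode_unicode_pwd(new_password)])]


def self_change_modlist(old_password, new_password):
    """User changing their own password: delete the old value and add the
    new one in one modify operation (Microsoft's documented procedure,
    assumed here; the thread only mentions it from memory)."""
    return [
        (MOD_DELETE, ATTR, [encode_unicode_pwd(old_password)]),
        (MOD_ADD, ATTR, [encode_unicode_pwd(new_password)]),
    ]


if __name__ == '__main__':
    # Constructed sample values, not real credentials.
    for label, value in (('plain ascii', b'password'),
                         ('with BOM', '"password"'.encode('utf-16')),
                         ('correct', encode_unicode_pwd('password'))):
        print(label, '->', unicode_pwd_problem(value) or 'ok')
    print(self_change_modlist('old', 'new'))
```

Either modlist goes straight into modify_s() on an ldaps:// or StartTLS-protected connection, as both Michael and Russell insist; with Python 3 python-ldap the attribute values must be bytes, which is why the check refuses str.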
Re: SASL GSSAPI under Win32
Waldemar Osuch wrote:
> I have made a couple attempts to support SASL in the Win32 builds.
> One user even reported a success using it but it never worked for me.
> I will give it one more go but I can not make any promises.
I tried to bind with SASL DIGEST-MD5 to MS AD W2K3SP2 and to OpenLDAP 2.4.x
but that did not work:
AUTH_UNKNOWN: {'info': 'SASL(-4): no mechanism available: Unable to find a
callback: 2', 'desc': 'Unknown authentication method'}
Hmm, are the SASL mechs modules available at all?
Ciao, Michael.
Re: SASL GSSAPI under Win32
2009/8/5 Michael Ströder :
> Waldemar Osuch wrote:
>> I have made a couple attempts to support SASL in the Win32 builds.
>> One user even reported a success using it but it never worked for me.
>> I will give it one more go but I can not make any promises.
>
> I tried to bind with SASL DIGEST-MD5 to MS AD W2K3SP2 and to OpenLDAP 2.4.x
> but that did not work:
>
> AUTH_UNKNOWN: {'info': 'SASL(-4): no mechanism available: Unable to find a
> callback: 2', 'desc': 'Unknown authentication method'}
>
> Hmm, are the SASL mechs modules available at all?
>
That is the error I am getting too.
My understanding of how it is supposed to work is that _ldap.pyd calls into
libsasl.dll first (this part works) but then libsasl.dll has to find and load
the requested auth mechanism.
Unfortunately I did not find a way of telling libsasl where the
auth plugin dlls are located.
Dropping them into the same directory and hoping it will find them
does not seem to work.
