[Freeipa-users] Connect to FreeIPA's LDAP Directory

Alexander Bokovoy abokovoy at redhat.com
Tue May 28 06:51:36 UTC 2013


On Mon, 27 May 2013, Justin Brown wrote:
>I'm working on a small project that needs access to user information
>(primarily email addresses and phone numbers) from a LDAP directory. I'm
>successfully using FreeIPA for general authentication and DNS in my lab and
>would like to have this application use FreeIPA as well.
>
>I need to be able to bind to the LDAP directory, using both Apache
>Directory Studio (for development) and python-ldap. Both support various
>methods of authentication, including "simple" aka password and Kerberos via
>GSSAPI. Unfortunately, I haven't had much access in connecting with either.
>
>I have tried a variety of user accounts for password authentication to no
>success. Additionally, I have used `kinit` to obtain a TGT and even
>specified the TGT cache dir (/run/user/1000/krb5cc.../tkt); however, I get
>an error: "unable to obtain Principal Name for authentication." From my
>basic understanding of Kerberos, it seems that I need a TGT specific for
>access to LDAP from FreeIPA, but I have no idea how to generate it.
>
>$ klist
>Ticket cache: DIR::/run/user/1000/krb5cc_.../tkt
>Default principal: justin at FANDINGO.ORG
>
>Valid starting     Expires            Service principal
>05/27/13 17:25:45  05/28/13 17:25:42  krbtgt/FANDINGO.ORG at FANDINGO.ORG
>
>Any help would be greatly appreciated.
It would help if you show your code.

The following code should work if you have KRB5CCNAME defined (or set to
the default) and there is an initialized TGT in the ccache:
======
import ldap, ldap.sasl

# Plain LDAP URL; the SASL/GSSAPI bind below picks up the TGT from the ccache.
connection = ldap.initialize('ldap://{host}'.format(host='foo.fandingo.org'))
auth = ldap.sasl.gssapi("")
# Empty bind DN: the identity comes from the Kerberos principal, not from a DN.
connection.sasl_interactive_bind_s('', auth)
ldif = .....   # modlist of (attribute, values) tuples for the new entry
dn = .....     # DN of the entry to add
connection.add_s(dn, ldif)
======

-- 
/ Alexander Bokovoy
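As an added example, not code from the thread above, here is a small python-ldap lookup of the mail and telephoneNumber attributes Justin asked about, bound with GSSAPI the same way as in the reply. The hostname, base DN and sample search result are placeholders I made up, and the filter-escaping helper is included because a uid taken from user input must not be able to rewrite the search filter.

```python
"""Look up e-mail and phone numbers of FreeIPA users over a GSSAPI-bound LDAP
connection (added example; hostname, base DN and sample data are made up)."""

IPA_HOST = "ipa.example.test"                  # assumption: placeholder server
BASE_DN = "dc=example,dc=test"                 # assumption: placeholder base DN
USER_BASE = "cn=users,cn=accounts," + BASE_DN  # FreeIPA's default user container
ATTRS = ["uid", "mail", "telephoneNumber"]

def escape_filter_value(value):
    """RFC 4515 escaping: a caller-supplied uid must not be able to change the
    filter's structure (e.g. '*' to match everyone, ')' to inject a clause)."""
    for raw, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                     (")", r"\29"), ("\0", r"\00")):
        value = value.replace(raw, esc)
    return value

def user_filter(uid):
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(uid)

def contact_info(entries):
    """Flatten python-ldap search_s output, [(dn, {attr: [bytes, ...]}), ...],
    into {uid: {"mail": [...], "telephoneNumber": [...]}}. Entries whose dn is
    None are search references (referrals): no user data, so they are skipped."""
    people = {}
    for dn, attrs in entries:
        if dn is None:
            continue
        text = {a: [v.decode("utf-8") for v in vals] for a, vals in attrs.items()}
        uid = text.get("uid", [dn])[0]
        people[uid] = {"mail": text.get("mail", []),
                       "telephoneNumber": text.get("telephoneNumber", [])}
    return people

def lookup(uid, host=IPA_HOST):
    """Bind with the TGT from KRB5CCNAME and search the user container."""
    import ldap, ldap.sasl  # imported here so the helpers above run without python-ldap
    conn = ldap.initialize("ldap://%s" % host)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi(""))  # empty DN: identity from Kerberos
    return contact_info(conn.search_s(USER_BASE, ldap.SCOPE_SUBTREE, user_filter(uid), ATTRS))

# Constructed sample of what search_s returns, including one referral entry.
SAMPLE_RESULT = [
    ("uid=justin," + USER_BASE, {"uid": [b"justin"], "mail": [b"justin@example.test"],
                                 "telephoneNumber": [b"+1 555 0100"]}),
    (None, ["ldap://replica.example.test/" + BASE_DN]),
]
```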
