[Freeipa-users] Connect to FreeIPA's LDAP Directory

Dmitri Pal dpal at redhat.com
Tue May 28 18:41:04 UTC 2013


On 05/28/2013 02:51 AM, Alexander Bokovoy wrote:
> On Mon, 27 May 2013, Justin Brown wrote:
>> I'm working on a small project that needs access to user information
>> (primarily email addresses and phone numbers) from a LDAP directory. I'm
>> successfully using FreeIPA for general authentication and DNS in my
>> lab and
>> would like to have this application use FreeIPA as well.
>>
>> I need to be able to bind to the LDAP directory, using both Apache
>> Directory Studio (for development) and python-ldap. Both support various
>> methods of authentication, including "simple" aka password and
>> Kerberos via
>> GSSAPI. Unfortunately, I haven't had much access in connecting with
>> either.
>>
>> I have tried a variety of user accounts for password authentication
>> to no
>> success. Additionally, I have used `kinit` to obtain a TGT and even
>> specified the TGT cache dir (/run/user/1000/krb5cc.../tkt); however,
>> I get
>> an error: "unable to obtain Principal Name for authentication." From my
>> basic understanding of Kerberos, it seems that I need a TGT specific for
>> access to LDAP from FreeIPA, but I have no idea how to generate it.
>>
>> $ klist
>> Ticket cache: DIR::/run/user/1000/krb5cc_.../tkt
>> Default principal: justin at FANDINGO.ORG
>>
>> Valid starting     Expires            Service principal
>> 05/27/13 17:25:45  05/28/13 17:25:42  krbtgt/FANDINGO.ORG at FANDINGO.ORG
>>
>> Any help would be greatly appreciated.
> It would help if you show your code.
>
> Following code should work if you have KRB5CCNAME defined (or set to
> default) and there is initialized TGT in the ccache:
> ======
> import ldap, ldap.sasl
>
> # bind with the Kerberos ticket from the default (or KRB5CCNAME) ccache
> connection = ldap.initialize('ldap://{host}'.format(host='foo.fandingo.org'))
> auth = ldap.sasl.gssapi("")
> connection.sasl_interactive_bind_s('', auth)
> ldif = .....
> dn = .....
> connection.add_s(dn, ldif)
> ======
>

And in conjunction with the GSS API consider using GSS proxy to take
care of the ticket renewal on your behalf.
Then you would not need to kinit yourself.
GSS proxy will make sure the ticket is acquired when it is needed.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
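A fuller version of the GSSAPI bind quoted above, as an added example written for this thread rather than code from Alexander or from FreeIPA: it binds with the ticket in the caller's credential cache, reports the identity the server actually bound as, and searches the IPA users container for the contact attributes the original question asked about. The hostname foo.fandingo.org, the base DN cn=users,cn=accounts,dc=fandingo,dc=org, and the sample search result are assumptions; python-ldap is only needed for the network part, so the pure helpers run without it.

```python
"""Look up user contact data in FreeIPA's LDAP tree using a Kerberos bind.

Added example (not from the thread or the FreeIPA project).  Assumes:
  - python-ldap is installed,
  - a valid TGT is in the ccache named by KRB5CCNAME (or the default one),
  - the IPA base DN below matches the deployment (here: fandingo.org).
"""
import os

LDAP_URI = "ldap://foo.fandingo.org"            # assumed host from the thread
BASE_DN = "cn=users,cn=accounts,dc=fandingo,dc=org"  # IPA users container (assumed realm)
CONTACT_ATTRS = ["uid", "mail", "telephoneNumber"]


def credential_cache():
    """Return the ccache the GSSAPI library will use, or None for the default.

    The bind fails with a 'no credentials' style error when this points at an
    empty or expired cache, so it is the first thing to check when debugging.
    """
    return os.environ.get("KRB5CCNAME")


def escape_filter_value(value):
    """RFC 4515 escaping so a caller-supplied uid cannot rewrite the filter."""
    return "".join(
        c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value
    )


def user_filter(uid):
    """Filter selecting one IPA user by uid (escaped to prevent filter injection)."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(uid)


def contact_records(search_result):
    """Flatten python-ldap's [(dn, {attr: [bytes, ...]}), ...] into dicts of str.

    Referral entries arrive as (None, [urls]) and are skipped.
    """
    records = []
    for dn, attrs in search_result:
        if dn is None:
            continue
        rec = {"dn": dn}
        for attr in CONTACT_ATTRS:
            rec[attr] = [v.decode("utf-8") for v in attrs.get(attr, [])]
        records.append(rec)
    return records


def connect_gssapi(uri=LDAP_URI):
    """Open a connection and bind with the Kerberos ticket via SASL/GSSAPI."""
    import ldap
    import ldap.sasl

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    # Empty DN: the identity comes from the Kerberos principal, not a bind DN.
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi(""))
    return conn


def lookup_contact(conn, uid):
    """Return contact records for one uid from the IPA users container."""
    import ldap

    result = conn.search_s(BASE_DN, ldap.SCOPE_ONELEVEL, user_filter(uid), CONTACT_ATTRS)
    return contact_records(result)


# Constructed sample of what search_s returns, so the flattening can be
# exercised without a directory server.
SAMPLE_RESULT = [
    (
        "uid=justin,cn=users,cn=accounts,dc=fandingo,dc=org",
        {"uid": [b"justin"], "mail": [b"justin@fandingo.org"],
         "telephoneNumber": [b"+1 555 0100"]},
    ),
    (None, ["ldap://other.fandingo.org/cn=users,cn=accounts,dc=fandingo,dc=org"]),
]


if __name__ == "__main__":
    import sys

    print("credential cache:", credential_cache() or "(default)")
    conn = connect_gssapi()
    # whoami_s shows which principal the server mapped the ticket to.
    print("bound as:", conn.whoami_s())
    for rec in lookup_contact(conn, sys.argv[1] if len(sys.argv) > 1 else "justin"):
        print(rec)
```

Printing `whoami_s()` right after the bind is the quickest way to tell a successful Kerberos bind from an anonymous one: an anonymous bind returns an empty string, while a ticket-backed bind returns the mapped user DN.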