我在FreeBSD機器上運行Python 2.6,並且我希望對Active Directory執行兩階段身份驗證(並且我不知道正確的術語)。如何在Python中對Active Directory服務器執行兩階段身份驗證?
基本上,過程登錄用戶myuserid'是:
- 綁定到使用爲此目的而創建的系統帳戶的AD LDAP服務器(稱之爲
DOMAIN\gatekeeper
) - 驗證
myuserid
的密碼針對該用戶存儲在AD中的憑證。
我有以下代碼,它看起來很像this question中的代碼。
l = ldap.initialize(Server)
l.protoco_version = 3
l.set_option(ldap.OPT_REFERRALS, 0)
l.simple_bind_s('cn=gatekeeper,dc=DOMAIN,dc=COMPANY,dc=TLD', 'gatekeeper_password')
此錯誤這最後的結果:
=> LDAPError - INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid credentials'}
---------------------------------------------------------------------------
INVALID_CREDENTIALS Traceback (most recent call last)
/Users/crose/projects/ldap-auth/9163_saas/webservices/aws/model/aw_registry/<ipython console> in <module>()
/Users/crose/virtualenv/ldap-auth/lib/python2.6/site-packages/ldap/ldapobject.pyc in simple_bind_s(self, who, cred, serverctrls, clientctrls)
205 """
206 msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
--> 207 return self.result(msgid,all=1,timeout=self.timeout)
208
209 def bind(self,who,cred,method=ldap.AUTH_SIMPLE):
/Users/crose/virtualenv/ldap-auth/lib/python2.6/site-packages/ldap/ldapobject.pyc in result(self, msgid, all, timeout)
420 polling (timeout = 0), in which case (None, None) is returned.
421 """
--> 422 res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
423 return res_type,res_data
424
/Users/crose/virtualenv/ldap-auth/lib/python2.6/site-packages/ldap/ldapobject.pyc in result2(self, msgid, all, timeout)
424
425 def result2(self,msgid=ldap.RES_ANY,all=1,timeout=None):
--> 426 res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
427 return res_type, res_data, res_msgid
428
/Users/crose/virtualenv/ldap-auth/lib/python2.6/site-packages/ldap/ldapobject.pyc in result3(self, msgid, all, timeout)
430 if timeout is None:
431 timeout = self.timeout
--> 432 ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
433 if ldap_result is None:
434 rtype, rdata, rmsgid, decoded_serverctrls = (None,None,None,None)
/Users/crose/virtualenv/ldap-auth/lib/python2.6/site-packages/ldap/ldapobject.pyc in _ldap_call(self, func, *args, **kwargs)
94 try:
95 try:
---> 96 result = func(*args,**kwargs)
97 if __debug__ and self._trace_level>=2:
98 if func.__name__!="unbind_ext":
INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid credentials'}
每個教程中,我看到的似乎就是預設了我在Windows上運行,這是情況並非如此。我如何從Unix做到這一點?
我建議你改用kerberos PAM路線。如果這是爲web服務,我建議使用apache + mod_kerb。然後,您可以在Windows域中使用協商身份驗證進行單點登錄。這就是我在組織內部實現基於unix的web服務的方式。 – MattH 2010-08-23 21:26:52
Kerberos PAM auth可以工作;也許你可以提供說明?然而,Apache + mod_kerb在這裏不起作用。 – 2010-08-23 22:02:41