python-ldap：使用GSS-API時找不到回調

Question

我正在嘗試在Windows上使用python-ldap查詢Active Directory服務器。 這是我到目前為止的內容：

import ldap
import ldap.sasl

email_address = 'user.name@host.company.com'
ldap_url = 'ldap://domain.company.com:389'
domain = 'domain'
user = 'user'
password = 'password'
lo = ldap.initialize(ldap_url)
auth_tokens = ldap.sasl.gssapi('')
lo.sasl_interactive_bind_s('', auth_tokens)
print lo.whoami_s()
base = 'dc=%s,dc=company,dc=com' % domain
scope = ldap.SCOPE_SUBTREE
filter_str = '(mail=%s)' % email_address
attr_list = None
result = lo.search_s(base, scope, filter_str, attr_list)
print "result = %s" % result

這是回溯：

Traceback (most recent call last):
File "question.py", line 11, in <module>
lo.sasl_interactive_bind_s('', auth_tokens)
File "C:\Python27\lib\site-packages\ldap\ldapobject.py", line 244, in sasl_interactive_bind_s
return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
File "C:\Python27\lib\site-packages\ldap\ldapobject.py", line 106, in _ldap_call
result = func(*args,**kwargs)
ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: Unable to find a callback: 2', 'desc': 'Local error'}

我已使用LDAP Admin工具來驗證可以從Windows計算機訪問服務器。

這是ldap.sasl_interactive_bind_s的代碼：

def sasl_interactive_bind_s(self,who,auth,serverctrls=None,clientctrls=None,sasl_flags=ldap.SASL_QUIET):
    """
    sasl_interactive_bind_s(who, auth [,serverctrls=None[,clientctrls=None[,sasl_flags=ldap.SASL_QUIET]]]) -> None
    """
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)

SASL_QUIET是默認設置。

Answer 1

除GSS憑證結構外，Cyrus SASL GSSAPI機制最多不接受任何身份驗證信息。 您看到的錯誤是交互模式需要回調來提供虛擬/默認值。 您需要設置為安靜/非替代模式。

這是C語言中的代碼，您可能需要為Python弄清楚：

rc = ldap_sasl_interactive_bind_s(ld, NULL, SASL_MECH,
  NULL, NULL, LDAP_SASL_QUIET, do_interact, NULL);

do_interact在哪里：

int do_interact(
         LDAP *ld,
         unsigned flags,
         void *defaults,
         void *in )
 {
   sasl_interact_t *interact = in;
   char *sasl_defaults = (char  *)defaults;
   const char *dflt = interact->defresult;
   dflt = sasl_defaults;
   interact->result = (dflt && *dflt) ? dflt : "";
   interact->len = strlen( interact->result );
   return LDAP_SUCCESS;
 }

始終記住，GSS-API始終要求您已經通過其他/外部方式（例如，工作站登錄， kinit等）對網絡執行了身份驗證。