总体目标:我正在尝试在Windows上使用Kerberos通过LDAP对Active Directory进行身份验证。由于依赖关系,我无法使用python-ldap或python-gssapi,因此我将ldap3与patch found in this answer一起使用以使用Kerberos(通过{{1} },而不是winkerberos。
示例代码:
python-gssapi投掷:
from ldap3 import Connection, Server, ALL, IP_V4_PREFERRED, SASL, GSSAPI
domain_controller = input("DC: ")
SERVER = Server(domain_controller,
allowed_referral_hosts=[('*', True)],
get_info=ALL,
mode=IP_V4_PREFERRED)
CONNECTION = {"authentication": SASL,
"sasl_mechanism": GSSAPI,
"check_names": True}
c = Connection(SERVER, **CONNECTION)
c.bind()
我尝试将solution here的 File "ldap3\core\connection.py", line 550, in bind
response = self.do_sasl_bind(controls)
File "ldap3\core\connection.py", line 1252, in do_sasl_bind
result = sasl_gssapi(self, controls)
File "ldap3\protocol\sasl\kerberos.py", line 54, in sasl_gssapi
base64.b64encode(in_token).decode('ascii')
winkerberos.GSSError: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable
更改为@,没有任何区别。套接字可以正确解析dc fqdn,该dc支持SASL / GSSAPI机制,我也可以传递用户名/密码来成功绑定。此处失败的部分听起来是特定于Kerberos的。
问题:是什么原因导致此错误,我该如何补救?