How do I perform two-stage authentication against an Active Directory server in Python?
Tags: python, unix, authentication, active-directory, ldap

I'm running Python 2.6 on a FreeBSD machine and I want to do two-stage authentication (I don't know the correct term) against Active Directory. Basically, the process for logging in user "myuserid" is:

- bind to the AD LDAP server with a system account created for this purpose (call it DOMAIN\gatekeeper)
- verify myuserid's password against the credentials stored for that user in AD

I have the code below, which looks very much like the code in the post I linked. The last one results in the following error:

=> LDAPError - INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid credentials'}
---------------------------------------------------------------------------
INVALID_CREDENTIALS Traceback (most recent call last)
/Users/crose/projects/ldap-auth/9163_saas/webservices/aws/model/aw_registry/<ipython console> in <module>()
/Users/crose/virtualenv/ldap-auth/lib/python2.6/site-packages/ldap/ldapobject.pyc in simple_bind_s(self, who, cred, serverctrls, clientctrls)
205 """
206 msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
--> 207 return self.result(msgid,all=1,timeout=self.timeout)
208
209 def bind(self,who,cred,method=ldap.AUTH_SIMPLE):
/Users/crose/virtualenv/ldap-auth/lib/python2.6/site-packages/ldap/ldapobject.pyc in result(self, msgid, all, timeout)
420 polling (timeout = 0), in which case (None, None) is returned.
421 """
--> 422 res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
423 return res_type,res_data
424
/Users/crose/virtualenv/ldap-auth/lib/python2.6/site-packages/ldap/ldapobject.pyc in result2(self, msgid, all, timeout)
424
425 def result2(self,msgid=ldap.RES_ANY,all=1,timeout=None):
--> 426 res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
427 return res_type, res_data, res_msgid
428
/Users/crose/virtualenv/ldap-auth/lib/python2.6/site-packages/ldap/ldapobject.pyc in result3(self, msgid, all, timeout)
430 if timeout is None:
431 timeout = self.timeout
--> 432 ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
433 if ldap_result is None:
434 rtype, rdata, rmsgid, decoded_serverctrls = (None,None,None,None)
/Users/crose/virtualenv/ldap-auth/lib/python2.6/site-packages/ldap/ldapobject.pyc in _ldap_call(self, func, *args, **kwargs)
94 try:
95 try:
---> 96 result = func(*args,**kwargs)
97 if __debug__ and self._trace_level>=2:
98 if func.__name__!="unbind_ext":
INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid credentials'}
Every tutorial I've seen seems to assume I'm running on Windows, which isn't the case. How do I do this from Unix?

A sub-code of 525 doesn't mean a wrong password; it means a wrong bind DN. 52e is bad credentials. Check that you have the correct DN for the gatekeeper user.

You have several problems there:
- make sure your AD accepts simple binds at all
- bind with your gatekeeper account and look up the DN of the username in AD (usually by searching for something like sAMAccountName or userPrincipalName)
- try to bind to the DN you found with the password the user supplied
- if that bind succeeds, you can treat the user as authenticated
But if your application gets this far, using PAM or Kerberos wouldn't be much more work.
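The procedure in this answer, together with the 525-versus-52e distinction from the comment above, as an added Python example that is not code from the original thread. It assumes python-ldap for the real `LdapDirectory` backend (imported only when that class is instantiated) and uses a constructed in-memory `FakeDirectory`, with made-up DNs under DC=example,DC=local and made-up passwords, so that `demo()` runs without a domain controller. The gatekeeper and myuserid names come from the question; every other name (classes, functions, DNs, sample values) is invented here.

```python
import re

# AD reports the real reason for INVALID_CREDENTIALS inside the 'info' string, e.g.
# "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece".
AD_BIND_SUBCODES = {"525": "user not found (wrong bind DN or search base)",
                    "52e": "invalid credentials (wrong password)"}


def explain_ad_error(info):
    """Return (subcode, reason) parsed from an AD bind error 'info' string."""
    match = re.search(r"data ([0-9a-fA-F]+)", info or "")
    code = match.group(1).lower() if match else None
    return code, AD_BIND_SUBCODES.get(code, "unrecognised AD bind failure")


def escape_filter_chars(value):
    """RFC 4515 escaping so a user-typed login cannot rewrite the search filter
    (python-ldap provides the same as ldap.filter.escape_filter_chars)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


class BindFailed(Exception):
    """A simple bind was rejected; args[0] carries the server's diagnostic string."""


class LdapDirectory(object):
    """Backend using python-ldap (needs the 'ldap' module and a reachable server).
    Use an ldaps:// URI: a simple bind otherwise sends the password in the clear."""
    def __init__(self, uri):
        import ldap  # imported lazily so the offline demo does not need python-ldap
        self._ldap = ldap
        self._conn = ldap.initialize(uri)
        self._conn.set_option(ldap.OPT_REFERRALS, 0)  # AD referrals otherwise break search_s

    def bind(self, who, password):
        # 'who' may be a DN, a UPN (user@domain) or NT-style DOMAIN\user; AD accepts all three.
        try:
            self._conn.simple_bind_s(who, password)
        except self._ldap.INVALID_CREDENTIALS as exc:
            raise BindFailed(exc.args[0].get("info", ""))

    def find_user_dn(self, base_dn, login):
        flt = "(sAMAccountName=%s)" % escape_filter_chars(login)
        hits = self._conn.search_s(base_dn, self._ldap.SCOPE_SUBTREE, flt, ["distinguishedName"])
        dns = [dn for dn, _ in hits if dn]  # referral pseudo-entries come back with dn None
        return dns[0] if len(dns) == 1 else None


class FakeDirectory(object):
    """Constructed in-memory stand-in for the demo; mimics AD's 525 / 52e sub-codes."""
    INFO = "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data %s, vece"

    def __init__(self, accounts):
        self._accounts = accounts  # dn -> (sAMAccountName, password)

    def bind(self, who, password):
        if who not in self._accounts:
            raise BindFailed(self.INFO % "525")
        if self._accounts[who][1] != password:
            raise BindFailed(self.INFO % "52e")

    def find_user_dn(self, base_dn, login):
        for dn, (sam, _) in self._accounts.items():
            if dn.lower().endswith(base_dn.lower()) and sam.lower() == login.lower():
                return dn
        return None


def authenticate(directory, gatekeeper, gatekeeper_pw, base_dn, login, password):
    """Bind as gatekeeper, resolve the user's DN, then bind as the user.
    Returns (True, user_dn) on success, (False, reason) otherwise."""
    # A simple bind with an empty password is an anonymous bind and succeeds on AD, so refuse it first.
    if not password:
        return False, "empty password refused"
    try:
        directory.bind(gatekeeper, gatekeeper_pw)  # stage 1: service account
    except BindFailed as exc:
        return False, "gatekeeper bind failed: data %s, %s" % explain_ad_error(exc.args[0])
    user_dn = directory.find_user_dn(base_dn, login)
    if user_dn is None:
        return False, "no unique account for %s" % login
    try:
        directory.bind(user_dn, password)  # stage 2: the user's own credentials
    except BindFailed as exc:
        return False, "user bind failed: data %s, %s" % explain_ad_error(exc.args[0])
    return True, user_dn


# Constructed sample directory: a gatekeeper service account and one ordinary user.
GATEKEEPER_DN = "CN=gatekeeper,OU=Service,DC=example,DC=local"
BASE_DN = "DC=example,DC=local"
SAMPLE_AD = FakeDirectory({GATEKEEPER_DN: ("gatekeeper", "gk-secret"),
                           "CN=My User,OU=Users,DC=example,DC=local": ("myuserid", "correct horse")})


def demo():
    """Run the cases the thread discusses against the sample directory."""
    def run(gk, login, pw):
        return authenticate(SAMPLE_AD, gk, "gk-secret", BASE_DN, login, pw)
    return {"ok": run(GATEKEEPER_DN, "myuserid", "correct horse"),
            "wrong_password": run(GATEKEEPER_DN, "myuserid", "nope"),
            "wrong_gatekeeper_dn": run("CN=nobody,DC=example,DC=local", "myuserid", "correct horse"),
            "empty_password": run(GATEKEEPER_DN, "myuserid", "")}
```

Two checks in `authenticate` matter beyond the four steps: the empty-password refusal, because an LDAP simple bind with an empty password is an anonymous bind that AD accepts, and the filter escaping, so that whatever the user types as a login cannot change the sAMAccountName search. Against a real server, replace `SAMPLE_AD` with `LdapDirectory("ldaps://dc.example.local")` (an assumed hostname); the `wrong_gatekeeper_dn` case then reproduces the `data 525` error from the question.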
I'd suggest going the Kerberos/PAM route instead. If this is for web services, I'd suggest Apache + mod_kerb. Then you can use Negotiate authentication for single sign-on inside the Windows domain. That's how I've implemented Unix-based web services within my organization.

Maybe you could give some guidance? However, Apache + mod_kerb won't work here. I will.