Using NTLM and binding by hostname not in DNS returns authMethodNotSupported #625
Comments
|
Are you sure the dns is returning the same ip? Maybe it returns an ipv6 address or a different ip. The authMethodNotSupported message is from the server, it means that the NTLM method is not recognized. That method isn’t in the LDAP standard and is allowed for AD only.
… Il giorno 5 dic 2018, alle ore 09:37, fleonasb ***@***.***> ha scritto:
Python 3.6
ldap3 version 2.5.1
Ubuntu 18.04.1 LTS
Windows 2012R2 AD
When trying to bind a connection using a host name entry added to /etc/hosts:
c = ldap3.Connection('ldaps://ldap', user='mydomain\****rw', password='********', authentication=ldap3.NTLM)
bind() fails:
{'result': 7, 'description': 'authMethodNotSupported', 'dn': '', 'message': 'unknown authentication method', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
Replacing the hostname by its IP binds just ok:
>>> c = ldap3.Connection('ldaps://192.168.x.x', user='mydomain\****rw', password='******', authentication=ldap3.NTLM)
>>> c.bind()
True
I don't mind resolving the hostname to its IP but could we use a cleaner way?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
That's the problem, there is no possible answer from our DNS servers. I'm creating a dockerized app and, as part of Docker container creation, all host names go into containers' /etc/hosts - our DNS systems have no trace of such names, effectively returning NXDOMAIN if asking through DNS resolution. As you say, it's only failing with a direct connection to AD (everything else we do with ldap3 is not using NTLM). No big deal, because I can either provide an environment variable with the IP address or resolve it through the socket library. Just was wondering if there was a "cleaner" way. |
|
Could be the case that the you’re reaching a different server? The ldap3 library always uses the ip received from the dns. Can you enter the container for trying a ping to the dns name and checking that you get the correct ip?
… Il giorno 5 dic 2018, alle ore 12:35, fleonasb ***@***.***> ha scritto:
That's the problem, there is no possible answer from our DNS servers. I'm creating a dockerized app and, as part of Docker container creation, all host names go into containers' /etc/hosts - our DNS systems have no trace of such names, effectively returning NXDOMAIN if asking through DNS resolution. As you say, it's only failing with a direct connection to AD (everything else we do with ldap3 is not using NTLM).
No big deal, because I can either provide an environment variable with the IP address or resolve it through the socket library. Just was wondering if there was a "cleaner" way.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Yes, you're right, sigh! We are using a combination of openldap and AD, which for regular LDAP authentication works fine when pointing to the openldap server IP (there's a kind of "nested" structure), but in order to create AD users and set their userAccountControl, I need to use the AD server's IP address. Thanks for the help, and sorry for the rather silly issue! |
Python 3.6
ldap3 version 2.5.1
Ubuntu 18.04.1 LTS
Windows 2012R2 AD
When trying to bind a connection using a host name entry added to /etc/hosts:
c = ldap3.Connection('ldaps://ldap', user='mydomain\****rw', password='********', authentication=ldap3.NTLM)bind() fails:
Replacing the hostname by its IP binds just ok:
>>> c = ldap3.Connection('ldaps://192.168.x.x', user='mydomain\****rw', password='******', authentication=ldap3.NTLM)>>> c.bind()TrueI don't mind resolving the hostname to its IP but could we use a cleaner way?
The text was updated successfully, but these errors were encountered: