
Support for GSSAPI/SASL #33

Closed
chriskuehl opened this issue Mar 20, 2015 · 20 comments
Comments

@chriskuehl

First, thanks for a really well done library! It's already been extraordinarily helpful for us.

Our local setup uses the GSSAPI SASL mechanism to authenticate to LDAP via Kerberos. From reading the code, I don't think this is currently supported by ldap3, though it looks like some other SASL mechanisms are supported already.

I'm not sure how practical it is, but it'd be really cool if this was supported in some future release.

I notice there's a python-gssapi module, which looks like it might be helpful, but it's using a C extension to interface with GSSAPI, which I'm guessing might be an issue.

I'm going to try to get something working with python-gssapi as a starting point, but any insights you have would be greatly appreciated!

@cannatag
Owner

Hi, I'd like to add the kerberos authentication feature with pure-python code (without any C extension). My problem is that I don't have any kerberos infrastructure to test the authentication. In the meanwhile I've found a gist on https://gist.github.com/sigmaris/f4bf307e97b449148d78 that integrates the python-gssapi module with ldap3. Can you give a look and tell me if this is working for you?

Thanks,
Giovanni

@chriskuehl
Author

Thanks for the speedy reply! I spent a couple hours trying to get the patch working, but haven't yet succeeded. The GSSAPI context is being established successfully, but then I receive a cryptic error message:

gssapi.error.MechDefectiveToken: (589824) Invalid token was supplied. Minor code: (100001) Success.

...which I haven't yet been able to track down.

Here's a gist with the changes (as I've integrated them into the current ldap3 dev branch) I'm using to test:
https://gist.github.com/chriskuehl/43dbc4281074a62a338d

The script I'm testing with is:
https://gist.github.com/chriskuehl/61bc3dadfb3780b99d5a

I've made a few changes (marked with "XXX:" and a comment) to the gist you found. I haven't yet found a way to get it working, but I'll keep poking at it and trying to make progress. Some of my changes might not be correct, as I've been trying a few different things without fully understanding them.

I'll report back if I find out anything else.

We'd also be more than happy to provide you access to our Kerberos/LDAP infrastructure to test on, if you'd like!
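The bind this thread is chasing has two phases: GSS context establishment, then the RFC 4752 security-layer negotiation, where the server sends one more wrapped token and the client answers with one of its own. The following is an added example, not code from this thread or from ldap3, of that client-side step working on the already unwrapped 4-byte payloads; the server offers are constructed, and gssapi's wrap/unwrap are assumed to happen around it.

```python
"""Client side of the RFC 4752 security-layer step of the SASL GSSAPI mechanism.

Added example, not code from the ldap3 thread or from ldap3 itself. After the GSS
context is up, the server's unwrapped token is 4 bytes: a bitmask of offered
layers plus a 3-byte big-endian max buffer size; the client replies in the same
layout with exactly one layer bit set. GSS wrap/unwrap are assumed done elsewhere.
"""
import struct

LAYER_NONE = 0x01       # no security layer
LAYER_INTEGRITY = 0x02  # integrity protection only
LAYER_CONF = 0x04       # confidentiality (implies integrity)
ALL_LAYERS = LAYER_NONE | LAYER_INTEGRITY | LAYER_CONF


def parse_server_token(payload):
    """Decode the server's unwrapped token into (offered_mask, server_max_buf)."""
    if len(payload) != 4:
        raise ValueError("security-layer token must be 4 bytes, got %d" % len(payload))
    offered = payload[0]
    if offered == 0 or offered & ~ALL_LAYERS:
        raise ValueError("invalid security-layer mask 0x%02x" % offered)
    return offered, struct.unpack("!I", b"\x00" + payload[1:4])[0]


def choose_layer(offered, minimum):
    """Take the strongest offered layer; refuse a downgrade below `minimum`."""
    for layer in (LAYER_CONF, LAYER_INTEGRITY, LAYER_NONE):
        if offered & layer:
            if layer < minimum:
                raise ValueError("server offers only weaker layers: 0x%02x" % offered)
            return layer
    raise ValueError("no layer offered")


def build_client_token(layer, client_max_buf, authzid=""):
    """Encode the reply: chosen layer, our max receive size, optional authzid."""
    if layer not in (LAYER_NONE, LAYER_INTEGRITY, LAYER_CONF):
        raise ValueError("exactly one layer bit must be set")
    if layer == LAYER_NONE:
        client_max_buf = 0  # RFC 4752: size field must be zero without a layer
    if not 0 <= client_max_buf <= 0xFFFFFF:
        raise ValueError("max buffer size must fit in 3 bytes")
    return bytes([layer]) + struct.pack("!I", client_max_buf)[1:] + authzid.encode("utf-8")


def negotiate(server_payload, minimum=LAYER_INTEGRITY, client_max_buf=0xFFFFFF, authzid=""):
    """Whole client step: parse the offer, pick a layer, build the reply payload."""
    offered, _server_max_buf = parse_server_token(server_payload)
    return build_client_token(choose_layer(offered, minimum), client_max_buf, authzid)
```

A server that offers only "no security layer" is refused by default, which is the check to keep when the LDAP session is not already under TLS.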

@cannatag
Owner

cannatag commented Apr 3, 2015

Hi Chris,
Please have a look at issue #24. I've been working on native NTLM v2 authentication and have a working version in dev. In case you are using Kerberos on Windows maybe this feature could help you.

Anyway I will work on Kerberos authentication soon.

Bye,
Giovanni


@pefoley2
Contributor

pefoley2 commented Apr 4, 2015

I'm also interested in this, and managed to get a modified version of the above gist working.
My code is at https://gist.github.com/pefoley2/c6991488e303cc46f8fa

@cannatag
Owner

cannatag commented Apr 4, 2015

thanks! I will check your code.

Bye,
Giovanni

@cannatag
Owner

cannatag commented Apr 8, 2015

Hi Peter, I've adapted your code to be used in the ldap3 library, but cannot test it. Can you give a try with the version in dev?

Thanks,
Giovanni

@pefoley2
Contributor

pefoley2 commented Apr 8, 2015

It works correctly against my test system, thanks a lot!

@chriskuehl
Author

@pefoley2 would you be able to share the code you're using to test? I've been unsuccessfully trying to get the dev branch working with our LDAP/Kerberos installation. It's actually binding via GSSAPI properly, but queries aren't being received properly by ldap3 (although the server logs look like it was completed and returned successfully).

Additionally, are you using MIT or Heimdal? Do you require SSL/TLS for all LDAP connections?

Thanks so much both of you!

@pefoley2
Contributor

pefoley2 commented Apr 9, 2015

My script is here, https://gist.github.com/pefoley2/ea7aa9aa5964a998203d
I run kinit username@REALM and then the script and who_am_i returns the correct result.
The tls stuff is unused, because I haven't set up the correct certs yet on the server, so I can't test that.
I've also verified correct functionality with the webapp I need gssapi support for.
I built the gssapi module against MIT, as it didn't compile correctly against heimdal and I wasn't sure how to fix that.
Let me know if you need more info.

@pefoley2
Contributor

pefoley2 commented Apr 9, 2015

pythongssapi/python-gssapi#61 should fix heimdal support, I'll test that too at some point.

@chriskuehl
Author

Thanks for the additional info! Your code is working for me as well (who_am_i() returns the correct user), so it seems that the authentication is happening successfully.

Unfortunately, I'm not actually able to make LDAP queries; they all return an empty list. The code I'm using is here.

Are these kind of queries working for you?

@pefoley2
Contributor

pefoley2 commented Apr 9, 2015

Yep, I got a full set of attrs w/ mit. heimdal is currently crashing on me, but I think that's a separate issue.

@DirectXMan12

Hi! I'm one of the devs from python-gssapi. I just wanted to let you know that if you need an easy way to set up a Kerberos environment for testing, the file gssapi/tests/k5test.py in python-gssapi may be of some use.

It sets up a self-contained MIT krb5 environment to test in (assuming you have the appropriate krb5 packages installed). You can either use it from a unit test (like we do in the python-gssapi unit tests), or through the gssapi-console.py (which is like an interactive Python console, but with a krb5 environment automatically set up and torn down).

@pefoley2
Contributor

I tested this with python2.7 and it appears to need `from __future__ import absolute_import` because the name of the file is the same as the name of the module it imports.

@cannatag
Owner

thanks. I've changed the module name from gssapi.py to kerberos.py.

@cannatag
Owner

Thanks DirectXMan12, I will check your k5test.py. Can I set it up on a Windows machine or do I need to use it on Linux?

Bye,
Giovanni

@DirectXMan12

@cannatag : currently, it requires Linux, or something similar

@cannatag
Owner

Hi DirectXMan12, you mean that the Kerberos environment in k5test.py works on Linux only or that the whole python-gssapi itself is intended to be used only on Linux?

thanks,
Giovanni

@DirectXMan12

@cannatag : the test environment currently only works on Linux. Hypothetically, python-gssapi itself should work on Windows when using a library for Windows that provides GSSAPI (e.g. MIT krb5 for Windows), but this has not yet been tested. If you find any issues on Windows, please let us know.

@cannatag
Owner

released in 0.9.8.3
