[python-ldap] Issue with sasl binds

William Brown william at blackhats.net.au
Tue Nov 14 01:05:13 EST 2017


Hi there,

I have a very odd issue.

I can properly use ldapwhoami from the cli with TLS EXTERNAL:

LDAPTLS_KEY=/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key \
LDAPTLS_CERT=/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt \
LDAPTLS_CACERT=/opt/dirsrv/etc/dirsrv/ssca/ca.crt \
ldapwhoami -Y EXTERNAL -H ldaps://localhost:63601/

SASL/EXTERNAL authentication started
SASL username: cn=testuser_a,o=testing,l=389ds,st=Queensland,c=AU
SASL SSF: 0
dn: cn=testuser_a,O=testing,L=389ds,ST=Queensland,C=AU

However, the same with python-ldap does not work.

import ldap
import ldap.sasl

tls_locs = {
    'ca': '/opt/dirsrv/etc/dirsrv/ssca/ca.crt',
    'crt': '/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt',
    'key': '/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key',
}

# DN that ldapwhoami reported for the client certificate (see above)
dn = 'cn=testuser_a,O=testing,L=389ds,ST=Queensland,C=AU'

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_locs['ca'])

conn = ldap.initialize('ldaps://localhost:63601')

# per-connection TLS settings: CA for server verification, client cert and key
conn.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_locs['ca'])
conn.set_option(ldap.OPT_X_TLS_CERTFILE, tls_locs['crt'])
conn.set_option(ldap.OPT_X_TLS_KEYFILE, tls_locs['key'])

print(conn.get_option(ldap.OPT_X_TLS_CACERTFILE))
print(conn.get_option(ldap.OPT_X_TLS_CERTFILE))
print(conn.get_option(ldap.OPT_X_TLS_KEYFILE))

# SASL EXTERNAL: identity comes from the TLS client certificate
sasl_auth = ldap.sasl.external()
conn.sasl_interactive_bind_s("", sasl_auth)

assert(conn.whoami_s().lower() == "dn: %s" % dn.lower())
conn.unbind_s()


----------

/opt/dirsrv/etc/dirsrv/ssca/ca.crt
/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt
/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key
Traceback (most recent call last):
  File "works.py", line 23, in <module>
    conn.sasl_interactive_bind_s("", sasl_auth)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 410, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 265, in _ldap_call
    result = func(*args,**kwargs)
ldap.AUTH_UNKNOWN: {'desc': 'Unknown authentication method', 'info': 'SASL(-4): no mechanism available: '}

I'm really quite stumped on this one, and what's going on. Trace level
9 has no real extra help here. It seems like a problem with actually
detecting the available mechs, because the server logs don't get far at
all:

[14/Nov/2017:16:03:56.517461686 +1000] conn=9 fd=64 slot=64 SSL connection from ::1 to ::1
[14/Nov/2017:16:03:56.536788945 +1000] conn=9 TLS1.2 128-bit AES-GCM
[14/Nov/2017:16:03:56.556707754 +1000] conn=9 op=0 UNBIND
[14/Nov/2017:16:03:56.556823805 +1000] conn=9 op=0 fd=64 closed - U1

Ideas? 

note: affects pyldap as well.
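Editor's note: the following is an added example written for this discussion, not code from the original post or from python-ldap. It shows how a client-certificate (SASL EXTERNAL) bind is usually wrapped with python-ldap, with two checks a practitioner would add around it: reading the root DSE first to confirm the server actually offers EXTERNAL on this TLS session (a clearer failure than SASL(-4)), and verifying the bound identity with a DN comparison that tolerates attribute-type case differences such as `o=` versus `O=` in the output above. One difference from the posted script is the call to `ldap.OPT_X_TLS_NEWCTX`, which python-ldap requires after the per-connection TLS options for them to take effect; whether that is the cause here is not established by the post. The paths, URI and expected DN are the ones quoted in the post; python-ldap 3.x is assumed and is imported only inside `external_bind`, so the pure helpers run without a server.

```python
"""
SASL EXTERNAL bind with python-ldap, plus the checks around it.
Example code written for this mailing-list thread; not part of the
original post or of python-ldap.  Assumes python-ldap 3.x, a 389-ds
server on ldaps://localhost:63601 and the file paths quoted in the post.
"""
import re

# DN the server reported for the client certificate in the post.
EXPECTED_DN = "cn=testuser_a,O=testing,L=389ds,ST=Queensland,C=AU"

TLS_LOCS = {
    "ca": "/opt/dirsrv/etc/dirsrv/ssca/ca.crt",
    "crt": "/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt",
    "key": "/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key",
}


def split_rdns(dn):
    """Split a DN on unescaped commas; an RFC 4514 '\\,' stays in its value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def normalize_dn(dn):
    """Lower-case attribute types and values (caseIgnoreMatch, the rule for
    the usual directoryString attributes) and drop whitespace around '='."""
    out = []
    for rdn in split_rdns(dn):
        atype, _, value = rdn.partition("=")
        out.append("%s=%s" % (atype.strip().lower(), value.strip().lower()))
    return ",".join(out)


def whoami_matches(whoami, expected_dn):
    """Compare a Who Am I? result with the DN we expect.

    RFC 4532 defines the authzId as 'dn:<DN>' with no space after the colon;
    the ldapwhoami output in the post shows 'dn: <DN>'.  Accept both."""
    m = re.match(r"^dn:\s*(.*)$", whoami, re.IGNORECASE | re.DOTALL)
    if not m:
        return False
    return normalize_dn(m.group(1)) == normalize_dn(expected_dn)


def external_offered(rootdse_attrs):
    """True if the root DSE lists EXTERNAL in supportedSASLMechanisms.
    python-ldap 3 returns attribute values as bytes; accept str as well."""
    mechs = rootdse_attrs.get("supportedSASLMechanisms", [])
    names = {m.decode("utf-8") if isinstance(m, bytes) else m for m in mechs}
    return "EXTERNAL" in {n.upper() for n in names}


def external_bind(uri, ca, crt, key, expected_dn=EXPECTED_DN):
    """Bind with SASL EXTERNAL over ldaps and verify the resulting identity."""
    import ldap        # python-ldap; imported here so the helpers above
    import ldap.sasl   # stay importable on a machine without it

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca)
    conn.set_option(ldap.OPT_X_TLS_CERTFILE, crt)
    conn.set_option(ldap.OPT_X_TLS_KEYFILE, key)
    # Always verify the server certificate against the CA.
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # Per-connection TLS options are applied only when a new context is
    # created, so OPT_X_TLS_NEWCTX must be set last.
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

    # Anonymous root DSE read: proves the TLS handshake works and that the
    # server offers EXTERNAL on this session before we attempt the bind.
    rootdse = conn.search_s("", ldap.SCOPE_BASE, "(objectClass=*)",
                            ["supportedSASLMechanisms"])
    if not external_offered(rootdse[0][1]):
        conn.unbind_s()
        raise RuntimeError("server does not offer SASL EXTERNAL on this connection")

    conn.sasl_interactive_bind_s("", ldap.sasl.external())
    try:
        whoami = conn.whoami_s()
        if not whoami_matches(whoami, expected_dn):
            raise RuntimeError("bound as %r, expected %r" % (whoami, expected_dn))
        return whoami
    finally:
        conn.unbind_s()


if __name__ == "__main__":
    print(external_bind("ldaps://localhost:63601", TLS_LOCS["ca"],
                        TLS_LOCS["crt"], TLS_LOCS["key"]))
```

If the root DSE read succeeds but EXTERNAL is absent from the advertised mechanisms, the client certificate was most likely not presented during the handshake, which points at the TLS option setup rather than at SASL; if the read itself fails, the problem is in TLS negotiation and the server access log will show it before any bind is attempted.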
