From d.bajal at hostcomm.ru Fri Oct 3 16:25:06 2014
From: d.bajal at hostcomm.ru (Dmitriy Bajal)
Date: Fri, 03 Oct 2014 18:25:06 +0400
Subject: [python-ldap] syncrepl and rename
Message-ID: <91c30205b3ecc709a5f11822de136c5a@hostcomm.ru>

Hey guys.

We have syncrepl working and recently got the following problem: when trying to rename an object, the operation succeeds, but syncrepl gets no events for renaming the child objects of the renamed one. How do you fix this? Is it ldap server configuration, or am I doing something wrong with syncrepl? A quick look into Google/the python-ldap docs gave no information.

Thanks for your attention.

From michael at stroeder.com Fri Oct 3 16:39:40 2014
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 03 Oct 2014 16:39:40 +0200
Subject: [python-ldap] syncrepl and rename
In-Reply-To: <91c30205b3ecc709a5f11822de136c5a@hostcomm.ru>
References: <91c30205b3ecc709a5f11822de136c5a@hostcomm.ru>
Message-ID: <542EB52C.6000506@stroeder.com>

Dmitriy Bajal wrote:
> We have syncrepl working and recently got next problem: when trying to rename
> object, operation succeeds, but syncrepl gets no events for renaming children
> objects of renamed first one.

Which version of python-ldap are you using?
Which LDAP server and version are you using?

Ciao, Michael.
From d.bajal at hostcomm.ru Mon Oct 6 08:45:28 2014
From: d.bajal at hostcomm.ru (Бажал Дмитрий)
Date: Mon, 06 Oct 2014 10:45:28 +0400
Subject: [python-ldap] syncrepl and rename
In-Reply-To: <542EB52C.6000506@stroeder.com>
References: <91c30205b3ecc709a5f11822de136c5a@hostcomm.ru> <542EB52C.6000506@stroeder.com>
Message-ID: <54323A88.5000203@hostcomm.ru>

03.10.2014 18:39, Michael Ströder wrote:
> Dmitriy Bajal wrote:
>> We have syncrepl working and recently got next problem: when trying to rename
>> object, operation succeeds, but syncrepl gets no events for renaming children
>> objects of renamed first one.
> Which version of python-ldap are you using?
> Which LDAP server and version are you using?
>
> Ciao, Michael.
>
Python-ldap is version '2.4.14'. The LDAP server is OpenLDAP version 2.4.31.

From michael at stroeder.com Mon Oct 6 09:01:16 2014
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 06 Oct 2014 09:01:16 +0200
Subject: [python-ldap] syncrepl and rename
In-Reply-To: <54323A88.5000203@hostcomm.ru>
References: <91c30205b3ecc709a5f11822de136c5a@hostcomm.ru> <542EB52C.6000506@stroeder.com> <54323A88.5000203@hostcomm.ru>
Message-ID: <54323E3C.2030503@stroeder.com>

Бажал Дмитрий wrote:
> 03.10.2014 18:39, Michael Ströder wrote:
>> Dmitriy Bajal wrote:
>>> We have syncrepl working and recently got next problem: when trying to rename
>>> object, operation succeeds, but syncrepl gets no events for renaming children
>>> objects of renamed first one.
>> Which version of python-ldap are you using?
>> Which LDAP server and version are you using?
>>
> Python-ldap is of version '2.4.14'. Ldap server is OpenLDAP version 2.4.31.

Do you have OpenLDAP replicas either?
Is the modrdn request replicated?
There have been numerous syncrepl-related fixes in OpenLDAP even in the most recent release 2.4.40.
Can you first try a newer OpenLDAP release on your server?

Ciao, Michael.

From d.bajal at hostcomm.ru Tue Oct 7 13:52:47 2014
From: d.bajal at hostcomm.ru (Бажал Дмитрий)
Date: Tue, 07 Oct 2014 15:52:47 +0400
Subject: [python-ldap] syncrepl and rename
In-Reply-To: <54323E3C.2030503@stroeder.com>
References: <91c30205b3ecc709a5f11822de136c5a@hostcomm.ru> <542EB52C.6000506@stroeder.com> <54323A88.5000203@hostcomm.ru> <54323E3C.2030503@stroeder.com>
Message-ID: <5433D40F.6020004@hostcomm.ru>

Thank you, Michael, I will try to update.

06.10.2014 11:01, Michael Ströder wrote:
> Бажал Дмитрий wrote:
>> 03.10.2014 18:39, Michael Ströder wrote:
>>> Dmitriy Bajal wrote:
>>>> We have syncrepl working and recently got next problem: when trying to rename
>>>> object, operation succeeds, but syncrepl gets no events for renaming children
>>>> objects of renamed first one.
>>> Which version of python-ldap are you using?
>>> Which LDAP server and version are you using?
>>>
>> Python-ldap is of version '2.4.14'. Ldap server is OpenLDAP version 2.4.31.
> Do you have OpenLDAP replicas either?
> Is the modrdn request replicated?
> There have been numerous syncrepl-related fixes in OpenLDAP even in most
> recent release 2.4.40. Can you first try a newer OpenLDAP release at your server?
>
> Ciao, Michael.
>
>

From michael at stroeder.com Thu Oct 9 10:24:53 2014
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 09 Oct 2014 10:24:53 +0200
Subject: [python-ldap] ANN: python-ldap 2.4.18
Message-ID: <54364655.8080402@stroeder.com>

Find a new release of python-ldap:

http://pypi.python.org/pypi/python-ldap/2.4.18

python-ldap provides an object-oriented API to access LDAP directory servers from Python programs.
It mainly wraps the OpenLDAP 2.x libs for that purpose. Additionally it contains modules for other LDAP-related stuff (e.g. processing LDIF, LDAP URLs and LDAPv3 schema).

Project's web site:

http://www.python-ldap.org/

Ciao, Michael.

----------------------------------------------------------------
Released 2.4.18 2014-10-09

Changes since 2.4.17:

Lib/
* Fixed raising exception in LDAPObject.read_s() when reading an entry
  returns empty search result

From alirezaimi at gmail.com Sun Oct 12 12:54:48 2014
From: alirezaimi at gmail.com (Ali Reza)
Date: Sun, 12 Oct 2014 14:24:48 +0330
Subject: [python-ldap] how to create ou or group ?
Message-ID:

Hi,

How can I create an ou or group in Active Directory?

Thanks.

-- 
*>>> print (" Alireza Mazare'i ")*

From michael at stroeder.com Sun Oct 12 14:01:30 2014
From: michael at stroeder.com (Michael Ströder)
Date: Sun, 12 Oct 2014 14:01:30 +0200
Subject: [python-ldap] how to create ou or group ?
In-Reply-To:
References:
Message-ID: <543A6D9A.2060704@stroeder.com>

Ali Reza wrote:
> How can i create an ou or group in active directory ?

Just like any other entry, using the appropriate set of object classes and attributes.

Make yourself familiar with

http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.add
http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.modify

You probably want to use the synchronous methods add_s() and modify_s().

Ciao, Michael.

From alirezaimi at gmail.com Tue Oct 14 07:28:24 2014
From: alirezaimi at gmail.com (Ali Reza)
Date: Tue, 14 Oct 2014 08:58:24 +0330
Subject: [python-ldap] how to create ou or group ?
In-Reply-To: <543A6D9A.2060704@stroeder.com>
References: <543A6D9A.2060704@stroeder.com>
Message-ID:

I tested other configs for attrs and objects, but it does not work and I cannot create an ou or group. Can you explain more or give me some clue (with an example)?

Thanks a lot for the support.

On Sun, Oct 12, 2014 at 3:31 PM, Michael Ströder wrote:
> Ali Reza wrote:
> > How can i create an ou or group in active directory ?
>
> Just like any other entry using the appropriate set of object classes and
> attributes.
>
> Make yourself familiar with
>
> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.add
>
> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.modify
>
> You probably want to use the synchronous methods add_s() and modify_s().
>
> Ciao, Michael.
>
>

-- 
*>>> print (" Alireza Mazare'i ")*

From michael at stroeder.com Tue Oct 14 07:57:40 2014
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 14 Oct 2014 07:57:40 +0200
Subject: [python-ldap] how to create ou or group ?
In-Reply-To:
References: <543A6D9A.2060704@stroeder.com>
Message-ID: <543CBB54.8010609@stroeder.com>

Ali Reza wrote:
> I tested another configs for attr and objects, but not work and can not
> create a ou or group ,
> can u explain more or give me some clue ?(with an example)

I won't write ready-to-use examples on this list. This would take too much of my spare time.

You should post an excerpt of your code reproducing the problem and the exception traceback, or something else describing the problem in detail. Then maybe someone will look into this.

Ciao, Michael.
From chris.dukes.aix at gmail.com Tue Oct 14 14:29:06 2014
From: chris.dukes.aix at gmail.com (Chris Dukes)
Date: Tue, 14 Oct 2014 08:29:06 -0400
Subject: [python-ldap] how to create ou or group ?
In-Reply-To:
References: <543A6D9A.2060704@stroeder.com>
Message-ID:

Ali,

Look at doing the add manually with an LDIF file and the OpenLDAP command line tools. When you figure that out you will figure out using the Python module for the same.

There are reams written on meeting prerequisites for existing structure and attributes needed for an object class. They do not belong in the documentation of a Python interface to a C API for LDAP.

On Oct 14, 2014 1:28 AM, "Ali Reza" wrote:
> I tested another configs for attr and objects, but not work and can not
> create a ou or group ,
> can u explain more or give me some clue ?(with an example)
>
> thanks alot for support.
>
> On Sun, Oct 12, 2014 at 3:31 PM, Michael Ströder wrote:
>
>> Ali Reza wrote:
>> > How can i create an ou or group in active directory ?
>>
>> Just like any other entry using the appropriate set of object classes and
>> attributes.
>>
>> Make yourself familiar with
>>
>> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.add
>>
>> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.modify
>>
>> You probably want to use the synchronous methods add_s() and modify_s().
>>
>> Ciao, Michael.
>>
>>
>>
>
>
> --
>
> *>>> print (" Alireza Mazare'i ")*
>
From ericopfusco at gmail.com Mon Nov 3 14:32:37 2014
From: ericopfusco at gmail.com (Erico Fusco)
Date: Mon, 3 Nov 2014 11:32:37 -0200
Subject: [python-ldap] Multiple Servers
Message-ID:

How does the script deal with multiple servers? Can somebody confirm the script only uses the first server configured in the uri parameter, with no failover?

Thanks,
Érico Fusco

From Jared.Clayborn at oa.mo.gov Wed Nov 26 15:45:26 2014
From: Jared.Clayborn at oa.mo.gov (Clayborn, Jared)
Date: Wed, 26 Nov 2014 14:45:26 +0000
Subject: [python-ldap] ldap.modlist.modifyModlist
Message-ID: <3CF50E558D0E2648B2E1F982F50FE77A01407BC6@SDEXMBXP0003.state.mo.us>

I have a system set up and I want to be able to remove users from a group. The group format is:

dn: cn=group1,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: group1
userpassword::secret
gidNumber: 123
memberUid: member1
...
memberUid: member10

I have the following code to delete a user from the group, but it deletes the entire list:

#!/usr/bin/python
import ldap
import ldap.modlist as modlist

l = ldap.initialize("ldap://localhost:389/")
l.simple_bind_s("cn=admin,dc=example,dc=com", "secret")

# delete from which group
GRP = raw_input('Name of group deleting from: ')
dn = 'cn=' + GRP + ',ou=Group,dc=example,dc=com'

# get member to delete
delMember = raw_input('Member uid to delete: ')
old = {'memberUid': delMember}
new = {'': ''}  # should replace the member name with a blank

ldif = modlist.modifyModlist(old, new)
l.modify_s(dn, ldif)
l.unbind_s()

I have tried multiple configurations for the old/new dicts and even modlist.modifyModlist(old,new,ignore_oldexistant=1) to no avail.

Any help would be greatly appreciated.

Thanks

Jared Clayborn
Information Technologist I
OA/ITSD - WMASS
Phone: 573-522-6364
E-Mail: Jared Clayborn
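As an added example (not code from the thread or from python-ldap), the following simulates the modify semantics that make the posted code drop every memberUid: a delete without values removes the whole attribute, a delete with one value removes only that value, and deleting a value that is not present is an error (noSuchAttribute on a real DSA). The MOD_* constants carry the same numeric values as ldap.MOD_ADD, ldap.MOD_DELETE and ldap.MOD_REPLACE, so the modlists built here can be passed unchanged to modify_s(); the in-memory directory entry and the apply function are a constructed stand-in for the server.

```python
# Added example (not from the thread, not python-ldap code): modlists for
# removing one posixGroup member versus all of them, applied to an in-memory
# entry that mimics the server-side semantics of an LDAP modify operation.

# Same values as ldap.MOD_ADD / ldap.MOD_DELETE / ldap.MOD_REPLACE.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


class NoSuchAttribute(Exception):
    """Stands in for the noSuchAttribute result a DSA returns when asked to
    delete a value or attribute that is not present on the entry."""


def remove_member_modlist(member_uid):
    """Modlist that removes exactly one memberUid value from a group.
    Values are bytes, as python-ldap 3.x expects."""
    return [(MOD_DELETE, 'memberUid', [member_uid.encode('utf-8')])]


def remove_all_members_modlist():
    """Modlist that drops the whole attribute: what the posted code ends up doing."""
    return [(MOD_DELETE, 'memberUid', None)]


def apply_modlist(entry, modlist):
    """Apply a python-ldap style modlist to {attr: [bytes, ...]} and return the
    new entry.  Constructed simulation of the modify semantics, not a server."""
    result = {attr: list(values) for attr, values in entry.items()}
    for op, attr, values in modlist:
        if op == MOD_ADD:
            result.setdefault(attr, []).extend(values)
        elif op == MOD_REPLACE:
            if values:
                result[attr] = list(values)
            else:
                result.pop(attr, None)       # replace with nothing == remove attribute
        elif op == MOD_DELETE:
            if attr not in result:
                raise NoSuchAttribute(attr)
            if not values:                   # None or []: every value goes
                del result[attr]
                continue
            for v in values:
                if v not in result[attr]:
                    raise NoSuchAttribute('%s: %r' % (attr, v))
                result[attr].remove(v)
            if not result[attr]:             # last value removed -> attribute gone
                del result[attr]
        else:
            raise ValueError('unknown modify operation %r' % (op,))
    return result


# Constructed sample group entry, shaped like the one in the question.
GROUP = {
    'objectClass': [b'posixGroup', b'top'],
    'cn': [b'group1'],
    'gidNumber': [b'123'],
    'memberUid': [b'member1', b'member2', b'member3'],
}


def demo():
    """Returns the surviving members after a single-value delete, and whether
    memberUid survives a valueless delete."""
    one_gone = apply_modlist(GROUP, remove_member_modlist('member2'))
    all_gone = apply_modlist(GROUP, remove_all_members_modlist())
    return one_gone['memberUid'], 'memberUid' in all_gone


if __name__ == '__main__':
    print(demo())   # ([b'member1', b'member3'], False)
```

With a live connection the call is simply `l.modify_s(dn, remove_member_modlist(delMember))`; the replace-with-blank variant has no equivalent the server can interpret, which is why Joseph asks below how the DSA should read an empty attribute type.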
From jcasale at activenetwerx.com Wed Nov 26 19:13:46 2014
From: jcasale at activenetwerx.com (Joseph L. Casale)
Date: Wed, 26 Nov 2014 18:13:46 +0000
Subject: [python-ldap] ldap.modlist.modifyModlist
In-Reply-To: <3CF50E558D0E2648B2E1F982F50FE77A01407BC6@SDEXMBXP0003.state.mo.us>
References: <3CF50E558D0E2648B2E1F982F50FE77A01407BC6@SDEXMBXP0003.state.mo.us>
Message-ID: <1417025626901.45226@activenetwerx.com>

> #should replace the member name with a blank
> ldif = modlist.modifModlist(old,new)
> l.modify_s(dn,ldif)
>
> l.unbind_s()
>
>
> I have tried multiple configurations for the old/new dicts and even modlist.modifyModlist(old,new,ignore_oldexistant=1) to no avail.
> Any help would be greatly appreciated.
> Thanks

Not sure a replace makes sense? How does the DSA interpret an empty attribute type which indicates a member?

You want a delete, and specify the value for that attribute type or you will remove all occurrences.

jlc

From jcasale at activenetwerx.com Thu Nov 27 00:13:30 2014
From: jcasale at activenetwerx.com (Joseph L. Casale)
Date: Wed, 26 Nov 2014 23:13:30 +0000
Subject: [python-ldap] ldap.modlist.modifyModlist
In-Reply-To: <3CF50E558D0E2648B2E1F982F50FE77A01407F02@SDEXMBXP0003.state.mo.us>
References: <3CF50E558D0E2648B2E1F982F50FE77A01407BC6@SDEXMBXP0003.state.mo.us> <1417025626901.45226@activenetwerx.com>, <3CF50E558D0E2648B2E1F982F50FE77A01407F02@SDEXMBXP0003.state.mo.us>
Message-ID: <1417043609946.35927@activenetwerx.com>

> Thanks for responding, and I appreciate the nudge in the right direction. Unfortunately, I am new to both ldap and python, so I'm not quite sure where to go. If it should be a delete, should it be similar to the form
>
> deleteDN = 'memberUid='+member1+',cn='+GRP+',ou=Group,dc=example,dc=com'
>
> l.delete_s(deleteDN)?
>
> If I'm asking too much, I apologize.

Nothing to apologize for. You don't want to delete a DN, you want to modify an object and delete a single value for a given attribute type.
http://www.python-ldap.org/doc/html/ldap.html?highlight=modify#ldap.LDAPObject.modify_s

You know the dn (the group), now construct the modlist. Use the modlist facility:

http://www.python-ldap.org/doc/html/ldap-modlist.html#module-ldap.modlist

maybe something like

[(MOD_DELETE, 'memberUid', ['the_member_dn'])]

Just be aware in this case, if you do not specify a member, or list of members, you drop the entire multivalued attribute type. Probably not what you want...

jlc

From michael at stroeder.com Fri Dec 12 11:42:46 2014
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 12 Dec 2014 11:42:46 +0100
Subject: [python-ldap] SimplePagedResultsControl
Message-ID: <548AC6A6.5080605@stroeder.com>

Hi!

I'd like to hear opinions.

The current implementation of SimplePagedResultsControl relies on some (unmaintained) C code:

Modules/ldapcontrol.c functions encode_rfc2696() and decode_rfc2696()

It seems that decode_rfc2696() returns the wrong 'size' extracted from the response control value.

To verify the bug I've implemented a pure Python control class ldap.controls.pagedresults.SimplePagedResultsControl which is actually a drop-in replacement for ldap.controls.libldap.SimplePagedResultsControl and seems to work (interop tests with OpenLDAP and MS AD).

Currently ldap.controls imports libldap.SimplePagedResultsControl as default. I'm inclined to change that and even remove the old implementation completely. But this would mean that a dependency on pyasn1 is introduced for code using class SimplePagedResultsControl.

So the question boils down to: How many of you are using python-ldap with SimplePagedResultsControl without installing pyasn1?

Note that without pyasn1 many LDAPv3 extended controls in python-ldap cannot be used anyway.

Ciao, Michael.
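The value that encode_rfc2696()/decode_rfc2696() handle is the small BER structure from RFC 2696, SEQUENCE { size INTEGER, cookie OCTET STRING }. The following is an added example, not python-ldap's C code and not the pyasn1-based class Michael mentions: a standard-library-only encoder and decoder for that value, useful for checking by hand what a server actually returned when a decoder's 'size' looks wrong. The sample sizes and cookie bytes are constructed.

```python
# Added example (not python-ldap code): BER encode/decode of the Simple Paged
# Results control value from RFC 2696, i.e. what encode_rfc2696() and
# decode_rfc2696() in Modules/ldapcontrol.c are responsible for.
#
#   realSearchControlValue ::= SEQUENCE {
#       size    INTEGER,        -- requested page size / server's estimate
#       cookie  OCTET STRING }  -- empty cookie marks the last page

PAGED_RESULTS_OID = '1.2.840.113556.1.4.319'   # control type defined in RFC 2696


def ber_length(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value):
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    if value < 0:
        raise ValueError('size must be non-negative')
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), 'big')
    if body[0] & 0x80:            # high bit set would read as negative: prepend 0x00
        body = b'\x00' + body
    return body


def encode_paged_control_value(size, cookie=b''):
    return tlv(0x30, tlv(0x02, ber_integer(size)) + tlv(0x04, cookie))


def read_tlv(buf, pos, expected_tag):
    """Return (content, next_pos) for the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError('truncated TLV at offset %d' % pos)
    if buf[pos] != expected_tag:
        raise ValueError('expected tag 0x%02x at offset %d, got 0x%02x'
                         % (expected_tag, pos, buf[pos]))
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:              # long form: low 7 bits = number of length octets
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError('indefinite or truncated length encoding')
        length = int.from_bytes(buf[pos:pos + nbytes], 'big')
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError('value runs past end of buffer')
    return buf[pos:pos + length], pos + length


def decode_paged_control_value(value):
    """Parse a control value into (size, cookie); rejects trailing garbage."""
    seq, end = read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError('trailing bytes after SEQUENCE')
    size_bytes, pos = read_tlv(seq, 0, 0x02)
    cookie, pos = read_tlv(seq, pos, 0x04)
    if pos != len(seq):
        raise ValueError('unexpected extra element in SEQUENCE')
    size = int.from_bytes(size_bytes, 'big', signed=True)
    if size < 0:
        raise ValueError('negative size in control value')
    return size, cookie


if __name__ == '__main__':
    raw = encode_paged_control_value(500)          # constructed request: page of 500
    print(raw.hex())                               # 3006020201f40400
    print(decode_paged_control_value(raw))         # (500, b'')
```

Two cases worth keeping in mind when comparing against a C decoder: a size of 128 or more is encoded with a leading 0x00 octet, and a cookie longer than 127 bytes forces the long-form length on the enclosing SEQUENCE.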
From space at wechall.net Tue Dec 16 14:03:26 2014
From: space at wechall.net (Space One)
Date: Tue, 16 Dec 2014 14:03:26 +0100
Subject: [python-ldap] function for escaping/validation of attribute name
Message-ID: <54902D9E.8050804@wechall.net>

Hello,

Currently there is no function to properly escape or validate attribute names. Using e.g. ldap.filter.filter_format can produce broken ldap filters and ldap search string injections.

######## code snippet #############
import ldap
import ldap.filter

lo = ldap.initialize(uri)
lo.simple_bind_s(binddn, bindpw)

user_input = 'MyAttributeInput|*&'
filter = ldap.filter.filter_format('%s=%s', [user_input, '*'])

lo.search_ext_s('dc=foo,dc=bar', ldap.SCOPE_BASE, filter)
###############################
→ raises (of course) FILTER_ERROR: {'desc': 'Bad search filter'}

How can I protect against user search string injections? My current attempt is to strip out everything which does not fulfill the python-regex r'^[\w\d\-;]+$'. I am not sure if this is valid; it protects for the first time. Related to the attribute syntax I only found: https://www.ietf.org/rfc/rfc2252.txt

There seems not to be a function in python-ldap which covers this use case.

best regards
Space

From jdennis at redhat.com Tue Dec 16 15:42:34 2014
From: jdennis at redhat.com (John Dennis)
Date: Tue, 16 Dec 2014 09:42:34 -0500
Subject: [python-ldap] function for escaping/validation of attribute name
In-Reply-To: <54902D9E.8050804@wechall.net>
References: <54902D9E.8050804@wechall.net>
Message-ID: <549044DA.5090507@redhat.com>

On 12/16/2014 08:03 AM, Space One wrote:
> Hello,
>
> Currently there is no function to properly escape or validate attribute
> names. Using e.g. ldap.filter.filter_format can e.g. produce broken ldap
> filter and ldap search string injections.
>
> ######## code snippet #############
> import ldap
> import ldap.filter
>
> lo = ldap.initialize(uri)
> lo.simple_bind_s(binddn, bindpw)
>
> user_input = 'MyAttributeInput|*&'
> filter = ldap.filter.filter_format('%s=%s', [user_input, '*'])
>
> lo.search_ext_s('dc=foo,dc=bar', ldap.SCOPE_BASE, filter)
> ###############################
> → raises (of course) FILTER_ERROR: {'desc': 'Bad search filter'}
>
> How can I protect against user search string injections?
> My current attempt is to strip out everything which does not fulfill the
> python-regex r'^[\w\d\-;]+$'.
> I am not sure if this is valid, it protects for the first time. Related
> to the attribute syntax I only found: https://www.ietf.org/rfc/rfc2252.txt
>
> There seems not to be a function in python-ldap which covers this use case.

ldap.filter.escape_filter_chars()

http://www.python-ldap.org/doc/html/ldap-filter.html

-- 
John

From space at wechall.net Tue Dec 16 15:46:38 2014
From: space at wechall.net (Space One)
Date: Tue, 16 Dec 2014 15:46:38 +0100
Subject: [python-ldap] function for escaping/validation of attribute name
In-Reply-To: <549044DA.5090507@redhat.com>
References: <54902D9E.8050804@wechall.net> <549044DA.5090507@redhat.com>
Message-ID: <549045CE.9040405@wechall.net>

Hello John,

yes, I am aware of this function, but the function works only for the ldap filter value and not for the attribute name. Internally ldap.filter.filter_format() already uses ldap.filter.escape_filter_chars(). I will still receive a FILTER_ERROR when using e.g. '%s=%s' % (ldap.filter.escape_filter_chars(attributename), '*').

On 16.12.2014 at 15:42, John Dennis wrote:
> On 12/16/2014 08:03 AM, Space One wrote:
>> Hello,
>>
>> Currently there is no function to properly escape or validate attribute
>> names. Using e.g. ldap.filter.filter_format can e.g. produce broken ldap
>> filter and ldap search string injections.
>>
>> ######## code snippet #############
>> import ldap
>> import ldap.filter
>>
>> lo = ldap.initialize(uri)
>> lo.simple_bind_s(binddn, bindpw)
>>
>> user_input = 'MyAttributeInput|*&'
>> filter = ldap.filter.filter_format('%s=%s', [user_input, '*'])
>>
>> lo.search_ext_s('dc=foo,dc=bar', ldap.SCOPE_BASE, filter)
>> ###############################
>> → raises (of course) FILTER_ERROR: {'desc': 'Bad search filter'}
>>
>> How can I protect against user search string injections?
>> My current attempt is to strip out everything which does not fulfill the
>> python-regex r'^[\w\d\-;]+$'.
>> I am not sure if this is valid, it protects for the first time. Related
>> to the attribute syntax I only found: https://www.ietf.org/rfc/rfc2252.txt
>>
>> There seems not to be a function in python-ldap which covers this use case.
> ldap.filter.escape_filter_chars()
>
> http://www.python-ldap.org/doc/html/ldap-filter.html
>
>

From jdennis at redhat.com Tue Dec 16 17:12:49 2014
From: jdennis at redhat.com (John Dennis)
Date: Tue, 16 Dec 2014 11:12:49 -0500
Subject: [python-ldap] function for escaping/validation of attribute name
In-Reply-To: <549045CE.9040405@wechall.net>
References: <54902D9E.8050804@wechall.net> <549044DA.5090507@redhat.com> <549045CE.9040405@wechall.net>
Message-ID: <54905A01.5080403@redhat.com>

On 12/16/2014 09:46 AM, Space One wrote:
> Hello John,
>
> yes, I am aware of this function but the function works only for the
> ldap filter value and not for the attribute name. Internally
> ldap.filter.filter_format() uses already ldap.filter.escape_filter_chars().
> If will still receive a FILTER_ERROR when using e.g. '%s=%s' %
> (ldap.filter.escape_filter_chars(attributename), '*').

Sorry, I missed the fact you were trying to escape the attribute type (i.e. the name of the attribute). To the best of my knowledge there is no such concept. Either the attribute type is legal or it's not. The RFC you pointed to specifies the legal string format.
You need to write a regular expression that validates that format, and if the user input does not match you need to raise an error.

Off the top of my head I think it would look like this (not tested):

import re

attr_type_re = re.compile(r'^[a-z][a-z0-9;-]*$', re.IGNORECASE)

if attr_type_re.search(user_input) is None:
    raise ValueError("Invalid LDAP attribute name: %s" % user_input)

It's also legal to specify an attribute type using an OID, which is a sequence of non-negative integers separated by a dot. I'll leave the construction of that regular expression as an exercise should you wish to also allow the use of OIDs.

> On 16.12.2014 at 15:42, John Dennis wrote:
>> On 12/16/2014 08:03 AM, Space One wrote:
>>> Hello,
>>>
>>> Currently there is no function to properly escape or validate attribute
>>> names. Using e.g. ldap.filter.filter_format can e.g. produce broken ldap
>>> filter and ldap search string injections.
>>>
>>> ######## code snippet #############
>>> import ldap
>>> import ldap.filter
>>>
>>> lo = ldap.initialize(uri)
>>> lo.simple_bind_s(binddn, bindpw)
>>>
>>> user_input = 'MyAttributeInput|*&'
>>> filter = ldap.filter.filter_format('%s=%s', [user_input, '*'])
>>>
>>> lo.search_ext_s('dc=foo,dc=bar', ldap.SCOPE_BASE, filter)
>>> ###############################
>>> → raises (of course) FILTER_ERROR: {'desc': 'Bad search filter'}
>>>
>>> How can I protect against user search string injections?
>>> My current attempt is to strip out everything which does not fulfill the
>>> python-regex r'^[\w\d\-;]+$'.
>>> I am not sure if this is valid, it protects for the first time. Related
>>> to the attribute syntax I only found: https://www.ietf.org/rfc/rfc2252.txt
>>>
>>> There seems not to be a function in python-ldap which covers this use case.
>> ldap.filter.escape_filter_chars()
>>
>> http://www.python-ldap.org/doc/html/ldap-filter.html
>>
>>
>

-- 
John

From Jared.Clayborn at oa.mo.gov Tue Dec 16 18:15:51 2014
From: Jared.Clayborn at oa.mo.gov (Clayborn, Jared)
Date: Tue, 16 Dec 2014 17:15:51 +0000
Subject: [python-ldap] user not found
Message-ID: <3CF50E558D0E2648B2E1F982F50FE77A0141A5DA@SDEXMBXP0003.state.mo.us>

Hello everyone!

Sorry to bother you guys, but I've run into a small problem and I can't seem to find anything on Google. Might just be typing the wrong thing in, but it's yielding no real response.

I am running openldap on RHEL 6 to auth CVS and ViewVC, and everything seems to be working well, for the most part. Users are able to ssh in and even access the repos. I have an account where I have added myself to two groups. These two groups are assigned to different repos. I can access both repos and check out items as needed, but when I use ViewVC, one lets me in and the other doesn't. I pulled up the error logs and got the error "user jclayborn not found."

Access to ViewVC is being managed by the files group1.conf and group2.conf and, with the exception of the AuthName, the GID in "Require ldap-attribute gidNumber" and the DN in "Require ldap-group...", they are written the same. In fact, group2 was copied from group1 and I changed those three lines.

Any help would be appreciated, because I'm at a loss.

Thanks!

From Jared.Clayborn at oa.mo.gov Tue Dec 16 21:19:37 2014
From: Jared.Clayborn at oa.mo.gov (Clayborn, Jared)
Date: Tue, 16 Dec 2014 20:19:37 +0000
Subject: [python-ldap] user not found
In-Reply-To: <3CF50E558D0E2648B2E1F982F50FE77A0141A5DA@SDEXMBXP0003.state.mo.us>
References: <3CF50E558D0E2648B2E1F982F50FE77A0141A5DA@SDEXMBXP0003.state.mo.us>
Message-ID: <3CF50E558D0E2648B2E1F982F50FE77A0141A644@SDEXMBXP0003.state.mo.us>

Thanks for looking into this guys, but we found the answer.
I had forgotten to restart httpd after changing my config file. ALWAYS RESTART HTTPD WHEN CHANGING CONFIG FILES!

Sorry if I wasted anybody's time.

From: python-ldap [mailto:python-ldap-bounces+jared.clayborn=oa.mo.gov at python.org] On Behalf Of Clayborn, Jared
Sent: Tuesday, December 16, 2014 11:16 AM
To: python-ldap at python.org
Subject: [python-ldap] user not found

Hello everyone!

Sorry, to bother you guys but I've run into a small problem, and I can't seem to find anything on Google. Might just be typing the wrong thing in, but yielding no real response.

I am running openldap on RHEL 6 to auth CVS and ViewVC, and everything seems to be working well, for the most part. Users are able to ssh in even access the repos. I have an account where I have added myself to two groups. These two groups are assigned to different repos. I can access both repos and checkout items as needed, but when I use ViewVC, one lets me in and the other doesn't. I pulled up the error logs and got the error "user jclayborn not found."

Access to ViewVC is being managed by the files group1.conf and group2.conf and, with the exception of the AuthName, the GID in "Require ldap-attribute gidNumber" and the DN in "Require ldap-group..." they are written the same. In fact, group2 was copied from group1 and I changed those three lines.

Any help would be appreciated, because I'm at a loss.

Thanks!

From michael at stroeder.com Tue Dec 16 19:51:48 2014
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 16 Dec 2014 19:51:48 +0100
Subject: [python-ldap] function for escaping/validation of attribute name
In-Reply-To: <54902D9E.8050804@wechall.net>
References: <54902D9E.8050804@wechall.net>
Message-ID: <54907F44.3030401@stroeder.com>

Space One wrote:
> filter = ldap.filter.filter_format('%s=%s', [user_input, '*'])

You're misusing these functions.

1. ldap.filter.escape_filter_chars() was never meant to escape anything other than the AttributeValueAssertion defined in RFC 4515, especially since there are several modes of escaping. At least escape_mode=2 would certainly break AttributeDescription (see RFC 4515).

Examples:

>>> ldap.filter.escape_filter_chars('foo',escape_mode=0)
'foo'
>>> ldap.filter.escape_filter_chars('foo',escape_mode=1)
'foo'
>>> ldap.filter.escape_filter_chars('foo',escape_mode=2)
>>> ldap.filter.escape_filter_chars('foo-bar;binary',escape_mode=0)
'foo-bar;binary'
>>> ldap.filter.escape_filter_chars('foo-bar;binary',escape_mode=1)
'foo\\2dbar;binary'
>>> ldap.filter.escape_filter_chars('foo-bar;binary',escape_mode=2)
'\\66\\6f\\6f\\2d\\62\\61\\72\\3b\\62\\69\\6e\\61\\72\\79'

2. Nevertheless ldap.filter.filter_format() (currently always using escape_mode=0) does exactly what you're telling it to do; it correctly escapes the '*':

>>> ldap.filter.filter_format('(%s=%s)', ['foo', '*'])
'(foo=\\2a)'

If you'd like to construct a filter like '(foo=*)' you would have to use:

>>> ldap.filter.filter_format('(%s=*)', ['foo'])
'(foo=*)'

3. You should always have decent input validation anyway. Read the RFCs for what's valid where.

Ciao, Michael.

From space at wechall.net Thu Dec 18 22:12:07 2014
From: space at wechall.net (SpaceOne)
Date: Thu, 18 Dec 2014 22:12:07 +0100
Subject: [python-ldap] function for escaping/validation of attribute name
In-Reply-To: <54905A01.5080403@redhat.com>
References: <54902D9E.8050804@wechall.net> <549044DA.5090507@redhat.com> <549045CE.9040405@wechall.net> <54905A01.5080403@redhat.com>
Message-ID: <54934327.7080608@wechall.net>

Hello John,

thanks a lot, your answer is exactly what I was searching for!

Hello Michael,

Thanks, I understood your point. The solution from John helped me.
Best regards
Space One

On 16.12.2014 17:12, John Dennis wrote:
> On 12/16/2014 09:46 AM, Space One wrote:
>> Hello John,
>>
>> yes, I am aware of this function but the function works only for the
>> ldap filter value and not for the attribute name. Internally
>> ldap.filter.filter_format() uses already ldap.filter.escape_filter_chars().
>> If will still receive a FILTER_ERROR when using e.g. '%s=%s' %
>> (ldap.filter.escape_filter_chars(attributename), '*').
> Sorry, I missed the fact you were trying to escape the attribute type
> (i.e. the name of the attribute). To the best of my knowledge there is
> no such concept. Either the attribute type is legal or it's not. The RFC
> you pointed specifies the legal string format. You need to write a
> regular expression that validates that format and if the user input does
> not match you need to raise an error.
>
> Off the top of my head I think it would look like this (not tested):
>
> attr_type_re = re.compile(r'^[a-z][a-z0-9;-]*$', re.IGNORECASE)
>
> if attr_type_re.search(user_input) is None:
>     raise ValueError("Invalid LDAP attribute name: %s" % user_input)
>
> It's also legal to specify an attribute type using an OID which is a
> sequence of non-negative integers separated by a dot. I'll leave the
> construction of that regular expression as an exercise should you wish
> to also allow the use of OID's.
>
>> On 16.12.2014 at 15:42, John Dennis wrote:
>>> On 12/16/2014 08:03 AM, Space One wrote:
>>>> Hello,
>>>>
>>>> Currently there is no function to properly escape or validate attribute
>>>> names. Using e.g. ldap.filter.filter_format can e.g. produce broken ldap
>>>> filter and ldap search string injections.
>>>>
>>>> ######## code snippet #############
>>>> import ldap
>>>> import ldap.filter
>>>>
>>>> lo = ldap.initialize(uri)
>>>> lo.simple_bind_s(binddn, bindpw)
>>>>
>>>> user_input = 'MyAttributeInput|*&'
>>>> filter = ldap.filter.filter_format('%s=%s', [user_input, '*'])
>>>>
>>>> lo.search_ext_s('dc=foo,dc=bar', ldap.SCOPE_BASE, filter)
>>>> ###############################
>>>> → raises (of course) FILTER_ERROR: {'desc': 'Bad search filter'}
>>>>
>>>> How can I protect against user search string injections?
>>>> My current attempt is to strip out everything which does not fulfill the
>>>> python-regex r'^[\w\d\-;]+$'.
>>>> I am not sure if this is valid, it protects for the first time. Related
>>>> to the attribute syntax I only found: https://www.ietf.org/rfc/rfc2252.txt
>>>>
>>>> There seems not to be a function in python-ldap which covers this use case.
>>> ldap.filter.escape_filter_chars()
>>>
>>> http://www.python-ldap.org/doc/html/ldap-filter.html
>>>
>>>
>

From kev.smith at uk.bnpparibas.com Tue Dec 23 17:23:40 2014
From: kev.smith at uk.bnpparibas.com (Kev SMITH)
Date: Tue, 23 Dec 2014 16:23:40 +0000
Subject: [python-ldap] Is it possible to bind using a kerberos keytab
Message-ID: <387DA264871BE742972A79C3684DB29B35C4055B@LONS00110044.mercury.intra>

RH 6.5
Python 2.6.8
ldap 2.3.12

I am trying to bind to Windows 2003 AD using a keytab. My code successfully initialises the keytab and the ldap options, but I just cannot seem to get the bind to work using a keytab.

Is this type of authentication supported?
>>
import ldap
import subprocess
import sys

kinit = 'a path to kinit'
kinitopt = '-kt'
keytab = 'a path to a keytab'
svca = 'a windows account'

kinit_args = [ kinit, kinitopt, keytab, svca ]
#print ' '.join(kinit_args)

kinit = subprocess.Popen(kinit_args, stderr = subprocess.PIPE)
output,error = kinit.communicate()
if not kinit.returncode == 0:
    if error:
        print error.rstrip()
    sys.exit(kinit.returncode)

# I have a keytab loaded at this point

ad = ldap.initialize('ldap://mydomain.acme.com')
ad.protocol_version = 3
ad.set_option(ldap.OPT_REFERRALS, 0)
ad.set_option(ldap.OPT_DEBUG_LEVEL, 255)

ad.bind()    <-------------------------------------- how to bind using the keytab at this point?
<<

Any pointers appreciated - thanks!

Kev.S

___________________________________________________________
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is prohibited.

Please refer to http://www.bnpparibas.co.uk/en/email-disclaimer/ for additional disclosures.

From python at spahan.ch Wed Dec 24 09:44:41 2014
From: python at spahan.ch (python at spahan.ch)
Date: Wed, 24 Dec 2014 09:44:41 +0100
Subject: [python-ldap] Is it possible to bind using a kerberos keytab
In-Reply-To: <387DA264871BE742972A79C3684DB29B35C4055B@LONS00110044.mercury.intra>
References: <387DA264871BE742972A79C3684DB29B35C4055B@LONS00110044.mercury.intra>
Message-ID: <1419410681.14574.0.camel@spahan.ch>

Disclaimer: I don't use AD, but MIT kerberos and redhat-directory-server.

This assumes the kerberos kinit was already done correctly (your code looks like it should work).

> import ldap.sasl
> [ ... ]
> auth_tokens = ldap.sasl.gssapi()
> conn = ldap.initialize('%s://%s' %(self.config.ldapproto, testserv))
> if conn.sasl_interactive_bind_s('', auth_tokens) == 0:
>     [ ... do something with the connection ]

Greetings
Hanspeter

On Tue, 2014-12-23 at 16:23 +0000, Kev SMITH wrote:
> RH 6.5
> Python 2.6.8
> ldap 2.3.12
>
> I am trying to bind to windows 2003 AD using a keytab - my code successfully initialises the keytab, the ldap options but I just can not seem to get the bind to work using a keytab.
> Is this type of authentication supported?
>
> >>
> kinit = 'a path to kinit'
> kinitopt = '-kt'
> keytab = 'a path to a keytab'
> svca = 'a windows account'
>
> kinit_args = [ kinit, kinitopt, keytab, svca ]
> #print ' '.join(kinit_args)
>
> kinit = subprocess.Popen(kinit_args, stderr = subprocess.PIPE)
> output,error = kinit.communicate()
> if not kinit.returncode == 0:
>     if error:
>         print error.rstrip()
>     sys.exit(kinit.returncode)
>
> # I have a keytab loaded at this point
>
> ad = ldap.initialize('ldap://mydomain.acme.com')
> ad.protocol_version = 3
> ad.set_option(ldap.OPT_REFERRALS, 0)
> ad.set_option(ldap.OPT_DEBUG_LEVEL, 255)
>
> ad.bind()    <-------------------------------------- how to bind using the keytab at this point?
> <<
>
> Any pointers appreciated - thanks!
>
> Kev.S
From jdennis at redhat.com Wed Dec 24 15:30:00 2014
From: jdennis at redhat.com (John Dennis)
Date: Wed, 24 Dec 2014 09:30:00 -0500
Subject: [python-ldap] Is it possible to bind using a kerberos keytab
In-Reply-To: <387DA264871BE742972A79C3684DB29B35C4055B@LONS00110044.mercury.intra>
References: <387DA264871BE742972A79C3684DB29B35C4055B@LONS00110044.mercury.intra>
Message-ID: <549ACDE8.9010509@redhat.com>

I believe you need to have the KRB5CCNAME environment variable set to the location of your ccache file. The library code looks for KRB5CCNAME in the process's environment variables in order to locate your krb credentials.

--
John

From mailinglist0 at skurfer.com Wed Dec 24 20:07:00 2014
From: mailinglist0 at skurfer.com (Rob McBroom)
Date: Wed, 24 Dec 2014 14:07:00 -0500
Subject: [python-ldap] Is it possible to bind using a kerberos keytab
In-Reply-To: <387DA264871BE742972A79C3684DB29B35C4055B@LONS00110044.mercury.intra>
References: <387DA264871BE742972A79C3684DB29B35C4055B@LONS00110044.mercury.intra>
Message-ID:

On 23 Dec 2014, at 11:23, Kev SMITH wrote:

> I am trying to bind to windows 2003 AD using a keytab - my code
> successfully initialises the keytab, the ldap options but I just can
> not seem to get the bind to work using a keytab.
> Is this type of authentication supported?

Yes. I used to use it all the time, and while it would work with something like MIT Kerberos, I could never get it to work against AD. (We were on 2008. You might have better luck with 2003.)

I think the bit you're asking about is

    auth_tokens = ldap.sasl.gssapi()
    adconn.sasl_interactive_bind_s('', auth_tokens)

That will use an existing Kerberos ticket. (Don't ask me how, because the `auth_tokens` object is identical with or without a ticket.)

Here's a full script I had when I was trying to troubleshoot the AD problems. The first call to `whoami` returned my DN from AD, so I know the bind worked, but as soon as I tried to do something (like search) it would fail and the second call to `whoami` would no longer return my DN.

#!/usr/bin/env python
# encoding: utf-8

import ldap
import ldap.sasl
from pprint import pprint

last = 'McBroom'

adconn = ldap.initialize('ldap://employer.com')
ldap.set_option(ldap.OPT_REFERRALS, 1)
ldap.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
auth_tokens = ldap.sasl.gssapi()
adconn.sasl_interactive_bind_s('', auth_tokens)
# first whoami: returned my DN, so the GSSAPI bind itself worked
print adconn.whoami_s()
ad_search = adconn.search_s(
    'dc=employer,dc=com',
    ldap.SCOPE_SUBTREE,
    '(sn=%s)' % last,
    ['sAMAccountName', 'userPrincipalName']
)
# second whoami: after the search this no longer returned my DN
print adconn.whoami_s()
for (dn, attrs) in ad_search:
    pprint(attrs['sAMAccountName'][0])

Good luck.

--
Rob McBroom
http://www.skurfer.com/

From michael at stroeder.com Thu Dec 25 12:34:37 2014
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 25 Dec 2014 12:34:37 +0100
Subject: [python-ldap] Is it possible to bind using a kerberos keytab
In-Reply-To:
References: <387DA264871BE742972A79C3684DB29B35C4055B@LONS00110044.mercury.intra>
Message-ID: <549BF64D.6040500@stroeder.com>

Rob McBroom wrote:
> On 23 Dec 2014, at 11:23, Kev SMITH wrote:
>
>> I am trying to bind to windows 2003 AD using a keytab - my code successfully
>> initialises the keytab, the ldap options but I just can not seem to get the
>> bind to work using a keytab.
>> Is this type of authentication supported?
>
> Yes. I used to use it all the time, and while it would work with something
> like MIT Kerberos, I could never get it to work against AD. (We were on 2008.
> You might have better luck with 2003.)

I can confirm that this simply works provided your Kerberos setup is correct at client and server side. With MS AD you have to carefully examine DNS entries. Most times bad DNS entries are the culprit for non-functional Kerberos.
> auth_tokens = ldap.sasl.gssapi()
> adconn.sasl_interactive_bind_s('', auth_tokens)
>
> That will use an existing Kerberos ticket. (Don't ask me how, because the
> `auth_tokens` object is identical with or without a ticket.)

Mainly the SASL library does all the magic under the hood if you have the GSSAPI SASL plugin module installed.

Ciao, Michael.

From kev.smith at uk.bnpparibas.com Tue Dec 30 13:43:56 2014
From: kev.smith at uk.bnpparibas.com (Kev SMITH)
Date: Tue, 30 Dec 2014 12:43:56 +0000
Subject: [python-ldap] Is it possible to bind using a kerberos keytab
In-Reply-To: <549BF64D.6040500@stroeder.com>
References: <387DA264871BE742972A79C3684DB29B35C4055B@LONS00110044.mercury.intra> <549BF64D.6040500@stroeder.com>
Message-ID: <387DA264871BE742972A79C3684DB29B35C40D84@LONS00110044.mercury.intra>

Rob/Michael

Thanks for your replies this far. Some more info which will assist in this challenge...

(a) Kerberos environment is provided by centrify.com and it's 'server suite standard edition'

1. Kerberos V5 keytab auth is working fine outside of python ldap

# klist -fae
klist: No credentials cache found (ticket cache KCM:0)
root at buddy:/home/kev# /usr/share/centrifydc/bin/ldapsearch -YGSSAPI -Q -H ldap://buddy.com -b "dc=com, dc=buddy" "(&(objectclass=user)(displayname=BUDDYSVCA))"
ldap_sasl_interactive_bind_s: unknown LDAP result code (-50)
        additional info: SASL(-1): generic failure:

# /usr/share/centrifydc/kerberos/bin/kinit -kt /etc/buddy.keytab SVC.UX.BUDDY
# klist -fae
Ticket cache: KCM:0
Default principal: SVC.UX.BUDDY at BUDDY.COM

Valid starting     Expires            Service principal
12/30/14 12:07:21  12/30/14 22:07:21  krbtgt/BUDDY.COM at BUDDY.COM
        renew until 12/31/14 12:07:21, Flags: RIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
        Addresses: (none)

# /usr/share/centrifydc/bin/ldapsearch -YGSSAPI -Q -LLL -H ldap://buddy.com -b "dc=buddy,dc=com" "(&(objectclass=user)(displayname= SVC.UX.BUDDY))"
dn: CN= SVC.UX.BUDDY,OU=XX,OU=XX,OU=XX,OU=XX,DC=buddy,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user

2. I took Rob's test script and ran it through python interactive

Python 2.6.6 (r266:84292, Nov 21 2013, 10:50:32)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap, ldap.sasl, subprocess, sys
>>> kinit = '/usr/share/centrifydc/kerberos/bin/kinit'
>>> kinitopt = '-kt'
>>> keytab = '/etc/buddy.keytab'
>>> svca = 'SVC.UX.BUDDY'
>>>
>>> kinit_args = [ kinit, kinitopt, keytab, svca ]
>>> kinit = subprocess.Popen(kinit_args)
>>> output,error = kinit.communicate()
>>> print output
None
>>> print error
None
>>> adconn = ldap.initialize('ldap://buddy.com',trace_level=1)
*** ldap://buddy.com - SimpleLDAPObject.set_option ((17, 3), {})
>>> ldap.set_option(ldap.OPT_REFERRALS, 1)
>>> ldap.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
>>> auth_tokens = ldap.sasl.gssapi()
>>> adconn.sasl_interactive_bind_s('', auth_tokens)
*** ldap://buddy.comn - SimpleLDAPObject.sasl_interactive_bind_s (('', , None, None, 2), {})
Traceback (most recent call last):
  File "", line 1, in
  File "/usr/lib64/python2.6/site-packages/python_ldap-2.4.18-py2.6-linux-x86_64.egg/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python2.6/site-packages/python_ldap-2.4.18-py2.6-linux-x86_64.egg/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)', 'desc': 'Local error'}
>>> from subprocess import call
>>> call(['/usr/share/centrifydc/kerberos/bin/klist','-fae'])
Ticket cache: KCM:0
Default principal: SVC.UX.BUDDY at BUDDY.COM

Valid starting     Expires            Service principal
12/30/14 11:57:42  12/30/14 21:57:42  krbtgt/BUDDY.COM at BUDDY.COM
        renew until 12/31/14 11:57:42, Flags: RIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
        Addresses: (none)
0
>>> adconn.sasl_interactive_bind_s('', auth_tokens)
*** ldap://euro.net.intra - SimpleLDAPObject.sasl_interactive_bind_s (('', , None, None, 2), {})
Traceback (most recent call last):
  File "", line 1, in
  File "/usr/lib64/python2.6/site-packages/python_ldap-2.4.18-py2.6-linux-x86_64.egg/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python2.6/site-packages/python_ldap-2.4.18-py2.6-linux-x86_64.egg/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)', 'desc': 'Local error'}
>>>

So - as you can see in example (1) the GSSAPI layer/keytab authentication appears to be working. However in example (2) the python ldap sasl_interactive_bind_s is failing even though there is a valid ticket.

Is it possible the python-ldap [2.4.18] does not support KCM [Kerberos V5 in memory tickets] or requires rebuilding against the centrify Kerberos LIB's?

My end goal is to be able to use python-ldap [2.4.18] to bind using SASL/keytabs with Microsoft AD running on Windows 2003 so that I can read and [eventually] write data - However - Rob's previous comments saying he never got it to work concern me.

Any other pointers/ideas?

Kev
From michael at stroeder.com Tue Dec 30 18:33:02 2014
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 30 Dec 2014 18:33:02 +0100
Subject: [python-ldap] Is it possible to bind using a kerberos keytab
In-Reply-To: <387DA264871BE742972A79C3684DB29B35C40D84@LONS00110044.mercury.intra>
References: <387DA264871BE742972A79C3684DB29B35C4055B@LONS00110044.mercury.intra> <549BF64D.6040500@stroeder.com> <387DA264871BE742972A79C3684DB29B35C40D84@LONS00110044.mercury.intra>
Message-ID: <54A2E1CE.1040405@stroeder.com>

Kev SMITH wrote:
> (a) Kerberos environment is provided by centrify.com and it's 'server suite standard edition'

Hmmpf! Proprietary 3rd-party tools...

> 1. Kerberos V5 keytab auth is working fine outside of python ldap
>
> # klist -fae
> klist: No credentials cache found (ticket cache KCM:0)
> root at buddy:/home/kev# /usr/share/centrifydc/bin/ldapsearch -YGSSAPI -Q -H ldap://buddy.com -b "dc=com, dc=buddy" "(&(objectclass=user)(displayname=BUDDYSVCA))"
> ldap_sasl_interactive_bind_s: unknown LDAP result code (-50)
>         additional info: SASL(-1): generic failure:

Seeing the path names I suspect that this proprietary software comes with its completely separate software stack (Kerberos, SASL and LDAP libs) and that your python-ldap installation knows nothing about it.

You can check with

  ldd /path/to/_ldap.so

which libs python-ldap gets linked to.

So you would have to either

1. configure your OS stack to match this product's configuration or
2. create a custom build of python-ldap to be linked to the LDAP libs shipped by this vendor.

For 2. be prepared to run into lots of dynamic library linking mixes possibly causing seg faults.

But sorry, this is where supporting commercial software ends at my side. Please ask your vendor for support.

Ciao, Michael.

From mailinglist0 at skurfer.com Tue Dec 30 20:24:22 2014
From: mailinglist0 at skurfer.com (Rob McBroom)
Date: Tue, 30 Dec 2014 14:24:22 -0500
Subject: [python-ldap] Is it possible to bind using a kerberos keytab
In-Reply-To: <549BF64D.6040500@stroeder.com>
References: <387DA264871BE742972A79C3684DB29B35C4055B@LONS00110044.mercury.intra> <549BF64D.6040500@stroeder.com>
Message-ID:

On 25 Dec 2014, at 6:34, Michael Ströder wrote:

> I can confirm that this simply works provided your Kerberos setup is
> correct at client and server side. With MS AD you have to carefully
> examine DNS entries. Most times bad DNS entries are the culprit for
> non-functional Kerberos.

Hard to say what the issue was. The Kerberos part was working as far as I can tell, because `whoami` would give the correct DN. It was the search that barfed. Anyway, I no longer work there and will hopefully never have to deal with AD again.

--
Rob McBroom
http://www.skurfer.com/

From mailinglist0 at skurfer.com Tue Dec 30 20:26:10 2014
From: mailinglist0 at skurfer.com (Rob McBroom)
Date: Tue, 30 Dec 2014 14:26:10 -0500
Subject: [python-ldap] Is it possible to bind using a kerberos keytab
In-Reply-To: <387DA264871BE742972A79C3684DB29B35C40D84@LONS00110044.mercury.intra>
References: <387DA264871BE742972A79C3684DB29B35C4055B@LONS00110044.mercury.intra> <549BF64D.6040500@stroeder.com> <387DA264871BE742972A79C3684DB29B35C40D84@LONS00110044.mercury.intra>
Message-ID:

On 30 Dec 2014, at 7:43, Kev SMITH wrote:

> /usr/share/centrifydc/kerberos/bin/kinit -kt /etc/buddy.keytab
> SVC.UX.BUDDY

What if you use the *real* `kinit` that comes with your system? That should work fine against AD, and will probably use the same libraries that Python is using.

--
Rob McBroom
http://www.skurfer.com/
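Added example for the attribute-type thread at the top of this page (Space One's filter-injection question and John Dennis's answer that an attribute type can only be validated, never escaped); this is not code from any of the posters or from python-ldap. It validates the left-hand side of '=' against RFC 4512's AttributeDescription grammar (descriptor or numeric OID, plus ';option' suffixes, so OIDs are covered too) and escapes the right-hand side with the RFC 4515 table that ldap.filter.escape_filter_chars() uses in its default mode, reimplemented here (assumption: same table) so the block runs without python-ldap installed; all function names are my own.

```python
import re

# RFC 4512 AttributeDescription grammar: an attribute type is either a
# descriptor (letter, then letters/digits/hyphens) or a numeric OID
# (two or more dot-separated numbers without leading zeros), optionally
# followed by ";option" suffixes such as ";binary" or ";lang-de".
_DESCR = r"[A-Za-z][A-Za-z0-9-]*"
_NUMBER = r"(?:0|[1-9][0-9]*)"
_NUMERICOID = rf"{_NUMBER}(?:\.{_NUMBER})+"
_OPTION = r"[A-Za-z0-9-]+"
ATTRIBUTE_DESCRIPTION_RE = re.compile(rf"(?:{_DESCR}|{_NUMERICOID})(?:;{_OPTION})*")

# RFC 4515 requires these characters to be hex-escaped inside an assertion
# value.  Assumption: this is the same table ldap.filter.escape_filter_chars()
# applies in its default mode; it is reimplemented so the example runs
# without python-ldap installed.
_VALUE_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def is_valid_attribute_type(attribute_type):
    """True if the string is a syntactically legal AttributeDescription.

    fullmatch() is used on purpose: a trailing '$' anchor would still
    accept a value that ends in a newline.
    """
    return ATTRIBUTE_DESCRIPTION_RE.fullmatch(attribute_type) is not None


def escape_filter_value(value):
    """Escape an assertion value so it cannot close or extend the filter."""
    return "".join(_VALUE_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attribute_type, value=None):
    """Build an equality filter, or a presence filter when value is None.

    The left-hand side of '=' cannot be escaped, only accepted or rejected,
    so it is validated; the right-hand side is escaped.  Escaping alone, as
    in the thread's '%s=%s' attempt, leaves the attribute type unprotected.
    """
    if not is_valid_attribute_type(attribute_type):
        raise ValueError("Invalid LDAP attribute type: %r" % (attribute_type,))
    if value is None:
        return "(%s=*)" % attribute_type
    return "(%s=%s)" % (attribute_type, escape_filter_value(value))


if __name__ == "__main__":
    # Constructed inputs, including the one from the thread; that string is
    # never a legal attribute type, so the only safe answer is to reject it.
    for attr in ["cn", "cn;lang-de", "2.5.4.3", "MyAttributeInput|*&", "01.2", "cn="]:
        print("%-22s valid=%s" % (attr, is_valid_attribute_type(attr)))
    print(build_filter("sn", "Str*der (admin)"))    # (sn=Str\2ader \28admin\29)
    print(build_filter("userCertificate;binary"))   # (userCertificate;binary=*)
```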