[python-ldap] Issue with sasl binds
William Brown
william at blackhats.net.au
Tue Nov 14 01:05:13 EST 2017
Hi there,
I have a very odd issue.
I can properly use ldapwhoami from the cli with TLS EXTERNAL:
LDAPTLS_KEY=/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key \
LDAPTLS_CERT=/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt \
LDAPTLS_CACERT=/opt/dirsrv/etc/dirsrv/ssca/ca.crt \
ldapwhoami -Y EXTERNAL -H ldaps://localhost:63601/
SASL/EXTERNAL authentication started
SASL username: cn=testuser_a,o=testing,l=389ds,st=Queensland,c=AU
SASL SSF: 0
dn: cn=testuser_a,O=testing,L=389ds,ST=Queensland,C=AU
However, the same with python-ldap does not work.
import ldap
import ldap.sasl  # ldap.sasl is a submodule; import it explicitly before using ldap.sasl.external()

tls_locs = {
    'ca': '/opt/dirsrv/etc/dirsrv/ssca/ca.crt',
    'crt': '/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt',
    'key': '/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key',
}
# DN of the client certificate, as reported by ldapwhoami above
dn = "cn=testuser_a,o=testing,l=389ds,st=Queensland,c=AU"

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_locs['ca'])
conn = ldap.initialize('ldaps://localhost:63601')
conn.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_locs['ca'])
conn.set_option(ldap.OPT_X_TLS_CERTFILE, tls_locs['crt'])
conn.set_option(ldap.OPT_X_TLS_KEYFILE, tls_locs['key'])
print(conn.get_option(ldap.OPT_X_TLS_CACERTFILE))
print(conn.get_option(ldap.OPT_X_TLS_CERTFILE))
print(conn.get_option(ldap.OPT_X_TLS_KEYFILE))
sasl_auth = ldap.sasl.external()
conn.sasl_interactive_bind_s("", sasl_auth)  # raises ldap.AUTH_UNKNOWN, see the traceback below
assert conn.whoami_s().lower() == "dn: %s" % dn.lower()
conn.unbind_s()
----------
/opt/dirsrv/etc/dirsrv/ssca/ca.crt
/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt
/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key
Traceback (most recent call last):
  File "works.py", line 23, in <module>
    conn.sasl_interactive_bind_s("", sasl_auth)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 410, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 265, in _ldap_call
    result = func(*args,**kwargs)
ldap.AUTH_UNKNOWN: {'desc': 'Unknown authentication method', 'info': 'SASL(-4): no mechanism available: '}
I'm really quite stumped on this one and on what's going on. Trace level 9 has no real extra help here. It seems like a problem with actually detecting the available mechs, because the server logs don't get far at all:
[14/Nov/2017:16:03:56.517461686 +1000] conn=9 fd=64 slot=64 SSL connection from ::1 to ::1
[14/Nov/2017:16:03:56.536788945 +1000] conn=9 TLS1.2 128-bit AES-GCM
[14/Nov/2017:16:03:56.556707754 +1000] conn=9 op=0 UNBIND
[14/Nov/2017:16:03:56.556823805 +1000] conn=9 op=0 fd=64 closed - U1
Ideas?
note: affects pyldap as well.
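Added example, not part of the original post and not python-ldap's own code: a SASL EXTERNAL bind helper written the way a defender would want it, beside a pure-Python DN comparison for checking the whoami result. The bind helper assumes python-ldap 3.x and the same OPT_X_TLS_* options the post uses; it additionally demands server certificate verification and applies OPT_X_TLS_NEWCTX=0 after the per-connection TLS options, which python-ldap's documentation requires for those options to take effect (whether or not that is the cause of the error above). The DN helpers exist because the whoami authzid in the post uses different attribute-type case from the SASL username (O= versus o=), and a bare string compare, or a lowercased one that ignores spacing, is the wrong tool; they also treat an empty authzid, which is what an anonymous bind yields, as a failed match rather than a pass. Paths and the DN are taken from the post; everything else is assumption.

```python
"""Added example (not from the thread): SASL EXTERNAL bind with python-ldap
plus an offline DN comparison for verifying the whoami result."""


def _split_rdns(dn):
    """Split a DN string on commas that are not backslash-escaped (RFC 4514).

    Multi-valued RDNs joined with '+' are not split; they compare as one value.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def normalize_dn(dn):
    """Return a canonical tuple of (attribute type, value) pairs.

    Attribute types are case-insensitive by definition. Values are lowercased
    too, which matches caseIgnoreMatch (cn, o, l, st, c) and the .lower()
    comparison the original script performs.
    """
    parts = []
    for rdn in _split_rdns(dn):
        attr_type, sep, value = rdn.strip().partition("=")
        if not sep or not attr_type.strip():
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        parts.append((attr_type.strip().lower(), value.strip().lower()))
    return tuple(parts)


def dn_matches(whoami_result, expected_dn):
    """True only if the whoami authzid is "dn: <dn>" and <dn> equals expected_dn.

    An empty authzid (anonymous bind) or a "u:" authzid is False, so a bind
    that silently fell back to anonymous is never mistaken for success.
    """
    prefix = "dn:"
    if not whoami_result.lower().startswith(prefix):
        return False
    return normalize_dn(whoami_result[len(prefix):]) == normalize_dn(expected_dn)


def external_bind(uri, ca_file, cert_file, key_file):
    """Open an ldaps:// connection and bind with SASL EXTERNAL.

    Assumptions: python-ldap 3.x is installed, the server's chain verifies
    against ca_file, and cert_file/key_file are the client identity.
    """
    import ldap  # imported here so the DN helpers above run without python-ldap
    import ldap.sasl

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    conn.set_option(ldap.OPT_X_TLS_CERTFILE, cert_file)
    conn.set_option(ldap.OPT_X_TLS_KEYFILE, key_file)
    # Refuse servers whose certificate does not verify against ca_file.
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # Rebuild the TLS context so the per-connection options above are used;
    # python-ldap documents this step as required after setting OPT_X_TLS_*.
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    conn.sasl_interactive_bind_s("", ldap.sasl.external())
    return conn


if __name__ == "__main__":
    # Paths and the expected DN are those from the original post.
    expected = "cn=testuser_a,o=testing,l=389ds,st=Queensland,c=AU"
    conn = external_bind(
        "ldaps://localhost:63601",
        "/opt/dirsrv/etc/dirsrv/ssca/ca.crt",
        "/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt",
        "/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key",
    )
    try:
        result = conn.whoami_s()
        verdict = "matches" if dn_matches(result, expected) else "DOES NOT match"
        print("%r %s %s" % (result, verdict, expected))
    finally:
        conn.unbind_s()
```

The `dn_matches` check is deliberately strict about the `dn:` prefix: the interesting failure in production is not a wrong DN but a bind that never became authenticated, and an authzid of `""` must read as a failure, not as "nothing to compare".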