
Does Python ldap module support LDAP channel binding and LDAP signing

There will be a Microsoft Active Directory update in March 2020 that enables LDAP channel binding and LDAP signing as default, see https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

Will the Python ldap module still work for querying Active Directory for data when LDAP channel binding and LDAP signing are activated?

Do I have to change anything or will it work out of the box?

I connect to Active directory like this:

import ldap

conn = ldap.initialize('url', bytes_mode=False)
conn.set_option(ldap.OPT_REFERRALS, 0)  # do not chase Active Directory referrals
conn.start_tls_s()                      # upgrade the plain connection to TLS (STARTTLS)
conn.simple_bind_s('username', 'password')

What is the minimum required Python and ldap module version that I have to use after the update?

Thanks in advance.

If you are using simple bind (like in your code example) then there are no changes needed in your client. It will continue to work with LdapEnforceChannelBinding=2.

If you make request signing mandatory (LDAPServerIntegrity=2) then you will not be able to use simple bind without LDAPS or STARTTLS (but your sample code seems to request STARTTLS, so it should keep working).

However, I haven't tested yet whether python-ldap with SASL sets the binding information; it would be relevant if you want to use GSSAPI/Kerberos or SASL/DIGEST-MD5. Both no longer work with unmodified clients (for example, it fails with the Java sun-ldap JNDI provider).

I think channel binding does not affect LDAP simple binds over TLS (LDAPS). Channel signing is another thing, but it is OK too with TLS.

From what I understand, channel binding is for CBT tokens, which are part of SASL/NTLM for NTLMv2, for example, and so it is not directly implemented by LDAP but by its usage of SASL. From a GitHub project https://github.com/jborean93/ntlm-auth/blob/master/README.md I can find CBT defined as some value derived from the server certificate; I guess it might be covered by RFC 5929, where the channel binding token is defined in chapter 4, 'tls-server-end-point' Channel Binding Type.

This is the same for GSSAPI/Kerberos (see https://github.com/requests/requests-kerberos/blob/master/requests_kerberos/kerberos_.py, _get_channel_bindings_application_data).

I didn't look at SASL/DIGEST-MD5 CBT though.

Channel binding is CBT: https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry
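The tls-server-end-point binding this answer points to, as an added example (not code from the question, the answers, ntlm-auth, requests-kerberos or python-ldap): it derives the channel binding token from a DER certificate following RFC 5929 section 4.1 and shows what a GSSAPI/NTLM client places in its channel bindings; the NTLMv2 MD5 step follows the MS-NLMP gss_channel_bindings_struct hashing as ntlm-auth implements it. The two certificates are constructed stand-ins with only the outer DER shape of a Certificate, and the OID table is limited to a few common signature algorithms.

```python
import hashlib

# signatureAlgorithm OID -> hash (RFC 5929 4.1: MD5 and SHA-1 become SHA-256, others keep their own)
_SIG_OID_TO_HASH = {
    "1.2.840.113549.1.1.4": "sha256",   # md5WithRSAEncryption  -> SHA-256
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption -> SHA-256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
}

def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length, used by real certificates
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                    # base-128 arcs, high bit set on all but the last byte
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def signature_hash_name(der_cert):
    """Hash RFC 5929 prescribes for the certificate's outer signatureAlgorithm."""
    _, cert, _ = _der_tlv(der_cert, 0)     # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _, pos = _der_tlv(cert, 0)          # skip tbsCertificate
    _, sig_alg, _ = _der_tlv(cert, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    return _SIG_OID_TO_HASH[_decode_oid(_der_tlv(sig_alg, 0)[1])]

def tls_server_end_point(der_cert):
    """The tls-server-end-point channel binding: hash of the whole DER certificate."""
    return hashlib.new(signature_hash_name(der_cert), der_cert).digest()

def gss_application_data(der_cert):
    """application_data a GSSAPI/NTLM client puts in its channel bindings (as ntlm-auth does)."""
    return b"tls-server-end-point:" + tls_server_end_point(der_cert)

def ntlm_channel_binding_hash(der_cert):
    """NTLMv2 MsvAvChannelBindings: MD5 over gss_channel_bindings_struct (zeroed addresses, LE length, data)."""
    app = gss_application_data(der_cert)
    return hashlib.md5(bytes(16) + len(app).to_bytes(4, "little") + app).digest()

# Constructed stand-ins with a Certificate's outer DER shape (not real X.509 certificates):
# SEQUENCE { tbsCertificate (dummy), AlgorithmIdentifier { OID, NULL }, BIT STRING }.
CERT_SHA1_RSA = bytes.fromhex("301b3003020101300d06092a864886f70d0101050500030500abcdef01")
CERT_SHA256_RSA = bytes.fromhex("301b3003020101300d06092a864886f70d01010b0500030500abcdef01")
```

With a live connection, the DER bytes come from the TLS layer (for example ssl's getpeercert(binary_form=True)); a client that leaves application_data empty is exactly the "unmodified client" the other answer says the server will reject.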
