[英]Passwordless Python LDAP3 authentication from Windows client
我正在使用很棒的 ldap3 包,我正在尝试与活动目录服务器连接,但不需要以纯文本形式提供实际凭据。
支持以下 SASL 机制。 ['GSSAPI', 'GSS-SPNEGO', 'EXTERNAL', 'DIGEST-MD5']
我尝试安装 GSSAPI 包,但这在我的 Windows 机器上不起作用。 pip install gssapi
上的错误是: pip install gssapi
subprocess.CalledProcessError: Command 'krb5-config --libs gssapi' returned non-zero exit status 1.
有人可以为此提供一个简单的例子吗? 我相信 GSS-SPNEGO 可能是解决方案,但我没有在互联网上找到任何可以理解的例子。
谢谢你问这个。 我今天给了它最后一次机会,让它开始工作。
它要求您拥有 ldap3 包并安装 winkerberos 包:
pip install winkerberos
然后,您需要将站点包( PYTHON_HOME\\Lib\\site-packages\\ldap3\\protocol\\sasl\\kerberos.py
)中的 kerberos.py 文件替换为他链接到替换 kerberos.py 的文件。
您需要更改替换 kerberos.py 文件中的以下行:
from treadmill import kerberoswrapper as kerberos
改成
import winkerberos as kerberos
然后你可以像这样连接:
from ldap3 import Server, Connection, Tls, SASL, GSSAPI
import ssl
tls = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1)
server = Server('server_fqdn', use_ssl=True, tls=tls)
c = Connection(server, authentication=SASL, sasl_mechanism=GSSAPI)
c.bind()
print(c.extend.standard.who_am_i())
c.unbind()
将 server_fqdn 替换为 AD 服务器的完全限定域名。
您可能希望将版本值更改为您的 AD 服务器使用的任何协议。
如果有人有一个不那么凌乱的方法来完成这个,请加入!
使用最初的答案,并避免猴子修补,可以使用以下代码,基于那里提供的文件和ldap3\\core\\connection.py
模块。
"""Replaces the use of python-gssapi with kerberos in ldap3.
"""
from __future__ import absolute_import
from __future__ import division
from __future__ import print_function
from __future__ import unicode_literals
import base64
import socket
import ldap3
from ldap3.core.exceptions import LDAPCommunicationError
from ldap3.protocol.sasl.sasl import send_sasl_negotiation
from ldap3.protocol.sasl.sasl import abort_sasl_negotiation
from ldap3.protocol.sasl.external import sasl_external
from ldap3.protocol.sasl.digestMd5 import sasl_digest_md5
from ldap3.protocol.sasl.plain import sasl_plain
from ldap3.utils.log import log, log_enabled, BASIC
from ldap3 import EXTERNAL, DIGEST_MD5, GSSAPI
import winkerberos as kerberos
NO_SECURITY_LAYER = 1
INTEGRITY_PROTECTION = 2
CONFIDENTIALITY_PROTECTION = 4
class Connection(ldap3.Connection):
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
def do_sasl_bind(self,
controls):
if log_enabled(BASIC):
log(BASIC, 'start SASL BIND operation via <%s>', self)
self.last_error = None
with self.connection_lock:
result = None
if not self.sasl_in_progress:
self.sasl_in_progress = True
try:
if self.sasl_mechanism == EXTERNAL:
result = sasl_external(self, controls)
elif self.sasl_mechanism == DIGEST_MD5:
result = sasl_digest_md5(self, controls)
elif self.sasl_mechanism == GSSAPI:
result = sasl_gssapi(self, controls)
elif self.sasl_mechanism == 'PLAIN':
result = sasl_plain(self, controls)
finally:
self.sasl_in_progress = False
if log_enabled(BASIC):
log(BASIC, 'done SASL BIND operation, result <%s>', result)
return result
def sasl_gssapi(connection, controls):
"""
Performs a bind using the Kerberos v5 ("GSSAPI") SASL mechanism
from RFC 4752. Does not support any security layers, only authentication!
sasl_credentials can be empty or a tuple with one or two elements.
The first element determines which service principal to request a ticket
for and can be one of the following:
- None or False, to use the hostname from the Server object
- True to perform a reverse DNS lookup to retrieve the canonical hostname
for the hosts IP address
- A string containing the hostname
The optional second element is what authorization ID to request.
- If omitted or None, the authentication ID is used as the authorization ID
- If a string, the authorization ID to use. Should start with "dn:" or
"user:".
"""
# pylint: disable=too-many-branches
target_name = None
authz_id = b''
if connection.sasl_credentials:
if (len(connection.sasl_credentials) >= 1 and
connection.sasl_credentials[0]):
if connection.sasl_credentials[0] is True:
hostname = \
socket.gethostbyaddr(connection.socket.getpeername()[0])[0]
target_name = 'ldap@' + hostname
else:
target_name = 'ldap@' + connection.sasl_credentials[0]
if (len(connection.sasl_credentials) >= 2 and
connection.sasl_credentials[1]):
authz_id = connection.sasl_credentials[1].encode("utf-8")
if target_name is None:
target_name = 'ldap@' + connection.server.host
gssflags = (
kerberos.GSS_C_MUTUAL_FLAG |
kerberos.GSS_C_SEQUENCE_FLAG |
kerberos.GSS_C_INTEG_FLAG |
kerberos.GSS_C_CONF_FLAG
)
_, ctx = kerberos.authGSSClientInit(target_name, gssflags=gssflags)
in_token = b''
try:
while True:
status = kerberos.authGSSClientStep(
ctx,
base64.b64encode(in_token).decode('ascii')
)
out_token = kerberos.authGSSClientResponse(ctx) or ''
result = send_sasl_negotiation(
connection,
controls,
base64.b64decode(out_token)
)
in_token = result['saslCreds'] or b''
if status == kerberos.AUTH_GSS_COMPLETE:
break
kerberos.authGSSClientUnwrap(
ctx,
base64.b64encode(in_token).decode('ascii')
)
unwrapped_token = base64.b64decode(
kerberos.authGSSClientResponse(ctx) or ''
)
if len(unwrapped_token) != 4:
raise LDAPCommunicationError('Incorrect response from server')
server_security_layers = unwrapped_token[0]
if not isinstance(server_security_layers, int):
server_security_layers = ord(server_security_layers)
if server_security_layers in (0, NO_SECURITY_LAYER):
if unwrapped_token.message[1:] != '\x00\x00\x00':
raise LDAPCommunicationError(
'Server max buffer size must be 0 if no security layer'
)
if not server_security_layers & NO_SECURITY_LAYER:
raise LDAPCommunicationError(
'Server requires a security layer, but this is not implemented'
)
client_security_layers = bytearray([NO_SECURITY_LAYER, 0, 0, 0])
kerberos.authGSSClientWrap(
ctx,
base64.b64encode(
bytes(client_security_layers) + authz_id
).decode('ascii')
)
out_token = kerberos.authGSSClientResponse(ctx) or ''
return send_sasl_negotiation(
connection,
controls,
base64.b64decode(out_token)
)
except (kerberos.GSSError, LDAPCommunicationError):
abort_sasl_negotiation(connection, controls)
raise
安装winkerberos : pip install winkerberos
在您的脚本中,使用以下代码( connect_timeout
、 mode
和receive_timeout
参数仅作为示例,可以省略或更改):
import ldap
import ldap3kerberos
server = ldap3.Server(fqdn, connect_timeout=10, mode=ldap3.IP_V4_ONLY)
conn = ldap3kerberos.Connection(
server, authentication=ldap3.SASL, sasl_mechanism=ldap3.GSSAPI,
auto_bind=True, receive_timeout=10
)
如果您有多个 AD 域的域控制器服务器,请确保您连接到某个特定服务器,否则您将收到异常:
winkerberos.GSSError: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.