我目前正在尝试让gssapi module for python在Windows上运行。我的目标是使用python模块ldap3对Active Directory进行身份验证。 gssapi是这项工作的必要条件。但是,安装失败,因为找不到krb5-config。在Linux上,install很容易。我安装了Kerberos for Windows,但它没有krb5-config,我在其他地方找不到它(除了Linux)。有谁知道在哪里可以找到所需的工具或如何继续(如果可能的话)?
答案 0 :(得分:1)
根据@keithhendry(https://github.com/cannatag/ldap3/issues/190)的建议,我将kerberos.py下的ldap3\protocol\sasl\替换为this one。
要使用Windows的GSSAPI,您还需要安装winkerberos软件包和 替换kerberos.py中第15行的kerberos导入,如下所示:
import winkerberos as kerberos
这是透明的,因为winkerberos遵循与pykerberos相同的API结构,而kerberos.py就是基于pykerberos的。
现在,您可以在使用ldap3构建authentication=SASL, sasl_mechanism=GSSAPI时使用Connection,并且所有内容都应该自动运行(假设Kerberos可能导致的其他999件事没有出错)。
答案 1 :(得分:0)
我无法在Windows上安装gssapi模块,但我确实设法让ldap3模块使用以下代码对Windows上的Active Directory进行身份验证:
import ssl
import ldap3
tls_configuration = ldap3.Tls(validate=ssl.CERT_NONE,
version=ssl.PROTOCOL_TLSv1_2)
server = ldap3.Server(host='domaincontroller.example.com', port=636,
use_ssl=True, tls=tls_configuration,
get_info=ldap3.ALL)
con = ldap3.Connection(server, version=3,
auto_bind=True,
raise_exceptions=True,
user='EXAMPLE\\username',
password='MySecret',
authentication=ldap3.NTLM)
答案 2 :(得分:0)
使用此answer并避免猴子补丁,可以根据提供的there文件和ldap3\core\connection.py模块使用以下代码。
"""Replaces the use of python-gssapi with kerberos in ldap3.
"""
from __future__ import absolute_import
from __future__ import division
from __future__ import print_function
from __future__ import unicode_literals
import base64
import socket
import ldap3
from ldap3.core.exceptions import LDAPCommunicationError
from ldap3.protocol.sasl.sasl import send_sasl_negotiation
from ldap3.protocol.sasl.sasl import abort_sasl_negotiation
from ldap3.protocol.sasl.external import sasl_external
from ldap3.protocol.sasl.digestMd5 import sasl_digest_md5
from ldap3.protocol.sasl.plain import sasl_plain
from ldap3.utils.log import log, log_enabled, BASIC
from ldap3 import EXTERNAL, DIGEST_MD5, GSSAPI
import winkerberos as kerberos
NO_SECURITY_LAYER = 1
INTEGRITY_PROTECTION = 2
CONFIDENTIALITY_PROTECTION = 4
class Connection(ldap3.Connection):
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
def do_sasl_bind(self,
controls):
if log_enabled(BASIC):
log(BASIC, 'start SASL BIND operation via <%s>', self)
self.last_error = None
with self.connection_lock:
result = None
if not self.sasl_in_progress:
self.sasl_in_progress = True
try:
if self.sasl_mechanism == EXTERNAL:
result = sasl_external(self, controls)
elif self.sasl_mechanism == DIGEST_MD5:
result = sasl_digest_md5(self, controls)
elif self.sasl_mechanism == GSSAPI:
result = sasl_gssapi(self, controls)
elif self.sasl_mechanism == 'PLAIN':
result = sasl_plain(self, controls)
finally:
self.sasl_in_progress = False
if log_enabled(BASIC):
log(BASIC, 'done SASL BIND operation, result <%s>', result)
return result
def sasl_gssapi(connection, controls):
"""
Performs a bind using the Kerberos v5 ("GSSAPI") SASL mechanism
from RFC 4752. Does not support any security layers, only authentication!
sasl_credentials can be empty or a tuple with one or two elements.
The first element determines which service principal to request a ticket
for and can be one of the following:
- None or False, to use the hostname from the Server object
- True to perform a reverse DNS lookup to retrieve the canonical hostname
for the hosts IP address
- A string containing the hostname
The optional second element is what authorization ID to request.
- If omitted or None, the authentication ID is used as the authorization ID
- If a string, the authorization ID to use. Should start with "dn:" or
"user:".
"""
# pylint: disable=too-many-branches
target_name = None
authz_id = b''
if connection.sasl_credentials:
if (len(connection.sasl_credentials) >= 1 and
connection.sasl_credentials[0]):
if connection.sasl_credentials[0] is True:
hostname = \
socket.gethostbyaddr(connection.socket.getpeername()[0])[0]
target_name = 'ldap@' + hostname
else:
target_name = 'ldap@' + connection.sasl_credentials[0]
if (len(connection.sasl_credentials) >= 2 and
connection.sasl_credentials[1]):
authz_id = connection.sasl_credentials[1].encode("utf-8")
if target_name is None:
target_name = 'ldap@' + connection.server.host
gssflags = (
kerberos.GSS_C_MUTUAL_FLAG |
kerberos.GSS_C_SEQUENCE_FLAG |
kerberos.GSS_C_INTEG_FLAG |
kerberos.GSS_C_CONF_FLAG
)
_, ctx = kerberos.authGSSClientInit(target_name, gssflags=gssflags)
in_token = b''
try:
while True:
status = kerberos.authGSSClientStep(
ctx,
base64.b64encode(in_token).decode('ascii')
)
out_token = kerberos.authGSSClientResponse(ctx) or ''
result = send_sasl_negotiation(
connection,
controls,
base64.b64decode(out_token)
)
in_token = result['saslCreds'] or b''
if status == kerberos.AUTH_GSS_COMPLETE:
break
kerberos.authGSSClientUnwrap(
ctx,
base64.b64encode(in_token).decode('ascii')
)
unwrapped_token = base64.b64decode(
kerberos.authGSSClientResponse(ctx) or ''
)
if len(unwrapped_token) != 4:
raise LDAPCommunicationError('Incorrect response from server')
server_security_layers = unwrapped_token[0]
if not isinstance(server_security_layers, int):
server_security_layers = ord(server_security_layers)
if server_security_layers in (0, NO_SECURITY_LAYER):
if unwrapped_token.message[1:] != '\x00\x00\x00':
raise LDAPCommunicationError(
'Server max buffer size must be 0 if no security layer'
)
if not server_security_layers & NO_SECURITY_LAYER:
raise LDAPCommunicationError(
'Server requires a security layer, but this is not implemented'
)
client_security_layers = bytearray([NO_SECURITY_LAYER, 0, 0, 0])
kerberos.authGSSClientWrap(
ctx,
base64.b64encode(
bytes(client_security_layers) + authz_id
).decode('ascii')
)
out_token = kerberos.authGSSClientResponse(ctx) or ''
return send_sasl_negotiation(
connection,
controls,
base64.b64decode(out_token)
)
except (kerberos.GSSError, LDAPCommunicationError):
abort_sasl_negotiation(connection, controls)
raise
安装 winkerberos :pip install winkerberos
在脚本中,使用以下代码(connect_timeout,mode和receive_timeout参数仅作为示例,可以省略或更改):
import ldap
import ldap3kerberos
server = ldap3.Server(fqdn, connect_timeout=10, mode=ldap3.IP_V4_ONLY)
conn = ldap3kerberos.Connection(
server, authentication=ldap3.SASL, sasl_mechanism=ldap3.GSSAPI,
auto_bind=True, receive_timeout=10
)
如果一个AD域中有多个域控制器服务器,请确保要连接到某些特定的服务器,否则将出现异常:
winkerberos.GSSError: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable