ldap3
How to tell Ldap3 to use current user credentials
Hi, I was searching for a way to tell ldap3 to use the current user's credentials without having to give clear credentials. The server supports ['GSSAPI', 'GSS-SPNEGO', 'EXTERNAL', 'DIGEST-MD5']. Thank you.
hi @mahdialibi !
I know that, for GSSAPI and GSS-SPNEGO, if you specify "authentication=SASL, sasl_mechanism=GSSAPI" (or spnego as needed) in your connection, then you don't need to specify user/password at all. By default, the gss related authentication mechanisms will look for a credential cache for the current user based on where it lives on your OS (e.g. on Ubuntu, Kerberos credentials go in "/tmp/krb5cc_{uid}" where uid is the numeric id number of the user).
I think Kerberos (GSSAPI/GSS-SPNEGO) is your best bet. In kerberized environments, logging in to a machine will populate your Kerberos credential cache with a TGT so you can access other things on the network, so it will already be primed for use. And that's what it sounds like you want? If the user that the program runs as doesn't already have a credential cache, you can use the python gssapi to "initiate", which will populate that cache. Initiation can be done with username/pw or with Kerberos keytabs, the latter of which is probably what you'd want if the application runs with a machine identity.
For EXTERNAL, I believe you need to specify a "Tls" object for the Server object which includes your user credentials. The TLS related options just build on python's ssl library, and there's no default user certificate for the python ssl library so I don't believe there's a way to have anything in python naturally pick up a user certificate.
DIGEST-MD5 uses a username and password, so the only way to have it use the current user's identity without typing in the credentials in your application is to have the password stored in plaintext somewhere, which is not great and presumably not what you want.
Hopefully I understood your ask correctly, and this helps! If not, let me know :) And if you could clarify the use scenario, that would be helpful.
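The GSSAPI bind described in the reply above, as an added example that is not part of the original thread or of ldap3's own code. The helper names (`ccache_path`, `sasl_kwargs`, `bind_current_user`) and the host `ldap.example.com` are hypothetical, and a POSIX system with the `ldap3` and `gssapi` packages installed is assumed.

```python
import os


def ccache_path(environ=None, uid=None):
    """Return the file path of the current user's Kerberos credential cache,
    or None when the cache is not file-based (KEYRING:, KCM:, ...)."""
    environ = os.environ if environ is None else environ
    name = environ.get("KRB5CCNAME")
    if not name:
        # Default location quoted in the thread: /tmp/krb5cc_{uid}
        uid = os.getuid() if uid is None else uid
        return f"/tmp/krb5cc_{uid}"
    kind, sep, rest = name.partition(":")
    if not sep:
        return name  # a bare path means a FILE cache
    return rest if kind == "FILE" else None


def sasl_kwargs(server_mechanisms, environ=None, uid=None, exists=os.path.exists):
    """Build ldap3 Connection keyword arguments for a bind as the current user.
    Raises instead of falling back to a password-based mechanism."""
    if "GSSAPI" not in server_mechanisms:
        raise ValueError("server does not advertise GSSAPI")
    path = ccache_path(environ, uid)
    if path is not None and not exists(path):
        raise FileNotFoundError(f"no credential cache at {path}; run kinit first")
    # No user= or password=: the GSSAPI layer reads the ticket from the cache.
    return {"authentication": "SASL", "sasl_mechanism": "GSSAPI"}


def bind_current_user(host, server_mechanisms):
    """Open a Kerberos-authenticated connection (needs ldap3 and gssapi)."""
    # Imported here so the helpers above can be used without ldap3 installed.
    from ldap3 import Server, Connection
    conn = Connection(Server(host), **sasl_kwargs(server_mechanisms))
    if not conn.bind():
        raise PermissionError(conn.result)
    return conn


if __name__ == "__main__":
    # Constructed host name; the mechanism list is the one from the question.
    mechs = ["GSSAPI", "GSS-SPNEGO", "EXTERNAL", "DIGEST-MD5"]
    conn = bind_current_user("ldap.example.com", mechs)
    print(conn.extend.standard.who_am_i())
```

Failing early when the cache is missing keeps the application from ever needing a stored password as a fallback.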
Thank you, will see with Kerberos
hi @mahdialibi ! If you haven't any further questions, I'll close this on Monday :)
@mahdialibi Did you already figure out how to use Kerberos authentication? I'm always confused about this :(
