[python-ldap] Issue with sasl binds

William Brown william at blackhats.net.au
Tue Nov 14 01:07:28 EST 2017


On Tue, 2017-11-14 at 16:05 +1000, William Brown wrote:
> Hi there,
> 
> I have a very odd issue.
> 
> I can properly use ldapwhoami from the cli with TLS EXTERNAL:
> 
> LDAPTLS_KEY=/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key \
> LDAPTLS_CERT=/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt \
> LDAPTLS_CACERT=/opt/dirsrv/etc/dirsrv/ssca/ca.crt \
>   ldapwhoami -Y EXTERNAL -H ldaps://localhost:63601/
> 
> SASL/EXTERNAL authentication started
> SASL username: cn=testuser_a,o=testing,l=389ds,st=Queensland,c=AU
> SASL SSF: 0
> dn: cn=testuser_a,O=testing,L=389ds,ST=Queensland,C=AU
> 
> However, the same with python-ldap does not work.
> 
> import ldap
> import ldap.sasl  # explicit import of the sasl submodule
> 
> tls_locs = {
>     'ca': '/opt/dirsrv/etc/dirsrv/ssca/ca.crt',
>     'crt': '/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt',
>     'key': '/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key',
> }
> 
> # DN of the client certificate, as reported by ldapwhoami above
> dn = "cn=testuser_a,o=testing,l=389ds,st=Queensland,c=AU"
> 
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_locs['ca'])
> 
> conn = ldap.initialize('ldaps://localhost:63601')
> 
> conn.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_locs['ca'])
> conn.set_option(ldap.OPT_X_TLS_CERTFILE, tls_locs['crt'])
> conn.set_option(ldap.OPT_X_TLS_KEYFILE, tls_locs['key'])
> 
> print(conn.get_option(ldap.OPT_X_TLS_CACERTFILE))
> print(conn.get_option(ldap.OPT_X_TLS_CERTFILE))
> print(conn.get_option(ldap.OPT_X_TLS_KEYFILE))
> 
> sasl_auth = ldap.sasl.external()
> conn.sasl_interactive_bind_s("", sasl_auth)
> 
> # whoami_s() returns the authorization identity prefixed with "dn: "
> assert conn.whoami_s().lower() == "dn: %s" % dn.lower()
> conn.unbind_s()
> 
> 
> ----------
> 
> /opt/dirsrv/etc/dirsrv/ssca/ca.crt
> /opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt
> /opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key
> Traceback (most recent call last):
>   File "works.py", line 23, in <module>
>     conn.sasl_interactive_bind_s("", sasl_auth)
>   File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 410, in sasl_interactive_bind_s
>     return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
>   File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 265, in _ldap_call
>     result = func(*args,**kwargs)
> ldap.AUTH_UNKNOWN: {'desc': 'Unknown authentication method', 'info': 'SASL(-4): no mechanism available: '}
> 
> I'm really quite stumped on this one, and what's going on. Trace level 9 has
> no real extra help here. It seems like a problem with actually detecting the
> available mechs, because the server logs don't get far at all:
> 
> [14/Nov/2017:16:03:56.517461686 +1000] conn=9 fd=64 slot=64 SSL connection from ::1 to ::1
> [14/Nov/2017:16:03:56.536788945 +1000] conn=9 TLS1.2 128-bit AES-GCM
> [14/Nov/2017:16:03:56.556707754 +1000] conn=9 op=0 UNBIND
> [14/Nov/2017:16:03:56.556823805 +1000] conn=9 op=0 fd=64 closed - U1
> 
> Ideas?
> 
> note: affects pyldap as well.
> 

Sorry, sent the pyldap output for python 3.6. Here's the 2.7 output for
python-ldap:

/opt/dirsrv/etc/dirsrv/ssca/ca.crt
/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt
/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key
Traceback (most recent call last):
  File "works.py", line 23, in <module>
    conn.sasl_interactive_bind_s("", sasl_auth)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 244, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.AUTH_UNKNOWN: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'}

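The access-log excerpt quoted in the thread shows the connection finishing its TLS handshake and then being unbound at op=0, so no BIND request ever reached the server: the client gave up during its own mechanism negotiation. The script below is an added example (not from the thread and not part of python-ldap or 389-ds). It parses 389-ds access-log lines in that format, groups them per connection, and reports whether a BIND was attempted, with which mechanism, and how it ended, so that a client-side failure such as SASL(-4) can be told apart from a server-side rejection. The log lines are constructed: conn=9 reproduces the lines from the post, conn=10 is an invented successful SASL/EXTERNAL bind added for contrast, and the layout of the BIND and RESULT lines is an assumption about the 389-ds access-log format.

```python
import re

# Constructed sample in 389-ds access-log format. conn=9 reproduces the lines
# quoted in the thread (TLS handshake, then UNBIND at op=0, no BIND at all);
# conn=10 is an invented successful SASL/EXTERNAL bind added for contrast.
# The BIND/RESULT line layout is assumed from the 389-ds access-log format.
SAMPLE_LOG = """\
[14/Nov/2017:16:03:56.517461686 +1000] conn=9 fd=64 slot=64 SSL connection from ::1 to ::1
[14/Nov/2017:16:03:56.536788945 +1000] conn=9 TLS1.2 128-bit AES-GCM
[14/Nov/2017:16:03:56.556707754 +1000] conn=9 op=0 UNBIND
[14/Nov/2017:16:03:56.556823805 +1000] conn=9 op=0 fd=64 closed - U1
[14/Nov/2017:16:04:10.100000000 +1000] conn=10 fd=65 slot=65 SSL connection from ::1 to ::1
[14/Nov/2017:16:04:10.120000000 +1000] conn=10 TLS1.2 128-bit AES-GCM
[14/Nov/2017:16:04:10.130000000 +1000] conn=10 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[14/Nov/2017:16:04:10.140000000 +1000] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0100 dn="cn=testuser_a,o=testing,l=389ds,st=queensland,c=au"
[14/Nov/2017:16:04:10.150000000 +1000] conn=10 op=1 UNBIND
[14/Nov/2017:16:04:10.151000000 +1000] conn=10 op=1 fd=65 closed - U1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(
    r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)'
    r"(?: version=\d+)?(?: mech=(?P<mech>\S+))?"
)
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+)")
CLOSE_RE = re.compile(r"closed - (?P<reason>\S+)")


def parse_access_log(text):
    """Group access-log lines by conn id, keeping the TLS line, every BIND
    with its RESULT code, and the close reason."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-connection line (or not this format)
        rec = conns.setdefault(int(m.group("conn")),
                               {"tls": None, "binds": {}, "closed": None})
        rest = m.group("rest")
        if rest.startswith("TLS"):
            rec["tls"] = rest  # e.g. "TLS1.2 128-bit AES-GCM"
            continue
        b = BIND_RE.match(rest)
        if b:
            # SASL binds carry mech=...; a simple bind only has method=128
            mech = b.group("mech") or b.group("method")
            rec["binds"][int(b.group("op"))] = {"mech": mech, "err": None}
            continue
        r = RESULT_RE.match(rest)
        if r and int(r.group("op")) in rec["binds"]:
            rec["binds"][int(r.group("op"))]["err"] = int(r.group("err"))
            continue
        c = CLOSE_RE.search(rest)
        if c:
            rec["closed"] = c.group("reason")  # "U1": client sent UNBIND
    return conns


def classify(rec):
    """Verdict for one connection:
    no-bind        TLS came up but the client closed without sending a BIND
                   (the client gave up before the request, as in the thread)
    bind-ok        last BIND got RESULT err=0
    bind-rejected  last BIND got a non-zero RESULT err (server-side refusal)
    bind-pending   BIND seen but no RESULT logged yet
    open           no BIND and the connection is still open
    """
    if not rec["binds"]:
        return "no-bind" if rec["closed"] else "open"
    last = rec["binds"][max(rec["binds"])]
    if last["err"] is None:
        return "bind-pending"
    return "bind-ok" if last["err"] == 0 else "bind-rejected"


def analyze_access_log(text):
    """Map conn id -> {tls, mech, verdict} for every connection in the log."""
    out = {}
    for cid, rec in parse_access_log(text).items():
        mech = rec["binds"][max(rec["binds"])]["mech"] if rec["binds"] else None
        out[cid] = {"tls": rec["tls"], "mech": mech, "verdict": classify(rec)}
    return out


if __name__ == "__main__":
    for cid, info in analyze_access_log(SAMPLE_LOG).items():
        print("conn=%d tls=%r mech=%r verdict=%s"
              % (cid, info["tls"], info["mech"], info["verdict"]))
```

A "no-bind" verdict on a connection that did complete TLS is the signature to look for when chasing an error like the one above: the server never saw a mechanism it could refuse, so the place to investigate is the client's TLS and SASL setup rather than the server's mechanism list. A "bind-rejected" verdict, by contrast, would point at the server side (certificate mapping, access control, or the advertised mechanisms).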

