[python-ldap] Issue with sasl binds

William Brown william at blackhats.net.au
Tue Nov 14 17:53:45 EST 2017


On Tue, 2017-11-14 at 09:54 +0100, Michael Ströder wrote:
> William Brown wrote:
> > I can properly use ldapwhoami from the cli with TLS EXTERNAL:
> > 
> > LDAPTLS_KEY=/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key
> > LDAPTLS_CERT=/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt
> > LDAPTLS_CACERT=/opt/dirsrv/etc/dirsrv/ssca/ca.crt ldapwhoami -Y
> > EXTERNAL -H ldaps://localhost:63601/
> > 
> > SASL/EXTERNAL authentication started
> > SASL username: cn=testuser_a,o=testing,l=389ds,st=Queensland,c=AU
> > SASL SSF: 0
> > dn: cn=testuser_a,O=testing,L=389ds,ST=Queensland,C=AU
> > 
> > However, the same with python-ldap does not work.
> > 
> > import ldap
> > import ldap.sasl  # explicit import so ldap.sasl.external() is available
> > 
> > tls_locs = {
> >     'ca': '/opt/dirsrv/etc/dirsrv/ssca/ca.crt',
> >     'crt': '/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt',
> >     'key': '/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key',
> > }
> > 
> > ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_locs['ca'])
> > 
> > conn = ldap.initialize('ldaps://localhost:63601')
> > 
> > conn.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_locs['ca'])
> > conn.set_option(ldap.OPT_X_TLS_CERTFILE, tls_locs['crt'])
> > conn.set_option(ldap.OPT_X_TLS_KEYFILE, tls_locs['key'])
> > 
> > print(conn.get_option(ldap.OPT_X_TLS_CACERTFILE))
> > print(conn.get_option(ldap.OPT_X_TLS_CERTFILE))
> > print(conn.get_option(ldap.OPT_X_TLS_KEYFILE))
> > 
> > sasl_auth = ldap.sasl.external()
> > conn.sasl_interactive_bind_s("", sasl_auth)
> > 
> > # DN that the ldapwhoami run above reported for this client certificate
> > dn = "cn=testuser_a,o=testing,l=389ds,st=Queensland,c=AU"
> > assert(conn.whoami_s().lower() == "dn: %s" % dn.lower())
> > conn.unbind_s()
> > [..]
> > ldap.AUTH_UNKNOWN: {'desc': 'Unknown authentication method',
> > 'info':
> > 'SASL(-4): no mechanism available: '}
> 
> You typically get this error when TLS client cert was not used.
> 
> python-ldap is a wrapper above libldap and therefore inherits some of
> its strange API characteristics. In this case it's the initialization
> of the SSL context.
> 
> You have to use
> 
> conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
> 
> *after* setting *all* connection-specific TLS options which AFAIK
> triggers creating a new SSLContext in libldap.
> 
> The alternative is to set the options globally just like you did with
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, …). But this does not work
> if your application wants to have connections with different TLS
> parameters.

Indeed. This does the trick. Thanks for that mate, 

> 
> Ciao, Michael.
> 
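The per-connection sequence Michael describes, written out as an added example that is not code from the thread or from the python-ldap project. The URI and file paths are hypothetical (modelled on the 389ds test setup above), and the `OPT_X_TLS_REQUIRE_CERT` / `OPT_X_TLS_DEMAND` setting is an addition the thread does not discuss, included so the server certificate is verified as well as the client's. The ordering helper and the identity check run without python-ldap installed; the bind itself needs it.

```python
try:
    import ldap
    import ldap.sasl
except ImportError:  # lets the ordering helper and DN check be inspected without python-ldap
    ldap = None


def _opt(name):
    """Resolve a python-ldap constant by name (pass the name through when the module is absent)."""
    return getattr(ldap, name) if ldap is not None else name


def tls_option_calls(ca_file, cert_file, key_file):
    """Per-connection TLS options as (option name, value) pairs, in the order they must be set.

    OPT_X_TLS_NEWCTX has to come last: it is what makes libldap build a fresh
    SSL context from the file options set before it. Set it earlier, or not at
    all, and the client certificate is never loaded, so SASL/EXTERNAL fails with
    'SASL(-4): no mechanism available'.
    """
    return [
        ("OPT_X_TLS_CACERTFILE", ca_file),
        ("OPT_X_TLS_CERTFILE", cert_file),
        ("OPT_X_TLS_KEYFILE", key_file),
        # Not part of the thread: also verify the server's certificate chain.
        ("OPT_X_TLS_REQUIRE_CERT", _opt("OPT_X_TLS_DEMAND")),
        ("OPT_X_TLS_NEWCTX", 0),
    ]


def configure_client_tls(conn, ca_file, cert_file, key_file):
    """Apply the TLS options to an LDAPObject in the required order."""
    for name, value in tls_option_calls(ca_file, cert_file, key_file):
        conn.set_option(_opt(name), value)


def bound_as(whoami, expected_dn):
    """True if a whoami_s() result ('dn: <DN>') names expected_dn.

    Compared case-insensitively because the server may normalise attribute
    type case (the thread shows o=testing returned as O=testing).
    """
    prefix, _, dn = whoami.partition(":")
    return prefix.strip().lower() == "dn" and dn.strip().lower() == expected_dn.strip().lower()


def tls_external_whoami(uri, ca_file, cert_file, key_file):
    """Bind with SASL/EXTERNAL over ldaps:// using the client certificate; return whoami_s()."""
    conn = ldap.initialize(uri)
    configure_client_tls(conn, ca_file, cert_file, key_file)
    conn.sasl_interactive_bind_s("", ldap.sasl.external())
    try:
        return conn.whoami_s()
    finally:
        conn.unbind_s()


if __name__ == "__main__":
    # Hypothetical values: adjust to your directory server and certificate locations.
    result = tls_external_whoami(
        "ldaps://localhost:63601",
        "/opt/dirsrv/etc/dirsrv/ssca/ca.crt",
        "/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt",
        "/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key",
    )
    print(result)
    # Check the identity the server actually bound, not just that the bind succeeded.
    print(bound_as(result, "cn=testuser_a,o=testing,l=389ds,st=Queensland,c=AU"))
```

Because the options are applied to the connection object rather than via the module-level `ldap.set_option`, two connections in the same process can use different client certificates; the global approach Michael mentions cannot do that.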

