Bug 47932 - simplify Simple_AD_Connection and add sasl gssapi bind to univention.uldap.access
Status: RESOLVED MOVED
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Florian Best
QA Contact: Samba maintainers
URL: https://git.knut.univention.de/univen...
Depends on:
Blocks:
Reported: 2018-10-09 11:37 CEST by Felix Botner
Modified: 2021-11-12 14:21 CET (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
Simple_AD_Connection.patch (3.98 KB, patch), 2018-10-09 11:38 CEST, Felix Botner
patch (git:fbest/47932-unify-ad-ldap-connection) (8.60 KB, patch), 2021-02-01 22:02 CET, Florian Best

Description Felix Botner univentionstaff 2018-10-09 11:37:46 CEST
univention.connector.ad.Simple_AD_Connection should use univention.uldap.access, and uldap.access should support SASL GSSAPI binds.

The attached patch fixes Simple_AD_Connection to use uldap.access and adds bind_sasl_gssapi to Simple_AD_Connection, this should be moved to uldap.access.
Comment 1 Felix Botner univentionstaff 2018-10-09 11:38:57 CEST
Created attachment 9695 [details]
Simple_AD_Connection.patch
Comment 2 Florian Best univentionstaff 2019-04-11 14:29:58 CEST
I rebased the patch and:
* added the new kdestroy handling
* use absolute paths kinit → /usr/bin/kinit
* don't let kinit/kdestroy output go to stdout/stderr
* ad.open_ad() uses the same handling
→ different error message on failure
* TODO: use the implementation also in univention-adsearch
* TODO: check behavior of scripts/make-deleted-objects-readable-for-this-machine and scripts/well-known-sid-object-rename

I dislike it a little bit to set a global environment variable ('KRB5CCNAME'), but I can't find a way to tell lo.sasl_interactive_bind_s("", ldap.sasl.gssapi("")) to use a specific credentials cache file except via this environment variable. Calling it twice, e.g. with different credential caches, would destroy the other instance, e.g. during an automatic reconnect.

fbest/47932-unify-ad-ldap-connection
https://git.knut.univention.de/univention/ucs/tree/fbest/47932-unify-ad-ldap-connection
Comment 3 Ingo Steuwer univentionstaff 2019-10-28 14:34:21 CET
Does this work if Kerberos isn't correctly configured (i.e. UCS uses its own DNS only and not the AD DNS)?
Comment 4 Florian Best univentionstaff 2019-10-28 14:50:31 CET
(In reply to Ingo Steuwer from comment #3)
> Does this work if Kerberos isn't correctly configured (i.e. UCS uses its own
> DNS only and not the AD DNS)?
This is a code cleanup bug and not a behavior change.
Comment 5 Florian Best univentionstaff 2021-02-01 22:02:38 CET
Created attachment 10608 [details]
patch (git:fbest/47932-unify-ad-ldap-connection)

The situation relaxed in UCS 5.0:
* services/univention-ad-connector/univention-adsearch has been changed from a Python script to ldbsearch
* Simple_AD_Connection has been removed
* scripts/make-deleted-objects-readable-for-this-machine and scripts/well-known-sid-object-rename are inheriting behavior from "ad".

A new patch has been attached which:
* moves get_kerberos_ticket from admember.py to uldap.access
* adds bind_gssapi to uldap.access
* uses these methods in AD-Connector, ucs-test and admember.py
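The following is an added example illustrating the approach discussed in comment 2 (kinit with absolute paths, captured output, kdestroy, and the KRB5CCNAME problem) and the two helpers named in comment 5. It is not code from the attached patches, the AD Connector, or univention.uldap.access; the function names get_kerberos_ticket and bind_gssapi only mirror the names in comment 5, and their bodies, the cache path handling, the lock and the injectable `run` parameter are assumptions made for this example. The kinit flags -k, -t and -c are the standard MIT/Heimdal options.

```python
"""Added example, not the AD Connector's or uldap.access's own code.

A GSSAPI SASL bind whose Kerberos credential cache is private to the
connection.  python-ldap's ldap.sasl.gssapi() has no parameter for the
cache: the GSSAPI library reads KRB5CCNAME from the process environment.
So KRB5CCNAME is set only while kinit and the bind run, restored exactly
afterwards, and all such sections are serialised with a lock so two
connections (e.g. an automatic reconnect) cannot clobber each other's
cache.  Function names mirror comment 5; their bodies are assumptions.
"""
import os
import subprocess
import threading
from contextlib import contextmanager

# Absolute paths, as comment 2 does, so a PATH lookup cannot be hijacked.
KINIT = "/usr/bin/kinit"
KDESTROY = "/usr/bin/kdestroy"

# KRB5CCNAME is process-global: serialise every section that relies on it.
_ccache_lock = threading.Lock()


def current_ccache():
    """The credential cache the GSSAPI library would use right now."""
    return os.environ.get("KRB5CCNAME")


@contextmanager
def scoped_ccache(ccache_path):
    """Point KRB5CCNAME at ccache_path for the block, then restore it exactly."""
    with _ccache_lock:
        previous = current_ccache()
        name = "FILE:%s" % ccache_path
        os.environ["KRB5CCNAME"] = name
        try:
            yield name
        finally:
            if previous is None:
                os.environ.pop("KRB5CCNAME", None)
            else:
                os.environ["KRB5CCNAME"] = previous


def kinit_command(principal, keytab, ccache_path):
    """argv for a non-interactive, keytab-based kinit into an explicit cache.

    -k/-t/-c are the MIT (and Heimdal) kinit flags; no password prompt can appear.
    """
    return [KINIT, "-k", "-t", keytab, "-c", "FILE:%s" % ccache_path, principal]


def get_kerberos_ticket(principal, keytab, ccache_path, run=subprocess.run):
    """Obtain a TGT into ccache_path; kinit's output is captured, never passed through.

    `run` is injectable so the logic can be exercised without a KDC (an
    assumption of this example).  Raises RuntimeError with kinit's stderr.
    """
    result = run(kinit_command(principal, keytab, ccache_path),
                 stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=False)
    if result.returncode != 0:
        message = result.stderr.decode("utf-8", "replace").strip()
        raise RuntimeError("kinit failed for %s: %s" % (principal, message))
    return ccache_path


def destroy_ticket(ccache_path, run=subprocess.run):
    """Discard the private cache; a cache that never existed is not an error."""
    run([KDESTROY, "-c", "FILE:%s" % ccache_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=False)


def bind_gssapi(connection, principal, keytab, ccache_path, run=subprocess.run):
    """kinit into a private cache and do the SASL GSSAPI bind on `connection`.

    `connection` is a python-ldap LDAPObject (anything with
    sasl_interactive_bind_s); passing it in keeps the rest of this file
    importable without python-ldap.
    """
    import ldap.sasl  # python-ldap, only needed here
    with scoped_ccache(ccache_path):
        get_kerberos_ticket(principal, keytab, ccache_path, run=run)
        # Empty bind DN: the identity comes from the ticket, not from a DN.
        connection.sasl_interactive_bind_s("", ldap.sasl.gssapi(""))
    return connection
```

The lock only protects callers that go through scoped_ccache; any other code in the same process that reads or writes KRB5CCNAME, or any bind issued outside the context manager, still sees a process-global variable, which is exactly the limitation comment 2 describes. Pair each bind_gssapi with destroy_ticket on close so per-connection caches do not accumulate under /tmp.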