Univention Bugzilla – Bug 47932
simplify Simple_AD_Connection and add sasl gssapi bind to univention.uldap.access
Last modified: 2021-11-12 14:21:00 CET
univention.connector.ad.Simple_AD_Connection should use univention.uldap.access, and uldap.access should support SASL GSSAPI binds. The attached patch fixes Simple_AD_Connection to use uldap.access and adds bind_sasl_gssapi to Simple_AD_Connection; this should be moved to uldap.access.
Created attachment 9695: Simple_AD_Connection.patch
I rebased the patch and:

* added the new kdestroy handling
* use absolute paths: kinit → /usr/bin/kinit
* don't let kinit/kdestroy output go to stdout/stderr
* ad.open_ad() uses the same handling → different error message on failure
* TODO: use the implementation also in univention-adsearch
* TODO: check behavior of scripts/make-deleted-objects-readable-for-this-machine and scripts/well-known-sid-object-rename

I dislike a little bit setting a global environment variable ('KRB5CCNAME'), but I can't find a way to tell lo.sasl_interactive_bind_s("", ldap.sasl.gssapi("")) to use a specific credentials cache file except this environment variable. Calling it twice, e.g. with different credential caches, would destroy the other instance, e.g. during an automatic reconnect.

fbest/47932-unify-ad-ldap-connection
https://git.knut.univention.de/univention/ucs/tree/fbest/47932-unify-ad-ldap-connection
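The KRB5CCNAME problem described in the comment above, as an added example that is not code from the bug, the patch or UCS: python-ldap's `sasl_interactive_bind_s` with `ldap.sasl.gssapi` takes no credential-cache argument, so the cache is selected through the process-global KRB5CCNAME variable. The example keeps that variable set only for the duration of the bind and restores the previous value afterwards, which at least stops two connections set up in sequence from clobbering each other. The helper names (`krb5_ccache`, `kinit_to_cache`, `bind_gssapi`), the `/etc/krb5.keytab` path and the `/tmp/...` cache paths are assumptions; `/usr/bin/kinit` and `/usr/bin/kdestroy` are the absolute paths the comment names. The `kinit`/`kdestroy` flags `-c`, `-k` and `-t` are standard MIT Kerberos options.

```python
import os
import subprocess
from contextlib import contextmanager

# Absolute paths as in the comment; output is discarded, as the comment describes.
KINIT = "/usr/bin/kinit"
KDESTROY = "/usr/bin/kdestroy"


@contextmanager
def krb5_ccache(ccache_path):
    """Point KRB5CCNAME at a per-connection cache, then restore the old value.

    KRB5CCNAME is process-global: two binds that both set it and never
    restore it will use whichever cache was set last.  Holding the variable
    only for the duration of the bind limits the damage to that window.
    """
    previous = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = "FILE:" + ccache_path
    try:
        yield os.environ["KRB5CCNAME"]
    finally:
        if previous is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = previous


def kinit_to_cache(principal, ccache_path, keytab="/etc/krb5.keytab"):
    """Obtain a TGT for `principal` from a keytab into `ccache_path` (hypothetical helper).

    Output is discarded; a non-zero exit raises CalledProcessError so the caller
    can turn it into its own error message instead of leaking kinit's text.
    """
    subprocess.run(
        [KINIT, "-k", "-t", keytab, "-c", ccache_path, principal],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=True,
    )


def kdestroy_cache(ccache_path):
    """Remove the per-connection cache again (hypothetical helper)."""
    subprocess.run(
        [KDESTROY, "-c", ccache_path],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
    )


def bind_gssapi(uri, ccache_path):
    """GSSAPI-bind a python-ldap connection using the credentials in `ccache_path`.

    python-ldap is imported lazily so the environment helpers above can be
    used (and tested) on a host without it installed.
    """
    import ldap
    import ldap.sasl

    lo = ldap.initialize(uri)
    with krb5_ccache(ccache_path):
        # The cache is chosen by KRB5CCNAME at bind time; nothing in the
        # call itself names it, which is the limitation the comment describes.
        lo.sasl_interactive_bind_s("", ldap.sasl.gssapi(""))
    return lo


def check_env_isolation(ccache_path, previous):
    """Report KRB5CCNAME inside the context and after it, starting from `previous`."""
    if previous is None:
        os.environ.pop("KRB5CCNAME", None)
    else:
        os.environ["KRB5CCNAME"] = previous
    with krb5_ccache(ccache_path):
        inside = os.environ.get("KRB5CCNAME")
    return inside, os.environ.get("KRB5CCNAME")


if __name__ == "__main__":
    # Constructed cache paths; no KDC or LDAP server is contacted here.
    print(check_env_isolation("/tmp/uldap-example.ccache", None))
    print(check_env_isolation("/tmp/uldap-example.ccache", "FILE:/tmp/other.ccache"))
```

Restoring the variable only covers the initial bind. A reconnecting connection object re-runs the bind later, at a point where KRB5CCNAME may already belong to another instance, so the reconnect case the comment raises is not solved by this pattern; it needs either one cache per process or the bind and rebind to go through the same context manager.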
Does this work if Kerberos isn't correctly configured (i.e. UCS uses its own DNS only and not the AD DNS)?
(In reply to Ingo Steuwer from comment #3)
> Does this work if Kerberos isn't correctly configured (i.e. UCS uses its own
> DNS only and not the AD DNS)?

This is a code cleanup bug and not a behavior change.
Created attachment 10608: patch (git:fbest/47932-unify-ad-ldap-connection)

The situation relaxed in UCS 5.0:

* services/univention-ad-connector/univention-adsearch has been changed from a python script to ldbsearch
* Simple_AD_Connection has been removed
* scripts/make-deleted-objects-readable-for-this-machine and scripts/well-known-sid-object-rename are inheriting behavior from "ad".

A new patch has been attached which:

* moves get_kerberos_ticket from admember.py to uldap.access
* adds bind_gssapi to uldap.access
* uses these methods in AD-Connector, ucs-test and admember.py