Attachment #10608 for bug #47932





def _get_kerberos_ticket(principal, password, ucr=None):
	# type: (str, str, Optional[ConfigRegistry]) -> None
	try:
		return univention.uldap.access.get_kerberos_ticket(principal, password)
	except ldap.LOCAL_ERROR as exc:
		raise connectionFailed(str(exc))

	# We need to remove the target credential cache first,
	# otherwise kinit may use an old ticket and run into "krb5_get_init_creds: Clock skew too great".
	cmd1 = ("/usr/bin/kdestroy",)
	p1 = subprocess.Popen(cmd1, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)
	stdout, stderr = p1.communicate()
	if p1.returncode != 0:
		ud.debug(ud.MODULE, ud.ERROR, "kdestroy failed:\n%s" % stdout.decode('UTF-8', 'replace'))

	with tempfile.NamedTemporaryFile('w+') as f:
		os.fchmod(f.fileno(), 0o600)
		f.write(password)
		f.flush()

		cmd2 = ("/usr/bin/kinit", "--no-addresses", "--password-file=%s" % (f.name,), principal)
		p1 = subprocess.Popen(cmd2, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)
		stdout, stderr = p1.communicate()
		if p1.returncode != 0:
			msg = "kinit failed:\n%s" % (stdout.decode('UTF-8', 'replace'),)
			ud.debug(ud.MODULE, ud.ERROR, msg)
			raise connectionFailed(msg)
		if stdout:
			ud.debug(ud.MODULE, ud.WARN, "kinit output:\n%s" % stdout.decode('UTF-8', 'replace'))


def check_connection(ad_domain_info, username, password):

(-)base/univention-python/modules/uldap.py (+41 lines)

Lines 30-38	Link Here

# /usr/share/common-licenses/AGPL-3; if not, see

# /usr/share/common-licenses/AGPL-3; if not, see

# <https://www.gnu.org/licenses/>.

# <https://www.gnu.org/licenses/>.

import os

import re

import re

from functools import wraps

from functools import wraps

import random

import random

import subprocess

from tempfile import NamedTemporaryFile

import six

import six

import ldap

import ldap

Lines 319-324 class access(object):	Link Here

319

		self.binddn = self.whoami()

322

		self.binddn = self.whoami()

320

		univention.debug.debug(univention.debug.LDAP, univention.debug.INFO, 'SAML bind binddn=%s' % self.binddn)

323

		univention.debug.debug(univention.debug.LDAP, univention.debug.INFO, 'SAML bind binddn=%s' % self.binddn)

321

324

325

	@_fix_reconnect_handling

326

	def bind_sasl_gssapi(self, binddn, bindpw, credentials_cache=None):

327

		# type: (str, str, Optional[str]) -> None

328

		if credentials_cache:

329

			os.environ['KRB5CCNAME'] = credentials_cache

330

331

		self.get_kerberos_ticket()

332

		self.lo.sasl_interactive_bind_s("", ldap.sasl.gssapi(""))

333

334

	@staticmethod

335

	def get_kerberos_ticket(principal, password):

336

		# type: (str, str) -> None

337

		ud = univention.debug

338

		ud.debug(ud.MODULE, ud.INFO, "running _get_kerberos_ticket")

339

340

		# We need to remove the target credential cache first,

341

		# otherwise kinit may use an old ticket and run into "krb5_get_init_creds: Clock skew too great".

342

		cmd1 = ("/usr/bin/kdestroy",)

343

		p1 = subprocess.Popen(cmd1, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)

344

		stdout, stderr = p1.communicate()

345

		if p1.returncode != 0:

346

			ud.debug(ud.MODULE, ud.ERROR, "kdestroy failed:\n%s" % stdout.decode('UTF-8', 'replace'))

347

348

		with NamedTemporaryFile('w+') as f:

349

			os.fchmod(f.fileno(), 0o600)

350

			f.write(password)

351

			f.flush()

352

353

			cmd2 = ("/usr/bin/kinit", "--no-addresses", "--password-file=%s" % (f.name,), principal)

354

			p1 = subprocess.Popen(cmd2, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)

355

			stdout, stderr = p1.communicate()

356

			if p1.returncode != 0:

357

				msg = "kinit failed:\n%s" % (stdout.decode('UTF-8', 'replace'),)

358

				ud.debug(ud.MODULE, ud.ERROR, msg)

359

				raise ldap.LOCAL_ERROR(msg)

360

			if stdout:

361

				ud.debug(ud.MODULE, ud.WARN, "kinit output:\n%s" % stdout.decode('UTF-8', 'replace'))

362

322

	def unbind(self):

363

	def unbind(self):

323

		# type: () -> None

364

		# type: () -> None

324

"""

365

"""




import calendar
import string
import base64
import subprocess
from tempfile import NamedTemporaryFile

import six
import ldap

		sid = self.samr.LookupDomain(handle, sam_domain)
		self.dom_handle = self.samr.OpenDomain(handle, security.SEC_FLAG_MAXIMUM_ALLOWED, sid)

	def get_kerberos_ticket(self):
		p1 = subprocess.Popen(['kdestroy', ], close_fds=True)
		p1.wait()
		with NamedTemporaryFile('w') as fd:
			fd.write(self.ad_ldap_bindpw)
			fd.flush()
			cmd_block = ['kinit', '--no-addresses', '--password-file=%s' % (fd.name,), self.ad_ldap_binddn]
			p1 = subprocess.Popen(cmd_block, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)
			stdout, stderr = p1.communicate()
		if p1.returncode != 0:
			raise kerberosAuthenticationFailed('The following command failed: "%s" (%s): %s' % (' '.join(cmd_block), p1.returncode, stdout.decode('UTF-8', 'replace')))

	def ad_search_ext_s(self, *args, **kwargs):
		return fix_dn_in_search(self.lo_ad.lo.search_ext_s(*args, **kwargs))


		except Exception:  # FIXME: which exception is to be caught
			self._debug_traceback(ud.ERROR, 'Failed to lookup AD LDAP base, using UCR value.')

		self.lo_ad = univention.uldap.access(
			host=self.ad_ldap_host, port=int(self.ad_ldap_port),
			base=self.ad_ldap_base, binddn=None, bindpw=None,
			start_tls=tls_mode, use_ldaps=ldaps,
			ca_certfile=self.ad_ldap_certificate,
		)

		if self.configRegistry.is_true('%s/ad/ldap/kerberos' % self.CONFIGBASENAME):
			try:
				self.lo_ad.bind_sasl_gssapi(self.ad_ldap_binddn, self.ad_ldap_bindpw, '/var/cache/univention-ad-connector/krb5.cc')
			except ldap.LOCAL_ERROR as exc:
				raise kerberosAuthenticationFailed(str(exc))
			self.get_kerberos_ticket()
			self.lo_ad.lo.sasl_interactive_bind_s("", auth)
		else:
			self.lo_ad.bind(self.ad_ldap_binddn, self.ad_ldap_bindpw)

		self.lo_ad.lo.set_option(ldap.OPT_REFERRALS, 0)


(-)test/ucs-test/lib/ldap_glue.py (-11 / +3 lines)

Lines 1-5	Link Here

import os

import os

import subprocess

import ldap

import ldap

import ldap.dn

import ldap.dn

Lines 7-12 from univention.config_registry import ConfigRegistry	Link Here

from ldap.controls import LDAPControl

from ldap.controls import LDAPControl

import ldap.modlist as modlist

import ldap.modlist as modlist

import univention.uldap

ucr = ConfigRegistry()

ucr = ConfigRegistry()

ucr.load()

ucr.load()

Lines 72-78 class LDAPConnection(object):	Link Here

		try:

		try:

			if self.kerberos:

			if self.kerberos:

				os.environ['KRB5CCNAME'] = '/tmp/ucs-test-ldap-glue.cc'

				os.environ['KRB5CCNAME'] = '/tmp/ucs-test-ldap-glue.cc'

				self.get_kerberos_ticket()

				univention.uldap.access.get_kerberos_ticket(self.principal, open(self.pw_file).read().strip())

				auth = ldap.sasl.gssapi("")

				auth = ldap.sasl.gssapi("")

				self.lo.sasl_interactive_bind_s("", auth)

				self.lo.sasl_interactive_bind_s("", auth)

			else:

			else:

Lines 88-102 class LDAPConnection(object):	Link Here

		self.lo.set_option(ldap.OPT_REFERRALS, 0)

		self.lo.set_option(ldap.OPT_REFERRALS, 0)

	def get_kerberos_ticket(self):

		p1 = subprocess.Popen(['kdestroy', ], close_fds=True)

		p1.wait()

		cmd_block = ['kinit', '--no-addresses', '--password-file=%s' % self.pw_file, self.principal]

		p1 = subprocess.Popen(cmd_block, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True)

		stdout, stderr = p1.communicate()

		if p1.returncode != 0:

			raise Exception('The following command failed: "%s" (%s): %s' % (''.join(cmd_block), p1.returncode, stdout.decode('UTF-8')))

100

	def exists(self, dn):

	def exists(self, dn):

101

		try:

		try:

102

			self.lo.search_ext_s(dn, ldap.SCOPE_BASE, timeout=10)

			self.lo.search_ext_s(dn, ldap.SCOPE_BASE, timeout=10)

Return to bug 47932