diff --git a/services/univention-ad-connector/modules/univention/connector/ad/__init__.py b/services/univention-ad-connector/modules/univention/connector/ad/__init__.py
index 2e479cb..2d3dbec 100644
--- a/services/univention-ad-connector/modules/univention/connector/ad/__init__.py
+++ b/services/univention-ad-connector/modules/univention/connector/ad/__init__.py
@@ -756,7 +756,7 @@ def format_escaped(format_string, *args, **kwargs):
 	"""
 	return LDAPEscapeFormatter().format(format_string, *args, **kwargs)
 
-class Simple_AD_Connection():
+class Simple_AD_Connection(object):
 	'''
 	stripped down univention.connector.ad.ad class
 	difference: accept "bindpwd" directly instead of "bindpw" filename
@@ -765,6 +765,22 @@ class Simple_AD_Connection():
 	difference: don't use TLS
 	'''
 
+	def bind_sasl_gssapi(self, binddn, bindpw, access):
+		ENV_KRB5CCNAME = 'KRB5CCNAME'
+		princ = binddn
+		if ldap.dn.is_dn(princ):
+			princ = ldap.dn.str2dn(princ)[0][0][1]
+		os.environ[ENV_KRB5CCNAME] = '/var/cache/univention-ad-connector/krb5.cc.well'
+		with NamedTemporaryFile('w') as tmp_file:
+			tmp_file.write(bindpw)
+			tmp_file.flush()
+			cmd_block = ['kinit', '--no-addresses', '--password-file=%s' % tmp_file.name, princ]
+			p1 = subprocess.Popen(cmd_block, close_fds=True)
+			stdout, stderr = p1.communicate()
+		auth = ldap.sasl.gssapi("")
+		access.lo.sasl_interactive_bind_s("", auth)
+		return access
+
 	def __init__(self, CONFIGBASENAME, ucr, host, port, base, binddn, bindpw, certificate):
 		self.CONFIGBASENAME = CONFIGBASENAME
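Review bot: In `bind_sasl_gssapi` the exit status of kinit is never checked: `p1` is created without pipes, so `stdout, stderr = p1.communicate()` only yields `(None, None)`, and a failed kinit (wrong password, unreachable KDC) stays silent while `access.lo.sasl_interactive_bind_s("", auth)` then runs against whatever ticket already sits in the shared ccache `/var/cache/univention-ad-connector/krb5.cc.well`, surfacing later as an unrelated SASL error. Replacing the two Popen lines with `subprocess.check_call(cmd_block, close_fds=True)` raises `CalledProcessError` at the point of failure and drops the unused `stdout, stderr`. Note also that `os.environ[ENV_KRB5CCNAME] = ...` changes the environment of the whole process and is never restored, which presumably is intended for the connector daemon but deserves a comment such as `# kinit and the later GSSAPI bind both read KRB5CCNAME; set process-wide on purpose`. As a point of style, `ENV_KRB5CCNAME` is a method-local constant; either hoist it to module level or write the literal `'KRB5CCNAME'` directly.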
@@ -776,37 +792,27 @@ class Simple_AD_Connection():
 		self.bindpw = bindpw
 		self.certificate = certificate
 		self.ucr = ucr
 
-		self.protocol = 'ldaps' if ucr.is_true('%s/ad/ldap/ldaps' % CONFIGBASENAME, False) else 'ldap'
-		self.uri = "%s://%s:%d" % (self.protocol, self.host, int(self.port))
-
-		if self.certificate:
-			ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.certificate)
-
-		#ldap.set_option(ldap.OPT_DEBUG_LEVEL, 4095)
-		#ldap._trace_level = 9
-		#ldap.set_option(ldap.OPT_X_SASL_SSF_MIN, 1)
-		#ldap.set_option(ldap.OPT_X_SASL_SECPROPS, "minssf=1")
-
-		self.lo = ldap.ldapobject.ReconnectLDAPObject(self.uri, retry_max=10, retry_delay=1)
-
+		self.ldaps = self.ucr.is_true('%s/ad/ldap/ldaps' % self.CONFIGBASENAME, False)
+
+		access = univention.uldap.access(
+			host=self.host,
+			port=int(self.port),
+			base=self.base,
+			binddn=None,
+			bindpw=None,
+			start_tls=0,
+			use_ldaps=self.ldaps,
+			ca_certfile=self.certificate,
+			follow_referral=True,
+			decode_ignorelist=['objectSid', 'objectGUID', 'repsFrom', 'replUpToDateVector', 'ipsecData', 'logonHours', 'userCertificate', 'dNSProperty', 'dnsRecord', 'member'])
+
+		# TODO move sasl/gssapi ldap authentication to uldap.access
 		if ucr.is_true('%s/ad/ldap/kerberos' % CONFIGBASENAME):
-			princ = self.binddn
-			if ldap.dn.is_dn(self.binddn):
-				princ = ldap.dn.str2dn(self.binddn)[0][0][1]
-			os.environ['KRB5CCNAME'] = '/var/cache/univention-ad-connector/krb5.cc.well'
-			with NamedTemporaryFile('w') as tmp_file:
-				tmp_file.write(self.bindpw)
-				tmp_file.flush()
-				cmd_block = ['kinit', '--no-addresses', '--password-file=%s' % tmp_file.name, princ]
-				p1 = subprocess.Popen(cmd_block, close_fds=True)
-				stdout, stderr = p1.communicate()
-			auth = ldap.sasl.gssapi("")
-			self.lo.sasl_interactive_bind_s("", auth)
+			access = self.bind_sasl_gssapi(self.binddn, self.bindpw, access)
 		else:
-			self.lo.simple_bind_s(self.binddn, self.bindpw)
-
-		self.lo.set_option(ldap.OPT_REFERRALS, 0)
+			access.bind(self.binddn, self.bindpw)
+		self.lo = access.lo
 		self.ad_sid = None
 		result = self.lo.search_ext_s(self.base, ldap.SCOPE_BASE, 'objectclass=domain', ['objectSid'], timeout=-1, sizelimit=0)
 		if 'objectSid' in result[0][1]:
diff --git a/test/ucs-ec2-tools b/test/ucs-ec2-tools
index 755b752..612aa4a 160000
--- a/test/ucs-ec2-tools
+++ b/test/ucs-ec2-tools
@@ -1 +1 @@
-Subproject commit 755b752d461b62ba29666294762e04f00ea9a74f
+Subproject commit 612aa4a35d7ee61d9a57b4102981d8444bdcb22e
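Review bot: The removed `self.lo.set_option(ldap.OPT_REFERRALS, 0)` has no counterpart in the new code, and `univention.uldap.access(...)` is now constructed with `follow_referral=True`; unless uldap.access disables libldap's built-in referral chasing itself (not visible in this hunk), the referrals AD commonly returns would be chased automatically, which changes both where the bind credentials travel and what `search_ext_s` returns. Please confirm that behaviour in uldap.access, or restore it explicitly with `access.lo.set_option(ldap.OPT_REFERRALS, 0)` before `self.lo = access.lo`. As a point of style, the added `self.ldaps = self.ucr.is_true('%s/ad/ldap/ldaps' % self.CONFIGBASENAME, False)` reads the attributes while the kerberos check a few lines below still reads the bare `ucr` and `CONFIGBASENAME` parameters; pick one form. `__init__` continues past the end of the hunk.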