Passwordless Python LDAP3 authentication from Windows client


Question

I am using the great ldap3 package and I am trying to connect to an Active Directory server, but without having to provide actual credentials in plain text.

The following SASL mechanisms are supported: ['GSSAPI', 'GSS-SPNEGO', 'EXTERNAL', 'DIGEST-MD5']

I tried to install the package GSSAPI but that doesn't work on my Windows machine. Error on pip install gssapi was: subprocess.CalledProcessError: Command 'krb5-config --libs gssapi' returned non-zero exit status 1.

Can anybody provide a simple example for that? I believe GSS-SPNEGO could be the solution but I didn't find any comprehensible example on the internet.

Recommended answer

Thank you for asking this. I gave it one last shot today and got it to work.

See David's answer.

It requires you to have the ldap3 package and to install the winkerberos package:

pip install winkerberos

Then you need to replace the kerberos.py file in your site-packages (PYTHON_HOME\Lib\site-packages\ldap3\protocol\sasl\kerberos.py) with the one he links to (replacement kerberos.py).

You need to change the following line in the replacement kerberos.py file:

from treadmill import kerberoswrapper as kerberos 

to

import winkerberos as kerberos

Then you can connect like this:

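from ldap3 import Server, Connection, Tls, SASL, GSSAPI
import ssl

# TLS settings for the LDAPS connection; CERT_NONE means the server certificate is not validated
tls = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1)
server = Server('server_fqdn', use_ssl=True, tls=tls)
# SASL/GSSAPI bind: uses the Kerberos credentials of the logged-on Windows user, so no password is passed
c = Connection(server, authentication=SASL, sasl_mechanism=GSSAPI)
c.bind()
# Print the identity the server bound this connection as
print(c.extend.standard.who_am_i())
c.unbind()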

Replace server_fqdn with the fully qualified domain name of your AD server.

You may want to change the version value to whatever protocol your AD server uses.

If someone has a less messy method to accomplish this please chime in!
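
Added example (not part of the original answer and not ldap3's own code): the same GSSAPI bind with certificate validation left on, plus a small check that flags the two weak Tls values used in the snippet above. The function names, the optional ca_certs_file argument and the decision to treat TLS 1.0/1.1 as obsolete are assumptions of this example.

```python
import ssl

# Assumption of this example: pinning TLS 1.0 or 1.1 counts as a weakness.
OBSOLETE = {getattr(ssl, n) for n in ("PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1")
            if hasattr(ssl, n)}


def tls_findings(validate, version=None):
    """List weaknesses in the values passed to ldap3 Tls(validate=..., version=...)."""
    findings = []
    if validate == ssl.CERT_NONE:
        findings.append("server certificate not validated: the Kerberos bind "
                        "runs over a channel any host on the path can terminate")
    if version in OBSOLETE:
        findings.append("obsolete TLS protocol version pinned")
    return findings


def hardened_tls_kwargs(ca_certs_file=None):
    """Tls keyword arguments that require a valid server certificate.

    version is left unset so the protocol is not pinned to an old release.
    ca_certs_file (hypothetical path) is for a private AD certificate authority.
    """
    kwargs = {"validate": ssl.CERT_REQUIRED}
    if ca_certs_file:
        kwargs["ca_certs_file"] = ca_certs_file
    return kwargs


def whoami_via_kerberos(server_fqdn, ca_certs_file=None):
    """Bind with SASL/GSSAPI over validated TLS and return the bound identity."""
    # Imported here so the checks above run without ldap3/winkerberos installed.
    from ldap3 import Server, Connection, Tls, SASL, GSSAPI
    kwargs = hardened_tls_kwargs(ca_certs_file)
    if tls_findings(kwargs["validate"], kwargs.get("version")):
        raise ValueError("refusing to connect with weak TLS settings")
    # server_fqdn should be a name that appears in the server's certificate.
    server = Server(server_fqdn, use_ssl=True, tls=Tls(**kwargs))
    conn = Connection(server, authentication=SASL, sasl_mechanism=GSSAPI)
    if not conn.bind():
        raise RuntimeError("GSSAPI bind failed: %s" % conn.result)
    try:
        return conn.extend.standard.who_am_i()
    finally:
        conn.unbind()


if __name__ == "__main__":
    # The values from the snippet above, checked without contacting any server.
    print(tls_findings(ssl.CERT_NONE, getattr(ssl, "PROTOCOL_TLSv1", None)))
```
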
