Windows客户端的无密码Python LDAP3身份验证 [英] Passwordless Python LDAP3 authentication from Windows client

问题描述

我正在使用出色的ldap3软件包，并且尝试与活动目录服务器建立连接，但无需提供纯文本形式的实际凭据.

I am using the great ldap3 package and I am trying to connect with a active directory server but without requiring to provide actual credentials in plain text.

支持以下SASL机制. ['GSSAPI', 'GSS-SPNEGO', 'EXTERNAL', 'DIGEST-MD5']

Following SASL mechanisms are supported. ['GSSAPI', 'GSS-SPNEGO', 'EXTERNAL', 'DIGEST-MD5']

我尝试安装软件包GSSAPI，但在Windows计算机上不起作用. pip install gssapi上的错误为: subprocess.CalledProcessError: Command 'krb5-config --libs gssapi' returned non-zero exit status 1.

I tried to install the package GSSAPI but that doesn't work on my Windows machine. Error on pip install gssapi was: subprocess.CalledProcessError: Command 'krb5-config --libs gssapi' returned non-zero exit status 1.

有人可以为此提供一个简单的例子吗? 我相信GSS-SPNEGO可能是解决方案，但我在互联网上找不到任何可理解的例子.

Can anybody provide a simple example for that? I believe GSS-SPNEGO could be the solution but I did't find any comprehensible example in the internet.

推荐答案

谢谢您提出这个问题.我今天给了它最后一枪，让它起作用.

Thank you for asking this. I gave it one last shot today and got it to work.

在此链接中查看Davide的答案:如何安装gssapi python模块在Windows上?

See Davide's answer in this link: How to install gssapi python module on windows?

它要求您具有ldap3软件包并安装winkerberos软件包:

It requires you to have the ldap3 package and to install the winkerberos package:

pip安装winkerberos

pip install winkerberos

然后，您需要用他链接到的站点包(PYTHON_HOME \ Lib \ site-packages \ ldap3 \ protocol \ sasl \ kerberos.py)替换站点包中的kerberos.py文件. //github.com/Morgan-Stanley/treadmill/blob/master/lib/python/treadmill/ldap3kerberos.py"rel =" noreferrer>替换kerberos.py .

Then you need to replace the kerberos.py file in your site-packages (PYTHON_HOME\Lib\site-packages\ldap3\protocol\sasl\kerberos.py) with the one he links to replacement kerberos.py.

您需要在替换的kerberos.py文件中更改以下行:

You need to change the following line in the replacement kerberos.py file:

从跑步机上将kerberoswrapper导入为kerberos

更改为

将winkerberos导入为kerberos

然后您可以像这样连接:

Then you can connect like this:

from ldap3 import Server, Connection, Tls, SASL, GSSAPI
import ssl

tls = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1)
server = Server('server_fqdn', use_ssl=True, tls=tls)
c = Connection(server, authentication=SASL, sasl_mechanism=GSSAPI)
c.bind()
print(c.extend.standard.who_am_i())
c.unbind()

用您的AD服务器的完全限定域名替换server_fqdn.

Replace server_fqdn with the fully qualified domain name of your AD server.

您可能希望将版本值更改为AD服务器使用的任何协议.

You may want to change the version value to whatever protocol your AD server uses.

如果有人没有那么麻烦的方法来完成此操作，请进来！

If someone has a less messy method to accomplish this please chime in!

这篇关于Windows客户端的无密码Python LDAP3身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！