通过SSL的python和ldap [英] python and ldap via SSL

查看:507
本文介绍了通过SSL的python和ldap的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我尝试使用python查询Active Directory服务器,该方法工作正常.但是现在,我不想发送未加密的凭据,因此我想使用LDAP. 是否有捷径可寻?到目前为止,我发现我只需要添加此选项:

I try to query an Active Directory Server with python which works fine. But now I don't want to send my credentials unencrypted on the wire, so I'd like to use LDAPs. Is there an easy way to do this? All I found till now was that I had to add this option:

l.set_option(ldap.OPT_X_TLS_CACERTFILE,'/path/to/my/Ca.pem')

但是我实际上不想获得CA证书或正确的证书并进行验证.当然,从安全角度来看,我应该确认我的通讯伙伴是正确的,但是我不在乎我的内部网络,而是希望它更容易处理. 如果我只是将LDAP URL从ldap更改为ldaps,则会收到此错误:

But I actually don't want to get the CA cert or a correct cert and verify that as well. Sure, from a security perspective I should verify that my communication partner is the correct one, but I don't care on my internal network and want this just easier to handle. If I just change the LDAP URL from ldap to ldaps I get this error:

Traceback (most recent call last):
  File "./ldap-to-sql.py", line 21, in <module>
    bind = l.simple_bind_s(USERNAME, PASS)
  File "/usr/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 214, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 208, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/usr/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'info': 'SSLHandshake() failed: misc. bad certificate (-9825)', 'desc': "Can't contact LDAP server"}

推荐答案

我正在使用Samba4 DC和python ldap模块进行一些测试,而我已经完成了以下示例:

i was doing some tests with a Samba4 DC and python ldap module and i've done this example:

#!/usr/bin/env python2
# -*- coding: utf-8 -*-

import ldap, ldapurl, subprocess, sys, shlex, os

GrupoLDAP = "Domain Users" #Grupo a recuperar
CACert = '/etc/cert/ca.cert.pem' #Certificado CA

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACert)
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)

proto = 'ldaps' #Protocolo
server = 'domain.com' #Dirección del servidor (mismo nombre del Certificado)
port = 636 #Puerto seguro para ldaps

try:
    url = ldapurl.LDAPUrl(urlscheme=proto, hostport="%s:%s" % (server, str(port))).initializeUrl()
    ldap_obj = ldap.initialize(url)
    ldap_obj.simple_bind_s('user@domain.com','PassWord')

    base = 'OU=Users,DC=domain,DC=com' #Ruta y UO del grupo

    scope = ldap.SCOPE_SUBTREE

    query = '(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

    res_attrs = ['sAMAccountName', 'cn']
    #res_attrs = ['*']
    res = ldap_obj.search_s(base, scope, query, res_attrs)
except ldap.LDAPError as Error:
    print "Ha ocurrido un error al conectar o realizar la query al servidor LDAP:\n\n%s" % Error
    sys.exit(1)

证书需要CN中的FQDN,并由CA证书签名,以避免Certs错误.在我向同一FQDN添加第二个DC之前,它一直在工作,但是如果您只有一个DC,它应该可以工作. 我不知道它在Windows LDAP上如何工作,但似乎很相似.

The certificate needs the FQDN in CN and be signed by the CA cert to avoid Certs error. Was working until I've added a second DC to same FQDN but if you only have one DC it should work. I don't know how it works on a Windows LDAP, but seems to be similar.

问候!

这篇关于通过SSL的python和ldap的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆