I am using the great ldap3 package and I am trying to connect to an Active Directory server without having to provide actual credentials in plain text.
The following SASL mechanisms are supported:
['GSSAPI', 'GSS-SPNEGO', 'EXTERNAL', 'DIGEST-MD5']
I tried to install the package GSSAPI but that doesn't work on my Windows machine.
The error on pip install gssapi was:
subprocess.CalledProcessError: Command 'krb5-config --libs gssapi' returned non-zero exit status 1.
Can anybody provide a simple example for that? I believe GSS-SPNEGO could be the solution, but I didn't find any comprehensible example on the Internet.
Thank you for asking this. I gave it one last shot today and got it to work.
See Davide's answer
It requires you to have the ldap3 package and to install the winkerberos package:
pip install winkerberos
Then you need to replace the kerberos.py file in your site-packages (PYTHON_HOME\Lib\site-packages\ldap3\protocol\sasl\kerberos.py) with the one he links to (replacement kerberos.py).
You need to change the following line in the replacement kerberos.py file:
from treadmill import kerberoswrapper as kerberos
Change to
import winkerberos as kerberos
Then you can connect like this:
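from ldap3 import Server, Connection, Tls, SASL, GSSAPI
import ssl
# validate=ssl.CERT_NONE turns off verification of the server certificate;
# version=ssl.PROTOCOL_TLSv1 pins the connection to TLS 1.0.
tls = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1)
server = Server('server_fqdn', use_ssl=True, tls=tls)
# No user or password is passed: the SASL GSSAPI bind uses Kerberos.
c = Connection(server, authentication=SASL, sasl_mechanism=GSSAPI)
c.bind()
# who_am_i() asks the server which identity the bind was given.
print(c.extend.standard.who_am_i())
c.unbind()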
Replace server_fqdn with the fully qualified domain name of your AD server.
You may want to change the version value to whatever protocol your AD server uses.
If someone has a less messy method to accomplish this please chime in!
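An added example, not part of the original answer or of ldap3 itself: a small static check that flags the two TLS settings in the connection snippet above (certificate verification switched off, TLS 1.0 pinned) wherever a `Tls(...)` call appears in Python source. It relies on ldap3's `Tls` defaulting to `validate=ssl.CERT_NONE`; the hardened snippet and its CA file name `ad-ca.pem` are constructed placeholders.

```python
import ast

# The answer's connection snippet, embedded as sample input.
ANSWER_SNIPPET = '''
from ldap3 import Server, Connection, Tls, SASL, GSSAPI
import ssl
tls = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1)
server = Server('server_fqdn', use_ssl=True, tls=tls)
'''

# Constructed hardened variant; 'ad-ca.pem' is a placeholder CA bundle name.
HARDENED_SNIPPET = '''
from ldap3 import Tls
import ssl
tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file='ad-ca.pem')
'''

LEGACY_VERSIONS = {"PROTOCOL_SSLv2", "PROTOCOL_SSLv3",
                   "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"}

def _const_name(node):
    """Return 'CERT_NONE' for both ssl.CERT_NONE and a bare CERT_NONE."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None

def audit_tls_calls(source):
    """Return (line, message) findings for Tls(...) calls (keyword args only)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _const_name(node.func) == "Tls"):
            continue
        kwargs = {kw.arg: _const_name(kw.value) for kw in node.keywords if kw.arg}
        # ldap3's Tls defaults to validate=ssl.CERT_NONE, so a missing
        # keyword is as weak as an explicit CERT_NONE.
        if kwargs.get("validate", "CERT_NONE") == "CERT_NONE":
            findings.append((node.lineno, "server certificate is not verified"))
        if kwargs.get("version") in LEGACY_VERSIONS:
            findings.append((node.lineno, "legacy protocol pinned: " + kwargs["version"]))
    return findings

if __name__ == "__main__":
    for label, src in (("answer", ANSWER_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        print(label, audit_tls_calls(src))
```

The check only resolves literal `ssl.*` constants passed by keyword; settings passed positionally or through variables are not evaluated.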