Is anyone successfully using keytab authentication with python ldap on *nix


I am developing a number of tools which leverage keytab's for authentication - some of these tools use the python ldap library. I can succesfully read AD/Centrify objects using the module using a simple bind [IE username/password] but object reading after the keytab is initialised [instead of a simple authentication] in the process space yields "a successful bind must be completed on the connection"

Has anyone successfully used python ldap with AD/Centrify and kerberos authentication - if so would you mind sharing some of your bare bones code as a reference?

Thanks


Re: Is anyone successfully using keytab authentication with python ldap on *nix

Hi,

You should look into using Python LDAP with GSSAPI.  This would allow you to use GSSAPI (Kerberos) with LDAP in Python.

Searching the web you will find several references that will point you in the right direction.

Happy Holidays,

Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation
Re: Is anyone successfully using keytab authentication with python ldap on *nix

Hi Felderi - thanks for your message

As stated in my original post I am already using python ldap and can succesfully carry out a simple bind using a user/password combo which enables me to interrogate AD.

What I want to do is leverage keytab authentication rather than having a user and password

First I call /usr/share/centrifydc/kerberos/bin/kinit -kt mykeytab mykeytabfile

This is successful.

I then ...

import ldap
import ldap.sasl

# GSSAPI SASL mechanism: the identity comes from the Kerberos ticket cache
auth_tokens = ldap.sasl.gssapi()

ad = ldap.initialize('ldap://acme.com', trace_level=2)
ad.protocol_version = 3
ad.set_option(ldap.OPT_REFERRALS, 0)
ad.set_option(ldap.OPT_DEBUG_LEVEL, 255)

# SASL bind with an empty DN; the GSSAPI layer supplies the principal
ad.sasl_interactive_bind_s("", auth_tokens)

Ticket cache: KCM:0
Default principal: MYUSER@ACME.COM

Valid starting     Expires            Service principal
12/24/14 10:46:28  12/24/14 20:46:28  krbtgt/ACME.COM@ACME.COM
        renew until 12/25/14 10:46:28, Flags: RIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
        Addresses: (none)
*** ldap://acme.com - SimpleLDAPObject.set_option ((17, 3),{})
*** ldap://acme.com - SimpleLDAPObject.set_option ((17, 3),{})
*** ldap://acme.com - SimpleLDAPObject.set_option ((8, 0),{})
*** ldap://acme.com - SimpleLDAPObject.set_option ((20481, 255),{})
*** ldap://acme.com - SimpleLDAPObject.sasl_interactive_bind_s (('', <ldap.sasl.gssapi instance at 0x2ba8ec123320>, None, None, 2),{})
=> LDAPError - LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No credentials cache found)', 'desc': 'Local error'}

Re: Is anyone successfully using keytab authentication with python ldap on *nix

KevSmith 

(I hope no reference to the MallRats director)

What Felderi means is that you should try to use and get working the GSSAPI layer prior to trying to getting your job done inside Python.

Unlike many of the tools that we provide in our package, the Python package is not using our native libraries, so you have to go through an intermediate layer (like GSSAPI, SASL, etc) to get this done.

To give you an example.  The ldapsearch binary that is included with our package can do an AD bind using the computer's account credentials  (because we maintain a keytab for the computer object), that is because it was compiled with support to our shared libraries.

 ldd /usr/share/centrifydc/bin/ldapsearch
        linux-vdso.so.1 =>  (0x00007fffbeadb000)
        libgssapi_krb5.so.2 => /usr/share/centrifydc/kerberos/lib64/libgssapi_krb5.so.2 (0x00002b9120f45000)
        libkrb5.so.3 => /usr/share/centrifydc/kerberos/lib64/libkrb5.so.3 (0x00002b912105e000)
        libcom_err.so.3 => /usr/share/centrifydc/kerberos/lib64/libcom_err.so.3 (0x00002b91211fa000)
        libc.so.6 => /lib64/libc.so.6 (0x00000038a6800000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00000038a9800000)
        libk5crypto.so.3 => /usr/share/centrifydc/kerberos/lib64/libk5crypto.so.3 (0x00002b9121309000)
        libkrb5support.so.0 => /usr/share/centrifydc/kerberos/lib64/libkrb5support.so.0 (0x00002b912141e000)
        libssl.so.0.9.8 => /usr/share/centrifydc/lib64/libssl.so.0.9.8 (0x00002b9121523000)
        libcrypto.so.0.9.8 => /usr/share/centrifydc/lib64/libcrypto.so.0.9.8 (0x00002b9121673000)
        libstdc++.so.5 => /usr/share/centrifydc/lib64/libstdc++.so.5 (0x00002b91218f8000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00000038a6c00000)
        /lib64/ld-linux-x86-64.so.2 (0x00000038a6400000)
        libm.so.6 => /lib64/libm.so.6 (0x00000038a7400000)
        libgcc_s.so.1 => /usr/share/centrifydc/lib64/libgcc_s.so.1 (0x00002b9121acd000)

Some of the building blocks for you to get this done were outlined in this post:

http://community.centrify.com/t5/Standard-Edition-DirectControl/MongoDB-AD-Integration-made-easy-wit...

I am not a Python person (nor a programmer) so I would not even dive into the intricacies of using  GSSAPI calls inside of it.

Perhaps if you let us know what you're trying to accomplish (without implementation details) we may be able to point you in alternative directions.  (We know you want to do an LDAP bind with a keytab, but what we want to know is "what" is the end goal.  Using our layer yields better results than direct LDAP binds because we can locate DCs, do offline caching and abstract AD complexities like 1-way trusts). 

Typically a direct LDAP has an issue with AD like:

- Are you looking for an object that can only be located in a Global Catalog?
- What if the DC you hardcode as your LDAP is down?
- What if there's a 1-way trust (won't work in Express, but with Standard it will)

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Re: Is anyone successfully using keytab authentication with python ldap on *nix

It wasn't clear from the original post that you were using GSSAPI.

So great, you're using LDAP and GSSAPI in Python.  Your error is that the Python GSSAPI ldap bind is not finding the credential cache. 

Therefore check to make sure that the credential cache created with kinit is the one the Python LDAP GSSAPI call is trying to use.  You should make sure that the user your Python script is running as is the user that has obtained a Kerberos ticket with kinit, or you can set the environment variable KRB5CCNAME to point to the appropriate credential cache.

Searching the web I found this website that shows you how to accomplish what you're trying to do.

Regards,

Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation
Re: Is anyone successfully using keytab authentication with python ldap on *nix

Thanks for the website - sadly - the suggestions do not work. I am pretty sure that the python-ldap module will not work with the Centrify implementation of Kerberos. Despite rebuilding the module from source and pointing it to the Centrify LDAP libs I cannot get GSS / keytab authentication working with python-ldap.

Interestingly I also tried a perl version as well - and this does not appear to work either.

I will look at using subprocess with the centrify version of ldapsearch instead which I know does work with GSS auth via a keytab

Sadly - the maintainer of python-ldap has stopped assisting me [rightly so] due to the module never being tested against centrify.

It's a shame really - as whilst I am aware you can do many things with powershell - in a primary UNIX environment this is not possible and we will have to write our own framework.

That is of course unless centrify want to take the challenge on of getting python-ldap working with GSS and their implementation of kerberos keytabs!

Re: Is anyone successfully using keytab authentication with python ldap on *nix

Centrify ships an MIT Kerberos v5 client with its solution.  Therefore there is no Centrify specific implementation of GSS.

Any application that supports an MIT Kerberos v5 client will work with the MIT v5 client Centrify provides.  We have thousands of customers today integrating GSSAPI enabled applications with AD, leveraging Centrify.

You need to focus on addressing why the Python code cannot find the credential cache that contains the Kerberos credentials. 

We're happy to answer any Kerberos related questions but unfortunately we do not have the Python LDAP expertise.

Regards,

Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation
Re: Is anyone successfully using keytab authentication with python ldap on *nix

Hi Kev,

If the goal is to get an alternative to the PowerShell API to manage Centrify data stored in AD, I recommend using the adedit binary shipped with the agent. The main reason is that adedit does support Kerberos authentication through DirectControl.
From there you can create an adedit subroutine in TCL that you call from your main Python code.

Hope that helps.

Cheers,

Fabrice

Re: Is anyone successfully using keytab authentication with python ldap on *nix

To echo Felderi, there's no "Centrify implementation of Kerberos" - maybe I got you confused by telling you about programs that we include that are compiled with support for our shared libraries.

However, the advice has been consistent - make sure you have it working at the OS level before going into Python-LDAP.

If you look at what Fel told you, it is to make sure that Python-LDAP is looking at the *right* credential cache; your output shows this:  Ticket cache: KCM:0

If you look at a user's credential cache, it has this format krb5cc_UID.  Make sure Python-LDAP is using the cache file for MYUSER@ACME.COM

$ id
uid=1627391058(dwirth) gid=1627391058(dwirth) groups=1(bin),9999999(apache-capone),1627391058(dwirth)
[dwirth@engcen5 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1627391058
Default principal: dwirth@CENTRIFYIMAGE.VMS

Valid starting     Expires            Service principal
01/03/15 20:54:13  01/03/15 22:09:36  krbtgt/CENTRIFYIMAGE.VMS@CENTRIFYIMAGE.VMS
        renew until 01/03/15 22:09:36


Kerberos 4 ticket cache: /tmp/tkt1627391058
klist: You have no tickets cached

OR,

You can start from the beginning and tell us what you want to accomplish (without implementation details) e.g.  "I want to go from A to B"  not "I want to design an engine that uses salt water"

And regarding this:

"That is of course unless centrify want to take the challenge on of getting python-ldap working with GSS and their implementation of kerberos keytabs!"

Commercial requirements drive these type of efforts.  Use the "Contact Sales" option. If this is a significant commercial opportunity, I'm sure you can drive us to take the challenge.

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
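A preflight check for the cache mismatch Felderi and R.P describe above, added here as an example (not code from any poster or from Centrify): it parses klist output, refuses a KCM: cache that python-ldap's SASL/GSSAPI layer could not resolve in this thread, and otherwise runs a keytab kinit into a FILE: cache that the bind inherits through KRB5CCNAME. The kinit path, keytab, principal, cache path and server URI are assumed placeholders.

```python
import os
import re
import subprocess

KINIT = "kinit"  # assumption; the thread's is /usr/share/centrifydc/kerberos/bin/kinit

# Constructed klist excerpts modelled on the two outputs quoted in this thread.
KLIST_KCM = "Ticket cache: KCM:0\nDefault principal: MYUSER@ACME.COM\n"
KLIST_FILE = ("Ticket cache: FILE:/tmp/krb5cc_1627391058\n"
              "Default principal: dwirth@CENTRIFYIMAGE.VMS\n")

def parse_klist(text):
    """Return (cache_type, cache_name, principal) from klist output, else None."""
    cache = re.search(r"^Ticket cache:\s*(\w+):(\S*)", text, re.M)
    princ = re.search(r"^Default principal:\s*(\S+)", text, re.M)
    if not cache or not princ:
        return None
    return cache.group(1), cache.group(2), princ.group(1)

def cache_usable_by_gssapi(cache_type):
    # The SASL/GSSAPI layer python-ldap links against resolved only FILE: caches
    # in this thread; a KCM: cache gave 'No credentials cache found'.
    return cache_type == "FILE"

def kinit_env(keytab, principal, ccache_path, base_env=None):
    """argv for a keytab kinit plus an env whose KRB5CCNAME points the SASL
    bind at the same FILE: cache kinit writes."""
    env = dict(os.environ if base_env is None else base_env)
    env["KRB5CCNAME"] = "FILE:" + ccache_path
    return [KINIT, "-kt", keytab, principal], env

def bind_with_keytab(uri, keytab, principal, ccache_path):
    """kinit from the keytab into a FILE: cache, check the cache type, then
    do the GSSAPI SASL bind from the same environment."""
    argv, env = kinit_env(keytab, principal, ccache_path)
    subprocess.run(argv, env=env, check=True)
    out = subprocess.run(["klist"], env=env, check=True,
                         capture_output=True, text=True).stdout
    info = parse_klist(out)
    if info is None or not cache_usable_by_gssapi(info[0]):
        raise RuntimeError("cache %r is not a FILE: cache; SASL/GSSAPI "
                           "will report 'No credentials cache found'" % (info,))
    os.environ["KRB5CCNAME"] = env["KRB5CCNAME"]  # libgssapi in this process
    import ldap
    import ldap.sasl
    conn = ldap.initialize(uri)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return conn
```

Call bind_with_keytab("ldap://acme.com", "/etc/svc.keytab", "svc@ACME.COM", "/tmp/krb5cc_svc") on a host where the system libgssapi and the kinit that wrote the cache are the same MIT build; a cache written by one Kerberos library tree and read by another is the other mismatch this thread hints at.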
Re: Is anyone successfully using keytab authentication with python ldap on *nix

A brief update to those who may have read this. I was unable to get python-ldap working with Centrify keytab authentication and this is purely down to the implementation of the module and sasl/gss not knowing about the KCM ticket.

I've achieved what I wanted using adedit, TCL and keytab auth/binding.

Thanks to all those who took time to reply