Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-ldap3 for openSUSE:Factory
checked in at 2021-09-02 23:20:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-ldap3 (Old)
and /work/SRC/openSUSE:Factory/.python-ldap3.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-ldap3"
Thu Sep 2 23:20:10 2021 rev:15 rq:915566 version:2.9.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-ldap3/python-ldap3.changes
2021-01-28 21:28:52.320235008 +0100
+++ /work/SRC/openSUSE:Factory/.python-ldap3.new.1899/python-ldap3.changes
2021-09-02 23:20:20.616555636 +0200
@@ -1,0 +2,17 @@
+Wed Sep 1 09:19:50 UTC 2021 - John Paul Adrian Glaubitz
<adrian.glaub...@suse.com>
+
+- Update to 2.9.1
+ * new feature: added support for using Kerberos authentication on windows
+ clients using the native winkerberos library
+ * new feature: added support for using Channel Bind tokens with Kerberos
+ authentication on windows clients
+ * fixed a bug related to using start_tls with a RESTARTABLE strategy that
+ caused errors to be raised erroneously.
+ * fixed a bug around the type checking of Reverse DNS Settings
+ with Kerberos authentication
+ * fixed an issue related to decoding unicode strings in LDAP referrals
+ and attributes in python 2
+ * minor documentation updates and corrections
+- Fix filename pattern matching in %files section
+
+-------------------------------------------------------------------
Old:
----
v2.9.tar.gz
New:
----
v2.9.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-ldap3.spec ++++++
--- /var/tmp/diff_new_pack.kqXdwi/_old 2021-09-02 23:20:21.120556264 +0200
+++ /var/tmp/diff_new_pack.kqXdwi/_new 2021-09-02 23:20:21.120556264 +0200
@@ -18,7 +18,7 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-ldap3
-Version: 2.9
+Version: 2.9.1
Release: 0
Summary: A strictly RFC 4511 conforming LDAP V3 pure Python client
License: LGPL-3.0-only
@@ -66,6 +66,6 @@
%license COPYING.LESSER.txt COPYING.txt LICENSE.txt
%doc README.rst
%{python_sitelib}/ldap3
-%{python_sitelib}/ldap3-%{version}*-py*.egg-info
+%{python_sitelib}/ldap3-*-py*.egg-info
%changelog
++++++ v2.9.tar.gz -> v2.9.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/CHANGES.txt new/ldap3-2.9.1/CHANGES.txt
--- old/ldap3-2.9/CHANGES.txt 2021-01-11 21:26:26.000000000 +0100
+++ new/ldap3-2.9.1/CHANGES.txt 2021-07-17 20:29:49.000000000 +0200
@@ -1,3 +1,16 @@
+# 2.9 - 2021.01.24
+ - new feature: SafeRestartable strategy (SAFE_RESTARTABLE) for using a
restartable Connection object in a multi-threading program
+ - tested against Python 3.9
+ - added requirements-dev.txt
+ - fixed logging unicode exceptions in python2.7
+ - added more granular control over use of reverse dns with Kerberos
(thanks Azaria)
+ - support MS Active Directory persistent search (thanks eLeX)
+ - added support for LDAP signing when using DIGEST-MD5 authentication
(thanks Augustin-FL)
+ - check only for searchResEntries in LDIF conversion (thanks Jay)
+ - modify-increment now works properly in mock strategies (thanks
Saint-Marcel)
+ - objectGUID are now converted properly (thanks Janne)
+ - default timeout in asynchronous strategies raised to 20 seconds
+
# 2.8.1 - 2020.09.07
- fixed regression in 2.8 for members returned in AD auto-range search
(thanks Felix)
- fixed regression in 2.8 for attribute error in restartable class (thanks
Christian)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/_changelog.txt
new/ldap3-2.9.1/_changelog.txt
--- old/ldap3-2.9/_changelog.txt 2021-01-11 21:26:26.000000000 +0100
+++ new/ldap3-2.9.1/_changelog.txt 2021-07-17 20:29:49.000000000 +0200
@@ -1,4 +1,12 @@
-# 2.9 - not yet released
+# 2.9.1 - 2021.07.17
+ - new feature: added support for using Kerberos authentication on windows
clients using the native winkerberos library
+ - new feature: added support for using Channel Bind tokens with Kerberos
authentication on windows clients
+ - fixed a bug related to using start_tls with a RESTARTABLE strategy that
caused errors to be raised erroneously.
+ - fixed a bug around the type checking of Reverse DNS Settings with
Kerberos authentication
+ - fixed an issue related to decoding unicode strings in LDAP referrals and
attributes in python 2
+ - minor documentation updates and corrections
+
+# 2.9 - 2021.01.24
- new feature: SafeRestartable strategy (SAFE_RESTARTABLE) for using a
restartable Connection object in a multi-threading program
- tested against Python 3.9
- added requirements-dev.txt
@@ -9,6 +17,7 @@
- check only for searchResEntries in LDIF conversion (thanks Jay)
- modify-increment now works properly in mock strategies (thanks
Saint-Marcel)
- objectGUID are now converted properly (thanks Janne)
+ - default timeout in asynchronous strategies raised to 20 seconds
# 2.8.1 - 2020.09.07
- fixed regression in 2.8 for members returned in AD auto-range search
(thanks Felix)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/_version.json new/ldap3-2.9.1/_version.json
--- old/ldap3-2.9/_version.json 2021-01-11 21:26:26.000000000 +0100
+++ new/ldap3-2.9.1/_version.json 2021-07-17 20:29:49.000000000 +0200
@@ -6,6 +6,6 @@
"url": "https://github.com/cannatag/ldap3";,
"description": "A strictly RFC 4510 conforming LDAP V3 pure Python client
library",
"author": "Giovanni Cannata",
- "version": "2.9-dev",
+ "version": "2.9",
"license": "LGPL v3"
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/docs/manual/source/connection.rst
new/ldap3-2.9.1/docs/manual/source/connection.rst
--- old/ldap3-2.9/docs/manual/source/connection.rst 2021-01-11
21:26:26.000000000 +0100
+++ new/ldap3-2.9.1/docs/manual/source/connection.rst 2021-07-17
20:29:49.000000000 +0200
@@ -33,7 +33,7 @@
from ldap3 import Server, Connection, SAFE_SYNC
server = Server('my_server')
- conn = Connection(s, 'my_user', 'my_password', strategy=SAFE_SYNC,
auto_bind=True)
+ conn = Connection(s, 'my_user', 'my_password',
client_strategy=SAFE_SYNC, auto_bind=True)
status, result, response, _ = conn.search('o=test', '(objectclass=*)')
# usually you don't need the original request (4th element of the return tuple)
The SafeSync and SafeRestartable strategies can be used with the Abstract
Layer, but the Abstract Layer currently is NOT thread safe.
@@ -285,7 +285,7 @@
* closed: True if the socket is not open
-* strategy_type: the strategy type used by the connection
+* strategy_type: the client strategy type used by the connection
* strategy: the strategy instance used by the connection
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/docs/manual/source/searches.rst
new/ldap3-2.9.1/docs/manual/source/searches.rst
--- old/ldap3-2.9/docs/manual/source/searches.rst 2021-01-11
21:26:26.000000000 +0100
+++ new/ldap3-2.9.1/docs/manual/source/searches.rst 2021-07-17
20:29:49.000000000 +0200
@@ -372,7 +372,7 @@
paged_size = 5,
generator=False)
for entry in entry_list:
- print entry['attributes']
+ print(entry['attributes'])
total_entries = len(entry_list)
print('Total entries retrieved:', total_entries)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/ldap3-2.9/docs/manual/source/tutorial_abstraction_writer.rst
new/ldap3-2.9.1/docs/manual/source/tutorial_abstraction_writer.rst
--- old/ldap3-2.9/docs/manual/source/tutorial_abstraction_writer.rst
2021-01-11 21:26:26.000000000 +0100
+++ new/ldap3-2.9.1/docs/manual/source/tutorial_abstraction_writer.rst
2021-07-17 20:29:49.000000000 +0200
@@ -51,14 +51,14 @@
The entry is in **Writable** status now, so you can try to update some values.
All modifications are stored in memory until committed or the entry
is returned to its original values::
- >>> w[0].sn += 'Smyth' # Add 'Smith' value from the sn
+ >>> w[0].sn += 'Smith' # Add 'Smith' value from the sn
>>> w[0].sn += 'Johnson' # Add 'Johnson' value from the sn
>>> w[0].sn -= 'Young' # remove the 'Young' value from the sn
Now let's revise the modifications we have requested::
>>> w[0].entry_changes
- OrderedDict([('sn', [('MODIFY_ADD', ['Smyth']), ('MODIFY_ADD',
['Johnson']), ('MODIFY_DELETE', ['Young'])])])
+ OrderedDict([('sn', [('MODIFY_ADD', ['Smith']), ('MODIFY_ADD',
['Johnson']), ('MODIFY_DELETE', ['Young'])])])
Modifications to an Entry are stored in a way (OrderedDict) that preserves the
insertion sequence. This can be helpful with specific LDAP
operations that request that an attribute is modified before an other one in
the same LDAP operation
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/ldap3/__init__.py
new/ldap3-2.9.1/ldap3/__init__.py
--- old/ldap3-2.9/ldap3/__init__.py 2021-01-11 21:26:26.000000000 +0100
+++ new/ldap3-2.9.1/ldap3/__init__.py 2021-07-17 20:29:49.000000000 +0200
@@ -141,6 +141,7 @@
from .core.connection import Connection
from .core.tls import Tls
from .core.pooling import ServerPool
+from .core.rdns import ReverseDnsSetting
from .abstract.objectDef import ObjectDef
from .abstract.attrDef import AttrDef
from .abstract.attribute import Attribute, WritableAttribute,
OperationalAttribute
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/ldap3/core/rdns.py
new/ldap3-2.9.1/ldap3/core/rdns.py
--- old/ldap3-2.9/ldap3/core/rdns.py 2021-01-11 21:26:26.000000000 +0100
+++ new/ldap3-2.9.1/ldap3/core/rdns.py 2021-07-17 20:29:49.000000000 +0200
@@ -32,6 +32,8 @@
REQUIRE_RESOLVE_IP_ADDRESSES_ONLY = 2,
OPTIONAL_RESOLVE_ALL_ADDRESSES = 3,
OPTIONAL_RESOLVE_IP_ADDRESSES_ONLY = 4,
+ SUPPORTED_VALUES = {OFF, REQUIRE_RESOLVE_ALL_ADDRESSES,
REQUIRE_RESOLVE_IP_ADDRESSES_ONLY,
+ OPTIONAL_RESOLVE_ALL_ADDRESSES,
OPTIONAL_RESOLVE_IP_ADDRESSES_ONLY}
def get_hostname_by_addr(addr, success_required=True):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/ldap3/protocol/convert.py
new/ldap3-2.9.1/ldap3/protocol/convert.py
--- old/ldap3-2.9/ldap3/protocol/convert.py 2021-01-11 21:26:26.000000000
+0100
+++ new/ldap3-2.9.1/ldap3/protocol/convert.py 2021-07-17 20:29:49.000000000
+0200
@@ -31,6 +31,16 @@
from ..protocol.formatters.standard import find_attribute_validator
+def to_str_or_normalized_unicode(val):
+ """ Attempt to convert value to a string. If that would error, convert it
to normalized unicode.
+ Python 3 string conversion handles unicode -> str without issue, but
python 2 doesn't.
+ """
+ try:
+ return str(val)
+ except:
+ return val.encode('ascii', 'backslashreplace')
+
+
def attribute_to_dict(attribute):
try:
return {'type': str(attribute['type']), 'values': [str(val) for val in
attribute['vals']]}
@@ -48,13 +58,13 @@
def referrals_to_list(referrals):
if isinstance(referrals, list):
- return [str(referral) for referral in referrals if referral] if
referrals else None
+ return [to_str_or_normalized_unicode(referral) for referral in
referrals if referral] if referrals else None
else:
- return [str(referral) for referral in referrals if referral] if
referrals is not None and referrals.hasValue() else None
+ return [to_str_or_normalized_unicode(referral) for referral in
referrals if referral] if referrals is not None and referrals.hasValue() else
None
def search_refs_to_list(search_refs):
- return [str(search_ref) for search_ref in search_refs if search_ref] if
search_refs else None
+ return [to_str_or_normalized_unicode(search_ref) for search_ref in
search_refs if search_ref] if search_refs else None
def search_refs_to_list_fast(search_refs):
@@ -85,7 +95,7 @@
def attributes_to_list(attributes):
- return [str(attribute) for attribute in attributes]
+ return [to_str_or_normalized_unicode(attribute) for attribute in
attributes]
def ava_to_dict(ava):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/ldap3/protocol/sasl/kerberos.py
new/ldap3-2.9.1/ldap3/protocol/sasl/kerberos.py
--- old/ldap3-2.9/ldap3/protocol/sasl/kerberos.py 2021-01-11
21:26:26.000000000 +0100
+++ new/ldap3-2.9.1/ldap3/protocol/sasl/kerberos.py 2021-07-17
20:29:49.000000000 +0200
@@ -23,19 +23,31 @@
# along with ldap3 in the COPYING and COPYING.LESSER files.
# If not, see <http://www.gnu.org/licenses/>.
-# original code by Hugh Cole-Baker, modified by Peter Foley
+# original code by Hugh Cole-Baker, modified by Peter Foley, modified again by
Azaria Zornberg
# it needs the gssapi package
+import base64
import socket
from ...core.exceptions import LDAPPackageUnavailableError,
LDAPCommunicationError
from ...core.rdns import ReverseDnsSetting, get_hostname_by_addr, is_ip_addr
+posix_gssapi_unavailable = True
try:
# noinspection PyPackageRequirements,PyUnresolvedReferences
import gssapi
from gssapi.raw import ChannelBindings
+ posix_gssapi_unavailable = False
except ImportError:
- raise LDAPPackageUnavailableError('package gssapi missing')
+ pass
+
+windows_gssapi_unavailable = True
+# only attempt to import winkerberos if gssapi is unavailable
+if posix_gssapi_unavailable:
+ try:
+ import winkerberos
+ windows_gssapi_unavailable = False
+ except ImportError:
+ raise LDAPPackageUnavailableError('package gssapi (or winkerberos)
missing')
from .sasl import send_sasl_negotiation, abort_sasl_negotiation
@@ -66,7 +78,11 @@
digest = hashes.Hash(hash_algorithm, default_backend())
digest.update(server_certificate)
application_data = b'tls-server-end-point:' + digest.finalize()
- return ChannelBindings(application_data=application_data)
+ # posix gssapi and windows winkerberos use different channel bindings
classes
+ if not posix_gssapi_unavailable:
+ return ChannelBindings(application_data=application_data)
+ else:
+ return winkerberos.channelBindings(application_data=application_data)
def sasl_gssapi(connection, controls):
@@ -76,73 +92,140 @@
sasl_credentials can be empty or a tuple with one or two elements.
The first element determines which service principal to request a ticket
for and can be one of the following:
-
+
- None or False, to use the hostname from the Server object
- True to perform a reverse DNS lookup to retrieve the canonical hostname
for the hosts IP address
- A string containing the hostname
-
+
The optional second element is what authorization ID to request.
-
+
- If omitted or None, the authentication ID is used as the authorization ID
- If a string, the authorization ID to use. Should start with "dn:" or
"user:".
The optional third element is a raw gssapi credentials structure which can
be used over
the implicit use of a krb ccache.
"""
- target_name = None
+ if not posix_gssapi_unavailable:
+ return _posix_sasl_gssapi(connection, controls)
+ else:
+ return _windows_sasl_gssapi(connection, controls)
+
+
+def _common_determine_target_name(connection):
+ """ Common logic for determining our target name for kerberos negotiation,
regardless of whether we are using
+ gssapi on a posix system or winkerberos on windows.
+ Returns a string in the form "ldap@" + a target hostname.
+ The hostname can either be user specified, come from the connection, or
resolved using reverse DNS based
+ on parameters set in sasl_credentials.
+ The default if no sasl_credentials are specified is to use the host in the
connection server object.
+ """
+ # if we don't have any sasl_credentials specified, or the first entry is
False (which is the legacy equivalent
+ # to ReverseDnsSetting.OFF that has value 0) then our gssapi name is just
+ if (not connection.sasl_credentials or len(connection.sasl_credentials) == 0
+ or not connection.sasl_credentials[0]):
+ return 'ldap@' + connection.server.host
+ # older code will still be using a boolean True for the equivalent of
+ # ReverseDnsSetting.REQUIRE_RESOLVE_ALL_ADDRESSES
+ if connection.sasl_credentials[0] is True:
+ hostname = get_hostname_by_addr(connection.socket.getpeername()[0])
+ target_name = 'ldap@' + hostname
+ elif connection.sasl_credentials[0] in ReverseDnsSetting.SUPPORTED_VALUES:
+ rdns_setting = connection.sasl_credentials[0]
+ # if the rdns_setting is OFF then we won't enter any branch here and
will leave hostname as server host,
+ # so we'll just use the server host, whatever it is
+ peer_ip = connection.socket.getpeername()[0]
+ hostname = connection.server.host
+ if rdns_setting == ReverseDnsSetting.REQUIRE_RESOLVE_ALL_ADDRESSES:
+ # resolve our peer ip and use it as our target name
+ hostname = get_hostname_by_addr(peer_ip)
+ elif rdns_setting ==
ReverseDnsSetting.REQUIRE_RESOLVE_IP_ADDRESSES_ONLY:
+ # resolve our peer ip (if the server host is an ip address) and
use it as our target name
+ if is_ip_addr(hostname):
+ hostname = get_hostname_by_addr(peer_ip)
+ elif rdns_setting == ReverseDnsSetting.OPTIONAL_RESOLVE_ALL_ADDRESSES:
+ # try to resolve our peer ip in dns and if we can, use it as our
target name.
+ # if not, just use the server host
+ resolved_hostname = get_hostname_by_addr(peer_ip,
success_required=False)
+ if resolved_hostname is not None:
+ hostname = resolved_hostname
+ elif rdns_setting ==
ReverseDnsSetting.OPTIONAL_RESOLVE_IP_ADDRESSES_ONLY:
+ # try to resolve our peer ip in dns if our server host is an ip.
if we can, use it as our target
+ # name. if not, just use the server host
+ if is_ip_addr(hostname):
+ resolved_hostname = get_hostname_by_addr(peer_ip,
success_required=False)
+ if resolved_hostname is not None:
+ hostname = resolved_hostname
+ # construct our target name
+ target_name = 'ldap@' + hostname
+ else: # string hostname directly provided
+ target_name = 'ldap@' + connection.sasl_credentials[0]
+ return target_name
+
+
+def _common_determine_authz_id_and_creds(connection):
+ """ Given our connection, figure out the authorization id (i.e. the
kerberos principal) and kerberos credentials
+ being used for our SASL bind.
+ On posix systems, we can actively negotiate with raw credentials and
receive a kerberos client ticket during our
+ SASL bind. So credentials can be specified.
+ However, on windows systems, winkerberos expects to use the credentials
cached by the system because windows
+ machines are generally domain-joined. So no initiation is supported, as
the TGT must already be valid prior
+ to beginning the SASL bind, and the windows system credentials will be
used as needed with that.
+ """
authz_id = b""
- raw_creds = None
creds = None
+ # the default value for credentials is only something we should
instantiate on systems using the
+ # posix GSSAPI, as windows kerberos expects that a tgt already exists
(i.e. the machine is domain-joined)
+ # and does not support initiation from raw credentials
+ if not posix_gssapi_unavailable:
+ creds = gssapi.Credentials(name=gssapi.Name(connection.user),
usage='initiate', store=connection.cred_store) if connection.user else None
if connection.sasl_credentials:
- if len(connection.sasl_credentials) >= 1 and
connection.sasl_credentials[0]:
- # older code will still be using a boolean True for the equivalent
of
- # ReverseDnsSetting.REQUIRE_RESOLVE_ALL_ADDRESSES
- if connection.sasl_credentials[0] is True:
- hostname =
get_hostname_by_addr(connection.socket.getpeername()[0])
- target_name = gssapi.Name('ldap@' + hostname,
gssapi.NameType.hostbased_service)
- elif isinstance(connection.sasl_credentials[0], ReverseDnsSetting):
- rdns_setting = connection.sasl_credentials[0]
- # if the rdns_setting is OFF then we won't enter any branch
here and will leave hostname as server host,
- # so we'll just use the server host, whatever it is
- peer_ip = connection.socket.getpeername()[0]
- hostname = connection.server.host
- if rdns_setting ==
ReverseDnsSetting.REQUIRE_RESOLVE_ALL_ADDRESSES:
- # resolve our peer ip and use it as our target name
- hostname = get_hostname_by_addr(peer_ip)
- elif rdns_setting ==
ReverseDnsSetting.REQUIRE_RESOLVE_IP_ADDRESSES_ONLY:
- # resolve our peer ip (if the server host is an ip
address) and use it as our target name
- if is_ip_addr(target_name):
- hostname = get_hostname_by_addr(peer_ip)
- elif rdns_setting ==
ReverseDnsSetting.OPTIONAL_RESOLVE_ALL_ADDRESSES:
- # try to resolve our peer ip in dns and if we can, use it
as our target name.
- # if not, just use the server host
- resolved_hostname = get_hostname_by_addr(peer_ip,
success_required=False)
- if resolved_hostname is not None:
- hostname = resolved_hostname
- elif rdns_setting ==
ReverseDnsSetting.OPTIONAL_RESOLVE_IP_ADDRESSES_ONLY:
- # try to resolve our peer ip in dns if our server host is
an ip. if we can, use it as our target
- # name. if not, just use the server host
- if is_ip_addr(target_name):
- resolved_hostname = get_hostname_by_addr(peer_ip,
success_required=False)
- if resolved_hostname is not None:
- hostname = resolved_hostname
- # construct our target name
- target_name = gssapi.Name('ldap@' + hostname,
gssapi.NameType.hostbased_service)
- else: # string hostname directly provided
- target_name = gssapi.Name('ldap@' +
connection.sasl_credentials[0], gssapi.NameType.hostbased_service)
if len(connection.sasl_credentials) >= 2 and
connection.sasl_credentials[1]:
authz_id = connection.sasl_credentials[1].encode("utf-8")
if len(connection.sasl_credentials) >= 3 and
connection.sasl_credentials[2]:
+ if posix_gssapi_unavailable:
+ raise LDAPPackageUnavailableError('The winkerberos package
does not support specifying raw credentials'
+ 'to initiate GSSAPI Kerberos
communication. A ticket granting ticket '
+ 'must have already been
obtained for the user before beginning a '
+ 'SASL bind.')
raw_creds = connection.sasl_credentials[2]
- if target_name is None:
- target_name = gssapi.Name('ldap@' + connection.server.host,
gssapi.NameType.hostbased_service)
+ creds = gssapi.Credentials(base=raw_creds, usage='initiate',
store=connection.cred_store)
+ return authz_id, creds
- if raw_creds is not None:
- creds = gssapi.Credentials(base=raw_creds, usage='initiate',
store=connection.cred_store)
- else:
- creds = gssapi.Credentials(name=gssapi.Name(connection.user),
usage='initiate', store=connection.cred_store) if connection.user else None
- ctx = gssapi.SecurityContext(name=target_name,
mech=gssapi.MechType.kerberos, creds=creds,
channel_bindings=get_channel_bindings(connection.socket))
+def _common_process_end_token_get_security_layers(negotiated_token):
+ """ Process the response we got at the end of our SASL negotiation wherein
the server told us what
+ minimum security layers we need, and return a bytearray for the client
security layers we want.
+ This function throws an error on a malformed token from the server.
+ The ldap3 library does not support security layers, and only supports
authentication with kerberos,
+ so an error will be thrown for any tokens that indicate a security layer
requirement.
+ """
+ if len(negotiated_token) != 4:
+ raise LDAPCommunicationError("Incorrect response from server")
+
+ server_security_layers = negotiated_token[0]
+ if not isinstance(server_security_layers, int):
+ server_security_layers = ord(server_security_layers)
+ if server_security_layers in (0, NO_SECURITY_LAYER):
+ if negotiated_token[1:] != '\x00\x00\x00':
+ raise LDAPCommunicationError("Server max buffer size must be 0 if
no security layer")
+ if not (server_security_layers & NO_SECURITY_LAYER):
+ raise LDAPCommunicationError("Server requires a security layer, but
this is not implemented")
+
+ # this is here to encourage anyone implementing client security layers to
do it
+ # for both windows and posix
+ client_security_layers = bytearray([NO_SECURITY_LAYER, 0, 0, 0])
+ return client_security_layers
+
+def _posix_sasl_gssapi(connection, controls):
+ """ Performs a bind using the Kerberos v5 ("GSSAPI") SASL mechanism
+ from RFC 4752 using the gssapi package that works natively on most
+ posix operating systems.
+ """
+ target_name = gssapi.Name(_common_determine_target_name(connection),
gssapi.NameType.hostbased_service)
+ authz_id, creds = _common_determine_authz_id_and_creds(connection)
+
+ ctx = gssapi.SecurityContext(name=target_name,
mech=gssapi.MechType.kerberos, creds=creds,
+
channel_bindings=get_channel_bindings(connection.socket))
in_token = None
try:
while True:
@@ -161,21 +244,59 @@
pass
unwrapped_token = ctx.unwrap(in_token)
- if len(unwrapped_token.message) != 4:
- raise LDAPCommunicationError("Incorrect response from server")
-
- server_security_layers = unwrapped_token.message[0]
- if not isinstance(server_security_layers, int):
- server_security_layers = ord(server_security_layers)
- if server_security_layers in (0, NO_SECURITY_LAYER):
- if unwrapped_token.message[1:] != '\x00\x00\x00':
- raise LDAPCommunicationError("Server max buffer size must be 0
if no security layer")
- if not (server_security_layers & NO_SECURITY_LAYER):
- raise LDAPCommunicationError("Server requires a security layer,
but this is not implemented")
-
- client_security_layers = bytearray([NO_SECURITY_LAYER, 0, 0, 0])
+ client_security_layers =
_common_process_end_token_get_security_layers(unwrapped_token.message)
out_token = ctx.wrap(bytes(client_security_layers)+authz_id, False)
return send_sasl_negotiation(connection, controls, out_token.message)
except (gssapi.exceptions.GSSError, LDAPCommunicationError):
abort_sasl_negotiation(connection, controls)
raise
+
+
+def _windows_sasl_gssapi(connection, controls):
+ """ Performs a bind using the Kerberos v5 ("GSSAPI") SASL mechanism
+ from RFC 4752 using the winkerberos package that works natively on most
+ windows operating systems.
+ """
+ target_name = _common_determine_target_name(connection)
+ # initiation happens before beginning the SASL bind when using windows
kerberos
+ authz_id, _ = _common_determine_authz_id_and_creds(connection)
+ gssflags = (
+ winkerberos.GSS_C_MUTUAL_FLAG |
+ winkerberos.GSS_C_SEQUENCE_FLAG |
+ winkerberos.GSS_C_INTEG_FLAG |
+ winkerberos.GSS_C_CONF_FLAG
+ )
+ _, ctx = winkerberos.authGSSClientInit(target_name, gssflags=gssflags)
+
+ in_token = b''
+ try:
+ negotiation_complete = False
+ while not negotiation_complete:
+ # GSSAPI is a "client goes first" SASL mechanism. Send the first
"response" to the server and
+ # recieve its first challenge.
+ # Despite this, we can get channel binding, which includes CBTs
for windows environments computed from
+ # the peer certificate, before starting.
+ status = winkerberos.authGSSClientStep(ctx,
base64.b64encode(in_token).decode('utf-8'),
+
channel_bindings=get_channel_bindings(connection.socket))
+ # figure out if we're done with our sasl negotiation
+ negotiation_complete = (status == winkerberos.AUTH_GSS_COMPLETE)
+ out_token = winkerberos.authGSSClientResponse(ctx) or ''
+ out_token_bytes = base64.b64decode(out_token)
+ result = send_sasl_negotiation(connection, controls,
out_token_bytes)
+ in_token = result['saslCreds'] or b''
+
+ winkerberos.authGSSClientUnwrap(
ctx,base64.b64encode(in_token).decode('utf-8'))
+ negotiated_token = ''
+ if winkerberos.authGSSClientResponse(ctx):
+ negotiated_token =
base64.standard_b64decode(winkerberos.authGSSClientResponse(ctx))
+ client_security_layers =
_common_process_end_token_get_security_layers(negotiated_token)
+ # manually construct a message indicating use of authorization-only
layer
+ # see winkerberos example:
https://github.com/mongodb/winkerberos/blob/master/test/test_winkerberos.py
+ authz_only_msg = base64.b64encode(bytes(client_security_layers) +
authz_id).decode('utf-8')
+ winkerberos.authGSSClientWrap(ctx, authz_only_msg)
+ out_token = winkerberos.authGSSClientResponse(ctx) or ''
+
+ return send_sasl_negotiation(connection, controls,
base64.b64decode(out_token))
+ except (winkerberos.GSSError, LDAPCommunicationError):
+ abort_sasl_negotiation(connection, controls)
+ raise
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/ldap3/strategy/restartable.py
new/ldap3-2.9.1/ldap3/strategy/restartable.py
--- old/ldap3-2.9/ldap3/strategy/restartable.py 2021-01-11 21:26:26.000000000
+0100
+++ new/ldap3-2.9.1/ldap3/strategy/restartable.py 2021-07-17
20:29:49.000000000 +0200
@@ -149,7 +149,7 @@
try: # reopening connection
self.connection.open(reset_usage=False,
read_server_info=False)
if self._restart_tls: # restart tls if start_tls was
previously used
- if self.connection.start_tls(read_server_info=False):
+ if not
self.connection.start_tls(read_server_info=False):
error = 'restart tls in restartable not
successful' + (' - ' + self.connection.last_error if self.connection.last_error
else '')
if log_enabled(ERROR):
log(ERROR, '%s for <%s>', error, self)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/ldap3/utils/config.py
new/ldap3-2.9.1/ldap3/utils/config.py
--- old/ldap3-2.9/ldap3/utils/config.py 2021-01-11 21:26:26.000000000 +0100
+++ new/ldap3-2.9.1/ldap3/utils/config.py 2021-07-17 20:29:49.000000000
+0200
@@ -77,7 +77,7 @@
# communication
_POOLING_LOOP_TIMEOUT = 10 # number of seconds to wait before restarting a
cycle to find an active server in the pool
_RESPONSE_SLEEPTIME = 0.05 # seconds to wait while waiting for a response in
asynchronous strategies
-_RESPONSE_WAITING_TIMEOUT = 3 # waiting timeout for receiving a response in
asynchronous strategies
+_RESPONSE_WAITING_TIMEOUT = 20 # waiting timeout for receiving a response in
asynchronous strategies
_SOCKET_SIZE = 4096 # socket byte size
_CHECK_AVAILABILITY_TIMEOUT = 2.5 # default timeout for socket connect when
checking availability
_RESET_AVAILABILITY_TIMEOUT = 5 # default timeout for resetting the
availability status when checking candidate addresses
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/ldap3/version.py
new/ldap3-2.9.1/ldap3/version.py
--- old/ldap3-2.9/ldap3/version.py 2021-01-11 21:26:26.000000000 +0100
+++ new/ldap3-2.9.1/ldap3/version.py 2021-07-17 20:29:49.000000000 +0200
@@ -1,9 +1,9 @@
# THIS FILE IS AUTO-GENERATED. PLEASE DO NOT MODIFY# version file for ldap3
-# generated on 2020-09-07 08:48:35.409733
-# on system uname_result(system='Windows', node='ELITE10GC', release='10',
version='10.0.19041', machine='AMD64', processor='Intel64 Family 6 Model 58
Stepping 9, GenuineIntel')
-# with Python 3.8.5 - ('tags/v3.8.5:580fbb0', 'Jul 20 2020 15:57:54') - MSC
v.1924 64 bit (AMD64)
+# generated on 2021-01-24 22:40:17.890942
+# on system uname_result(system='Windows', node='ELITE10GC', release='10',
version='10.0.19041', machine='AMD64')
+# with Python 3.9.1 - ('tags/v3.9.1:1e5d33e', 'Dec 7 2020 17:08:21') - MSC
v.1927 64 bit (AMD64)
#
-__version__ = '2.8.1'
+__version__ = '2.9'
__author__ = 'Giovanni Cannata'
__email__ = 'canna...@gmail.com'
__url__ = 'https://github.com/cannatag/ldap3'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/test/testRdns.py
new/ldap3-2.9.1/test/testRdns.py
--- old/ldap3-2.9/test/testRdns.py 2021-01-11 21:26:26.000000000 +0100
+++ new/ldap3-2.9.1/test/testRdns.py 2021-07-17 20:29:49.000000000 +0200
@@ -41,6 +41,15 @@
self.assertEqual(ReverseDnsSetting.OPTIONAL_RESOLVE_ALL_ADDRESSES,
(3,), fail_msg)
self.assertEqual(ReverseDnsSetting.OPTIONAL_RESOLVE_IP_ADDRESSES_ONLY,
(4,), fail_msg)
+ fail_msg = ('Removing values from the set of supported values for
reverse dns settings will break '
+ 'backwards compatibility for existing clients on older
versions of the ldap3 package. '
+ 'Please do not remove values.')
+ self.assertTrue(ReverseDnsSetting.OFF in
ReverseDnsSetting.SUPPORTED_VALUES, fail_msg)
+ self.assertTrue(ReverseDnsSetting.REQUIRE_RESOLVE_ALL_ADDRESSES in
ReverseDnsSetting.SUPPORTED_VALUES, fail_msg)
+ self.assertTrue(ReverseDnsSetting.REQUIRE_RESOLVE_IP_ADDRESSES_ONLY in
ReverseDnsSetting.SUPPORTED_VALUES, fail_msg)
+ self.assertTrue(ReverseDnsSetting.OPTIONAL_RESOLVE_ALL_ADDRESSES in
ReverseDnsSetting.SUPPORTED_VALUES, fail_msg)
+ self.assertTrue(ReverseDnsSetting.OPTIONAL_RESOLVE_IP_ADDRESSES_ONLY
in ReverseDnsSetting.SUPPORTED_VALUES, fail_msg)
+
def test_ipv4_ip_addr_checking(self):
valid = is_ip_addr('10.254.76.5')
self.assertTrue(valid, 'IPv4 addresses should be identified as ip
addresses')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ldap3-2.9/test-all.ps1 new/ldap3-2.9.1/test-all.ps1
--- old/ldap3-2.9/test-all.ps1 2021-01-11 21:26:26.000000000 +0100
+++ new/ldap3-2.9.1/test-all.ps1 2021-07-17 20:29:49.000000000 +0200
@@ -1,4 +1,4 @@
-$PythonVersions = @('2.7', '3.9')
+$PythonVersions = @('3.9', '2.7')
$Strategies = @('SYNC', 'ASYNC', 'SAFE_SYNC', 'RESTARTABLE',
'SAFE_RESTARTABLE')
$Servers = @('EDIR')
$Decoders = @('INTERNAL', 'EXTERNAL')
@@ -30,13 +30,15 @@
$env:DECODER=$Decoder
if ($Python -eq "2.7") {
- # Start-Process py -2.7 -m unittest discover -s test -c
py -2.7 -m unittest discover -s test -c
}
elseif ($Python -eq "3.9") {
- # Start-Process .\venv\Scripts\python -m unittest discover -s test -c
.\venv\Scripts\python -m unittest discover -s test -c
}
+ elseif ($Python -eq "2.6") {
+ $env:PYTHONIOENCODING="UTF8"
+ .\venv\Scripts\python -m unittest discover -s test -c
+ }
else {
Write-Host "Unknown Python version " + $Python
}
