Reputation: 459
I am using the LDAP3 module to query information from Active Directory. To get information like the GMSA password blob (ManagedPassword attribute), Active Directory expects that either the connection is secure (LDAPS) or LDAP signing (integrity) is used. I ran into a case where the environment doesn't have an LDAPS cert installed, and the possibility of installing one is ruled out. So the only option I am left with is using LDAP signing. Does anyone have an idea how to use LDAP signing while connecting to Active Directory over 389, either with the LDAP3 module or some other?
Upvotes: 1
Views: 1424
Reputation: 10171
There are two sides to TLS (the S in LDAPS):
This has nothing to do with LDAP, but with TLS, the same TLS you use with https. So I'll use https for my lecture before I actually answer your question.
Most of the time, the server is unable to trust the client. Imagine if you had to establish a trust relationship every time you visited a new https web page! So the server is hardly ever configured to trust its clients. Even if your LDAP server is in a better position to trust its clients (for example, it could hold their certificates), it is usually not configured like that. When it is, we call it mutual TLS or two-way TLS.
The trust will come by authenticating with a password or a Kerberos ticket over a secure connection, after a single-sided TLS connection is established. So nothing to worry about here.
Some servers have misconfigured TLS. Here is a test server that uses a certificate that your browser (or operating system) does not trust.
But if you click on "Advanced" and proceed to visit the website (in Chrome, ymmv), the content (a large red page) is shown to you because you decided to "trust" the website anyway by ignoring/accepting the untrusted certificate this one time.
Of course, if you cannot trust the server with certificates, there is a possibility you are sending your credentials to a rogue server. That is probably unlikely, so I'll let you deal with that possibility and answer your question.
Just instruct your LDAPS library to skip the certificate validation and continue, just like you did manually on that test page.
For python-ldap, add this right before you call ldap.initialize:
import ldap
# Never require a valid server certificate, then open the LDAPS connection
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
ldap.initialize("ldaps://ad.example.com")
or ldap3 before you create the server:
import ssl
from ldap3 import Server, Tls
# validate=CERT_NONE skips certificate validation for the LDAPS connection
tls_configuration = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1)
server = Server("ldaps://ad.example.com", use_ssl=True, tls=tls_configuration)
Upvotes: 1