Closed adament closed 2 years ago
The current version of the pull request has at least two issues at the moment:
I'm generally open to the idea, even if it breaks the API. I don't think many people depend on setting the GSS-SPNEGO mechanism without credentials and expect an anonymous bind. Also, with OpenLDAP and Kerberos you have something similar (GSSAPI mech without extra creds) when you have previously obtained a Kerberos ticket.
But I'm not too comfortable about the bifurcation. I'll try to look for some other approach to minimise it.
What would be really helpful is some tests about the preferred results (the connection is bound using the current user's credentials), with documentation on how to allow the current user to authenticate in Active Directory/OpenLDAP.
I ended up using a simpler approach: https://github.com/noirello/bonsai/commit/a16436c0882ba6178feeeb0f56d9a25ca63a7262 Not providing user and password will fall back to acquiring logon credentials.
Sounds great! Thank you.
The WinLDAP API supports binding using the current user using the GSS-SPNEGO mechanism without supplying any password or username. It is quite underdocumented but it is hinted at in the ldap_bind_s documentation under the remarks for LDAP_AUTH_NEGOTIATE. I have no experience with libldap2 or WinLDAP so I do not know if passing NULL credentials to other authentication mechanisms or on other platforms is valid.
In this pull request I have implemented a variant of PyObject2char named PyObject2char_advanced, which allows converting None to NULL strings rather than empty strings. I have then applied this version to user, realm, auth_zid and password for WIN32 platforms. With GSS-SPNEGO this has the desired effect on Windows.
I don't think the implementation in this pull request is ready for merge, but I hope that we can discuss how to implement this feature properly.