noirello / bonsai

Simple Python 3 module for LDAP, using libldap2 and winldap C libraries.
MIT License

RFC: Passing NULL credentials to bind. #36

Closed adament closed 2 years ago

adament commented 4 years ago

The WinLDAP API supports binding as the current user using the GSS-SPNEGO mechanism without supplying any password or username. It is quite underdocumented, but it is hinted at in the ldap_bind_s documentation under the remarks for LDAP_AUTH_NEGOTIATE. I have no experience with libldap2 or WinLDAP, so I do not know whether passing NULL credentials to other authentication mechanisms or on other platforms is valid.

In this pull request I have implemented a variant of PyObject2char named PyObject2char_advanced, which allows converting None to NULL rather than to empty strings. I have then applied this version to user, realm, auth_zid and password on WIN32 platforms. With GSS-SPNEGO this has the desired effect on Windows.

I don't think the implementation in this pull request is ready for merge, but I hope that we can discuss how to implement this feature properly.

adament commented 4 years ago

The current version of the pull request has at least two issues at the moment:

noirello commented 4 years ago

I'm generally open to the idea, even if it breaks the API. I don't think many people depend on setting the GSS-SPNEGO mechanism without credentials and expecting an anonymous bind. Also, with OpenLDAP and Kerberos you have something similar (the GSSAPI mech without extra creds) when you have previously obtained a Kerberos ticket.

But I'm not too comfortable about the bifurcation. I'll try to look for some other approach to minimise it.

What would be really helpful is some tests about the preferred results (the connection is bound using the current user's credentials), with documentation on how to allow the current user to authenticate in Active Directory/OpenLDAP.

noirello commented 2 years ago

I ended up using a simpler approach: https://github.com/noirello/bonsai/commit/a16436c0882ba6178feeeb0f56d9a25ca63a7262 Not providing user and password will fall back to acquiring logon credentials.
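The behaviour agreed on above (adament's original GSS-SPNEGO request and noirello's final fallback to logon credentials when no user and no password are given), shown as an added example. This code is written for this page and is not bonsai's own source; it assumes the `LDAPClient.set_credentials(mechanism, user=None, password=None, realm=None, authz_id=None)` signature and the `connect()`/`whoami()` calls of bonsai's public API, and the hostname `dc.example.com` is a placeholder. The `credential_plan` helper is this example's own way of making the None-versus-empty-string distinction explicit; the refusal of half-specified credentials is the example's policy, not bonsai's.

```python
"""Added example: bind as the current logon user with bonsai.

Assumptions (not taken from the project): bonsai's set_credentials()
signature, and the thread's description that omitting both user and
password for GSS-SPNEGO (WinLDAP) or GSSAPI (OpenLDAP + a kinit ticket)
makes the C library use the caller's existing security context.
"""
from typing import Optional

# SASL mechanisms that can pick up an existing security context when no
# explicit credentials are supplied (assumption based on the discussion).
CONTEXT_MECHANISMS = {"GSS-SPNEGO", "GSSAPI"}


def credential_plan(mechanism: str, user: Optional[str] = None,
                    password: Optional[str] = None) -> str:
    """Describe which bind a (mechanism, user, password) triple produces.

    The point of the pull request is that None and "" must not be
    conflated: None means "nothing supplied" and lets the C library fall
    back to the logon session, whereas "" is a real (empty) credential.
    """
    if mechanism == "SIMPLE":
        if user is None and password is None:
            return "anonymous"
        return "simple"
    if mechanism in CONTEXT_MECHANISMS:
        if user is None and password is None:
            return "logon-credentials"
        if user is not None and password is not None:
            return "explicit-credentials"
        # Half-specified credentials: refuse rather than silently binding
        # as an unexpected identity (this policy is the example's own).
        raise ValueError("supply both user and password, or neither")
    raise ValueError(f"unsupported mechanism: {mechanism}")


def connect_as_current_user(url: str, mechanism: str = "GSS-SPNEGO"):
    """Open a bonsai connection bound with the current Windows logon
    session (GSS-SPNEGO) or the Kerberos ticket from kinit (GSSAPI)."""
    import bonsai  # imported here so the helper above runs without bonsai
    if credential_plan(mechanism) != "logon-credentials":
        raise ValueError(f"{mechanism} cannot use logon credentials")
    client = bonsai.LDAPClient(url)
    # No user, no password: bonsai passes NULL down and the library falls
    # back to acquiring the caller's logon credentials.
    client.set_credentials(mechanism)
    return client.connect()


if __name__ == "__main__":
    # Placeholder host; requires a domain-joined or kinit'ed session.
    with connect_as_current_user("ldap://dc.example.com") as conn:
        print(conn.whoami())
```

The `whoami()` call is the quickest check that the bind really used the logon identity rather than an anonymous bind: an anonymous bind returns an empty authorization identity, while a context-based bind returns the current principal.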

adament commented 2 years ago

Sounds great! Thank you.