Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
- A string containing the hostname
The optional second element is what authorization ID to request.
- If omitted or None, the authentication ID is used as the authorization ID
- If a string, the authorization ID to use. Should start with "dn:" or "user:".
"""
target_name = None
authz_id = b""
if connection.sasl_credentials:
if len(connection.sasl_credentials) >= 1 and connection.sasl_credentials[0]:
if connection.sasl_credentials[0] is True:
hostname = socket.gethostbyaddr(connection.socket.getpeername()[0])[0]
target_name = gssapi.Name('ldap@' + hostname, gssapi.NameType.hostbased_service)
else:
target_name = gssapi.Name('ldap@' + connection.sasl_credentials[0], gssapi.NameType.hostbased_service)
if len(connection.sasl_credentials) >= 2 and connection.sasl_credentials[1]:
authz_id = connection.sasl_credentials[1].encode("utf-8")
if target_name is None:
target_name = gssapi.Name('ldap@' + connection.server.host, gssapi.NameType.hostbased_service)
creds = gssapi.Credentials(name=gssapi.Name(connection.user), usage='initiate') if connection.user else None
ctx = gssapi.SecurityContext(name=target_name, mech=gssapi.MechType.kerberos, creds=creds)
in_token = None
try:
while True:
out_token = ctx.step(in_token)
if out_token is None:
out_token = ''
result = send_sasl_negotiation(connection, controls, out_token)
in_token = result['saslCreds']
try:
# This raised an exception in gssapi<1.1.2 if the context was
# while kerb auth might be available, if we require wrapping and the
# extension is not available then we can't use it
if encryption_required and not HAS_GSSAPI_ENCRYPTION:
available_mechs.pop(0)
ntlm_oid = GSSAPIContext._AUTH_PROVIDERS['ntlm']
ntlm_mech = gssapi.OID.from_int_seq(ntlm_oid)
# GSS_NTLMSSP_RESET_CRYPTO_OID_LENGTH
# github.com/simo5/gss-ntlmssp/blob/master/src/gssapi_ntlmssp.h#L68
reset_mech = gssapi.OID.from_int_seq("1.3.6.1.4.1.7165.655.1.3")
try:
# we don't actually care about the account used here so just use
# a random username and password
ntlm_context = GSSAPIContext._get_security_context(
gssapi.NameType.user,
ntlm_mech,
"http@server",
"username",
"password",
False,
encryption_required
)
ntlm_context.step()
gssapi.raw.set_sec_context_option(reset_mech, context=ntlm_context,
value=b"\x00" * 4)
# gss-ntlmssp is available which in turn means we can use native
# SPNEGO or NTLM with the GSSAPI
available_mechs.extend(["auto", "ntlm"])
except gssapi.exceptions.GSSError as exc:
# failed to init NTLM and verify gss-ntlmssp is available, this
for SPNEGO and NTLM to work properly.
:return: list - A list of supported mechs available in the installed
version of GSSAPI
"""
ntlm_oid = GSSAPIContext._AUTH_MECHANISMS['ntlm']
ntlm_mech = gssapi.OID.from_int_seq(ntlm_oid)
# GSS_NTLMSSP_RESET_CRYPTO_OID_LENGTH
# github.com/simo5/gss-ntlmssp/blob/master/src/gssapi_ntlmssp.h#L68
reset_mech = gssapi.OID.from_int_seq("1.3.6.1.4.1.7165.655.1.3")
try:
# we don't actually care about the account used here so just use
# a random username and password
ntlm_context = GSSAPIContext._get_security_context(
gssapi.NameType.user,
ntlm_mech,
"http@server",
"username",
"password"
)
ntlm_context.step()
set_sec_context_option(reset_mech, context=ntlm_context,
value=b"\x00" * 4)
except gssapi.exceptions.GSSError as exc:
# failed to init NTLM and verify gss-ntlmssp is available, this
# means NTLM is either not available or won't work
# (not gss-ntlmssp) so we return kerberos as the only available
# mechanism for the GSSAPI Context
log.debug("Failed to init test NTLM context with GSSAPI: %s"
% str(exc))
return ['kerberos']