Kerberos support for LDAP connector

[bhunut-adobe]

Added Kerberos Authentication support for Windows #565
This enabled UST to no longer required username and password in configuration file.
UST will automatically use OS authenticated user.
LDAP Channel Binding is supported.

set the following in connector-ldap.yml
authentication_method: kerberos

Implemented Require_TLS_Cert. #566
This allow ldap (389) to have encrypted traffic over TLS.
This integrates with the system wide Certification Authorities. No need to specify CA cert path.

set the following in connector-ldap.yml
require_tls_cert: True

[adorton-adobe]

Before I review, can we get the build passing? I believe the dependency issue that Danimae fixed in #561 is causing the failure. I've merged that PR, so if you merge or rebase v2 to your branch the build should work.

[adorton-adobe]

@bhunut-adobe FYI - I just merged another build-related PR, so make sure you pull v2 again before you rebase/merge.

[adorton-adobe]

@bhunut-adobe is this ready for review?

[bajwa-adobe]

Hi Kevin, I am bit confused why would someone use TLS/SSL over port 389 instead of 636. Is that common practice in AD world? Have you implemented it for Kerberos? I read some information from https://kurtroggen.wordpress.com/2018/08/03/are-you-using-ldap-over-ssl-tls/ * LDAP using StartTLS over port 389 (DC) or 3268 (GC) where the StartTLS operation is used to establish secure communications. It requires the LDAP client to support this StartTLS operation. Regards, Atif Atif Bajwa | Solution Developer, Creative Cloud Enterprise | Adobe | c. +44 (0) 7748 761564 | bajwa@adobe.com<mailto:bajwa@adobe.com> PTO: 27 Mar – 9 Apr, Public Holidays: 10 Apr, 13 April From: Kevin Bhunut <notifications@github.com> Sent: 07 February 2020 18:25 To: adobe-apiplatform/user-sync.py <user-sync.py@noreply.github.com> Cc: Subscribed <subscribed@noreply.github.com> Subject: [adobe-apiplatform/user-sync.py] Kerberos support for LDAP connector (#564) Added Kerberos Authentication support for Windows This enabled UST to no longer required username and password in configuration file. UST will automatically use OS authenticated user. LDAP Channel Binding is supported. set the following in connector-ldap.yml authentication_method: kerberos Implemented Require_TLS_Cert. This allow ldap (389) to have encrypted traffic over TLS. This integrates with the system wide Certification Authorities. No need to specify CA cert path. set the following in connector-ldap.yml require_tls_cert: True

…

________________________________ You can view, comment on, or merge this pull request online at: #564<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fadobe-apiplatform%2Fuser-sync.py%2Fpull%2F564&data=02%7C01%7Cbajwa%40adobe.com%7Cbb87e007ba1c4776b78f08d7abfb03e0%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637166966896642988&sdata=dz9zirrwBVcMmKsON%2BNsYHmsVm5O7VPKuVUYGBA8H%2BQ%3D&reserved=0> Commit Summary * Added Kerberos Support for LDAP Connector * Removed the need for external LDAP3 wheel * Skip LDAP Channel Binding if SSL/TLS does exist * Resolved TLS being use during ldap binding issue File Changes * M examples/config files - basic/connector-ldap.yml<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fadobe-apiplatform%2Fuser-sync.py%2Fpull%2F564%2Ffiles%23diff-0&data=02%7C01%7Cbajwa%40adobe.com%7Cbb87e007ba1c4776b78f08d7abfb03e0%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637166966896642988&sdata=jHqQ7IjwnYoRNaCm7Ia%2FIdE80rx6ZQsSJM4jmSO06QM%3D&reserved=0> (3) * M setup.py<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fadobe-apiplatform%2Fuser-sync.py%2Fpull%2F564%2Ffiles%23diff-1&data=02%7C01%7Cbajwa%40adobe.com%7Cbb87e007ba1c4776b78f08d7abfb03e0%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637166966896652984&sdata=ulgSIHfGDgfiAwZCNpl5j1zrjX4vlbNDpBxa3oy25S8%3D&reserved=0> (6) * M user_sync/connector/directory_ldap.py<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fadobe-apiplatform%2Fuser-sync.py%2Fpull%2F564%2Ffiles%23diff-2&data=02%7C01%7Cbajwa%40adobe.com%7Cbb87e007ba1c4776b78f08d7abfb03e0%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637166966896652984&sdata=LTYjfpmNrrIU0OJL%2Falux9%2BvW0v7ow%2FagA0ohet2xxE%3D&reserved=0> (27) * A user_sync/connector/ldap3_extended/Connection.py<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fadobe-apiplatform%2Fuser-sync.py%2Fpull%2F564%2Ffiles%23diff-3&data=02%7C01%7Cbajwa%40adobe.com%7Cbb87e007ba1c4776b78f08d7abfb03e0%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637166966896662977&sdata=eEPBAJLq8WZDOzdncHjjclDKXKQza6B7M8mOqRhmlto%3D&reserved=0> (185) * A user_sync/connector/ldap3_extended/__init__.py<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fadobe-apiplatform%2Fuser-sync.py%2Fpull%2F564%2Ffiles%23diff-4&data=02%7C01%7Cbajwa%40adobe.com%7Cbb87e007ba1c4776b78f08d7abfb03e0%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637166966896662977&sdata=bgagB1XiorQ5pGrFHQj77CLyD1ufC%2Fih9aCIJbGqV0o%3D&reserved=0> (20) Patch Links: * #564.patch<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fadobe-apiplatform%2Fuser-sync.py%2Fpull%2F564.patch&data=02%7C01%7Cbajwa%40adobe.com%7Cbb87e007ba1c4776b78f08d7abfb03e0%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637166966896672971&sdata=9umkp6Mnuy2cVnN%2FbjYA%2Bf1DXb7g6whM99ugbQCShkY%3D&reserved=0> * #564.diff<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fadobe-apiplatform%2Fuser-sync.py%2Fpull%2F564.diff&data=02%7C01%7Cbajwa%40adobe.com%7Cbb87e007ba1c4776b78f08d7abfb03e0%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637166966896672971&sdata=8RflZlmfRx1djTWoLZ0Nzb7%2FklQZ35TMl1XxGsESlrY%3D&reserved=0> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fadobe-apiplatform%2Fuser-sync.py%2Fpull%2F564%3Femail_source%3Dnotifications%26email_token%3DAG2MWFGAJ4F7KPE35CJ5PD3RBWRO7A5CNFSM4KRS3Y62YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4IL4LX4A&data=02%7C01%7Cbajwa%40adobe.com%7Cbb87e007ba1c4776b78f08d7abfb03e0%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637166966896672971&sdata=5gImIOsWLgWfFgiiEBdcJrZtOYqSLFS%2BoNDQCp0I9v4%3D&reserved=0>, or unsubscribe<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAG2MWFC2A35AXCRIFDMWWG3RBWRO7ANCNFSM4KRS3Y6Q&data=02%7C01%7Cbajwa%40adobe.com%7Cbb87e007ba1c4776b78f08d7abfb03e0%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637166966896682968&sdata=WdfpDwUdsJJP%2FDO7il0qBvWP5pX2uwKALN1Z4yc3bOc%3D&reserved=0>.

[bhunut-adobe]

@adorton-adobe Ok i fixed my rebase mess. It is ready now for review

[bhunut-adobe]

@bajwa-adobe It is not common to use 389 + TLS. I just added the support incase someone actually use it. For Kerberos support, the only requirement are Windows server joined to AD Domain and running UST with a domain user not local account.

[adorton-adobe]

Looks pretty good. I'll need to test it before I can approve it. I have a couple of comments and one thing to change.

[johndoenulc]

Hi

any update on when this will be added to sync tool?

[adorton-adobe]

I think we need to generate an error when username and/or password are specified when kerberos is enabled. Right now when I specify both of them, I get no error and the connector uses Kerberos to connect. When I specify one but not the other, I get errors that could be confusing.

With username but no password: ldap configuration: must contain setting for "password" or "secure_password_key"

With password but no username: Found unused keys: ['password'] in: ldap configuration

Here's what we need to do - when kerberos is not enabled, then we report errors in the manner we currently report them. When kerberos is enabled, we should report an error along the lines of 'password' and 'username' are not allowed when 'authentication_method' is 'kerberos'.

[bhunut-adobe]

@adorton-adobe I made the change so it raise an exception when those two fields are specified