Kerberos support for LDAP connector #564
Conversation
Before I review, can we get the build passing? I believe the dependency issue that Danimae fixed in #561 is causing the failure. I've merged that PR, so if you merge or rebase v2 to your branch the build should work.
@bhunut-adobe FYI - I just merged another build-related PR, so make sure you pull v2 again before you rebase/merge.
@bhunut-adobe is this ready for review?
Hi Kevin,
I am a bit confused why someone would use TLS/SSL over port 389 instead of 636. Is that common practice in the AD world? Have you implemented it for Kerberos?
I read some information from https://kurtroggen.wordpress.com/2018/08/03/are-you-using-ldap-over-ssl-tls/:
* LDAP using StartTLS over port 389 (DC) or 3268 (GC) where the StartTLS operation is used to establish secure communications. It requires the LDAP client to support this StartTLS operation.
Regards,
Atif
From: Kevin Bhunut <notifications@github.com>
Sent: 07 February 2020 18:25
To: adobe-apiplatform/user-sync.py <user-sync.py@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Subject: [adobe-apiplatform/user-sync.py] Kerberos support for LDAP connector (#564)
Added Kerberos Authentication support for Windows
This enables UST to no longer require a username and password in the configuration file.
UST will automatically use the OS-authenticated user.
LDAP Channel Binding is supported.
Set the following in connector-ldap.yml:
authentication_method: kerberos
Implemented Require_TLS_Cert.
This allows LDAP (389) to have encrypted traffic over TLS.
This integrates with the system-wide Certification Authorities; no need to specify a CA cert path.
Set the following in connector-ldap.yml:
require_tls_cert: True
Commit Summary
* Added Kerberos Support for LDAP Connector
* Removed the need for external LDAP3 wheel
* Skip LDAP Channel Binding if SSL/TLS does exist
* Resolved TLS being used during LDAP binding issue
File Changes
* M examples/config files - basic/connector-ldap.yml (3)
* M setup.py (6)
* M user_sync/connector/directory_ldap.py (27)
* A user_sync/connector/ldap3_extended/Connection.py (185)
* A user_sync/connector/ldap3_extended/__init__.py (20)
Force-pushed a89366e to 489780d.
Force-pushed 489780d to f88b66f.
@adorton-adobe OK, I fixed my rebase mess. It is ready now for review.
@bajwa-adobe It is not common to use 389 + TLS. I just added the support in case someone actually uses it. For Kerberos support, the only requirements are a Windows server joined to an AD domain and running UST with a domain user, not a local account.
Looks pretty good. I'll need to test it before I can approve it. I have a couple of comments and one thing to change.
Hi, any update on when this will be added to the sync tool?
I think we need to generate an error when With With Here's what we need to do - when
@adorton-adobe I made the change so it raises an exception when those two fields are specified.
Added Kerberos Authentication support for Windows #565
This enables UST to no longer require a username and password in the configuration file.
UST will automatically use the OS-authenticated user.
LDAP Channel Binding is supported.
Set the following in connector-ldap.yml:
authentication_method: kerberos
Implemented Require_TLS_Cert. #566
This allows LDAP (389) to have encrypted traffic over TLS.
This integrates with the system-wide Certification Authorities; no need to specify a CA cert path.
Set the following in connector-ldap.yml:
require_tls_cert: True
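The thread above fixes three things a connector like this has to get right: Kerberos binds take the identity from the OS session, so a `username`/`password` in the file alongside `authentication_method: kerberos` is a contradiction that should be a hard error (the change @adorton-adobe asked for); `require_tls_cert: True` means StartTLS on the plaintext port (389) with the server certificate validated against the system trust store; and LDAPS (636) already encrypts, so StartTLS is not applied on top of it. The following is an added example, not code from the PR or from user-sync.py, that encodes those rules as a small planning step and then opens the connection with ldap3. Only `authentication_method` and `require_tls_cert` are keys the PR shows; `host`, `port`, `use_ssl`, `username` and `password` are assumed key names, and the sample configurations are constructed.

```python
"""Added example (not user-sync.py code): validate the LDAP connector options
described in PR #564 and open the connection with ldap3.

Assumed config keys: host, port, use_ssl, username, password.
Keys taken from the PR description: authentication_method, require_tls_cert.
"""
import ssl
from dataclasses import dataclass
from typing import Optional


class LdapConfigError(ValueError):
    """Raised when connector-ldap.yml options contradict each other."""


@dataclass(frozen=True)
class ConnectionPlan:
    host: str
    port: int
    use_ssl: bool            # LDAPS: TLS from the first byte (normally port 636)
    start_tls: bool          # plaintext port (389) upgraded with StartTLS before the bind
    validate_cert: bool      # verify the server certificate against the default trust store
    auth: str                # "kerberos" (SASL/GSSAPI, OS-authenticated user) or "simple"
    username: Optional[str]  # simple bind only
    password: Optional[str]  # simple bind only


def plan_connection(cfg: dict) -> ConnectionPlan:
    """Validate the options and decide how the bind will be performed."""
    auth = str(cfg.get("authentication_method", "simple")).lower()
    username = cfg.get("username")
    password = cfg.get("password")
    use_ssl = bool(cfg.get("use_ssl", False))
    require_tls_cert = bool(cfg.get("require_tls_cert", False))

    if auth == "kerberos":
        # With Kerberos the OS session supplies the identity. A username or
        # password in the file is therefore a mistake, most likely a credential
        # that was never meant to stay on disk, so refuse to start.
        if username is not None or password is not None:
            raise LdapConfigError(
                "authentication_method: kerberos must not be combined with username/password")
    elif auth == "simple":
        if not username or not password:
            raise LdapConfigError("simple bind requires both username and password")
    else:
        raise LdapConfigError("unknown authentication_method: %r" % auth)

    # StartTLS only applies to the plaintext port; LDAPS is already encrypted.
    start_tls = require_tls_cert and not use_ssl
    port = int(cfg.get("port") or (636 if use_ssl else 389))
    return ConnectionPlan(
        host=cfg["host"], port=port, use_ssl=use_ssl, start_tls=start_tls,
        # The PR ties validation to require_tls_cert; this example validates on LDAPS as well.
        validate_cert=require_tls_cert or use_ssl,
        auth=auth, username=username, password=password)


def config_is_valid(cfg: dict) -> bool:
    """True if plan_connection accepts the options, False if it rejects them."""
    try:
        plan_connection(cfg)
        return True
    except (LdapConfigError, KeyError):
        return False


def open_connection(plan: ConnectionPlan):
    """Open and bind an ldap3 Connection for the plan. Needs the ldap3 package
    (and gssapi or winkerberos for SASL Kerberos); imported lazily so the
    planning logic above is testable without a directory server."""
    import ldap3

    validate = ssl.CERT_REQUIRED if plan.validate_cert else ssl.CERT_NONE
    # No ca_certs_file is passed, so ldap3 uses the interpreter's default trust
    # store, which on Windows is the system certificate store.
    tls = ldap3.Tls(validate=validate)
    server = ldap3.Server(plan.host, port=plan.port, use_ssl=plan.use_ssl, tls=tls)
    if plan.auth == "kerberos":
        conn = ldap3.Connection(server, authentication=ldap3.SASL,
                                sasl_mechanism=ldap3.KERBEROS)
    else:
        conn = ldap3.Connection(server, user=plan.username, password=plan.password)
    conn.open()
    if plan.start_tls and not conn.start_tls():
        conn.unbind()
        raise ConnectionError("StartTLS failed; refusing to bind in plaintext on port %d" % plan.port)
    if not conn.bind():
        conn.unbind()
        raise ConnectionError("LDAP bind failed: %s" % (conn.result,))
    return conn


# Constructed sample: the Kerberos + StartTLS combination from the PR description.
SAMPLE_CONFIG = {"host": "dc01.example.test", "authentication_method": "kerberos",
                 "require_tls_cert": True}

if __name__ == "__main__":
    print(plan_connection(SAMPLE_CONFIG))
```

The planning step is kept separate from ldap3 on purpose: the contradiction check and the port/TLS decision can then be unit-tested on every configuration shape without a domain controller, and a misconfiguration fails before any socket is opened rather than surfacing as a confusing bind error.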