checkPass via kerberos / gssapi

[cornelinux]

Password checking could be done in the LDAP resolver using kerberos mechanism / ldap3 gssapi.

See the orignial pull request: #678

In favour of code dedupllication we do not create a new resolver but rather add another way to verify the password to the existing resolver.

http://ldap3.readthedocs.io/bind.html#kerberos

• We must assume, that e.g. AD does not support simplebind anymore
• Passwords must be verified by requesting a TGT (which is granted by providing the correct password)
• However, if we need to search, we need a service ticket. Searches are done only with the service account
• Service Account
  • initially fetch TGT
  • Service Tickets for searching LDAP
• User, for whom we need to check the password:
  • always reuqest TGT (never need service ticket)

[wheldom01]

I'm more than happy yo help out with this, just a little short on time at the moment.

[ignitediris]

I'll test it out in my infrastructure and provide debug info as needed. Beta testing of sorts if you'd like.

[plettich]

According to the ldap3-docs we need the gssapi package which (currently) doesn't provide a wheel for ubuntu20.
Thus we need to install the python3-dev and libkrb5-devpackages as well as gcc in order to build the extension.

Things to do:

• Documentation (necessary packages, Domain join, ...)
• Prerequisites (which additional information do we need in the LDAP-Resolver)
• Fetch/Renew TGT for service account from Python Code
• Use the TGT fetching for verifying the user password
• Use the Service Account TGT to perform LDAP search requests (service ticket)
• Implementation and error checking (not in domain, no TGT, ...)
• Tests

[cornelinux]

When validating user passwords we need to verify

• will a fail counter in AD be increased
• if user is blocked/deactivated - will the authentication fail (in comparison to a simple bind, which will fail)
• password is changed in AD

The behaviour should be same as with bind.