ldap3.protocol.sasl package

Submodules

ldap3.protocol.sasl.digestMd5 module

ldap3.protocol.sasl.digestMd5.decode_directives(directives_string)

Converts the directives string to a dict and unquotes the values.

ldap3.protocol.sasl.digestMd5.md5_h(value)
ldap3.protocol.sasl.digestMd5.md5_hex(value)
ldap3.protocol.sasl.digestMd5.md5_hmac(k, s)
ldap3.protocol.sasl.digestMd5.md5_kd(k, s)
ldap3.protocol.sasl.digestMd5.sasl_digest_md5(connection, controls)

ldap3.protocol.sasl.external module

ldap3.protocol.sasl.external.sasl_external(connection, controls)

ldap3.protocol.sasl.kerberos module

ldap3.protocol.sasl.kerberos.sasl_gssapi(connection, controls)

Performs a bind using the Kerberos v5 (“GSSAPI”) SASL mechanism from RFC 4752. Does not support any security layers, only authentication!

sasl_credentials can be empty or a tuple with one or two elements. The first element determines which service principal to request a ticket for and can be one of the following:

  • None or False, to use the hostname from the Server object
  • True, to perform a reverse DNS lookup to retrieve the canonical hostname for the host's IP address
  • A string containing the hostname

The optional second element is what authorization ID to request.

  • If omitted or None, the authentication ID is used as the authorization ID
  • If a string, the authorization ID to use. Should start with “dn:” or “user:”.

The optional third element is a raw gssapi credentials structure, which can be used instead of the implicit Kerberos credential cache (ccache).

ldap3.protocol.sasl.sasl module

ldap3.protocol.sasl.sasl.abort_sasl_negotiation(connection, controls)
ldap3.protocol.sasl.sasl.random_hex_string(size)
ldap3.protocol.sasl.sasl.sasl_prep(data)

Implements the SASLprep profile as per RFC 4013, which defines the “SASLprep” profile of the “stringprep” algorithm [StringPrep]. The profile is designed for use in Simple Authentication and Security Layer ([SASL]) mechanisms, such as [PLAIN], [CRAM-MD5], and [DIGEST-MD5]. It may be applicable where simple user names and passwords are used. This profile is not intended for use in preparing identity strings that are not simple user names (e.g., email addresses, domain names, distinguished names), or where identity or password strings are not character data or require different handling (e.g., case folding).
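The four RFC 4013 steps (map, normalize, prohibit, bidi check) written out as an added example; this is not ldap3's own sasl_prep code. `saslprep_example` and its `allow_unassigned` parameter are hypothetical names, and the helper relies only on the tables in Python's standard `stringprep` module.

```python
import stringprep
import unicodedata

# RFC 4013 section 2.3: prohibited output tables (C.1.2 and C.2.1 to C.9).
PROHIBITED = (
    stringprep.in_table_c12, stringprep.in_table_c21_c22,
    stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
    stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
    stringprep.in_table_c9,
)


def saslprep_example(data, allow_unassigned=False):
    """Prepare a simple user name or password following RFC 4013.

    Hypothetical helper written for this page, not ldap3's sasl_prep.
    Raises ValueError rather than passing a rejected string on.
    """
    # Step 1 (map): non-ASCII spaces (C.1.2) become U+0020; characters
    # "commonly mapped to nothing" (B.1) are dropped.
    mapped = []
    for ch in data:
        if stringprep.in_table_c12(ch):
            mapped.append(" ")
        elif not stringprep.in_table_b1(ch):
            mapped.append(ch)
    # Step 2 (normalize): form KC, using the Unicode 3.2 data stringprep uses.
    out = unicodedata.ucd_3_2_0.normalize("NFKC", "".join(mapped))
    # Step 3 (prohibit): controls, private use, surrogates, tagging, etc.
    for ch in out:
        if any(check(ch) for check in PROHIBITED):
            raise ValueError("prohibited code point U+%04X" % ord(ch))
        # Unassigned code points (A.1) are tolerated only in queries.
        if not allow_unassigned and stringprep.in_table_a1(ch):
            raise ValueError("unassigned code point U+%04X" % ord(ch))
    # Step 4 (bidi): a string with any RandALCat character (D.1) must have
    # no LCat character (D.2) and must start and end with a RandALCat one.
    if any(stringprep.in_table_d1(ch) for ch in out):
        if any(stringprep.in_table_d2(ch) for ch in out):
            raise ValueError("mixed right-to-left and left-to-right text")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise ValueError("right-to-left text must start and end RTL")
    return out
```

Two visually identical passwords that differ only in a soft hyphen or a compatibility character prepare to the same string, while control characters are rejected outright instead of reaching the bind request.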

ldap3.protocol.sasl.sasl.send_sasl_negotiation(connection, controls, payload)
ldap3.protocol.sasl.sasl.validate_simple_password(password, accept_empty=False)

validate simple password as per RFC4013 using sasl_prep:

Module contents