Test SASL data security layer / SSF behavior
#!/usr/bin/python
"""Test SASL data security layer / SSF behavior
"""
from __future__ import print_function
import socket
import ldap
import ldap.sasl
# Host under test: every probe targets the LDAP server on this machine.
FQDN = socket.getfqdn()

# Kerberos-based SASL mechanisms to exercise. Both get an empty callback dict;
# presumably the credentials come from the ticket cache -- confirm on the host.
SASL_GSSAPI, SASL_GSS_SPNEGO = [
    ldap.sasl.sasl({}, name) for name in ("GSSAPI", "GSS-SPNEGO")
]

# (URI scheme, issue StartTLS). "ldaps" is never combined with StartTLS.
schemes = [("ldap", False), ("ldap", True), ("ldaps", False)]
mechs = [SASL_GSSAPI, SASL_GSS_SPNEGO]
# Caps handed to OPT_X_SASL_SSF_MAX: 0 = no SASL security layer allowed,
# 1 = integrity only, 256 = confidentiality permitted (Cyrus SASL convention).
max_ssfs = [0, 1, 256]
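def vendor_version():
    """Print the server's ``vendorVersion`` root-DSE attribute, if published.

    Opens an anonymous ``ldap://FQDN`` connection and reads the root DSE.
    Nothing is printed when the python-ldap build has no ``read_rootdse_s``
    (AttributeError), when the server publishes no ``vendorVersion``
    (KeyError) or no root DSE at all (``read_rootdse_s`` returning None ->
    TypeError).  The connection is closed on every path; the original left it
    open whenever the attribute lookup failed.

    :raises ldap.LDAPError: if the server cannot be reached -- deliberately
        not swallowed, since every later probe would fail the same way.
    """
    conn = ldap.initialize("ldap://{fqdn}".format(fqdn=FQDN))
    try:
        rootdse = conn.read_rootdse_s()
        vendor = rootdse["vendorVersion"][0].decode("utf-8")
    except (AttributeError, KeyError, TypeError):
        # Missing API / attribute / root DSE: informational only, carry on.
        return
    finally:
        try:
            conn.unbind_s()
        except ldap.LDAPError:
            # Closing a connection that never fully opened is best effort.
            pass
    print("Vendor: {vendor}\n".format(vendor=vendor))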
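def check_conn(prefix, starttls, mech, max_ssf, sasl_flags=ldap.SASL_QUIET):
    """Run one SASL bind probe and print the negotiated security-strength factor.

    Opens ``prefix://FQDN``, optionally upgrades it with StartTLS, binds with
    *mech* while allowing any SASL SSF in ``[0, max_ssf]``, issues a ``whoami``
    and prints the SSF python-ldap reports afterwards.  Every outcome,
    including failures, goes to stdout; the connection is closed on every
    path so the probe matrix in ``main`` does not leak sockets (the original
    never called ``unbind_s``).

    :param prefix: URI scheme, ``"ldap"`` or ``"ldaps"``.
    :param starttls: issue StartTLS before the bind. The scheme list in this
        file only combines it with ``"ldap"``.
    :param mech: ``ldap.sasl.sasl`` mechanism object (GSSAPI / GSS-SPNEGO).
    :param max_ssf: value for ``OPT_X_SASL_SSF_MAX``; 0 forbids a SASL data
        security layer, 1 allows integrity only, larger values permit
        confidentiality (Cyrus SASL convention).
    :param sasl_flags: flags for ``sasl_interactive_bind_s``; quiet by default.
    """
    uri = "{prefix}://{fqdn}".format(prefix=prefix, fqdn=FQDN)
    conn = ldap.initialize(uri)
    # SSF_MIN=0 is deliberate for this probe: the bind must be allowed to end
    # up with *no* security layer so we can observe what the server really
    # negotiates.  Do not copy this into production code -- there, set
    # OPT_X_SASL_SSF_MIN to the protection you require (or rely on verified
    # TLS), otherwise a downgrade to cleartext LDAP operations goes unnoticed.
    conn.set_option(ldap.OPT_X_SASL_SSF_MIN, 0)
    conn.set_option(ldap.OPT_X_SASL_SSF_MAX, max_ssf)
    print(
        "URI: {}://, StartTLS {}, mech: {}, max SSF: {}".format(
            prefix, starttls, mech.mech.decode("ascii"), max_ssf
        )
    )
    try:
        if starttls:
            # NOTE(review): OPT_X_TLS_REQUIRE_CERT is not set here, so peer
            # certificate checking follows the ldap.conf / library default --
            # confirm it is "demand" on the test host before trusting results.
            try:
                conn.start_tls_s()
            except ldap.LDAPError as e:
                # A failed StartTLS must neither abort the whole probe matrix
                # (the original let it propagate) nor fall through to a
                # cleartext bind that would be indistinguishable from the
                # plain "ldap, no StartTLS" case.
                print("StartTLS failed:", e)
                print()
                return
        try:
            conn.sasl_interactive_bind_s("", mech, sasl_flags=sasl_flags)
        except Exception as e:
            # Best effort on purpose: a refused mechanism or SSF is itself a
            # result; whoami below shows whether the connection is still
            # usable (anonymously) afterwards.
            print("SASL bind failed:", e)
        try:
            conn.whoami_s()
        except Exception as e:
            print("LDAP whoami failed:", e)
        try:
            ssf = conn.get_option(ldap.OPT_X_SASL_SSF)
        except ValueError:
            # Presumably raised when no SASL SSF is available, e.g. the bind
            # never completed -- treated as "none reported".
            ssf = None
        # This is the SASL layer's SSF only; protection provided by TLS
        # (StartTLS / ldaps) is not reflected in the number.
        print("Actual SSF: {}".format(ssf))
        print()
    finally:
        try:
            conn.unbind_s()
        except ldap.LDAPError:
            # Closing is best effort; the probe result was already printed.
            pass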
def main():
    """Print the server vendor, then run every scheme x mechanism x SSF probe."""
    vendor_version()
    for scheme, use_starttls in schemes:
        for mechanism in mechs:
            for ssf_cap in max_ssfs:
                check_conn(scheme, use_starttls, mechanism, ssf_cap)
# Script entry point; importing the module runs nothing but the definitions.
if __name__ == "__main__":
    main()