Yet another toot about #ldap3: I have created the pipy package βldap3-bleeding-edgeβ. This package is based on ldap3 2.10.1 (unreleased on pipy) + 6 pending PRs. It may be unstable but... "works on my machine" π€·
sources: https://github.com/ThePirateWhoSmellsOfSunflowers/ldap3/tree/bleeding_edge
π»
Good news dear LDAP hackers π #ldap3 is now compatible with Channel Binding and LDAP Signing. You can use the library against hardened domain controllers. Thanks cannatag and CravateRouge.
Get the last version: https://github.com/cannatag/ldap3
More info: https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html
The conclusion of my last post (https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html) is Β« Since a lot of #impacketβs examples are based on #ldap3, it seems easy to adapt them to work against hardened domain controllers Β». Good job Daniel!
The correct spelling of "DOMAIN\username" in LDAP search syntax is "DOMAIN\5cusername".
We're lucky one of our example users had valid hex in their username's first two characters and that the byte with this hex value had the high bit set so that it caused a UTF-8 decoding error, because Python package ldap3 "helpfully" treats \ as \ if the following two characters are invalid hex.
#ldap3 is incompatible with #Python 3.7 https://github.com/cannatag/ldap3/issues/428 #Cubicweb π€£
