I'm trying to get all project list from bit bucket, using username and app password. But getting 401 error.
I'm using atlasian python library for client connection, and below is the code.
bitbucket = Bitbucket(url='https://api.bitbucket.org',username="",password="")
data = bitbucket.project_list()
for data in data:
print(data)
Even tried with bitbucket user name and password still same.
Is there any way to generate key or something which can be used all the time not like oauth as it has expiration time.
You need to use App passwords as mentioned here
Using an app password
An app password is a substitute password for your user account, when authenticating with Bitbucket:
your Bitbucket username (not email) which can be found in the settings
the app password
My company uses an LDAP server for authentication against an Active Directory. I need to authenticate users of a remotely hosted Shiny app using this. I managed to authenticate in Python, but need to port this to R:
import ldap
from getpass import getpass
username = "user_name"
password = getpass(prompt='Password: ', stream=None)
ldap_server = "ldap://company-ldap-server:636"
try:
# Create connection with LDAP server and set options
conn = ldap.initialize(ldap_server)
conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
# Authenticate by trying to connect
conn.simple_bind_s(username, password)
# Retrieve this user's name and email (for authorization)
info = conn.search_s("DC=ad,DC=company,DC=com", ldap.SCOPE_SUBTREE, f"cn={username}*")
conn.unbind_s()
except Exception:
print("ERROR: Could not connect")
Here's what I've tried in R:
library(RCurl)
ldap_server <- "ldap://company-ldap-server:636"
user <- "user_name"
RCurl::getURL(ldap_server, .opts=list(userpwd = paste0(user, "#ad.company.com:",
.rs.askForPassword("Password: "))
)
)
All I get is:
Error in function (type, msg, asError = TRUE) : LDAP local: bind ldap_result Can't contact LDAP server
In curlOptions() there are some items similar to OPT_X_TLS_REQUIRE_CERT and OPT_X_TLS_NEWCTX, but curlSetOpts with any of those names don't seem to work.
This question and answer comes close, but I want to authenticate a user by securely passing their username and password.
In this answer, they're trying to convert Shiny LDAP to flask (basically the opposite of mine). But I'm not sure where/how they specify that auth_active_dir configuration...perhaps R Studio Connect or Shiny Open Server Pro. Neither of which are options for me.
It could be that the server is down at the moment. In the meantime, are these equivalent or is there something I'm missing in the R code?
# Python
conn = ldap.initialize(ldap_server)
conn.simple_bind_s(username, password)
# R
getURL(ldap_server, .opts=list(userpwd = "...."))
The format of your url (ldap_server) is not enough. How about you try:
Following the post here: How do I run a ldap query using R?
ldap_server <- "ldap://company-ldap-server:636/OU=[value],dc=ad,dc=company,dc=com?cn,mail?sub?filter"
Replace the [value] by removing bracket with your OU (which is company for me).
sub is scope (base/one/sub) as values
Replace "cn, mail" with whatever attributes you want to query
filter is search filter making subset of the query: eg(sn=LastName).
Check out https://docs.oracle.com/cd/E19396-01/817-7616/ldurl.html for curl url.
I'm using the Python requests library to make a call to an API that requires Windows Authentication. In C# I have always used the Directory Services, which has allowed me to avoid putting passwords in any of my code or configurations. From what I have found online, it seems that my only option in Python is to have a password somewhere. I have a service account that I will use, but I need to store the password securely. What is the best way to securely store and retrieve a service account password in Python without hard coding plain text?
The code that I am currently using is below. I have the username and password stored in plain text in my configuration:
auth = HttpNtlmAuth(
config.ServiceAccount["Username"],
config.ServiceAccount["Password"]
)
content = requests.post(call_string, json=parameters, auth=auth)
Edit: I should mention that this will not be a user-facing application. It will run as a batch job. So there will not be any way for a user to enter the username/password while running the application.
You could just not store the password at all and require the user to provide the password at runtime
import getpass
user = getpass.getuser()
password = getpass.getpass()
Otherwise, you could do something similar to git and just have the user store their password in plaintext in a config file in their home directory that you then read at runtime.
I know I asked this question a while ago, but I found a better solution to the NTLM/Windows authentication. I used the requests_negotiate_sspi library to avoid any passwords:
from requests_negotiate_sspi import HttpNegotiateAuth
auth = HttpNegotiateAuth()
content = requests.post(call_string, json=parameters, auth=auth)
I was trying to connect to remote machine via WinRM in Python (pywinrm) using domain account, following the instruction in
How to connect to remote machine via WinRM in Python (pywinrm) using domain account?
using
session = winrm.Session(server, auth=('user#DOMAIN', 'doesNotMatterBecauseYouAreUsingAKerbTicket'), transport='kerberos')
but I got this:
NotImplementedError("Can't use 'principal' argument with kerberos-sspi.")
I googled "principal argument" and I got its meaning in mathematics,which is in complex_analysis (https://en.m.wikipedia.org/wiki/Argument_(complex_analysis)) and definitely not the right meaning. I'm not a native English speaker and I got stuck here.
The original code is here:
https://github.com/requests/requests-kerberos/blob/master/requests_kerberos/kerberos_.py
def generate_request_header(self, response, host, is_preemptive=False):
"""
Generates the GSSAPI authentication token with kerberos.
If any GSSAPI step fails, raise KerberosExchangeError
with failure detail.
"""
# Flags used by kerberos module.
gssflags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
if self.delegate:
gssflags |= kerberos.GSS_C_DELEG_FLAG
try:
kerb_stage = "authGSSClientInit()"
# contexts still need to be stored by host, but hostname_override
# allows use of an arbitrary hostname for the kerberos exchange
# (eg, in cases of aliased hosts, internal vs external, CNAMEs
# w/ name-based HTTP hosting)
kerb_host = self.hostname_override if self.hostname_override is not None else host
kerb_spn = "{0}#{1}".format(self.service, kerb_host)
kwargs = {}
# kerberos-sspi: Never pass principal. Raise if user tries to specify one.
if not self._using_kerberos_sspi:
kwargs['principal'] = self.principal
elif self.principal:
raise NotImplementedError("Can't use 'principal' argument with kerberos-sspi.")
Any help will be greatly appreciated.
There are two ways to authenticate a user using Django Auth LDAP
Search/Bind and
Direct Bind.
The first one involves connecting to the LDAP server either anonymously or with a fixed account and searching for the distinguished name of the authenticating user. Then we can attempt to bind again with the user’s password.
The second method is to derive the user’s DN from his username and attempt to bind as the user directly.
I want to be able to do a direct bind using the userid (sAMAccountName) and password of the user who is trying to gain access to the application. Please let me know if there is a way to achieve this? At the moment, I cannot seem to make this work due to the problem explained below.
In my case, the DN of users in LDAP is of the following format
**'CN=Steven Jones,OU=Users,OU=Central,OU=US,DC=client,DC=corp'**
This basically translates to 'CN=FirstName LastName,OU=Users,OU=Central,OU=US,DC=client,DC=corp'
This is preventing me from using Direct Bind as the sAMAccountName of the user is sjones and this is the parameter that corresponds to the user name (%user) and I can't figure out a way to frame a proper AUTH_LDAP_USER_DN_TEMPLATE to derive the User's DN using.
Due to the above explained problem, I am using Search/Bind for now but this requires me to have a fixed user credential to be specified in AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD.
Here is my current settings.py configuration
AUTH_LDAP_SERVER_URI = "ldap://10.5.120.161:389"
AUTH_LDAP_BIND_DN='CN=Steven Jones,OU=Users,OU=Central,OU=US,DC=client,DC=corp'
AUTH_LDAP_BIND_PASSWORD='fga.1234'
#AUTH_LDAP_USER_DN_TEMPLATE = 'CN=%(user)s,OU=Appl Groups,OU=Central,OU=US,DC=client,DC=corp'
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
LDAPSearch("OU=Users, OU=Central,OU=US,DC=client,DC=corp",ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
LDAPSearch("OU=Users,OU=Regional,OU=Locales,OU=US,DC=client,DC=corp",ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"),
)
AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn","email":"mail"}
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("CN=GG_BusinessApp_US,OU=Appl Groups,OU=Central,OU=US,DC=client,DC=corp",ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_REQUIRE_GROUP = 'CN=GG_BusinessApp_US,OU=Appl Groups,OU=Central,OU=US,DC=client,DC=corp'
Looking forward for some guidance from the wonderful folks in here.
I had the same issue.
I ran across ticket 21 in the now-deleted bitbucket repository. (cant-bind-and-search-on-activedirectory). The issues were not migrated to their github, but the author brought up a way to change the library files for django-auth-ldap so that it could do a direct bind.
It came down to changing <python library path>/django_auth_ldap/backend.py to include two lines in _authenticate_user_dn:
if sticky and ldap_settings.AUTH_LDAP_USER_SEARCH:
self._search_for_user_dn()
I was able to get this to work on my local machine that was running Arch Linux 3.9.8-1-ARCH, but I was unable to replicate it on the dev server running Ubuntu 13.04.
Hopefully this can help.
(This is actually a comment to #amethystdragon's answer, but it's a bunch of code, so posting as a separate answer.) The problem still seems to exist with django_auth_ldap 1.2.5. Here's an updated patch. If you don't want or can't modify the source code, monkey-patching is possible. Just put this code to eg. end of settings.py. (And yes, I know monkey-patching is ugly.)
import ldap
from django_auth_ldap import backend
def monkey(self, password):
"""
Binds to the LDAP server with the user's DN and password. Raises
AuthenticationFailed on failure.
"""
if self.dn is None:
raise self.AuthenticationFailed("failed to map the username to a DN.")
try:
sticky = self.settings.BIND_AS_AUTHENTICATING_USER
self._bind_as(self.dn, password, sticky=sticky)
#### The fix -->
if sticky and self.settings.USER_SEARCH:
self._search_for_user_dn()
#### <-- The fix
except ldap.INVALID_CREDENTIALS:
raise self.AuthenticationFailed("user DN/password rejected by LDAP server.")
backend._LDAPUser._authenticate_user_dn = monkey
I also had this issue, but I didn't want to modify the settings.py file. The fix for me was to comment out the line "AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=path,dc=to,dc=domain"". I also added NestedActiveDirectoryGroupType as part of my troubleshooting. Not sure if it's necessary, but it's working now so I'm leaving it. Here's my ldap_config.py file.
import ldap
# Server URI
AUTH_LDAP_SERVER_URI = "ldap://urlForLdap"
# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
# ldap.OPT_DEBUG_LEVEL: 1,
ldap.OPT_REFERRALS: 0
}
# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=Netbox,OU=xxx,DC=xxx,DC=xxx"
AUTH_LDAP_BIND_PASSWORD = "password"
# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = True
from django_auth_ldap.config import LDAPSearch, NestedActiveDirectoryGroupType
# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
# username is not in their DN (Active Directory).
AUTH_LDAP_USER_SEARCH = LDAPSearch("OU=xxx,DC=xxx,DC=xxx",
ldap.SCOPE_SUBTREE,
"(sAMAccountName=%(user)s)")
# If a user's DN is producible from their username, we don't need to search.
# AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=corp,dc=loc"
# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
}
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, NestedActiveDirectoryGroupType
# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# heirarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=xxx,dc=xxx", ldap.SCOPE_SUBTREE,
"(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()
# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "CN=NetBox_Users,OU=NetBox,OU=xxx,DC=xxx,DC=xxx"
# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_active": "CN=NetBox_Active,OU=NetBox,OU=xxx,DC=xxx,DC=xxx",
"is_staff": "CN=NetBox_Staff,OU=NetBox,OU=xxx,DC=xxx,DC=xxx",
"is_superuser": "CN=NetBox_Superuser,OU=NetBox,OU=xxx,DC=xxx,DC=xxx"
}
# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True
# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
I also had this problem where the old ldap server had a dn that started with uid, but the DN of the new one starts with CN ('Steven Jones'). I used this configuration (which solved it for me) in setting.py:
AUTH_LDAP_BIND_DN = 'CN=adreader,CN=Users,DC=xxx, DC=yyy'
from django_auth_ldap.config import LDAPSearch
import ldap
AUTH_LDAP_USER_SEARCH = LDAPSearch(base_dn='ou=People, ou=xxx, dc=yyy, dc=zzz,
scope=ldap.SCOPE_SUBTREE, filterstr='(sAMAccountName=%(user)s)')
I think using direct bind (as shown below) and then passing the common name in the login interface would do the job, and thus it is not needed to set static authentication credentials.
AUTH_LDAP_USER_DN_TEMPLATE = "CN=%(user)s,OU=users,OU=OR-TN,DC=OrangeTunisie,DC=intra"
The above answers did not work for me, but I have found a way to make it work.
The trick is to use sAMAAcountname in combination with the domain name to bind.
modify the template DN in order for it to use username#domain.com format.
use modified monkey patch to lookup and store the real user CN (self._user_dn).
Settings:
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
AUTH_LDAP_USER_DN_TEMPLATE = '%(user)s#example.com'
Patch:
import ldap
from django_auth_ldap import backend
def monkey(self, password):
"""
Binds to the LDAP server with the user's DN and password. Raises
AuthenticationFailed on failure.
"""
if self.dn is None:
raise self.AuthenticationFailed("failed to map the username to a DN.")
try:
sticky = self.settings.BIND_AS_AUTHENTICATING_USER
self._bind_as(self.dn, password, sticky=sticky)
# Search for the user DN -->
if sticky and self.settings.USER_SEARCH:
self._user_dn = self._search_for_user_dn()
except ldap.INVALID_CREDENTIALS:
raise self.AuthenticationFailed("user DN/password rejected by LDAP server.")
backend._LDAPUser._authenticate_user_dn = monkey