Bug 2277165

Summary: python-ldap3 should use Cryptodome instead of Crypto
Product: [Fedora] Fedora EPEL Reporter: griznog <griznog>
Component: python-ldap3Assignee: Avram Lubkin <aviso>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: epel9CC: aviso, igor.raits, karlthered, mairacanal, python-packagers-sig
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description griznog 2024-04-25 14:00:05 UTC 
Description of problem:

python3-ldap3 wants to load MD4 from Crypto, which isn't available on Rocky 9 and appears to now be provided by Cryptodome?

Version-Release number of selected component (if applicable):

python3-ldap3-2.8.1-4.el9.noarch

How reproducible:

I discovered this when trying to use a script developed on Rocky 8 on a new Rocky 9 system, so it's reproducible on every Rocky 9 system. 

Steps to Reproduce:

1. Try to use ntlm auth to bind to AD with the python-ldap3 package. 

Actual results:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ldap3/utils/ntlm.py", line 500, in ntowf_v2
    from Crypto.Hash import MD4  # try with the Crypto library if present
ModuleNotFoundError: No module named 'Crypto'

Expected results:

The script would authenticate and return results from Active Directory. 

Additional info:

The fix I am using is to install python3-pycryptodomex and patch /usr/lib/python3.9/site-packages/ldap3/utils/ntlm.py as shown here:

--- utils/ntlm.py.orig	2020-08-18 14:22:20.000000000 -0700
+++ utils/ntlm.py	2024-04-25 06:35:29.844194294 -0700
@@ -497,7 +497,7 @@
                 password_digest = hashlib.new('MD4', self._password.encode('utf-16-le')).digest()
             except ValueError as e:
                 try:
-                    from Crypto.Hash import MD4  # try with the Crypto library if present
+                    from Cryptodome.Hash import MD4  # try with the Cryptodome library if present
                     password_digest = MD4.new(self._password.encode('utf-16-le')).digest()
                 except ImportError:
                     raise e  # raise original exception
Comment 1 griznog 2024-04-25 14:17:20 UTC 
Upon closer inspection it appears that the local script we use when ran on Rocky 8 does not authenticate in the same way and so doesn't try to import the MD4 hash. But I don't understand the internals of this well enough to guess why. In both cases we're doing a kinit to get a credential then running the script. Patching to use Cryptodome definitely fixes it for us in Rocky 9 though.