Hi,
authenticates a user against our ldap server.: User types in name and
password, and module sees if name and password check out right with the
ldap server.
I see that it's pretty straightforward to do this with:
import ldap
l = ldap.open('our.ldap.server')
try:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
authenticated = True
except:
authenticated = False
But this uses the plaintext of the user's password. Is there a proper
way to send a cryptographic hash to the ldap server? Or do I have to
negotiate this through an ssl tunnel or something?
Thanks for any tips. Cheers!
j
--
Jed Parsons Industrial Light + Magic (415) 746-2974
grep(do{for(ord){(!$_&&print"$s\n")||(($O+=(($_-1)%6+1)and
grep(vec($s,$O++,1)=1,1..int(($_-6*6-1)/6))))}},(split(//,
"++,++2-27,280,481=1-7.1++2,800+++2,8310/1+4131+1++2,80\0. What!?"))); 5 1959
Jed Parsons wrote: import ldap l = ldap.open('our.ldap.server') try: l.bind_s(username, password, ldap.AUTH_SIMPLE) authenticated = True except: authenticated = False
^^^
Identiation is wrong here.
Also I'd recommend to catch the ldap.LDAPError exceptions more
specifically (ldap.INVALID_CREDENTIALS indicates wrong password):
try:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
except ldap.INVALID_CREDENTIALS:
authenticated = False
else:
authenticated = True
But this uses the plaintext of the user's password.
Yes, since this is a LDAP Simple Bind Request as defined in RFC 2251.
Is there a proper way to send a cryptographic hash to the ldap server? Or do I have to negotiate this through an ssl tunnel or something?
SSL (either LDAPS or StartTLS extended operation) is one possibility to
secure the whole connection including bind requests (see
Demo/initialize.py).
Another option is to use SASL with DIGEST-MD5 if your server supports it
(see Demo/sasl_bind.py) and has the cleartext passwords available. Other
options with SASL, e.g. GSSAPI (Kerberos), exist but highly depends on
your IT infrastructure and LDAP server configuration.
Just follow-up here or on the python-ldap-dev mailing list if you have
further problems.
Ciao, Michael.
Hi, Michael,
Thanks very much for your response. I think I can work it out now. authenticated = False ^^^ Identiation is wrong here.
Yes, sorry about that - doesn't always work on this email client :(
As an addendum, I discovered one little gotcha, namely that this:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
throws an ldap.INVALID_CREDENTIALS error if the password contains the
wrong text, but works if the password is empty. I guess this is
tantamount to binding as ("", ""), but I wasn't expecting it; I figured
if a username was specified, the password would have to agree. So my
little authentication example also needs to test for empty passwords.
Neither here nor there, really; just thought I'd mention it since I ran
into it.
Now I'm off to check out the Demo/*.py scripts you pointed me to.
Thanks again. Cheers!
j
Michael Ströder wrote: Jed Parsons wrote: import ldap l = ldap.open('our.ldap.server') try: l.bind_s(username, password, ldap.AUTH_SIMPLE) authenticated = True except: authenticated = False ^^^ Identiation is wrong here. Also I'd recommend to catch the ldap.LDAPError exceptions more specifically (ldap.INVALID_CREDENTIALS indicates wrong password): try: l.bind_s(username, password, ldap.AUTH_SIMPLE) except ldap.INVALID_CREDENTIALS: authenticated = False else: authenticated = True But this uses the plaintext of the user's password. Yes, since this is a LDAP Simple Bind Request as defined in RFC 2251. Is there a proper way to send a cryptographic hash to the ldap server? Or do I have to negotiate this through an ssl tunnel or something? SSL (either LDAPS or StartTLS extended operation) is one possibility to secure the whole connection including bind requests (see Demo/initialize.py). Another option is to use SASL with DIGEST-MD5 if your server supports it (see Demo/sasl_bind.py) and has the cleartext passwords available. Other options with SASL, e.g. GSSAPI (Kerberos), exist but highly depends on your IT infrastructure and LDAP server configuration. Just follow-up here or on the python-ldap-dev mailing list if you have further problems. Ciao, Michael.
--
Jed Parsons Industrial Light + Magic (415) 746-2974
grep(do{for(ord){(!$_&&print"$s\n")||(($O+=(($_-1)%6+1)and
grep(vec($s,$O++,1)=1,1..int(($_-6*6-1)/6))))}},(split(//,
"++,++2-27,280,481=1-7.1++2,800+++2,8310/1+4131+1++2,80\0. What!?")));
Jed Parsons wrote: As an addendum, I discovered one little gotcha, namely that this:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
throws an ldap.INVALID_CREDENTIALS error if the password contains the wrong text, but works if the password is empty. I guess this is tantamount to binding as ("", ""), but I wasn't expecting it; I figured if a username was specified, the password would have to agree.
Yes, this is by design. Empty cred means just switching to anon
bind. LDAP was not intended to be used for password checking at that time.
Which LDAP server are you using? You can switch off this behaviour with
OpenLDAP. See man 5 slapd.conf, allow <features>.
So my little authentication example also needs to test for empty passwords.
Yes!
Ciao, Michael. Which LDAP server are you using? You can switch off this behaviour with OpenLDAP. See man 5 slapd.conf, allow <features>.
I don't have anything other than user access. Good to know about this
feature, though.
You've been very helpful - I really appreciate it.
Can you recommend any favorite books or sites where I can learn more
about ldap?
Many thanks,
j
Michael Ströder wrote: Jed Parsons wrote: As an addendum, I discovered one little gotcha, namely that this:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
throws an ldap.INVALID_CREDENTIALS error if the password contains the wrong text, but works if the password is empty. I guess this is tantamount to binding as ("", ""), but I wasn't expecting it; I figured if a username was specified, the password would have to agree. Yes, this is by design. Empty cred means just switching to anon bind. LDAP was not intended to be used for password checking at that time. Which LDAP server are you using? You can switch off this behaviour with OpenLDAP. See man 5 slapd.conf, allow <features>. So my little authentication example also needs to test for empty passwords. Yes! Ciao, Michael.
--
Jed Parsons Industrial Light + Magic (415) 746-2974
grep(do{for(ord){(!$_&&print"$s\n")||(($O+=(($_-1)%6+1)and
grep(vec($s,$O++,1)=1,1..int(($_-6*6-1)/6))))}},(split(//,
"++,++2-27,280,481=1-7.1++2,800+++2,8310/1+4131+1++2,80\0. What!?")));
Jed Parsons wrote: Which LDAP server are you using? You can switch off this behaviour with OpenLDAP. See man 5 slapd.conf, allow <features>. I don't have anything other than user access. Good to know about this feature, though.
In case you're programming for different LDAP servers it's good to catch
empty passwords at the client-side anyway and not rely on server-side
features.
Can you recommend any favorite books or sites where I can learn more about ldap?
Better consult LDAP link farms. After doing several years of LDAP
consulting I can't remember how I learned it. ;-)
But IMHO you're on the right track. Programming a LDAP client and
carefully examining the results different LDAP server products are
producing is probably the best you can do. That's how web2ldap
started... :-)
Ciao, Michael. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: dmcconkey |
last post by:
Hi folks,
I've been searching for a while and haven't found my specific question
anywhere else. If this has already been asked, please accept my
appologies and point me to the appropriate...
|
by: timjowers |
last post by:
Searched through sourceforge to no avail. Ideas?
Requirement:
1. Lists users from LDAP
2. Allows multiple selection as well as free text entry
3. Has To, CC, and BCC lists.
4. Message and...
|
by: Amar |
last post by:
I am trying to connect to my college LDAP directory using ASP.NET. This LDap
does not have security as it returns only user demographic information.
i do not need to bind with a username or...
|
by: Angel |
last post by:
Hello all - I have a LDAP service running on a NT4 box (not a mbr of
my AD domain), I'd like to extract the users/attributes from that LDAP
service and populate my AD domain with those users and...
|
by: m96 |
last post by:
hi,
i'm trying to make a query to a ldap server (version v2 or v3 doen't
matter) with c#. the query works just fine but the problem is that i can't
read the custom attributes/fields, since .net...
| |
by: Terry Miller |
last post by:
I have DB2 V8.2 loaded on a Redhat Enterprise Linux version 3 (RHEL 3) box.
RHEL is configured to talk to LDAP for authenticaton besides the local
passwd file. I can verify this by executing an su...
|
by: crossroadsk |
last post by:
I have a problem in configuring JNDI properties for LDAP server
i created jndi.properties file in the current directory where i'm running a simple java code.
jndi.properties file which i...
|
by: rbukkara |
last post by:
Hi,
I have got the following error while trying to add a user in the LDAP Directory.
javax.naming.NameNotFoundException: ; remaining name 'uid=vassila,ou=People,dc=cs,dc=uno,dc=edu'
I have...
|
by: Sells, Fred |
last post by:
I'm running python 2.5 (or 2.4) in an XP environment.
I downloaded and installed the .dll's from OpenLDAP-2.4.8+OpenSSL-0.9.8g-Win32.zip and copied the .dll's in c:/windows/system32 as instructed...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
| |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The...
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence...
| |