By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
425,625 Members | 1,267 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 425,625 IT Pros & Developers. It's quick & easy.

ldap usage

P: n/a

Hi,

authenticates a user against our ldap server.: User types in name and
password, and module sees if name and password check out right with the
ldap server.

I see that it's pretty straightforward to do this with:

import ldap
l = ldap.open('our.ldap.server')
try:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
authenticated = True
except:
authenticated = False

But this uses the plaintext of the user's password. Is there a proper
way to send a cryptographic hash to the ldap server? Or do I have to
negotiate this through an ssl tunnel or something?

Thanks for any tips. Cheers!
j

--
Jed Parsons Industrial Light + Magic (415) 746-2974

grep(do{for(ord){(!$_&&print"$s\n")||(($O+=(($_-1)%6+1)and
grep(vec($s,$O++,1)=1,1..int(($_-6*6-1)/6))))}},(split(//,
"++,++2-27,280,481=1-7.1++2,800+++2,8310/1+4131+1++2,80\0. What!?")));
Mar 29 '06 #1
Share this Question
Share on Google+
5 Replies


P: n/a
Jed Parsons wrote:

import ldap
l = ldap.open('our.ldap.server')
try:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
authenticated = True
except:
authenticated = False ^^^
Identiation is wrong here.

Also I'd recommend to catch the ldap.LDAPError exceptions more
specifically (ldap.INVALID_CREDENTIALS indicates wrong password):

try:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
except ldap.INVALID_CREDENTIALS:
authenticated = False
else:
authenticated = True
But this uses the plaintext of the user's password.
Yes, since this is a LDAP Simple Bind Request as defined in RFC 2251.
Is there a proper
way to send a cryptographic hash to the ldap server? Or do I have to
negotiate this through an ssl tunnel or something?


SSL (either LDAPS or StartTLS extended operation) is one possibility to
secure the whole connection including bind requests (see
Demo/initialize.py).

Another option is to use SASL with DIGEST-MD5 if your server supports it
(see Demo/sasl_bind.py) and has the cleartext passwords available. Other
options with SASL, e.g. GSSAPI (Kerberos), exist but highly depends on
your IT infrastructure and LDAP server configuration.

Just follow-up here or on the python-ldap-dev mailing list if you have
further problems.

Ciao, Michael.
Mar 29 '06 #2

P: n/a

Hi, Michael,

Thanks very much for your response. I think I can work it out now.
authenticated = False ^^^
Identiation is wrong here.


Yes, sorry about that - doesn't always work on this email client :(

As an addendum, I discovered one little gotcha, namely that this:

l.bind_s(username, password, ldap.AUTH_SIMPLE)

throws an ldap.INVALID_CREDENTIALS error if the password contains the
wrong text, but works if the password is empty. I guess this is
tantamount to binding as ("", ""), but I wasn't expecting it; I figured
if a username was specified, the password would have to agree. So my
little authentication example also needs to test for empty passwords.

Neither here nor there, really; just thought I'd mention it since I ran
into it.

Now I'm off to check out the Demo/*.py scripts you pointed me to.

Thanks again. Cheers!
j

Michael Ströder wrote: Jed Parsons wrote:
import ldap
l = ldap.open('our.ldap.server')
try:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
authenticated = True
except:
authenticated = False

^^^
Identiation is wrong here.

Also I'd recommend to catch the ldap.LDAPError exceptions more
specifically (ldap.INVALID_CREDENTIALS indicates wrong password):

try:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
except ldap.INVALID_CREDENTIALS:
authenticated = False
else:
authenticated = True
But this uses the plaintext of the user's password.


Yes, since this is a LDAP Simple Bind Request as defined in RFC 2251.
Is there a proper
way to send a cryptographic hash to the ldap server? Or do I have to
negotiate this through an ssl tunnel or something?


SSL (either LDAPS or StartTLS extended operation) is one possibility to
secure the whole connection including bind requests (see
Demo/initialize.py).

Another option is to use SASL with DIGEST-MD5 if your server supports it
(see Demo/sasl_bind.py) and has the cleartext passwords available. Other
options with SASL, e.g. GSSAPI (Kerberos), exist but highly depends on
your IT infrastructure and LDAP server configuration.

Just follow-up here or on the python-ldap-dev mailing list if you have
further problems.

Ciao, Michael.


--
Jed Parsons Industrial Light + Magic (415) 746-2974

grep(do{for(ord){(!$_&&print"$s\n")||(($O+=(($_-1)%6+1)and
grep(vec($s,$O++,1)=1,1..int(($_-6*6-1)/6))))}},(split(//,
"++,++2-27,280,481=1-7.1++2,800+++2,8310/1+4131+1++2,80\0. What!?")));

Mar 30 '06 #3

P: n/a
Jed Parsons wrote:

As an addendum, I discovered one little gotcha, namely that this:

l.bind_s(username, password, ldap.AUTH_SIMPLE)

throws an ldap.INVALID_CREDENTIALS error if the password contains the
wrong text, but works if the password is empty. I guess this is
tantamount to binding as ("", ""), but I wasn't expecting it; I figured
if a username was specified, the password would have to agree.
Yes, this is by design. Empty cred means just switching to anon
bind. LDAP was not intended to be used for password checking at that time.

Which LDAP server are you using? You can switch off this behaviour with
OpenLDAP. See man 5 slapd.conf, allow <features>.
So my
little authentication example also needs to test for empty passwords.


Yes!

Ciao, Michael.
Mar 30 '06 #4

P: n/a
Which LDAP server are you using? You can switch off this behaviour
with OpenLDAP. See man 5 slapd.conf, allow <features>.
I don't have anything other than user access. Good to know about this
feature, though.

You've been very helpful - I really appreciate it.

Can you recommend any favorite books or sites where I can learn more
about ldap?

Many thanks,
j

Michael Ströder wrote: Jed Parsons wrote:
As an addendum, I discovered one little gotcha, namely that this:

l.bind_s(username, password, ldap.AUTH_SIMPLE)

throws an ldap.INVALID_CREDENTIALS error if the password contains the
wrong text, but works if the password is empty. I guess this is
tantamount to binding as ("", ""), but I wasn't expecting it; I figured
if a username was specified, the password would have to agree.


Yes, this is by design. Empty cred means just switching to anon
bind. LDAP was not intended to be used for password checking at that time.

Which LDAP server are you using? You can switch off this behaviour with
OpenLDAP. See man 5 slapd.conf, allow <features>.
So my
little authentication example also needs to test for empty passwords.


Yes!

Ciao, Michael.


--
Jed Parsons Industrial Light + Magic (415) 746-2974

grep(do{for(ord){(!$_&&print"$s\n")||(($O+=(($_-1)%6+1)and
grep(vec($s,$O++,1)=1,1..int(($_-6*6-1)/6))))}},(split(//,
"++,++2-27,280,481=1-7.1++2,800+++2,8310/1+4131+1++2,80\0. What!?")));

Mar 30 '06 #5

P: n/a
Jed Parsons wrote:
Which LDAP server are you using? You can switch off this behaviour
with OpenLDAP. See man 5 slapd.conf, allow <features>.
I don't have anything other than user access. Good to know about this
feature, though.


In case you're programming for different LDAP servers it's good to catch
empty passwords at the client-side anyway and not rely on server-side
features.
Can you recommend any favorite books or sites where I can learn more
about ldap?


Better consult LDAP link farms. After doing several years of LDAP
consulting I can't remember how I learned it. ;-)

But IMHO you're on the right track. Programming a LDAP client and
carefully examining the results different LDAP server products are
producing is probably the best you can do. That's how web2ldap
started... :-)

Ciao, Michael.
Mar 31 '06 #6

This discussion thread is closed

Replies have been disabled for this discussion.