Hi,
authenticates a user against our ldap server.: User types in name and
password, and module sees if name and password check out right with the
ldap server.
I see that it's pretty straightforward to do this with:
import ldap
l = ldap.open('our.ldap.server')
try:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
authenticated = True
except:
authenticated = False
But this uses the plaintext of the user's password. Is there a proper
way to send a cryptographic hash to the ldap server? Or do I have to
negotiate this through an ssl tunnel or something?
Thanks for any tips. Cheers!
j
--
Jed Parsons Industrial Light + Magic (415) 746-2974
grep(do{for(ord){(!$_&&print"$s\n")||(($O+=(($_-1)%6+1)and
grep(vec($s,$O++,1)=1,1..int(($_-6*6-1)/6))))}},(split(//,
"++,++2-27,280,481=1-7.1++2,800+++2,8310/1+4131+1++2,80\0. What!?"))); 5 1821
Jed Parsons wrote: import ldap l = ldap.open('our.ldap.server') try: l.bind_s(username, password, ldap.AUTH_SIMPLE) authenticated = True except: authenticated = False
^^^
Identiation is wrong here.
Also I'd recommend to catch the ldap.LDAPError exceptions more
specifically (ldap.INVALID_CREDENTIALS indicates wrong password):
try:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
except ldap.INVALID_CREDENTIALS:
authenticated = False
else:
authenticated = True
But this uses the plaintext of the user's password.
Yes, since this is a LDAP Simple Bind Request as defined in RFC 2251.
Is there a proper way to send a cryptographic hash to the ldap server? Or do I have to negotiate this through an ssl tunnel or something?
SSL (either LDAPS or StartTLS extended operation) is one possibility to
secure the whole connection including bind requests (see
Demo/initialize.py).
Another option is to use SASL with DIGEST-MD5 if your server supports it
(see Demo/sasl_bind.py) and has the cleartext passwords available. Other
options with SASL, e.g. GSSAPI (Kerberos), exist but highly depends on
your IT infrastructure and LDAP server configuration.
Just follow-up here or on the python-ldap-dev mailing list if you have
further problems.
Ciao, Michael.
Hi, Michael,
Thanks very much for your response. I think I can work it out now. authenticated = False ^^^ Identiation is wrong here.
Yes, sorry about that - doesn't always work on this email client :(
As an addendum, I discovered one little gotcha, namely that this:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
throws an ldap.INVALID_CREDENTIALS error if the password contains the
wrong text, but works if the password is empty. I guess this is
tantamount to binding as ("", ""), but I wasn't expecting it; I figured
if a username was specified, the password would have to agree. So my
little authentication example also needs to test for empty passwords.
Neither here nor there, really; just thought I'd mention it since I ran
into it.
Now I'm off to check out the Demo/*.py scripts you pointed me to.
Thanks again. Cheers!
j
Michael Ströder wrote: Jed Parsons wrote: import ldap l = ldap.open('our.ldap.server') try: l.bind_s(username, password, ldap.AUTH_SIMPLE) authenticated = True except: authenticated = False ^^^ Identiation is wrong here. Also I'd recommend to catch the ldap.LDAPError exceptions more specifically (ldap.INVALID_CREDENTIALS indicates wrong password): try: l.bind_s(username, password, ldap.AUTH_SIMPLE) except ldap.INVALID_CREDENTIALS: authenticated = False else: authenticated = True But this uses the plaintext of the user's password. Yes, since this is a LDAP Simple Bind Request as defined in RFC 2251. Is there a proper way to send a cryptographic hash to the ldap server? Or do I have to negotiate this through an ssl tunnel or something? SSL (either LDAPS or StartTLS extended operation) is one possibility to secure the whole connection including bind requests (see Demo/initialize.py). Another option is to use SASL with DIGEST-MD5 if your server supports it (see Demo/sasl_bind.py) and has the cleartext passwords available. Other options with SASL, e.g. GSSAPI (Kerberos), exist but highly depends on your IT infrastructure and LDAP server configuration. Just follow-up here or on the python-ldap-dev mailing list if you have further problems. Ciao, Michael.
--
Jed Parsons Industrial Light + Magic (415) 746-2974
grep(do{for(ord){(!$_&&print"$s\n")||(($O+=(($_-1)%6+1)and
grep(vec($s,$O++,1)=1,1..int(($_-6*6-1)/6))))}},(split(//,
"++,++2-27,280,481=1-7.1++2,800+++2,8310/1+4131+1++2,80\0. What!?")));
Jed Parsons wrote: As an addendum, I discovered one little gotcha, namely that this:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
throws an ldap.INVALID_CREDENTIALS error if the password contains the wrong text, but works if the password is empty. I guess this is tantamount to binding as ("", ""), but I wasn't expecting it; I figured if a username was specified, the password would have to agree.
Yes, this is by design. Empty cred means just switching to anon
bind. LDAP was not intended to be used for password checking at that time.
Which LDAP server are you using? You can switch off this behaviour with
OpenLDAP. See man 5 slapd.conf, allow <features>.
So my little authentication example also needs to test for empty passwords.
Yes!
Ciao, Michael. Which LDAP server are you using? You can switch off this behaviour with OpenLDAP. See man 5 slapd.conf, allow <features>.
I don't have anything other than user access. Good to know about this
feature, though.
You've been very helpful - I really appreciate it.
Can you recommend any favorite books or sites where I can learn more
about ldap?
Many thanks,
j
Michael Ströder wrote: Jed Parsons wrote: As an addendum, I discovered one little gotcha, namely that this:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
throws an ldap.INVALID_CREDENTIALS error if the password contains the wrong text, but works if the password is empty. I guess this is tantamount to binding as ("", ""), but I wasn't expecting it; I figured if a username was specified, the password would have to agree. Yes, this is by design. Empty cred means just switching to anon bind. LDAP was not intended to be used for password checking at that time. Which LDAP server are you using? You can switch off this behaviour with OpenLDAP. See man 5 slapd.conf, allow <features>. So my little authentication example also needs to test for empty passwords. Yes! Ciao, Michael.
--
Jed Parsons Industrial Light + Magic (415) 746-2974
grep(do{for(ord){(!$_&&print"$s\n")||(($O+=(($_-1)%6+1)and
grep(vec($s,$O++,1)=1,1..int(($_-6*6-1)/6))))}},(split(//,
"++,++2-27,280,481=1-7.1++2,800+++2,8310/1+4131+1++2,80\0. What!?")));
Jed Parsons wrote: Which LDAP server are you using? You can switch off this behaviour with OpenLDAP. See man 5 slapd.conf, allow <features>. I don't have anything other than user access. Good to know about this feature, though.
In case you're programming for different LDAP servers it's good to catch
empty passwords at the client-side anyway and not rely on server-side
features.
Can you recommend any favorite books or sites where I can learn more about ldap?
Better consult LDAP link farms. After doing several years of LDAP
consulting I can't remember how I learned it. ;-)
But IMHO you're on the right track. Programming a LDAP client and
carefully examining the results different LDAP server products are
producing is probably the best you can do. That's how web2ldap
started... :-)
Ciao, Michael. This discussion thread is closed Replies have been disabled for this discussion. Similar topics
5 posts
views
Thread by dmcconkey |
last post: by
|
2 posts
views
Thread by timjowers |
last post: by
|
7 posts
views
Thread by Amar |
last post: by
|
1 post
views
Thread by Angel |
last post: by
|
4 posts
views
Thread by m96 |
last post: by
|
4 posts
views
Thread by Terry Miller |
last post: by
| | |
reply
views
Thread by Sells, Fred |
last post: by
| | | | | | | | | | |