Active Directory Authentication

D

D

Is it possible to have Python authenticate with Active Directory?
Specifically what I'd like to do is have a user enter a
username/password, then have Python check the credentials with AD - if
what they entered is valid, for example, it returns a 1, otherwise a
0.. Thanks!
 
S

Stephan Diehl

Is it possible to have Python authenticate with Active Directory?
Specifically what I'd like to do is have a user enter a
username/password, then have Python check the credentials with AD - if
what they entered is valid, for example, it returns a 1, otherwise a
0.. Thanks!
Click to expand...

It's possible and you need the python-ldap package for it.
The actual authentication will look like (simplified):

def authenticate(user='',passwd=''):
dn = find_user_dn(user)
try:
l = ldap.open(AD_HOST_URL)
l.protocol_version = ldap.VERSION3
l.simple_bind_s(dn,passwd)
l.search_s(SEARCHDN,ldap.SCOPE_SUBTREE,'objectType=bla')
l.unbind_s()
return True
except ldap.LDAPError:
return False

obviously, you need to supply some function 'find_user_dn' that maps
the user to its DN.
 
C

Christoph Haas

Is it possible to have Python authenticate with Active Directory?
Specifically what I'd like to do is have a user enter a
username/password, then have Python check the credentials with AD - if
what they entered is valid, for example, it returns a 1, otherwise a
0.. Thanks!
Click to expand...

Can't you query the AD through LDAP? Then
http://python-ldap.sourceforge.net/ might help.

Kindly
Christoph
 
B

Benji York

D said:
Is it possible to have Python authenticate with Active Directory?
Specifically what I'd like to do is have a user enter a
username/password, then have Python check the credentials with AD - if
what they entered is valid, for example, it returns a 1, otherwise a
0.. Thanks!
Click to expand...

Install the Win32 extensions from
http://starship.python.net/crew/skippy/win32/Downloads.html and do
something like this:

try:
handle=win32security.LogonUser(username, None, password,
win32security.LOGON32_LOGON_NETWORK,
win32security.LOGON32_PROVIDER_DEFAULT)

# We're not going to use the handle, just seeing if we can get it.
handle.Close()
return True
except pywintypes.error, e:
# Because of the sheer number of Windows-specific errors that can
# occur here, we have to assume any of them mean that the
# credentials were not valid.
return False
 
P

Philippe Martin

Benji said:
Install the Win32 extensions from
http://starship.python.net/crew/skippy/win32/Downloads.html and do
something like this:

try:
handle=win32security.LogonUser(username, None, password,
win32security.LOGON32_LOGON_NETWORK,
win32security.LOGON32_PROVIDER_DEFAULT)

# We're not going to use the handle, just seeing if we can get it.
handle.Close()
return True
except pywintypes.error, e:
# Because of the sheer number of Windows-specific errors that can
# occur here, we have to assume any of them mean that the
# credentials were not valid.
return False
Click to expand...

I assume then that you can also change user information using the same
principle ? I'm trying to switch some VB6 code to python.

Philippe
 
R

Roger Upole

If you have Pywin32 installed, you can use the win32com.adsi
package to open an object with username/password credentials.
See adsi.ADsOpenObject for details. Adsi also contains a number
of interfaces for dealing with users, containers, etc.

Roger
 
?

=?ISO-8859-1?Q?Michael_Str=F6der?=

Stephan said:
It's possible and you need the python-ldap package for it.
The actual authentication will look like (simplified):

def authenticate(user='',passwd=''):
dn = find_user_dn(user)
try:
l = ldap.open(AD_HOST_URL)
l.protocol_version = ldap.VERSION3
l.simple_bind_s(dn,passwd)
l.search_s(SEARCHDN,ldap.SCOPE_SUBTREE,'objectType=bla')
l.unbind_s()
return True
except ldap.LDAPError:
return False

obviously, you need to supply some function 'find_user_dn' that maps
the user to its DN.
Click to expand...

Since MS AD does not allow anonymous search in its default configuration
find_user_dn() would have to bind as an application user with search
rights to search the user entry by UPN.

Hack not LDAPv3 compliant:
When sending a simple bind request to MS AD over LDAP you can also
directly use the UPN for 'dn' when invoking l.simple_bind_s(). Note that
this is a special semantic of LDAP bind request for MS AD. It is not a
LDAPv3 compliant! But if you're sure you won't use this code for binding
to another LDAP server you could use this hack.

The nice thing about python-ldap is that it also works on other
platforms than Win32. The caveat is that you might need to build the
OpenLDAP libs. If you're solely on Win32 using ADSI through Win32
extensions for Python as stated by others in this thread might be the
better approach.

Ciao, Michael.
 
D

D

Thanks to everyone for your help..I'm not familiar with the packages
mentioned, so this will definitely be a learning experience!
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Active Directory user creation with python-ldap 0
connecting problem in vb.net with ldap to active directory 1
What language should I learn to create an authentication website? 2
Authenticate against Active Directory 4
Chatbox for website 0
Chatbox for website 1
Trouble with signup PHP 2
Forms authentication with Active Directory 0

Members online

Total: 426 (members: 2, guests: 424)
Robots: 127

Forum statistics

Threads
474,294
Messages
2,571,511
Members
48,213
Latest member
DonnellTol

Latest Threads

Top