ldap usage

Jed Parsons

Hi,

authenticates a user against our ldap server: User types in name and
password, and module sees if name and password check out right with the
ldap server.

I see that it's pretty straightforward to do this with:

import ldap
l = ldap.open('our.ldap.server')
try:
    l.bind_s(username, password, ldap.AUTH_SIMPLE)
    authenticated = True
except:
    authenticated = False

But this uses the plaintext of the user's password. Is there a proper
way to send a cryptographic hash to the ldap server? Or do I have to
negotiate this through an ssl tunnel or something?

Thanks for any tips. Cheers!
j

--
Jed Parsons Industrial Light + Magic (415) 746-2974

grep(do{for(ord){(!$_&&print"$s\n")||(($O+=(($_-1)%6+1)and
grep(vec($s,$O++,1)=1,1..int(($_-6*6-1)/6))))}},(split(//,
"++,++2-27,280,481=1-7.1++2,800+++2,8310/1+4131+1++2,80\0. What!?")));

Michael Ströder

Jed said:
import ldap
l = ldap.open('our.ldap.server')
try:
l.bind_s(username, password, ldap.AUTH_SIMPLE)
authenticated = True
except:
authenticated = False
^^^
Indentation is wrong here.

Also I'd recommend catching the ldap.LDAPError exceptions more
specifically (ldap.INVALID_CREDENTIALS indicates a wrong password):

try:
    l.bind_s(username, password, ldap.AUTH_SIMPLE)
except ldap.INVALID_CREDENTIALS:
    authenticated = False
else:
    authenticated = True
But this uses the plaintext of the user's password.

Yes, since this is an LDAP Simple Bind Request as defined in RFC 2251.
Is there a proper
way to send a cryptographic hash to the ldap server? Or do I have to
negotiate this through an ssl tunnel or something?

SSL (either LDAPS or StartTLS extended operation) is one possibility to
secure the whole connection including bind requests (see
Demo/initialize.py).

Another option is to use SASL with DIGEST-MD5 if your server supports it
(see Demo/sasl_bind.py) and has the cleartext passwords available. Other
options with SASL, e.g. GSSAPI (Kerberos), exist but highly depend on
your IT infrastructure and LDAP server configuration.

Just follow up here or on the python-ldap-dev mailing list if you have
further problems.

Ciao, Michael.

Jed Parsons

Hi, Michael,

Thanks very much for your response. I think I can work it out now.
> ^^^
> Indentation is wrong here.

Yes, sorry about that - doesn't always work on this email client :(

As an addendum, I discovered one little gotcha, namely that this:

l.bind_s(username, password, ldap.AUTH_SIMPLE)

throws an ldap.INVALID_CREDENTIALS error if the password contains the
wrong text, but works if the password is empty. I guess this is
tantamount to binding as ("", ""), but I wasn't expecting it; I figured
if a username was specified, the password would have to agree. So my
little authentication example also needs to test for empty passwords.

Neither here nor there, really; just thought I'd mention it since I ran
into it.

Now I'm off to check out the Demo/*.py scripts you pointed me to.

Thanks again. Cheers!
j

Michael Ströder

Jed said:
As an addendum, I discovered one little gotcha, namely that this:

l.bind_s(username, password, ldap.AUTH_SIMPLE)

throws an ldap.INVALID_CREDENTIALS error if the password contains the
wrong text, but works if the password is empty. I guess this is
tantamount to binding as ("", ""), but I wasn't expecting it; I figured
if a username was specified, the password would have to agree.

Yes, this is by design. Empty cred means just switching to anon
bind. LDAP was not intended to be used for password checking at that time.

Which LDAP server are you using? You can switch off this behaviour with
OpenLDAP. See man 5 slapd.conf, allow <features>.

Jed said:
So my
little authentication example also needs to test for empty passwords.

Yes!

Ciao, Michael.

Jed Parsons

> Which LDAP server are you using? You can switch off this behaviour
> with OpenLDAP. See man 5 slapd.conf, allow <features>.

I don't have anything other than user access. Good to know about this
feature, though.

You've been very helpful - I really appreciate it.

Can you recommend any favorite books or sites where I can learn more
about ldap?

Many thanks,
j

Michael Ströder

Jed said:
I don't have anything other than user access. Good to know about this
feature, though.

In case you're programming for different LDAP servers it's good to catch
empty passwords at the client-side anyway and not rely on server-side
features.
Can you recommend any favorite books or sites where I can learn more
about ldap?

Better consult LDAP link farms. After doing several years of LDAP
consulting I can't remember how I learned it. ;-)

But IMHO you're on the right track. Programming an LDAP client and
carefully examining the results different LDAP server products are
producing is probably the best you can do. That's how web2ldap
started... :)

Ciao, Michael.
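A bind-based check that puts the thread's points together, as an added example (not code from the thread or from python-ldap): Jed's original snippet appears as naive_check, and authenticate applies Michael's advice to catch ldap.INVALID_CREDENTIALS specifically, to run StartTLS first, and to reject empty passwords client-side rather than rely on server-side features. FakeDirectory, the DN and the passwords are constructed stand-ins so it runs without a server; in real use conn is the object returned by ldap.initialize().

```python
"""Bind-based LDAP password check carrying the lessons from this thread. Added
example, not code from the thread or from python-ldap; DN and data are constructed."""
try:
    import ldap
    AUTH_SIMPLE, LDAPError, INVALID_CREDENTIALS = (
        ldap.AUTH_SIMPLE, ldap.LDAPError, ldap.INVALID_CREDENTIALS)
except ImportError:  # python-ldap absent: stand-ins so the logic still runs offline
    ldap, AUTH_SIMPLE = None, 128
    class LDAPError(Exception): pass
    class INVALID_CREDENTIALS(LDAPError): pass

def naive_check(conn, dn, password):
    """Jed's original check: any bind that does not raise counts as success."""
    try:
        conn.bind_s(dn, password, AUTH_SIMPLE)
        return True
    except LDAPError:
        return False

def authenticate(conn, dn, password, use_starttls=True):
    """True only on a real match: refuse empty credentials client-side (empty cred =
    anonymous bind), treat only INVALID_CREDENTIALS as a wrong password (other
    LDAPErrors propagate) and run StartTLS first so the bind is not in cleartext."""
    if not dn or not password:
        return False
    if use_starttls:
        conn.start_tls_s()  # conn is e.g. ldap.initialize("ldap://host") in real use
    try:
        conn.bind_s(dn, password, AUTH_SIMPLE)
    except INVALID_CREDENTIALS:
        return False
    return True

class FakeDirectory:
    """Constructed stand-in for a server that, as Michael notes, accepts an empty
    password as an anonymous bind instead of raising INVALID_CREDENTIALS."""
    def __init__(self, passwords):  # passwords: dn -> cleartext password
        self.passwords, self.tls, self.bound_as = passwords, False, None
    def start_tls_s(self):
        self.tls = True
    def bind_s(self, dn, password, method=AUTH_SIMPLE):
        if password == "":
            self.bound_as = ""  # anonymous bind: no error raised
            return
        if self.passwords.get(dn) != password:
            raise INVALID_CREDENTIALS()
        self.bound_as = dn

USER_DN = "uid=jed,ou=people,dc=example,dc=com"  # constructed sample data
DIRECTORY = {USER_DN: "correct-horse"}
```

Against the fake server, naive_check returns True for an empty password (the gotcha Jed hit) while authenticate returns False for it and only True for the real password.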