[Twisted-Python] PB auth with LDAP
Hi,

Just noticed that PB's _PortalAuthChallenger implements IUsernameHashedPassword, IUsernameMD5Passwordauth, but not IUsernamePassword. This requires that I store my passwords in plain text or MD5 hash, then fetch the password to do a comparison at login.

However, this is inconvenient when storing passwords in LDAP. First, LDAP doesn't like returning passwords (unless you're requesting it as the database administrator). Second, storing passwords in plain text or even as MD5 hashes is less than ideal. Finally, LDAP already has a comparison operation (which I can do with minimal privileges), so I should never need to actually fetch the password.

All this means that it would be very convenient for _PortalAuthChallenger to also implement IUsernamePassword (what's wrong with sending clear text passwords over SSL anyway?). However, it's not clear to me how I'd go about overriding the current behavior. I've tried the naive thing which is, in a separate file:

    from twisted.cred import credentials
    from twisted.spread.pb import *

then overriding the _PortalRoot, _PortalWrapper, and _PortalAuthChallenger classes, and registering the alternate adapter. However, the "registerAdapter(_PortalRoot, Portal, IPBRoot)" comes back to bite me with:

    exceptions.ValueError: an adapter (twisted.spread.pb._PortalRoot) was already registered.

unless I comment it out in the actual twisted.spread.pb.py file. Is there a way to unregister an adapter?

I'm sure there's a better way of doing this since I've seen mention of writing alternate login sequences, but I haven't been smart enough to figure it out. Any help would be appreciated.

Thanks,
Marvin

On Mon, 04 Sep 2006 11:02:57 -0700, Marvin McNett wrote:
> Hi,
> [snip]
>     from twisted.cred import credentials
>     from twisted.spread.pb import *
> then overriding the _PortalRoot, _PortalWrapper, and _PortalAuthChallenger classes, and registering the alternate adapter. However, the "registerAdapter(_PortalRoot, Portal, IPBRoot)" comes back to bite me with:
>     exceptions.ValueError: an adapter (twisted.spread.pb._PortalRoot) was already registered.
> unless I comment it out in the actual twisted.spread.pb.py file. Is there a way to unregister an adapter? I'm sure there's a better way of doing this since I've seen mention of writing alternate login sequences, but I haven't been smart enough to figure it out. Any help would be appreciated.

Instead of registering another adapter, instantiate your _PortalRoot class directly and pass that to PBServerFactory.

Jean-Paul

Jean-Paul Calderone wrote:
> On Mon, 04 Sep 2006 11:02:57 -0700, Marvin McNett wrote:
>> Hi,
>> [snip]
>> unless I comment it out in the actual twisted.spread.pb.py file. Is there a way to unregister an adapter? I'm sure there's a better way of doing this since I've seen mention of writing alternate login sequences, but I haven't been smart enough to figure it out. Any help would be appreciated.
> Instead of registering another adapter, instantiate your _PortalRoot class directly and pass that to PBServerFactory.

Worked like a charm -- LDAP auth in PB without fetching passwords. Nice.

Thanks,
Marvin
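
An added example, not part of the original thread and not Twisted's or any LDAP library's code: a checker for username-plus-plaintext credentials that verifies the password with a directory-side compare instead of fetching it. `StubDirectory`, `CompareChecker`, `demo`, the DNs and the password are constructed stand-ins, and the `{SSHA}` storage scheme is an assumption.

```python
import base64, hashlib, hmac, os, re

class AccessDenied(Exception):
    pass

def ssha(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-1 userPassword value in the {SSHA} scheme."""
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)

class StubDirectory:
    """Constructed in-memory stand-in for an LDAP server, not a real client API."""
    def __init__(self, entries, admin_dn):
        self._entries, self._admin_dn = entries, admin_dn

    def read_password(self, bind_dn, dn):
        # As in the thread: only the administrator may read userPassword.
        if bind_dn != self._admin_dn:
            raise AccessDenied("userPassword is not readable by " + bind_dn)
        return self._entries[dn]

    def compare_password(self, bind_dn, dn, candidate: bytes) -> bool:
        # Compare runs inside the directory; the stored value never leaves it.
        stored = self._entries.get(dn, b"")
        if not stored.startswith(b"{SSHA}"):
            return False
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)

class CompareChecker:
    """Hypothetical checker for username + plaintext password credentials."""
    SAFE_UID = re.compile(r"[A-Za-z0-9._-]{1,64}")

    def __init__(self, directory, service_dn, base_dn):
        self.directory, self.service_dn, self.base_dn = directory, service_dn, base_dn

    def request_avatar_id(self, username: str, password: bytes):
        # Refuse names that could alter the DN, and empty passwords.
        if not self.SAFE_UID.fullmatch(username) or not password:
            return None
        dn = "uid=%s,%s" % (username, self.base_dn)
        ok = self.directory.compare_password(self.service_dn, dn, password)
        return username if ok else None

def demo():
    """Constructed sample data: one user, a low-privilege service DN."""
    base = "ou=people,dc=example,dc=org"
    entries = {"uid=marvin," + base: ssha(b"correct horse", os.urandom(8))}
    directory = StubDirectory(entries, admin_dn="cn=admin,dc=example,dc=org")
    return directory, CompareChecker(directory, "cn=pbserver,dc=example,dc=org", base)
```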