[python-ldap] ldap_sasl_bind_s()

rene.kijewski at fu-berlin.de
Tue Mar 17 10:04:18 CET 2015


Hello,

in [1] I added a method to invoke ldap_sasl_bind_s.

This function is especially useful if your application is only a
"man-in-the-middle" and you don't want/need to know the password of the
client:

1) Invoke ldap_sasl_bind_s(self->ldap, NULL, "DIGEST-MD5", NULL, NULL, NULL, &challenge)
2) Send the challenge to the client
3) Let the client calculate the response, e.g. using [2]
4) Invoke ldap_sasl_bind_s(self->ldap, NULL, "DIGEST-MD5", &response, NULL, NULL, NULL)

With the added ldap_sasl_bind_s and [3] it was very easy to implement an
authenticator that does not send the plaintext password over the wire at
all.

I cannot tell if my change fits the coding standards of your fine project,
neither do I know if it is bug free. I do not know if returning either
a string, an integer or raising an exception really is a proper interface.
Maybe returning a tuple (ldaperror, challenge) would be better?

Either way, please provide ldap_sasl_bind_s in the master branch, since
it might be advisable to transfer as little (exploitable) information as
possible.

Best
René

1: https://github.com/Kijewski/python-ldap/commit/3b666b5a4205a30b7ad04695846409b3c89feb58
2: https://github.com/jaredhanson/js-sasl-digest-md5
3: https://github.com/kennethreitz/flask-sockets

-- 
“I can give you everything you desire,” said the fairy.  “Wealth, a crown
and scepter, fame, a long happy life. Choose. But what little you ask for
you will have to pay dearly.”


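The four-step relay described in the mail, as an added example that is not part of the original post or of python-ldap: a stdlib-only Python model of the DIGEST-MD5 exchange (RFC 2831, `qop=auth`, `algorithm=md5-sess`) in which the intermediary handles only the server's challenge and the client's response and never learns the password. The realm, nonces, digest-uri, cnonce and the user database are constructed for the demo, and `proxy_bind()` stands in for the two `ldap_sasl_bind_s` calls without making them, so it runs offline.

```python
"""DIGEST-MD5 (RFC 2831, qop=auth, algorithm=md5-sess) challenge/response,
modelled on the four steps in the mail.  Added educational example, not
python-ldap code; realm, nonces, digest-uri and user database are constructed."""
import hashlib
import hmac
import re
from typing import Callable, Optional, Tuple

REALM = "example.com"                 # constructed
DIGEST_URI = "ldap/ldap.example.com"  # constructed "serv-type/host"
SERVER_NONCE = "9f3a1c77e2b0"         # fixed for a deterministic demo; a real
                                      # server draws a fresh random nonce per bind


def _h(data: bytes) -> bytes:
    """H(): raw 16-byte MD5, used inside A1 for md5-sess."""
    return hashlib.md5(data).digest()


def _hh(data: bytes) -> str:
    """HEX(H()): lowercase hex MD5."""
    return hashlib.md5(data).hexdigest()


_DIRECTIVE = re.compile(r'\s*([\w-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)\s*(?:,|$)')


def parse_directives(text: str) -> dict:
    """Parse 'k=v,k="quoted, value"' into a dict (quoted values are unquoted)."""
    out = {}
    for m in _DIRECTIVE.finditer(text):
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        out[key] = val
    return out


def user_hash(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the only secret the server has to store."""
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def _response_digest(uh: bytes, nonce: str, nc: str, cnonce: str, qop: str, a2: str) -> str:
    """HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) with KD(k, s) = H(k:s)."""
    a1 = uh + f":{nonce}:{cnonce}".encode("utf-8")  # md5-sess A1
    return _hh(f"{_hh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hh(a2.encode('utf-8'))}".encode("utf-8"))


def make_challenge(realm: str, nonce: str) -> str:
    """Step 1: the challenge the first ldap_sasl_bind_s call hands back."""
    return f'realm="{realm}",nonce="{nonce}",qop="auth",charset=utf-8,algorithm=md5-sess'


def digest_md5_response(challenge: str, username: str, password: str,
                        digest_uri: str, cnonce: str, nc: int = 1) -> str:
    """Step 3, client side: compute the response; the password never leaves here."""
    c = parse_directives(challenge)
    if "auth" not in c.get("qop", "auth").split(","):
        raise ValueError("only qop=auth is implemented in this example")
    realm, nonce, nc_str = c.get("realm", ""), c["nonce"], f"{nc:08x}"
    resp = _response_digest(user_hash(username, realm, password), nonce, nc_str,
                            cnonce, "auth", f"AUTHENTICATE:{digest_uri}")
    return (f'username="{username}",realm="{realm}",nonce="{nonce}",cnonce="{cnonce}",'
            f'nc={nc_str},qop=auth,digest-uri="{digest_uri}",response={resp},charset=utf-8')


def digest_md5_verify(response: str, expected_nonce: str,
                      lookup: Callable[[str, str], Optional[bytes]]) -> Tuple[bool, str]:
    """Step 4, server side: recompute from the stored hash; return (ok, rspauth)."""
    r = parse_directives(response)
    if r.get("nonce") != expected_nonce:  # response bound to some other challenge
        return False, ""
    uh = lookup(r.get("username", ""), r.get("realm", ""))
    if uh is None:
        return False, ""
    try:
        args = (r["nonce"], r["nc"], r["cnonce"], r["qop"])
        uri = r["digest-uri"]
    except KeyError:
        return False, ""
    expected = _response_digest(uh, *args, f"AUTHENTICATE:{uri}")
    if not hmac.compare_digest(expected, r.get("response", "")):
        return False, ""
    # rspauth proves the server knew the secret too (A2 carries no "AUTHENTICATE").
    return True, "rspauth=" + _response_digest(uh, *args, f":{uri}")


USER_DB = {("alice", REALM): user_hash("alice", REALM, "s3cret")}  # constructed


def lookup_user_hash(username: str, realm: str) -> Optional[bytes]:
    return USER_DB.get((username, realm))


def proxy_bind(username: str, password: str, cnonce: str = "c0ffee") -> dict:
    """The intermediary's view of steps 1-4: it only ever relays opaque strings."""
    challenge = make_challenge(REALM, SERVER_NONCE)                # step 1 (server -> proxy)
    response = digest_md5_response(challenge, username, password,  # steps 2-3 (client side)
                                   DIGEST_URI, cnonce)
    ok, rspauth = digest_md5_verify(response, SERVER_NONCE, lookup_user_hash)  # step 4
    return {"bound": ok, "seen_by_proxy": [challenge, response, rspauth]}


if __name__ == "__main__":
    result = proxy_bind("alice", "s3cret")
    print("bind ok:", result["bound"])
    for msg in result["seen_by_proxy"]:
        print(" relayed:", msg)
```

Two points for whoever deploys this pattern. The server side needs only `H(username:realm:password)`, so neither hop stores the plaintext. But the relay still sees a response that, together with the nonce and cnonce it also saw, lets a weak password be guessed offline, and RFC 6331 (2011) moved DIGEST-MD5 to Historic for this and other weaknesses; keep the exchange inside TLS regardless, and prefer SCRAM or a TLS-protected simple bind where the directory offers them.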