[python-ldap] ldap_sasl_bind_s()
René Kijewski
rene.kijewski at fu-berlin.de
Mon Mar 23 15:18:49 CET 2015
On Sun, 22 Mar 2015 23:18:39 +0100,
Michael Ströder <michael at stroeder.com> wrote:
> rene.kijewski at fu-berlin.de wrote:
> > in [1] I added a method to invoke ldap_sasl_bind_s.
> >
> > This function is especially useful if your application is only a
> > "man-in-the-middle" and you don't want/need to know the password of the
> > client:
>
> Do you have a small test application with which I could test it?
Hello Michael,
in [1] I wrote a small example application that uses my patch i.e.
ldap_sasl_bind_s. The login uses a websocket so you retain the connection
that gave you the "challenge".
The mechanism works like that (the parties are the LDAP server, the web
application and the web browser):

 1. web application: asks the user for credentials
 2. web browser -> web application: opens a web socket
 3. web application -> web browser: What's your name?
 4. web browser -> web application: I'm $name
 5. web application: tests if the user name is valid according to the
    local naming standards
 6. web application -> LDAP server: asks for a DIGEST-MD5 challenge
 7. LDAP server -> web application: gives the challenge
 8. web application -> web browser: forwards the challenge
 9. web browser -> web application: calculates and returns the response
10. web application -> LDAP server: forwards the response
11. LDAP server: confirms the response
Afterwards the connection is bound, but the web application never saw the
password. The challenge contains a nonce, so even if there is a malicious
3rd party between the application and the user, it can't use the response.
Of course you should still use LDAPS and HTTPS.
Please ask if something is unclear.
Best regards,
René
1: https://github.com/Kijewski/ldap_sasl_bind_s-example
--
“Sometimes there is no point in giving up.” —Louis Wu
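As an added illustration of the exchange René describes (this is not code from the post or from the linked repository), the following self-contained Python simulation runs the DIGEST-MD5 computation of RFC 2831 with constructed stand-ins for the three parties; it shows that the relaying web application never handles the password and that a replayed response is refused because the server's nonce is single use. The names Directory, Browser and web_app_login and the realm and digest-uri values are invented for this illustration; no real LDAP server or ldap_sasl_bind_s call is involved.

```python
import hashlib
import secrets

def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def _h_user_pass(username: str, realm: str, password: str) -> bytes:
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def digest_md5(h_user_pass: bytes, nonce: str, cnonce: str, digest_uri: str,
               nc: str = "00000001", qop: str = "auth") -> str:
    """RFC 2831 response-value; needs only H(user:realm:password), never the password."""
    a1 = h_user_pass + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return _hexmd5(f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexmd5(a2)}".encode())

class Directory:
    """Constructed stand-in for the LDAP server: issues nonces, checks responses."""
    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.h_users = {u: _h_user_pass(u, realm, pw) for u, pw in users.items()}
        self.pending = set()  # nonces handed out and not yet consumed
    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}
    def verify(self, r: dict) -> bool:
        if r["nonce"] not in self.pending or r["username"] not in self.h_users:
            return False  # unknown user, or nonce already consumed: a replay is rejected
        self.pending.discard(r["nonce"])
        want = digest_md5(self.h_users[r["username"]], r["nonce"], r["cnonce"],
                          r["digest-uri"], r["nc"], r["qop"])
        return secrets.compare_digest(want, r["response"])

class Browser:
    """Constructed stand-in for the web browser: the only party holding the password."""
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
    def answer(self, chal: dict, digest_uri: str = "ldap/ldap.example.org") -> dict:
        r = {"username": self.username, "nonce": chal["nonce"], "cnonce": secrets.token_hex(8),
             "nc": "00000001", "qop": chal["qop"], "digest-uri": digest_uri}
        r["response"] = digest_md5(_h_user_pass(self.username, chal["realm"], self.password),
                                   r["nonce"], r["cnonce"], digest_uri, r["nc"], r["qop"])
        return r

def web_app_login(server: Directory, browser: Browser) -> tuple:
    """The web application relays opaque SASL messages; it never sees the password."""
    chal = server.challenge()         # asks for and receives the DIGEST-MD5 challenge
    resp = browser.answer(chal)       # forwards the challenge; browser calculates the response
    return server.verify(resp), resp  # forwards the response; server confirms it
```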