ldap usage

Jed Parsons jedp at ilm.com
Thu Mar 30 02:08:59 CEST 2006

Hi, Michael,

Thanks very much for your response.  I think I can work it out now.

 >>     authenticated = False
 >       ^^^
 > Identiation is wrong here.

Yes, sorry about that - doesn't always work on this email client :(

As an addendum, I discovered one little gotcha, namely that this:

	l.bind_s(username, password, ldap.AUTH_SIMPLE)

throws an ldap.INVALID_CREDENTIALS error if the password contains the 
wrong text, but works if the password is empty.  I guess this is 
tantamount to binding as ("", ""), but I wasn't expecting it; I figured 
if a username was specified, the password would have to agree.  So my 
little authentication example also needs to test for empty passwords.

Neither here nor there, really; just thought I'd mention it since I ran 
into it.

Now I'm off to check out the Demo/*.py scripts you pointed me to.

Thanks again.  Cheers!

Michael Ströder wrote:
> Jed Parsons wrote:
>>     import ldap
>>     l = ldap.open('our.ldap.server')
>>     try:
>>         l.bind_s(username, password, ldap.AUTH_SIMPLE)
>>         authenticated = True
>>     except:
>>     authenticated = False
>       ^^^
> Identiation is wrong here.
> Also I'd recommend to catch the ldap.LDAPError exceptions more
> specifically (ldap.INVALID_CREDENTIALS indicates wrong password):
>      try:
>          l.bind_s(username, password, ldap.AUTH_SIMPLE)
>      except ldap.INVALID_CREDENTIALS:
>          authenticated = False
>      else:
>          authenticated = True
>> But this uses the plaintext of the user's password.
> Yes, since this is a LDAP Simple Bind Request as defined in RFC 2251.
>>  Is there a proper
>> way to send a cryptographic hash to the ldap server?  Or do I have to
>> negotiate this through an ssl tunnel or something?
> SSL (either LDAPS or StartTLS extended operation) is one possibility to
> secure the whole connection including bind requests (see
> Demo/initialize.py).
> Another option is to use SASL with DIGEST-MD5 if your server supports it
> (see Demo/sasl_bind.py) and has the cleartext passwords available. Other
> options with SASL, e.g. GSSAPI (Kerberos), exist but highly depends on
> your IT infrastructure and LDAP server configuration.
> Just follow-up here or on the python-ldap-dev mailing list if you have
> further problems.
> Ciao, Michael.

Jed Parsons       Industrial Light + Magic  (415) 746-2974
"++,++2-27,280,481=1-7.1++2,800+++2,8310/1+4131+1++2,80\0.  What!?")));

More information about the Python-list mailing list