michael at stroeder.com
Wed Mar 29 13:22:00 CEST 2006
Jed Parsons wrote:
> import ldap
> l = ldap.open('our.ldap.server')
> l.bind_s(username, password, ldap.AUTH_SIMPLE)
> authenticated = True
> authenticated = False
Indentation is wrong here.
Also I'd recommend to catch the ldap.LDAPError exceptions more
specifically (ldap.INVALID_CREDENTIALS indicates wrong password):
try:
  l.bind_s(username, password, ldap.AUTH_SIMPLE)
except ldap.INVALID_CREDENTIALS:
  authenticated = False
else:
  authenticated = True
> But this uses the plaintext of the user's password.
Yes, since this is an LDAP Simple Bind Request as defined in RFC 2251.
> Is there a proper
> way to send a cryptographic hash to the ldap server? Or do I have to
> negotiate this through an ssl tunnel or something?
SSL (either LDAPS or StartTLS extended operation) is one possibility to
secure the whole connection including bind requests (see
Another option is to use SASL with DIGEST-MD5 if your server supports it
(see Demo/sasl_bind.py) and has the cleartext passwords available. Other
options with SASL, e.g. GSSAPI (Kerberos), exist but highly depend on
your IT infrastructure and LDAP server configuration.
Just follow-up here or on the python-ldap-dev mailing list if you have
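What the Simple Bind Request discussed above looks like on the wire, as an added example that is not part of the original post: it BER-encodes the RFC 2251 BindRequest using only the standard library and decodes it again the way a receiver would, which shows the password travelling as a plain octet string unless the connection is wrapped in TLS. The DN and password are constructed sample values, and the function names are this example's own.

```python
# Added illustration: LDAP Simple Bind Request (RFC 2251) encoded by hand.
def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n):
    """INTEGER for non-negative n; the extra byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def simple_bind_request(message_id, dn, password, version=3):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest }."""
    op = (ber_int(version)                        # version
          + tlv(0x04, dn.encode("utf-8"))         # name (LDAPDN)
          + tlv(0x80, password.encode("utf-8")))  # simple [0] OCTET STRING
    return tlv(0x30, ber_int(message_id) + tlv(0x60, op))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(pdu):
    """Decode what any receiver of the PDU sees: (msg id, version, DN, password)."""
    _, msg, _ = read_tlv(pdu, 0)
    _, mid, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    _, ver, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    if op_tag != 0x60 or auth_tag != 0x80:
        raise ValueError("not a simple BindRequest")
    return (int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
            dn.decode("utf-8"), cred.decode("utf-8"))

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    pdu = simple_bind_request(1, "uid=jdoe,dc=example,dc=org", "s3cret")
    print(pdu.hex())
    print(parse_simple_bind(pdu))
```

The password bytes appear unchanged at the end of the PDU, so the bind is only as confidential as the transport carrying it.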