ldap usage

Michael Ströder michael at stroeder.com
Wed Mar 29 13:22:00 CEST 2006

Jed Parsons wrote:
>     import ldap
>     l = ldap.open('our.ldap.server')
>     try:
>         l.bind_s(username, password, ldap.AUTH_SIMPLE)
>         authenticated = True
>     except:
>     authenticated = False
Indentation is wrong here.

I'd also recommend catching the ldap.LDAPError exceptions more
specifically (ldap.INVALID_CREDENTIALS indicates a wrong password):

     try:
         l.bind_s(username, password, ldap.AUTH_SIMPLE)
     except ldap.INVALID_CREDENTIALS:
         authenticated = False
     else:
         authenticated = True

> But this uses the plaintext of the user's password.

Yes, since this is an LDAP Simple Bind Request as defined in RFC 2251.

>  Is there a proper
> way to send a cryptographic hash to the ldap server?  Or do I have to
> negotiate this through an ssl tunnel or something?

SSL (either LDAPS or StartTLS extended operation) is one possibility to
secure the whole connection including bind requests (see

Another option is to use SASL with DIGEST-MD5 if your server supports it
(see Demo/sasl_bind.py) and has the cleartext passwords available. Other
options with SASL, e.g. GSSAPI (Kerberos), exist but depend highly on
your IT infrastructure and LDAP server configuration.

Just follow up here or on the python-ldap-dev mailing list if you have
further problems.

Ciao, Michael.
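The advice in this reply (catch only ldap.INVALID_CREDENTIALS, and protect the simple bind with StartTLS) put together as an added example; this is not code from the thread or from python-ldap itself. It assumes python-ldap (the ldap module) is installed for the real connection; when it is not, stand-in exception classes keep the bind logic importable so it can be run against the constructed FakeConnection. The DN template uid={user},ou=people,dc=example,dc=com, the CA bundle path and the sample user are assumptions.

```python
"""Simple-bind authentication with python-ldap, catching only
ldap.INVALID_CREDENTIALS and sending the password over StartTLS.

Added example, not code from the thread.  It assumes python-ldap (the
``ldap`` module); when that is not installed, stand-in exception
classes with the same hierarchy keep the bind logic importable so it
can be exercised against the constructed FakeConnection below.
"""
try:
    import ldap
    import ldap.dn
    LDAPError = ldap.LDAPError
    INVALID_CREDENTIALS = ldap.INVALID_CREDENTIALS
except ImportError:  # python-ldap absent: same exception hierarchy, no network
    ldap = None

    class LDAPError(Exception):
        pass

    class INVALID_CREDENTIALS(LDAPError):
        pass


def escape_dn_value(value):
    """Escape an attribute value before splicing it into a bind DN, so a
    username such as 'jed,ou=admins' cannot rewrite the DN (RFC 4514)."""
    if ldap is not None:
        return ldap.dn.escape_dn_chars(value)
    # Fallback with the same rules as ldap.dn.escape_dn_chars.
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=\0':
        out = out.replace(ch, "\\" + ch)
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    if out.startswith(("#", " ")):
        out = "\\" + out
    return out


def tls_connection(uri="ldap://our.ldap.server",
                   ca_file="/path/to/ca-bundle.pem"):  # placeholder path
    """Open a connection and upgrade it with the StartTLS extended
    operation, demanding a valid server certificate, so the cleartext
    password inside the simple bind never crosses the network unprotected."""
    if ldap is None:
        raise RuntimeError("python-ldap is required for a real connection")
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # make OpenLDAP apply the options above
    conn.start_tls_s()
    return conn


def authenticate(username, password, connect,
                 dn_template="uid={user},ou=people,dc=example,dc=com"):
    """Return True only if the server accepts a simple bind as the user.

    connect: zero-argument callable returning a connection object with
    simple_bind_s() and unbind_s() (tls_connection, or a fake in tests).
    Only INVALID_CREDENTIALS means "wrong password"; any other LDAPError
    (server down, TLS failure) propagates instead of reading as a bad login.
    """
    # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated*
    # bind, which servers may accept.  Never let that look like a login.
    if not username or not password:
        return False
    bind_dn = dn_template.format(user=escape_dn_value(username))
    conn = connect()
    try:
        conn.simple_bind_s(bind_dn, password)
    except INVALID_CREDENTIALS:
        return False
    else:
        return True
    finally:
        conn.unbind_s()


class FakeConnection:
    """Constructed stand-in for a directory server, for offline runs.
    It mimics the unauthenticated-bind behaviour described above."""

    def __init__(self, directory):
        self.directory = directory  # {bind_dn: password}
        self.unbound = False

    def simple_bind_s(self, who, cred):
        if who in self.directory and cred == "":
            return  # unauthenticated bind "succeeds" on a permissive server
        if self.directory.get(who) != cred:
            raise INVALID_CREDENTIALS({"desc": "Invalid credentials"})

    def unbind_s(self):
        self.unbound = True


if __name__ == "__main__":
    # Constructed directory with one user; pass tls_connection as connect
    # to talk to a real server instead.
    directory = {"uid=jed,ou=people,dc=example,dc=com": "correct horse"}

    def connect():
        return FakeConnection(directory)

    print(authenticate("jed", "correct horse", connect))  # True
    print(authenticate("jed", "wrong", connect))          # False
    print(authenticate("jed", "", connect))               # False
```

The bare except in the quoted code would have reported a down server or a failed TLS handshake as "wrong password"; here only INVALID_CREDENTIALS is treated that way and everything else propagates, which is what makes the failure visible in logs. The empty-password guard exists because an LDAP simple bind with a DN and no password is an unauthenticated bind by RFC 4513, not a failed one.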
