Authenticate users using command line tool against AD in python

Michael Ströder michael at stroeder.com
Tue Jul 28 09:56:16 CEST 2015


Prasad Katti wrote:
> I am writing a command line tool in python to generate one time
> passwords/tokens. The command line tool will have certain sub-commands like
> --generate-token and --list-all-tokens for example. I want to restrict
> access to certain sub-commands. In this case, when user tries to generate a
> new token, I want him/her to authenticate against AD server first.

This does not sound secure:
The user can easily use a modified copy of your script.

> I have looked at python-ldap and I am even able to bind to the AD server.
> In my application I have a function
> 
>     def authenticate_user(username, password): pass
> 
> which gets username and plain-text password. How do I use the LDAPObject instance to validate these credentials?

You probably want to use

http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.simple_bind_s

Check whether password is non-zero before because most LDAP servers consider
an empty password as anon simple bind even if the bind-DN is set.

Ciao, Michael.



More information about the Python-list mailing list