Authenticate users using command line tool against AD in python
michael at stroeder.com
Fri Jul 31 22:08:24 CEST 2015
Prasad Katti wrote:
> On Tuesday, July 28, 2015 at 12:56:29 AM UTC-7, Michael Ströder wrote:
>> Prasad Katti wrote:
>>> I am writing a command line tool in python to generate one time
>>> passwords/tokens. The command line tool will have certain sub-commands like
>>> --generate-token and --list-all-tokens for example. I want to restrict
>>> access to certain sub-commands. In this case, when user tries to generate a
>>> new token, I want him/her to authenticate against AD server first.
>> This does not sound secure:
>> The user can easily use a modified copy of your script.
>>> I have looked at python-ldap and I am even able to bind to the AD server.
>>> In my application I have a function
>>> def authenticate_user(username, password): pass
>>> which gets username and plain-text password. How do I use the LDAPObject instance to validate these credentials?
>> You probably want to use
>> Check beforehand whether the password is non-empty, because most LDAP servers
>> consider an empty password an anonymous simple bind even if the bind-DN is set.
> Thank you for the reply. I ended up using simple_bind_s to authenticate
> users. But apparently it transmits plain-text password over the wire which
> can be easily sniffed using a packet sniffer. So I am looking at the
> start_tls_s method right now.
Yes, use TLS if the server supports it. Make sure to set the option for the CA
certificate. See Demo/initialize.py in the source distribution tar.gz.
> About your other comment; How could I make it more secure?
If you want something to be inaccessible to a user, you have to spread the
functionality across separate components which communicate with each other. In
this communication you can implement authorization based on sufficiently
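The authentication piece discussed in this thread (STARTTLS with a pinned CA certificate, then a simple bind, with the empty-password trap handled up front), written out as an added example; this is not code from the thread or from python-ldap's Demo directory. The domain controller name dc1.example.corp, the CA file path, the example.corp UPN suffix and the single fake account are assumptions. FakeADConnection is a constructed stand-in for python-ldap's LDAPObject so the flow can be run without a domain controller; the real path uses open_ad_connection. Note that, as Michael points out, this check runs inside the user's own process and does not by itself protect a sub-command from a modified copy of the script.

```python
"""Authenticate a user against AD with python-ldap (added example).

Assumptions: the domain controller is dc1.example.corp and supports STARTTLS
on port 389, its certificate chains to /etc/ssl/certs/corp-ca.pem, and users
bind with their UPN (user@example.corp).
"""
import re

try:
    import ldap  # python-ldap
except ImportError:  # allows the FakeADConnection demo below to run without python-ldap
    ldap = None

if ldap is not None:
    InvalidCredentials = ldap.INVALID_CREDENTIALS
else:
    class InvalidCredentials(Exception):  # stand-in for ldap.INVALID_CREDENTIALS
        pass

AD_URI = "ldap://dc1.example.corp"       # assumption
CA_FILE = "/etc/ssl/certs/corp-ca.pem"   # assumption
UPN_SUFFIX = "example.corp"              # assumption

# Narrow character set for the account name: no '@', '\\', spaces or control
# characters, so a caller cannot smuggle a different domain or DN through it.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def bind_name(username):
    """Return the UPN to bind as, or None if the username is not acceptable."""
    if not _USERNAME_RE.match(username or ""):
        return None
    return "%s@%s" % (username, UPN_SUFFIX)


def open_ad_connection(uri=AD_URI, ca_file=CA_FILE):
    """Connect, verify the server certificate against ca_file, and negotiate
    STARTTLS before any credentials are sent over the wire."""
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD returns referrals; do not chase them
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # build the TLS context from the options above
    conn.start_tls_s()  # raises an LDAPError if TLS cannot be established; never fall back
    return conn


def authenticate_user(username, password, connect=open_ad_connection):
    """True only if a simple bind as the user succeeds on a verified TLS session.

    Transport or TLS failures are left to propagate so the caller can tell
    'server unreachable' apart from 'wrong password'.
    """
    # An empty password turns simple_bind_s into an anonymous bind, which most
    # servers accept regardless of the bind DN: refuse it before touching the server.
    if not password:
        return False
    who = bind_name(username)
    if who is None:
        return False
    conn = connect()
    try:
        conn.simple_bind_s(who, password)
    except InvalidCredentials:
        return False
    finally:
        conn.unbind_s()
    return True


class FakeADConnection(object):
    """Constructed stand-in for an LDAPObject holding one account (assumed
    credentials).  It mirrors the behaviour that matters here: an empty
    password 'succeeds' as an anonymous bind, a wrong one raises."""
    ACCOUNTS = {"alice@example.corp": "s3cret-pw"}

    def __init__(self):
        self.bound_as = None

    def simple_bind_s(self, who, cred):
        if not cred:  # anonymous bind: the trap the thread warns about
            self.bound_as = ""
            return
        if self.ACCOUNTS.get(who) != cred:
            raise InvalidCredentials("invalidCredentials (49)")
        self.bound_as = who

    def unbind_s(self):
        self.bound_as = None


if __name__ == "__main__":
    for user, pw in [("alice", "s3cret-pw"), ("alice", "wrong"),
                     ("alice", ""), ("alice@evil.corp", "s3cret-pw")]:
        print(repr(user), repr(pw), authenticate_user(user, pw, connect=FakeADConnection))
```

Against a real domain controller, drop the connect argument so open_ad_connection is used; if the CA file does not validate the server certificate, start_tls_s fails and no password is ever sent, which is the behaviour you want.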