Authenticate users using command line tool against AD in python

Michael Ströder michael at stroeder.com
Fri Jul 31 22:08:24 CEST 2015


Prasad Katti wrote:
> On Tuesday, July 28, 2015 at 12:56:29 AM UTC-7, Michael Ströder wrote:
>> Prasad Katti wrote:
>>> I am writing a command line tool in python to generate one time
>>> passwords/tokens. The command line tool will have certain sub-commands like
>>> --generate-token and --list-all-tokens for example. I want to restrict
>>> access to certain sub-commands. In this case, when user tries to generate a
>>> new token, I want him/her to authenticate against AD server first.
>>
>> This does not sound secure:
>> The user can easily use a modified copy of your script.
>>
>>> I have looked at python-ldap and I am even able to bind to the AD server.
>>> In my application I have a function
>>>
>>>     def authenticate_user(username, password): pass
>>>
>>> which gets username and plain-text password. How do I use the LDAPObject instance to validate these credentials?
>>
>> You probably want to use
>>
>> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.simple_bind_s
>>
>> Check whether password is non-zero before because most LDAP servers consider
>> an empty password as anon simple bind even if the bind-DN is set.
> 
> Thank you for the reply. I ended up using simple_bind_s to authenticate
> users. But apparently it transmits plain-text password over the wire which
> can be easily sniffed using a packed sniffer. So I am looking at the
> start_tls_s method right now.

Yes, use TLS if the server supports it. Make sure to the option for CA
certificate. See Demo/initialize.py in the source distribution tar.gz.

> About your other comment; How could I make it more secure?

If you want something to be inaccessible for a user you have to spread the
functionality across separate components which communicate with each other. In
this communication you can implement authorization based on sufficiently
secure authentication.

Ciao, Michael.




More information about the Python-list mailing list