On Tuesday, July 28, 2015 at 12:56:29 AM UTC-7, Michael Ströder wrote: > Prasad Katti wrote: > > I am writing a command line tool in python to generate one time > > passwords/tokens. The command line tool will have certain sub-commands like > > --generate-token and --list-all-tokens for example. I want to restrict > > access to certain sub-commands. In this case, when user tries to generate a > > new token, I want him/her to authenticate against AD server first. > > This does not sound secure: > The user can easily use a modified copy of your script. > > > I have looked at python-ldap and I am even able to bind to the AD server. > > In my application I have a function > > > > def authenticate_user(username, password): pass > > > > which gets username and plain-text password. How do I use the LDAPObject > > instance to validate these credentials? > > You probably want to use > > http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.simple_bind_s > > Check whether password is non-zero before because most LDAP servers consider > an empty password as anon simple bind even if the bind-DN is set. > > Ciao, Michael.
Hi Michael, Thank you for the reply. I ended up using simple_bind_s to authenticate users. But apparently it transmits plain-text password over the wire which can be easily sniffed using a packed sniffer. So I am looking at the start_tls_s method right now. About your other comment; How could I make it more secure? I looked for ways to obfuscate the file, but I read that it is easy to reverse engineer. How is python code usually distributed? This seems like a fairly common requirement. Am I using the wrong tool (Python)? This is my first attempt at doing such a thing. Appreciate your help! - Prasad -- https://mail.python.org/mailman/listinfo/python-list
