Prasad Katti wrote:
> On Tuesday, July 28, 2015 at 12:56:29 AM UTC-7, Michael Ströder wrote:
>> Prasad Katti wrote:
>>> I am writing a command line tool in python to generate one time
>>> passwords/tokens. The command line tool will have certain sub-commands like
>>> --generate-token and --list-all-tokens for example. I want to restrict
>>> access to certain sub-commands. In this case, when a user tries to generate a
>>> new token, I want him/her to authenticate against the AD server first.
>>
>> This does not sound secure:
>> The user can easily use a modified copy of your script.
>>
>>> I have looked at python-ldap and I am even able to bind to the AD server.
>>> In my application I have a function
>>>
>>> def authenticate_user(username, password): pass
>>>
>>> which gets username and plain-text password. How do I use the LDAPObject
>>> instance to validate these credentials?
>>
>> You probably want to use
>>
>> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.simple_bind_s
>>
>> Check beforehand that the password is non-empty, because most LDAP servers
>> consider an empty password an anonymous simple bind even if the bind-DN is set.
>
> Thank you for the reply. I ended up using simple_bind_s to authenticate
> users. But apparently it transmits the plain-text password over the wire,
> which can be easily sniffed using a packet sniffer. So I am looking at the
> start_tls_s method right now.
Yes, use TLS if the server supports it. Make sure to set the option for the CA
certificate. See Demo/initialize.py in the source distribution tar.gz.

> About your other comment; How could I make it more secure?

If you want something to be inaccessible for a user, you have to spread the
functionality across separate components which communicate with each other.
In this communication you can implement authorization based on sufficiently
secure authentication.

Ciao, Michael.

--
https://mail.python.org/mailman/listinfo/python-list
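An added example of the approach discussed in this thread (refuse an empty password, upgrade the connection with start_tls_s using a CA certificate, then simple_bind_s); it is not code from the thread, from python-ldap, or from any of the posters. The bind-name format (a UPN such as user@example.com), the names LdapBackend and FakeDirectory, the username character restriction and the account data are assumptions. FakeDirectory is a constructed in-memory stand-in for the AD server, including the empty-password-means-anonymous-bind behaviour Michael describes, so the block runs offline; the real python-ldap calls live in LdapBackend and are only exercised when you point it at an actual server.

```python
import re


class LdapBackend:
    """Real backend (assumes python-ldap is installed): one StartTLS-protected
    connection per bind attempt, verified against the given CA certificate."""

    def __init__(self, uri, cacertfile):
        self.uri = uri              # e.g. "ldap://dc1.example.com" (assumed)
        self.cacertfile = cacertfile  # PEM file with the CA that issued the DC's cert

    def bind(self, bind_name, password):
        import ldap  # python-ldap; imported lazily so the offline demo below needs no install
        conn = ldap.initialize(self.uri)
        conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
        # TLS options must be set on the connection before NEWCTX re-creates its context.
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, self.cacertfile)
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
        # If the server cannot do TLS this raises; never fall back to a cleartext bind.
        conn.start_tls_s()
        try:
            conn.simple_bind_s(bind_name, password)
            return True
        except ldap.INVALID_CREDENTIALS:
            return False
        finally:
            conn.unbind_s()


class FakeDirectory:
    """Constructed stand-in for the AD server: maps bind name -> password and,
    like most LDAP servers, treats an empty password as an anonymous bind that
    'succeeds' regardless of the bind name."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.binds = []  # every (bind_name, password) the client actually sent

    def bind(self, bind_name, password):
        self.binds.append((bind_name, password))
        if password == "":
            return True  # anonymous simple bind, not an authentication
        return self.accounts.get(bind_name) == password


# Only plain account names reach the bind name; anything else could inject
# into the DN/UPN we build (assumed policy, tighten to your naming rules).
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def authenticate_user(username, password, backend, domain="example.com"):
    """True only if a non-empty password binds successfully as username@domain."""
    if not _USERNAME_RE.match(username or ""):
        return False
    if not password:
        # An empty password would be sent as an anonymous bind and "succeed".
        return False
    return backend.bind(f"{username}@{domain}", password)


if __name__ == "__main__":
    # Offline demo against the constructed directory (assumed account data).
    directory = FakeDirectory({"alice@example.com": "s3cret"})
    print(authenticate_user("alice", "s3cret", directory))  # True
    print(authenticate_user("alice", "", directory))        # False, bind never sent
```

With a real domain controller, swap FakeDirectory for LdapBackend("ldap://dc1.example.com", "/etc/ssl/certs/corp-ca.pem") (values assumed); OPT_X_TLS_DEMAND makes a certificate that does not chain to that CA a hard failure rather than a warning.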