Jed Parsons wrote:
>
> import ldap
> l = ldap.open('our.ldap.server')
> try:
>     l.bind_s(username, password, ldap.AUTH_SIMPLE)
>     authenticated = True
> except:
> authenticated = False
  ^^^ Indentation is wrong here.

Also I'd recommend catching the ldap.LDAPError exceptions more specifically
(ldap.INVALID_CREDENTIALS indicates wrong password):

try:
    l.bind_s(username, password, ldap.AUTH_SIMPLE)
except ldap.INVALID_CREDENTIALS:
    authenticated = False
else:
    authenticated = True

> But this uses the plaintext of the user's password.

Yes, since this is an LDAP Simple Bind Request as defined in RFC 2251.

> Is there a proper
> way to send a cryptographic hash to the ldap server? Or do I have to
> negotiate this through an ssl tunnel or something?

SSL (either LDAPS or StartTLS extended operation) is one possibility to
secure the whole connection including bind requests (see
Demo/initialize.py).

Another option is to use SASL with DIGEST-MD5 if your server supports it
(see Demo/sasl_bind.py) and has the cleartext passwords available.

Other options with SASL, e.g. GSSAPI (Kerberos), exist but highly depend
on your IT infrastructure and LDAP server configuration.

Just follow up here or on the python-ldap-dev mailing list if you have
further problems.

Ciao, Michael.
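The StartTLS option and the specific exception handling discussed in this message, combined into one check. This is an added example, not part of the original message or of python-ldap's Demo scripts. The function name `ldap_authenticate`, the `ldap_mod` parameter (a hypothetical hook that lets the logic be exercised without a directory server) and the sample URI and DN are assumptions.

```python
def ldap_authenticate(uri, user_dn, password, ldap_mod=None):
    """Return True only if user_dn/password pass a simple bind over TLS.

    Wrong credentials return False. Any other ldap.LDAPError (server down,
    certificate rejected, StartTLS refused) propagates, so an outage is
    never mistaken for a bad password or for a successful login.
    """
    if ldap_mod is None:
        import ldap as ldap_mod  # python-ldap, imported lazily

    # A simple bind with an empty password is an "unauthenticated bind"
    # (RFC 4513, section 5.1.2) that many servers answer with success.
    # Reject it before anything is sent.
    if not user_dn or not password:
        return False

    conn = ldap_mod.initialize(uri)
    try:
        conn.set_option(ldap_mod.OPT_PROTOCOL_VERSION, ldap_mod.VERSION3)
        # Require a server certificate that validates; without this the
        # TLS layer protects against sniffing but not against a
        # man-in-the-middle.
        conn.set_option(ldap_mod.OPT_X_TLS_REQUIRE_CERT,
                        ldap_mod.OPT_X_TLS_DEMAND)
        # Apply the per-connection TLS options to a fresh TLS context.
        conn.set_option(ldap_mod.OPT_X_TLS_NEWCTX, 0)
        if not uri.lower().startswith("ldaps://"):
            # Upgrade the plain connection before the password is sent.
            # A failure raises, so there is no cleartext fallback.
            conn.start_tls_s()
        conn.simple_bind_s(user_dn, password)
        return True
    except ldap_mod.INVALID_CREDENTIALS:
        return False
    finally:
        try:
            conn.unbind_s()
        except ldap_mod.LDAPError:
            pass  # connection was never established or is already gone


if __name__ == "__main__":
    import getpass
    # Constructed sample values; replace with your own server and DN.
    ok = ldap_authenticate("ldap://our.ldap.server",
                           "uid=jdoe,ou=people,dc=example,dc=org",
                           getpass.getpass())
    print("authenticated" if ok else "rejected")
```

The password still reaches the server in the bind request; TLS only protects it in transit, which is the trade-off against the SASL mechanisms mentioned above.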