Hi, Michael, Thanks very much for your response. I think I can work it out now.

>>   authenticated = False
>  ^^^
> Indentation is wrong here.

Yes, sorry about that - doesn't always work on this email client :(

As an addendum, I discovered one little gotcha, namely that this:

    l.bind_s(username, password, ldap.AUTH_SIMPLE)

throws an ldap.INVALID_CREDENTIALS error if the password contains the wrong text, but works if the password is empty. I guess this is tantamount to binding as ("", ""), but I wasn't expecting it; I figured if a username was specified, the password would have to agree.

So my little authentication example also needs to test for empty passwords.

Neither here nor there, really; just thought I'd mention it since I ran into it.

Now I'm off to check out the Demo/*.py scripts you pointed me to.

Thanks again. Cheers!
j

Michael Ströder wrote:
> Jed Parsons wrote:
>> import ldap
>> l = ldap.open('our.ldap.server')
>> try:
>>     l.bind_s(username, password, ldap.AUTH_SIMPLE)
>>     authenticated = True
>> except:
>>   authenticated = False
>  ^^^
> Indentation is wrong here.
>
> Also I'd recommend to catch the ldap.LDAPError exceptions more
> specifically (ldap.INVALID_CREDENTIALS indicates wrong password):
>
> try:
>     l.bind_s(username, password, ldap.AUTH_SIMPLE)
> except ldap.INVALID_CREDENTIALS:
>     authenticated = False
> else:
>     authenticated = True
>
>> But this uses the plaintext of the user's password.
>
> Yes, since this is a LDAP Simple Bind Request as defined in RFC 2251.
>
>> Is there a proper
>> way to send a cryptographic hash to the ldap server? Or do I have to
>> negotiate this through an ssl tunnel or something?
>
> SSL (either LDAPS or StartTLS extended operation) is one possibility to
> secure the whole connection including bind requests (see
> Demo/initialize.py).
>
> Another option is to use SASL with DIGEST-MD5 if your server supports it
> (see Demo/sasl_bind.py) and has the cleartext passwords available. Other
> options with SASL, e.g. GSSAPI (Kerberos), exist but highly depend on
> your IT infrastructure and LDAP server configuration.
>
> Just follow-up here or on the python-ldap-dev mailing list if you have
> further problems.
>
> Ciao, Michael.

--
Jed Parsons Industrial Light + Magic (415) 746-2974

grep(do{for(ord){(!$_&&print"$s\n")||(($O+=(($_-1)%6+1)and grep(vec($s,$O++,1)=1,1..int(($_-6*6-1)/6))))}},(split(//, "++,++2-27,280,481=1-7.1++2,800+++2,8310/1+4131+1++2,80\0. What!?")));
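
The empty-password gotcha described in the message above, as an added example that is not part of the original thread and is not python-ldap code. `FakeDirectory`, `InvalidCredentials`, `naive_authenticate`, `authenticate` and the sample DN and password are hypothetical names and constructed data; the stand-in assumes a server that accepts a simple bind with an empty password (what RFC 4513 calls an unauthenticated bind), so the example runs without a directory server.

```python
# Added example. FakeDirectory is a constructed stand-in, not python-ldap.
class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS."""


class FakeDirectory:
    """Models a server that accepts simple binds with an empty password."""

    def __init__(self, passwords):
        self.passwords = passwords   # DN -> password, constructed sample data
        self.bound_as = None

    def bind_s(self, who, cred, method=None):
        if cred == "":
            # Empty password: the server never compares it with the stored
            # one. The bind succeeds with anonymous authorization
            # (RFC 4513 "unauthenticated bind" when a name is supplied).
            self.bound_as = ""
            return
        if self.passwords.get(who) != cred:
            raise InvalidCredentials(who)
        self.bound_as = who


def naive_authenticate(conn, dn, password):
    """Pattern from the thread: a bind that does not raise counts as a login."""
    try:
        conn.bind_s(dn, password)
    except InvalidCredentials:
        return False
    return True


def authenticate(conn, dn, password):
    """Same check, but empty or missing credentials never reach the server."""
    if not dn or not password:
        return False
    return naive_authenticate(conn, dn, password)


JED = "uid=jed,ou=people,dc=example,dc=org"   # constructed sample DN
SAMPLE = {JED: "correct-horse"}               # constructed sample password

if __name__ == "__main__":
    for pw in ("correct-horse", "wrong", ""):
        conn = FakeDirectory(SAMPLE)
        print(repr(pw), naive_authenticate(conn, JED, pw), authenticate(conn, JED, pw))
```

With a real connection the same guard goes in front of the `bind_s` call, and the connection should already be protected with LDAPS or StartTLS as Michael suggests.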