Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #94816

Re: Authenticate users using command line tool against AD in python

Newsgroups comp.lang.python
Date 2015-07-31 11:07 -0700
References <aead3a1f-c1ed-4694-ba9a-f18164f07284@googlegroups.com> <mp7cg2$605$1@dont-email.me>
Message-ID <8de582e2-9dfd-4350-9342-b379059cfff6@googlegroups.com> (permalink)
Subject Re: Authenticate users using command line tool against AD in python
From Prasad Katti <percy.k1234@gmail.com>

Show all headers | View raw

On Tuesday, July 28, 2015 at 12:56:29 AM UTC-7, Michael Ströder wrote:
> Prasad Katti wrote:
> > I am writing a command line tool in python to generate one time
> > passwords/tokens. The command line tool will have certain sub-commands like
> > --generate-token and --list-all-tokens for example. I want to restrict
> > access to certain sub-commands. In this case, when user tries to generate a
> > new token, I want him/her to authenticate against AD server first.
> 
> This does not sound secure:
> The user can easily use a modified copy of your script.
> 
> > I have looked at python-ldap and I am even able to bind to the AD server.
> > In my application I have a function
> > 
> >     def authenticate_user(username, password): pass
> > 
> > which gets username and plain-text password. How do I use the LDAPObject instance to validate these credentials?
> 
> You probably want to use
> 
> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.simple_bind_s
> 
> Check whether password is non-zero before because most LDAP servers consider
> an empty password as anon simple bind even if the bind-DN is set.
> 
> Ciao, Michael.

Hi Michael,

Thank you for the reply. I ended up using simple_bind_s to authenticate users. But apparently it transmits plain-text password over the wire which can be easily sniffed using a packed sniffer. So I am looking at the start_tls_s method right now.

About your other comment; How could I make it more secure? I looked for ways to obfuscate the file, but I read that it is easy to reverse engineer. How is python code usually distributed? This seems like a fairly common requirement. Am I using the wrong tool (Python)? This is my first attempt at doing such a thing.

Appreciate your help!

-
Prasad

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Authenticate users using command line tool against AD in python Prasad Katti <percy.k1234@gmail.com> - 2015-07-27 16:01 -0700
  Re: Authenticate users using command line tool against AD in python Michael Ströder <michael@stroeder.com> - 2015-07-28 09:56 +0200
    Re: Authenticate users using command line tool against AD in python Prasad Katti <percy.k1234@gmail.com> - 2015-07-31 11:07 -0700
      Re: Authenticate users using command line tool against AD in python Michael Ströder <michael@stroeder.com> - 2015-07-31 22:08 +0200

csiph-web