Path: csiph.com!usenet.pasdenom.info!aioe.org!eternal-september.org!feeder.eternal-september.org!mx02.eternal-september.org!.POSTED!not-for-mail From: =?UTF-8?Q?Michael_Str=c3=b6der?= Newsgroups: comp.lang.python Subject: Re: Authenticate users using command line tool against AD in python Date: Tue, 28 Jul 2015 09:56:16 +0200 Organization: A noiseless patient Spider Lines: 26 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Injection-Date: Tue, 28 Jul 2015 07:54:42 +0000 (UTC) Injection-Info: mx02.eternal-september.org; posting-host="b6c6daf486d0281415cc730b73ecdf3a"; logging-data="6149"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19rh5z79RKTkwXvM49Avck36COMCJ9ZKY8=" User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1 In-Reply-To: Cancel-Lock: sha1:0JSycsnAnGj8Ywn1IRt7RsEp4P8= Xref: csiph.com comp.lang.python:94684 Prasad Katti wrote: > I am writing a command line tool in python to generate one time > passwords/tokens. The command line tool will have certain sub-commands like > --generate-token and --list-all-tokens for example. I want to restrict > access to certain sub-commands. In this case, when user tries to generate a > new token, I want him/her to authenticate against AD server first. This does not sound secure: The user can easily use a modified copy of your script. > I have looked at python-ldap and I am even able to bind to the AD server. > In my application I have a function > > def authenticate_user(username, password): pass > > which gets username and plain-text password. How do I use the LDAPObject instance to validate these credentials? You probably want to use http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.simple_bind_s Check whether password is non-zero before because most LDAP servers consider an empty password as anon simple bind even if the bind-DN is set. Ciao, Michael.