


ldap proxy user bind

Started by sajuptpm <sajuptpm@gmail.com>
First post 2012-02-10 23:27 -0800
Last post 2012-02-12 13:57 +0100
Articles 7 — 3 participants



Contents

  ldap proxy user bind sajuptpm <sajuptpm@gmail.com> - 2012-02-10 23:27 -0800
    Re: ldap proxy user bind Michael Ströder <michael@stroeder.com> - 2012-02-11 21:22 +0100
      Re: ldap proxy user bind sajuptpm <sajuptpm@gmail.com> - 2012-02-11 13:19 -0800
        Re: ldap proxy user bind Michael Torrie <torriem@gmail.com> - 2012-02-11 20:35 -0700
        Re: ldap proxy user bind Michael Torrie <torriem@gmail.com> - 2012-02-11 21:29 -0700
          Re: ldap proxy user bind sajuptpm <sajuptpm@gmail.com> - 2012-02-11 23:16 -0800
        Re: ldap proxy user bind Michael Ströder <michael@stroeder.com> - 2012-02-12 13:57 +0100

#20214 — ldap proxy user bind

From sajuptpm <sajuptpm@gmail.com>
Date 2012-02-10 23:27 -0800
Subject ldap proxy user bind
Message-ID <452a9dab-af23-44ef-9460-33a6fbf6faf0@g4g2000pbi.googlegroups.com>
I have developed an LDAP auth system using the python-ldap module.
Using that I can validate username and password, and fetch user and
group info from the LDAP directory.
Now I want to implement an LDAP proxy user bind to the LDAP server.
I googled and found this: http://ldapwiki.willeke.com/wiki/LDAPProxyUser
But I don't have any idea about how to implement it using python-ldap.

My existing LDAP settings on the client side:
ldap_enabled = True
ldap_host = your_ldap_server
ldap_port = 389
ldap_basedn = o=My_omain
ldap_user_key = cn
ldap_group_key = groupMembership
ldap_email_key = mail
ldap_user_search = ou=Users
ldap_group_search = ou=Groups
ldap_group_objectclass = groupOfNames

I want to add the following 2 new flags:

ldap_proxy_user = ldap_proxy
ldap_proxy_pwd = secret


I don't know how this LDAP proxy system would work.
Could you please point me to a Python article/example?



#20231

From Michael Ströder <michael@stroeder.com>
Date 2012-02-11 21:22 +0100
Message-ID <jh6iml$g37$1@dont-email.me>
In reply to #20214
sajuptpm wrote:
> I have developed an LDAP auth system using the python-ldap module.
> Using that I can validate username and password, and fetch user and
> group info from the LDAP directory.
> Now I want to implement an LDAP proxy user bind to the LDAP server.

What do you mean exactly?

Are you talking about LDAPv3 proxy authorization
(see http://tools.ietf.org/html/rfc4370)?
If yes, then pass an instance of class ldap.controls.simple.ProxyAuthzControl 
to the LDAPObject methods when sending your LDAP requests. This is usable no 
matter how your proxy user has bound to the directory. Another option is to send 
a SASL authz-ID along with the initial SASL bind request of your proxy user.

No matter what, you have to get your LDAP server configuration right for this 
to work. Which LDAP server is it?

> I googled and found this: http://ldapwiki.willeke.com/wiki/LDAPProxyUser

AFAICS this web page talks about the proxy user for eDirectory's LDAP gateway 
to NDS. It's unlikely that this is relevant to your needs.

> But I don't have any idea about how to implement it using python-ldap.
> [..]
> I want to add the following 2 new flags:
>
> ldap_proxy_user = ldap_proxy
> ldap_proxy_pwd = secret

Hmm, please don't take it personally but my impression is that you're not 
totally clear on what you need. Could you please try to explain what you want 
to achieve?

Ciao, Michael.



#20236

From sajuptpm <sajuptpm@gmail.com>
Date 2012-02-11 13:19 -0800
Message-ID <224a1023-a78f-4658-92b3-8448e305e6bd@iu7g2000pbc.googlegroups.com>
In reply to #20231
Hi Michael Ströder,
Thanks for the reply.

Yeah, I am not totally clear about that.

The client's requirement is:
option to have an LDAP proxy user bind to the LDAP server if it needs
more directory rights than an anonymous bind.
option to use an LDAP proxy user when searching.



#20246

From Michael Torrie <torriem@gmail.com>
Date 2012-02-11 20:35 -0700
Message-ID <mailman.5713.1329019404.27778.python-list@python.org>
In reply to #20236
On 02/11/2012 02:19 PM, sajuptpm wrote:
> Hi Michael Ströder,
> Thanks for the reply.
> 
> Yeah, I am not totally clear about that.
> 
> The client's requirement is:
> option to have an LDAP proxy user bind to the LDAP server if it needs
> more directory rights than an anonymous bind.
> option to use an LDAP proxy user when searching.

I wrote a true LDAP proxy server last year that intercepts and rewrites
requests (bind, search, modify, etc).  I used as my basis the LDAP proxy
server that ships with Python-Twisted.  Unfortunately I cannot share my
code with you, but if you can get your head wrapped around Twisted (it's
*extremely* hard to understand how it works at first), then this is the
way to go.



#20247

From Michael Torrie <torriem@gmail.com>
Date 2012-02-11 21:29 -0700
Message-ID <mailman.5714.1329020951.27778.python-list@python.org>
In reply to #20236
On 02/11/2012 08:35 PM, Michael Torrie wrote:
> On 02/11/2012 02:19 PM, sajuptpm wrote:
>> Hi Michael Ströder,
>> Thanks for the reply.
>>
>> Yeah, I am not totally clear about that.
>>
>> The client's requirement is:
>> option to have an LDAP proxy user bind to the LDAP server if it needs
>> more directory rights than an anonymous bind.
>> option to use an LDAP proxy user when searching.
> 
> I wrote a true LDAP proxy server last year that intercepts and rewrites
> requests (bind, search, modify, etc).  I used as my basis the LDAP proxy
> server that ships with Python-Twisted.  Unfortunately I cannot share my
> code with you, but if you can get your head wrapped around Twisted (it's
> *extremely* hard to understand how it works at first), then this is the
> way to go.

Okay so I looked over my code.  I can share some of it with you if you
want.  The most simple proxy I could find (I have written several for
various purposes) was based on the Twisted LDAP proxy server class
(ldaptor.protocols.ldap.proxy).  The reason I wrote it was because I had
some Sharp multi-function printers that could do LDAP authentication,
but instead of binding with a full DN, it would simply bind as
"username" which wouldn't work on my LDAP server.  So I wrote the LDAP
proxy server to intercept bind requests (Sharp doesn't even support SSL,
blah!) and convert it to a proper DN before passing it on to the real
LDAP server.  Also the LDAP search queries the Sharp server generated
were crappy, so I rewrote some of the searches as well as they pass
through my proxy server.  I

sharp ===> Twisted LDAP server/Twisted LDAP client ===> ldapserver
             rewrite bind,
             rewrite some searches,
             pass thru everything

My other LDAP proxy is fancier and it uses the
ldaptor.protocols.ldap.ldapserver.BaseLDAPServer class, and instead of
using twisted's LDAP client code, I just use python-ldap.  So it's a
hybrid approach I suppose.  I can strip it down to bare proxy
functionality that you could build on.

client ==> twisted ldap server/python-ldap client ===> ldapserver

Anyway let me know if you want to see some code and I'll post what I can.



#20255

From sajuptpm <sajuptpm@gmail.com>
Date 2012-02-11 23:16 -0800
Message-ID <3e195947-d67f-42ae-9e9d-6fd111a6beec@ow3g2000pbc.googlegroups.com>
In reply to #20247
Hi Michael Torrie,
Thanks for the reply.

Why do we need Twisted here? I did not get it.

My understanding is that
if
ldap_proxy_user = ldap_proxy
ldap_proxy_pwd = secret
(set more privileges for this user on the LDAP server side, to get other
users' info)
are configured on the server side, then allow clients to log in using
the username only; this time use ldap_proxy_user and ldap_proxy_pwd to
log in to the LDAP server, validate the user and get the user's info.
Is it possible, and are there any drawbacks?

I think this is what the client needs.
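The flow sajuptpm sketches above (a configured proxy user with extra rights looks the user up, then the user's own password is verified) is the pattern most "LDAP auth" code implements. The following is an added example, not code from the thread or from python-ldap. It is written against the python-ldap LDAPObject method names and argument order (simple_bind_s, search_s, ldap.SCOPE_SUBTREE, ldap.INVALID_CREDENTIALS); in production `connect` would be `lambda: ldap.initialize("ldap://your_ldap_server:389")`. InMemoryDirectory and the entries are constructed stand-ins so the flow runs offline. It also covers the two drawbacks sajuptpm asks about that matter most: an empty password must be refused before the bind (a DN with an empty password is an unauthenticated bind, which some servers accept), and the username must be escaped before it is placed in the search filter.

```python
# Added example (not from the thread): proxy-user lookup followed by a bind as
# the user, against python-ldap-style method signatures.  InMemoryDirectory,
# InvalidCredentials and the ENTRIES data are constructed stand-ins.

SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE


class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS (LDAP result code 49)."""


def escape_filter_chars(value):
    """Escape RFC 4515 filter metacharacters (what ldap.filter.escape_filter_chars does).

    Without this a username such as "*" or "a)(cn=admin" rewrites the search
    filter built below (LDAP filter injection)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


class ProxyUserAuthenticator:
    """Bind as the proxy user to find the user's DN and read its attributes,
    then verify the password with a bind *as the user* on a separate connection."""

    def __init__(self, connect, proxy_dn, proxy_pwd, user_base,
                 user_key="cn", email_key="mail", group_key="groupMembership"):
        self.connect, self.proxy_dn, self.proxy_pwd = connect, proxy_dn, proxy_pwd
        self.user_base, self.user_key = user_base, user_key
        self.attrs = [email_key, group_key]

    def authenticate(self, username, password):
        """Return (user_dn, attributes) on success, None on any failure."""
        # 1. Reject empty passwords before touching the server.  A simple bind
        #    with a DN and an empty password is an *unauthenticated* bind
        #    (RFC 4513 section 5.1.2); servers that accept it would turn every
        #    known username into a successful login.
        if not password:
            return None
        # 2. The proxy user (which has more rights than anonymous) resolves the
        #    username to a DN and fetches the user and group attributes.
        conn = self.connect()
        conn.simple_bind_s(self.proxy_dn, self.proxy_pwd)
        flt = "(%s=%s)" % (self.user_key, escape_filter_chars(username))
        results = conn.search_s(self.user_base, SCOPE_SUBTREE, flt, self.attrs)
        if len(results) != 1:        # unknown, or ambiguous, username
            return None
        user_dn, attrs = results[0]
        # 3. Prove the password with the user's own bind; the proxy credentials
        #    are never used to vouch for the user.
        try:
            self.connect().simple_bind_s(user_dn, password)
        except InvalidCredentials:
            return None
        return user_dn, attrs


class InMemoryDirectory:
    """Constructed stand-in for an LDAP connection; supports only what is used above."""

    def __init__(self, entries):
        self.entries = entries                 # {dn: {attr: [bytes, ...]}}
        self.bound_as = None

    def simple_bind_s(self, who=None, cred=None):
        if not cred:                           # anonymous / unauthenticated bind:
            self.bound_as = None               # "succeeds", as on many real servers
            return
        entry = self.entries.get(who)
        if entry is None or entry.get("userPassword") != [cred.encode()]:
            raise InvalidCredentials(who)
        self.bound_as = who

    def search_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None):
        # Only the single equality filter "(attr=value)" issued above is modelled;
        # the escaped value is compared literally, so "\2a" never acts as "*".
        attr, _, wanted = filterstr[1:-1].partition("=")
        return [(dn, {k: v for k, v in attrs.items() if attrlist is None or k in attrlist})
                for dn, attrs in self.entries.items()
                if dn.endswith(base) and attrs.get(attr) == [wanted.encode()]]


USER_BASE = "ou=Users,o=example"               # constructed sample data follows
PROXY_DN = "cn=ldap_proxy," + USER_BASE
ENTRIES = {
    PROXY_DN: {"cn": [b"ldap_proxy"], "userPassword": [b"secret"]},
    "cn=alice," + USER_BASE: {"cn": [b"alice"], "userPassword": [b"wonderland"],
                              "mail": [b"alice@example.com"],
                              "groupMembership": [b"cn=admins,ou=Groups,o=example"]},
}


def make_authenticator():
    """Wire the authenticator to the constructed directory (one fresh connection per call)."""
    return ProxyUserAuthenticator(lambda: InMemoryDirectory(ENTRIES), PROXY_DN, "secret", USER_BASE)


if __name__ == "__main__":
    auth = make_authenticator()
    print(auth.authenticate("alice", "wonderland"))   # DN and attributes
    print(auth.authenticate("alice", ""))             # None: empty password refused
```

The attributes returned from step 2 come from the proxy user's search, so they are available even when the user's own rights would not allow reading them; the user's bind in step 3 is used only as proof of the password. The proxy account should be granted read access to exactly the attributes the application needs and nothing more, since its password sits in the client configuration.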



#20268

From Michael Ströder <michael@stroeder.com>
Date 2012-02-12 13:57 +0100
Message-ID <jh8d0f$q6i$1@dont-email.me>
In reply to #20236
sajuptpm wrote:
> Yeah, I am not totally clear about that.
>
> The client's requirement is:
> option to have an LDAP proxy user bind to the LDAP server if it needs
> more directory rights than an anonymous bind.
> option to use an LDAP proxy user when searching.

As said: there's the proxy authorization control (see RFC 4370) for which a 
Python class exists in python-ldap. This is used e.g. in web applications if 
the user has successfully authenticated to the application and his identity 
should be used when processing ACLs in the LDAP server. In this case the 
"proxy user" is a trusted entity that has done the authentication right. The proxy 
authz control is sent by the application with each LDAP request. The server 
has to be correctly configured to accept that.

Another option is an LDAP proxy server which accepts anon requests and binds as 
a certain user. You could use OpenLDAP with back-ldap or back-meta for that.

So you should ask your customer what's really needed.

Ciao, Michael.
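The RFC 4370 flow Michael Ströder describes in this post and in #20231 (one bind as the application's own identity, then a proxied authorization control on every request naming the already authenticated user, with the server configured to permit it) as an added example that is not code from the thread or from python-ldap. The control OID and value format are taken from RFC 4370; python-ldap exposes the same control as ldap.controls.simple.ProxyAuthzControl(criticality, authzId), and ldap.SCOPE_SUBTREE and the exception names are the python-ldap ones being imitated. DirectoryServer, its authorization policy and the entries are constructed stand-ins so the exchange runs offline.

```python
# Added example (not from the thread): RFC 4370 proxied authorization.  The
# application binds once as a service account, then each request carries a
# control naming the authenticated user; the server evaluates ACLs as that user.
# DirectoryServer and the demo data are constructed stand-ins.

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # RFC 4370 section 3 (ldap.CONTROL_PROXY_AUTHZ)
SCOPE_SUBTREE = 2                              # same value as ldap.SCOPE_SUBTREE


class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS (result code 49)."""


class InsufficientAccess(Exception):
    """Stand-in for ldap.INSUFFICIENT_ACCESS (result code 50)."""


class UnavailableCriticalExtension(Exception):
    """Stand-in for ldap.UNAVAILABLE_CRITICAL_EXTENSION (result code 12)."""


def proxy_authz_control(user_dn):
    """Build the control as a (controlType, criticality, controlValue) triple.

    RFC 4370: the value is the authzId itself ("dn:<DN>" form, RFC 4513 5.2.1.8)
    with no BER wrapping, and criticality MUST be TRUE.  A non-critical control
    would let a server that does not understand it silently run the request with
    the *application's* rights instead of the user's, the exact failure the
    control exists to prevent.  With python-ldap, pass
    ProxyAuthzControl(True, "dn:" + user_dn) in serverctrls instead of this tuple."""
    if not user_dn:
        raise ValueError("an empty authzId means anonymous; refuse it explicitly")
    return (PROXY_AUTHZ_OID, True, ("dn:" + user_dn).encode("utf-8"))


def search_as_user(conn, user_dn, base, filterstr="(objectClass=*)", attrlist=None):
    """One request on an already-bound connection, evaluated by the server as user_dn."""
    return conn.search_ext_s(base, SCOPE_SUBTREE, filterstr, attrlist, 0,
                             serverctrls=[proxy_authz_control(user_dn)])


class DirectoryServer:
    """Constructed stand-in with an authzTo-style policy and a per-entry read ACL.

    entries:   {dn: {attr: [bytes, ...]}}
    readable:  {dn: {identity_dn, ...}}      who may read that entry
    may_proxy: {service_dn: {user_dn, ...}}  who it may impersonate (server config)"""

    def __init__(self, entries, readable, may_proxy):
        self.entries, self.readable, self.may_proxy = entries, readable, may_proxy
        self.bound_as = None

    def simple_bind_s(self, who, cred):
        entry = self.entries.get(who)
        if entry is None or entry.get("userPassword") != [cred.encode()]:
            raise InvalidCredentials(who)
        self.bound_as = who

    def search_ext_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None,
                     attrsonly=0, serverctrls=None):
        effective = self.bound_as
        for oid, critical, value in serverctrls or []:
            if oid != PROXY_AUTHZ_OID:
                if critical:            # RFC 4511 4.1.11: unknown critical control
                    raise UnavailableCriticalExtension(oid)
                continue
            target = value.decode("utf-8")[len("dn:"):]
            if target not in self.may_proxy.get(self.bound_as, set()):
                raise InsufficientAccess("%s may not act as %s" % (self.bound_as, target))
            effective = target
        # Only "(objectClass=*)" is modelled: every entry under base, ACL-filtered.
        return [(dn, {k: v for k, v in attrs.items() if k != "userPassword"})
                for dn, attrs in self.entries.items()
                if dn.endswith(base) and effective in self.readable.get(dn, set())]


APP_DN = "cn=webapp,ou=Services,o=example"     # constructed sample data follows
ALICE_DN = "cn=alice,ou=Users,o=example"
BOB_DN = "cn=bob,ou=Users,o=example"
USER_BASE = "ou=Users,o=example"


def build_demo_server():
    """The service account can read nothing itself and may proxy only alice."""
    entries = {
        APP_DN: {"cn": [b"webapp"], "userPassword": [b"app-secret"]},
        ALICE_DN: {"cn": [b"alice"], "mail": [b"alice@example.com"], "userPassword": [b"pw-a"]},
        BOB_DN: {"cn": [b"bob"], "mail": [b"bob@example.com"], "userPassword": [b"pw-b"]},
    }
    readable = {ALICE_DN: {ALICE_DN}, BOB_DN: {BOB_DN}}   # each user reads only itself
    return DirectoryServer(entries, readable, may_proxy={APP_DN: {ALICE_DN}})


def demo():
    """Return (what the app sees on its own, what it sees when acting as alice)."""
    conn = build_demo_server()
    conn.simple_bind_s(APP_DN, "app-secret")              # one bind, at startup
    own = conn.search_ext_s(USER_BASE, SCOPE_SUBTREE)      # app's own rights: nothing
    as_alice = search_as_user(conn, ALICE_DN, USER_BASE)   # evaluated as alice
    return own, as_alice


if __name__ == "__main__":
    print(demo())
```

The split of responsibility is the point: the application proves who the user is, the directory still decides what that user may see, and the directory's configuration (the may_proxy policy here, authzTo/authzFrom on OpenLDAP) limits which identities the service account may assume. A request naming a user outside that policy is refused with insufficientAccessRights rather than quietly downgraded.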




