| Started by | Prasad Katti <percy.k1234@gmail.com> |
|---|---|
| First post | 2015-07-27 16:01 -0700 |
| Last post | 2015-07-31 22:08 +0200 |
| Articles | 4 — 2 participants |
Authenticate users using command line tool against AD in python Prasad Katti <percy.k1234@gmail.com> - 2015-07-27 16:01 -0700
Re: Authenticate users using command line tool against AD in python Michael Ströder <michael@stroeder.com> - 2015-07-28 09:56 +0200
Re: Authenticate users using command line tool against AD in python Prasad Katti <percy.k1234@gmail.com> - 2015-07-31 11:07 -0700
Re: Authenticate users using command line tool against AD in python Michael Ströder <michael@stroeder.com> - 2015-07-31 22:08 +0200
| From | Prasad Katti <percy.k1234@gmail.com> |
|---|---|
| Date | 2015-07-27 16:01 -0700 |
| Subject | Authenticate users using command line tool against AD in python |
| Message-ID | <aead3a1f-c1ed-4694-ba9a-f18164f07284@googlegroups.com> |
I am writing a command line tool in Python to generate one-time passwords/tokens. The command line tool will have certain sub-commands like --generate-token and --list-all-tokens, for example. I want to restrict access to certain sub-commands. In this case, when a user tries to generate a new token, I want him/her to authenticate against the AD server first.

I have looked at python-ldap and I am even able to bind to the AD server. In my application I have a function

def authenticate_user(username, password): pass

which gets the username and plain-text password. How do I use the LDAPObject instance to validate these credentials?
| From | Michael Ströder <michael@stroeder.com> |
|---|---|
| Date | 2015-07-28 09:56 +0200 |
| Message-ID | <mp7cg2$605$1@dont-email.me> |
| In reply to | #94677 |
Prasad Katti wrote:
> I am writing a command line tool in python to generate one time
> passwords/tokens. The command line tool will have certain sub-commands like
> --generate-token and --list-all-tokens for example. I want to restrict
> access to certain sub-commands. In this case, when user tries to generate a
> new token, I want him/her to authenticate against AD server first.

This does not sound secure:
The user can easily use a modified copy of your script.

> I have looked at python-ldap and I am even able to bind to the AD server.
> In my application I have a function
>
> def authenticate_user(username, password): pass
>
> which gets username and plain-text password. How do I use the LDAPObject instance to validate these credentials?

You probably want to use

http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.simple_bind_s

Check whether password is non-zero before because most LDAP servers consider
an empty password as anon simple bind even if the bind-DN is set.

Ciao, Michael.
| From | Prasad Katti <percy.k1234@gmail.com> |
|---|---|
| Date | 2015-07-31 11:07 -0700 |
| Message-ID | <8de582e2-9dfd-4350-9342-b379059cfff6@googlegroups.com> |
| In reply to | #94684 |
On Tuesday, July 28, 2015 at 12:56:29 AM UTC-7, Michael Ströder wrote:
> Prasad Katti wrote:
> > I am writing a command line tool in python to generate one time
> > passwords/tokens. The command line tool will have certain sub-commands like
> > --generate-token and --list-all-tokens for example. I want to restrict
> > access to certain sub-commands. In this case, when user tries to generate a
> > new token, I want him/her to authenticate against AD server first.
>
> This does not sound secure:
> The user can easily use a modified copy of your script.
>
> > I have looked at python-ldap and I am even able to bind to the AD server.
> > In my application I have a function
> >
> > def authenticate_user(username, password): pass
> >
> > which gets username and plain-text password. How do I use the LDAPObject instance to validate these credentials?
>
> You probably want to use
>
> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.simple_bind_s
>
> Check whether password is non-zero before because most LDAP servers consider
> an empty password as anon simple bind even if the bind-DN is set.
>
> Ciao, Michael.

Hi Michael,

Thank you for the reply. I ended up using simple_bind_s to authenticate users. But apparently it transmits the plain-text password over the wire, which can be easily sniffed using a packet sniffer. So I am looking at the start_tls_s method right now.

About your other comment: how could I make it more secure? I looked for ways to obfuscate the file, but I read that it is easy to reverse engineer. How is Python code usually distributed? This seems like a fairly common requirement. Am I using the wrong tool (Python)? This is my first attempt at doing such a thing.

Appreciate your help!

- Prasad
| From | Michael Ströder <michael@stroeder.com> |
|---|---|
| Date | 2015-07-31 22:08 +0200 |
| Message-ID | <mpgkgr$q7s$1@dont-email.me> |
| In reply to | #94816 |
Prasad Katti wrote:
> On Tuesday, July 28, 2015 at 12:56:29 AM UTC-7, Michael Ströder wrote:
>> Prasad Katti wrote:
>>> I am writing a command line tool in python to generate one time
>>> passwords/tokens. The command line tool will have certain sub-commands like
>>> --generate-token and --list-all-tokens for example. I want to restrict
>>> access to certain sub-commands. In this case, when user tries to generate a
>>> new token, I want him/her to authenticate against AD server first.
>>
>> This does not sound secure:
>> The user can easily use a modified copy of your script.
>>
>>> I have looked at python-ldap and I am even able to bind to the AD server.
>>> In my application I have a function
>>>
>>> def authenticate_user(username, password): pass
>>>
>>> which gets username and plain-text password. How do I use the LDAPObject instance to validate these credentials?
>>
>> You probably want to use
>>
>> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.simple_bind_s
>>
>> Check whether password is non-zero before because most LDAP servers consider
>> an empty password as anon simple bind even if the bind-DN is set.
>
> Thank you for the reply. I ended up using simple_bind_s to authenticate
> users. But apparently it transmits plain-text password over the wire which
> can be easily sniffed using a packet sniffer. So I am looking at the
> start_tls_s method right now.

Yes, use TLS if the server supports it. Make sure to set the option for the CA certificate. See Demo/initialize.py in the source distribution tar.gz.

> About your other comment: how could I make it more secure?

If you want something to be inaccessible for a user you have to spread the functionality across separate components which communicate with each other. In this communication you can implement authorization based on sufficiently secure authentication.

Ciao, Michael.
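As an added example (not code from the thread or from python-ldap itself), here is an authenticate_user() that applies both of Michael's points from his two replies: reject an empty password before simple_bind_s, since a name with no password is an anonymous bind that reports success, and upgrade the connection with start_tls_s with the CA certificate option set so the password never crosses the wire in clear text. The DC URI, CA file path and UPN suffix are assumed placeholders.

```python
import re

AD_URI = "ldap://dc1.example.internal"       # assumed DC; plain LDAP upgraded with StartTLS
CA_FILE = "/etc/ssl/certs/corp-root-ca.pem"  # assumed path of the CA that issued the DC cert
UPN_SUFFIX = "example.internal"              # assumed AD UPN suffix


class AuthError(Exception):
    """Malformed input or a transport/TLS failure (distinct from a wrong password)."""


def bind_identity(username):
    """Map a bare account name to a UPN for the simple bind. Only a plain
    account name is accepted, so a caller cannot pass a DN or another domain."""
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", username or ""):
        raise AuthError("invalid username")
    return f"{username}@{UPN_SUFFIX}"


def precheck(username, password):
    """Michael's check: never send an empty password, because a simple bind
    with a name and no password is an anonymous bind and returns success."""
    if not password or not password.strip():
        raise AuthError("empty password")
    return bind_identity(username)


def authenticate_user(username, password):
    """True if AD accepts the credentials, False if they are wrong."""
    import ldap  # python-ldap; imported lazily so the prechecks work without it
    who = precheck(username, password)
    conn = ldap.initialize(AD_URI)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD referrals otherwise break the bind
    # Pin the CA and demand a valid server cert: without this StartTLS stops
    # passive sniffing but not a rogue server presenting any certificate.
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, CA_FILE)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the TLS options to this connection
    try:
        conn.start_tls_s()  # refuse to continue in clear text
    except ldap.LDAPError as e:
        raise AuthError(f"StartTLS failed: {e}")
    try:
        conn.simple_bind_s(who, password)
        return True
    except ldap.INVALID_CREDENTIALS:
        return False
    finally:
        conn.unbind_s()
```

A wrong password returns False while a TLS or input failure raises AuthError, so the caller cannot mistake a failed StartTLS for a bad login.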