Web Authentication to AD
Stephan Diehl
stephan.diehlNOSPAM at gmx.net
Tue Nov 25 08:22:02 EST 2003
Jason Tesser wrote:
> Has nobody tried to do this kind of thing?
>
> -----Original Message-----
> From: python-list-bounces+jtesser=nbbc.edu at python.org
> [mailto:python-list-bounces+jtesser=nbbc.edu at python.org]On Behalf Of
> Jason Tesser
> Sent: Monday, November 24, 2003 7:00 AM
> To: Python List (E-mail)
> Subject: Web Authentication to AD
>
>
> I would like to write a Python web service that would take a username and
> password entered on a web form and authenticate to Active Directory. A few
> questions about this.
>
> 1. How can I do it :-)
> 2. I would like the script to be in the same server as the websites which
> is a Linux box. So I need it to call Active Directory on a M$ box. If this
> is too hard could someone at least explain the process if I make this a
> service on the M$ box. Which I guess I can do if keeping it on the Linux
> box is too much.
> 3. I would like to expand the service so that I could check the computer
> the user is on and not make them enter a username and password if they are
> already logged in to the domain. I guess I would have to use JavaScript for
> this. Any ideas here?
>
> Thank you in advance.
>
> Jason Tesser
> Web/Multimedia Programmer
> Northland Ministries Inc.
> (715)324-6900 x3050
>
>
You probably mean something like the following script.
This could be used to get info about other users, so basically there must
already be a fixed, known user on AD to bind to.
At the heart of it: if you can bind successfully with specific user
credentials, the user is authenticated.
With my script, the predefined user is needed, because users want to
authenticate against their sAMAccountName and not their LDAP user DN (which
nobody knows anyway).
By the way, I wouldn't consider this script as secure since everything is
transported over the network in cleartext.
---------------------------------------------------------------------
import ldap
import ldap.filter
from pprint import pprint

HOST = "IP OF AD SERVER"
USER = "SEARCH USER DN"
PASSWD = "SEARCH USER PASSWORD"
SEARCHDN = "SEARCHDN"


class LDAPAuth:
    def __init__(self, host=HOST, user=USER, passwd=PASSWD):
        # Bind once as the fixed search user; this connection is only used
        # to map a sAMAccountName to the user's DN.
        self.host = host
        self.conn = conn = ldap.initialize("ldap://%s" % host)
        conn.protocol_version = ldap.VERSION3
        conn.simple_bind_s(user, passwd)

    def _find(self, user):
        # Escape the name so it cannot change the filter (e.g. a '*' wildcard
        # or extra parentheses supplied through the web form).
        flt = "(sAMAccountName=%s)" % ldap.filter.escape_filter_chars(user)
        return self.conn.search_s(SEARCHDN, ldap.SCOPE_SUBTREE, flt)

    def authenticate(self, user='', passwd=''):
        # A simple bind with an empty password is an unauthenticated bind,
        # which AD accepts; refuse it instead of reporting valid credentials.
        if not passwd:
            return False
        userdata = self._find(user)
        if len(userdata) == 1:
            dn = userdata[0][0]
            try:
                # Fresh connection: bind as the user's own DN with the
                # password from the form.
                l = ldap.initialize("ldap://%s" % self.host)
                l.protocol_version = ldap.VERSION3
                l.simple_bind_s(dn, passwd)
                # Dummy search: confirms the bound connection can actually
                # query the directory before we report success.
                l.search_s(SEARCHDN, ldap.SCOPE_SUBTREE, 'objectType=bla')
                l.unbind_s()
                return True
            except ldap.LDAPError:
                return False
        else:
            return False

    def getInfoAbout(self, user):
        return self._find(user)


if __name__ == '__main__':
    import getopt
    import sys
    helpmsg = """USAGE: ldapauth -h : print this message
ldapauth -u <name> -p <passwd> : check user credentials
ldapauth -i <name> : info about user"""
    opts, args = getopt.getopt(sys.argv[1:], 'u:p:i:h')
    od = {}
    for o, v in opts:
        od[o[1:]] = v
    if 'h' in od:
        print(helpmsg)
    else:
        l = LDAPAuth()
        if 'i' in od:
            pprint(l.getInfoAbout(od['i']))
        elif 'u' in od and 'p' in od:
            res = l.authenticate(od['u'], od['p'])
            if res:
                print("Right credentials")
            else:
                print("Wrong credentials")
        else:
            print(helpmsg)
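The two-step check described above (bind as the fixed search user, look up the DN by sAMAccountName, then bind as that DN with the submitted password), as an added example that is not part of the post: it runs against a constructed in-memory stand-in for the AD server (FakeAD, hypothetical) so the two cases a web login must get right can be exercised without a directory: an empty password, which AD accepts as an unauthenticated bind, and a name containing filter metacharacters. The escaping helper does what python-ldap's ldap.filter.escape_filter_chars does; the account names and DNs are made up.

```python
import re

def escape_filter_value(value):
    """RFC 4515 escaping of a filter assertion value (what escape_filter_chars does)."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def _filter_value_to_regex(value):
    """Map a filter value to a regex: a bare '*' is a wildcard, '\\xx' a literal byte."""
    out = []
    for tok in re.findall(r'\\[0-9a-fA-F]{2}|\*|[^*\\]', value):
        if tok == '*':
            out.append('.*')
        elif tok.startswith('\\'):
            out.append(re.escape(chr(int(tok[1:], 16))))
        else:
            out.append(re.escape(tok))
    return ''.join(out)

class FakeAD:
    """Constructed stand-in for AD: an empty password is an unauthenticated bind that succeeds."""
    def __init__(self, accounts):
        self.accounts = accounts   # {dn: (sAMAccountName, password)}

    def simple_bind(self, dn, password):
        if password == '':
            return True            # RFC 4513 5.1.2 unauthenticated bind, as AD does by default
        return dn in self.accounts and self.accounts[dn][1] == password

    def search(self, flt):
        m = re.fullmatch(r'\(sAMAccountName=(.*)\)', flt)
        if m is None:
            return []
        rx = re.compile(_filter_value_to_regex(m.group(1)))
        return [dn for dn, (sam, _) in self.accounts.items() if rx.fullmatch(sam)]

def authenticate(ad, service_dn, service_pw, username, password):
    """The post's flow: find the DN with the service account, then bind as that DN."""
    if password == '':
        return False               # would otherwise be an unauthenticated bind and look valid
    if not ad.simple_bind(service_dn, service_pw):
        raise RuntimeError('service account bind failed')
    hits = ad.search('(sAMAccountName=%s)' % escape_filter_value(username))
    if len(hits) != 1:
        return False               # unknown name, or a name that matched several entries
    return ad.simple_bind(hits[0], password)

DIRECTORY = FakeAD({               # constructed sample accounts
    'cn=svc,dc=example,dc=org': ('svc', 's3rvice'),
    'cn=Jason,dc=example,dc=org': ('jtesser', 'pw-jason'),
    'cn=Anna,dc=example,dc=org': ('anna', 'pw-anna')})
```

The last two cases in the test are the ones the original script's bare '%s' interpolation and default empty password would have got wrong.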