ldap usage

Michael Ströder michael at stroeder.com
Wed Mar 29 06:22:00 EST 2006


Jed Parsons wrote:
> 
>     import ldap
>     l = ldap.open('our.ldap.server')
>     try:
>         l.bind_s(username, password, ldap.AUTH_SIMPLE)
>         authenticated = True
>     except:
>     authenticated = False
      ^^^
Indentation is wrong here.

Also I'd recommend catching the ldap.LDAPError exceptions more
specifically (ldap.INVALID_CREDENTIALS indicates wrong password):

     try:
         l.bind_s(username, password, ldap.AUTH_SIMPLE)
     except ldap.INVALID_CREDENTIALS:
         authenticated = False
     else:
         authenticated = True

> But this uses the plaintext of the user's password.

Yes, since this is a LDAP Simple Bind Request as defined in RFC 2251.

>  Is there a proper
> way to send a cryptographic hash to the ldap server?  Or do I have to
> negotiate this through an ssl tunnel or something?

SSL (either LDAPS or StartTLS extended operation) is one possibility to
secure the whole connection including bind requests (see
Demo/initialize.py).

Another option is to use SASL with DIGEST-MD5 if your server supports it
(see Demo/sasl_bind.py) and has the cleartext passwords available. Other
options with SASL, e.g. GSSAPI (Kerberos), exist but highly depend on
your IT infrastructure and LDAP server configuration.

Just follow-up here or on the python-ldap-dev mailing list if you have
further problems.

Ciao, Michael.
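The two points in the reply above (a Simple Bind carries the password itself, so it needs TLS, and only ldap.INVALID_CREDENTIALS means "wrong password"), as an added worked example that is not part of the original thread or of python-ldap. The first half encodes the BindRequest PDU by hand per RFC 2251 section 4.2 and shows the password readable in the bytes; the second half is a guarded bind using python-ldap's real API (ldap.initialize, start_tls_s, simple_bind_s, the OPT_X_TLS_* options) that refuses to send a simple bind over a cleartext connection and also rejects an empty password, which RFC 4513 section 5.1.2 defines as an unauthenticated bind that many servers answer with success. The URI, DN and password values are constructed samples, and the helper names (encode_simple_bind_request, simple_bind_allowed, authenticate) are this example's own.

```python
# Added example (not from the original post or python-ldap): what a Simple Bind
# puts on the wire, and a guarded bind that only sends it over TLS and only
# treats INVALID_CREDENTIALS as "wrong password".

def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(n):
    """INTEGER (tag 0x02); non-negative values only, which is all LDAP needs here."""
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_simple_bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest } per RFC 2251 section 4.2 (RFC 4511 today).

    BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
    authentication CHOICE { simple [0] OCTET STRING, ... } }.  The simple
    credential is the password itself, not a hash of it.
    """
    bind_request = _tlv(
        0x60,                                        # [APPLICATION 0], constructed
        _ber_int(3)                                  # version 3
        + _tlv(0x04, dn.encode("utf-8"))             # name: OCTET STRING
        + _tlv(0x80, password.encode("utf-8")),      # simple [0]: the password, verbatim
    )
    return _tlv(0x30, _ber_int(message_id) + bind_request)  # LDAPMessage SEQUENCE


def password_visible_on_wire(pdu, password):
    """True if the raw password bytes can be read straight out of the PDU."""
    return password.encode("utf-8") in pdu


def simple_bind_allowed(uri, starttls, password):
    """Policy check before a simple bind.  Returns (allowed, reason).

    An empty password with a non-empty DN is an *unauthenticated* bind
    (RFC 4513 section 5.1.2); many servers answer success, so a login form
    must reject it itself rather than rely on INVALID_CREDENTIALS.
    """
    if not password:
        return False, "empty password would be an unauthenticated bind, not a login"
    scheme = uri.split(":", 1)[0].lower()
    if scheme == "ldaps":
        return True, "ldaps"
    if scheme == "ldap" and starttls:
        return True, "starttls"
    return False, "cleartext connection: the bind would carry the password in the clear"


def authenticate(uri, dn, password, starttls=True):
    """Simple bind with python-ldap over TLS; False only on INVALID_CREDENTIALS.

    Any other LDAPError (server down, TLS failure, ...) propagates: it is an
    outage, not a wrong password, and must not be reported as either outcome.
    Assumes the caller has already resolved the user's DN.
    """
    import ldap  # imported here so the wire-format part above runs without python-ldap

    allowed, reason = simple_bind_allowed(uri, starttls, password)
    if not allowed:
        raise ValueError(reason)
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)  # verify the server cert
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the TLS options to this connection
    try:
        if starttls and uri.lower().startswith("ldap:"):
            conn.start_tls_s()            # upgrade the connection before any credential is sent
        conn.simple_bind_s(dn, password)  # same as bind_s(dn, password, ldap.AUTH_SIMPLE)
        return True
    except ldap.INVALID_CREDENTIALS:
        return False
    finally:
        conn.unbind_s()


if __name__ == "__main__":
    # Constructed sample values, not real accounts or hosts.
    pdu = encode_simple_bind_request(1, "uid=jed,dc=example,dc=com", "hunter2")
    print(pdu.hex())
    print("password readable on the wire:", password_visible_on_wire(pdu, "hunter2"))
    print(simple_bind_allowed("ldap://our.ldap.server", False, "hunter2"))
    print(simple_bind_allowed("ldap://our.ldap.server", True, ""))
```

Running the module prints the PDU hex with the password octets in it, which is the whole reason an ldap:// connection without StartTLS must not be used for binds; SASL DIGEST-MD5 or GSSAPI avoid the problem at the protocol level because no simple [0] credential is ever sent.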


