Active Directory Authentication

Michael Ströder michael at stroeder.com
Sat May 6 07:04:10 EDT 2006


Stephan Diehl wrote:
> On Fri, 05 May 2006 05:39:08 -0700, D wrote:
> 
>>Is it possible to have Python authenticate with Active Directory?
>>Specifically what I'd like to do is have a user enter a
>>username/password, then have Python check the credentials with AD - if
>>what they entered is valid, for example, it returns a 1, otherwise a
>>0..  Thanks!
> 
> It's possible and you need the python-ldap package for it.
> The actual authentication will look like (simplified):
> 
> import ldap
>
> def authenticate(user='',passwd=''):
>     if not passwd:
>         # an empty password turns the simple bind into an anonymous bind,
>         # which AD accepts, so it must never count as a valid login
>         return False
>     dn = find_user_dn(user)
>     try:
>         l = ldap.initialize(AD_HOST_URL)
>         l.protocol_version = ldap.VERSION3
>         l.simple_bind_s(dn,passwd)
>         l.search_s(SEARCHDN,ldap.SCOPE_SUBTREE,'(objectType=bla)')
>         l.unbind_s()
>         return True
>     except ldap.LDAPError:
>         return False
>     
> obviously, you need to supply some function 'find_user_dn' that maps
> the user to its DN.

Since MS AD does not allow anonymous search in its default configuration
find_user_dn() would have to bind as an application user with search
rights to search the user entry by UPN.

Hack not LDAPv3 compliant:
When sending a simple bind request to MS AD over LDAP you can also
directly use the UPN for 'dn' when invoking l.simple_bind_s(). Note that
this is a special semantic of the LDAP bind request for MS AD. It is not
LDAPv3 compliant! But if you're sure you won't use this code for binding
to another LDAP server you could use this hack.

The nice thing about python-ldap is that it also works on other
platforms than Win32. The caveat is that you might need to build the
OpenLDAP libs. If you're solely on Win32, using ADSI through the Win32
extensions for Python, as stated by others in this thread, might be the
better approach.

Ciao, Michael.
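Added example, not code from the thread or from python-ldap: the two-step flow Michael describes (bind as an application user, look the user up by UPN, then bind as the found DN), written against the python-ldap method names quoted above but with the connection object injected so it runs offline against a constructed fake directory. APP_DN, APP_PW, BASE_DN, the FakeAD class and its users are assumptions; it also refuses empty passwords, since a simple bind with an empty password is an anonymous bind that AD accepts.

```python
SCOPE_SUBTREE = 2   # same value as ldap.SCOPE_SUBTREE in python-ldap
APP_DN = "CN=svc-auth,OU=Service,DC=example,DC=com"   # assumed service account
APP_PW = "app-secret"                                  # assumed
BASE_DN = "DC=example,DC=com"
class LDAPError(Exception):
    """Stands in for ldap.LDAPError, which the real connection raises."""

def escape_filter(value):
    """RFC 4515 escaping so a typed UPN cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def find_user_dn(conn, upn):
    """Map UPN to DN; AD refuses anonymous search, so bind as APP_DN first."""
    conn.simple_bind_s(APP_DN, APP_PW)
    flt = "(&(objectClass=user)(userPrincipalName=%s))" % escape_filter(upn)
    hits = conn.search_s(BASE_DN, SCOPE_SUBTREE, flt, ["distinguishedName"])
    return hits[0][0] if len(hits) == 1 else None

def authenticate(conn, upn, password):
    """True only when a non-empty password binds as the user found by UPN."""
    if not password:
        # Simple bind with an empty password is an anonymous bind and AD
        # accepts it, so without this check any known user would "log in".
        return False
    try:
        dn = find_user_dn(conn, upn)
        if dn is None:
            return False
        conn.simple_bind_s(dn, password)
        return True
    except LDAPError:
        return False
    finally:
        conn.unbind_s()

class FakeAD:
    """Constructed stand-in for an ldap.initialize() connection (offline use)."""
    users = {"CN=Alice,OU=Users,DC=example,DC=com": ("alice@example.com", "s3cret")}
    def simple_bind_s(self, dn, pw):
        if pw == "":
            return   # mirrors AD: empty password -> anonymous bind succeeds
        if (dn, pw) == (APP_DN, APP_PW) or self.users.get(dn, (None, None))[1] == pw:
            return
        raise LDAPError("invalid credentials")
    def search_s(self, base, scope, flt, attrs=None):
        want = flt.split("userPrincipalName=")[1].rstrip(")")
        return [(dn, {"distinguishedName": [dn.encode()]})
                for dn, (upn, _) in self.users.items() if upn == want]
    def unbind_s(self): pass
```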