Authenticate users using command line tool against AD in python

Michael Ströder michael at stroeder.com
Fri Jul 31 16:08:24 EDT 2015


Prasad Katti wrote:
> On Tuesday, July 28, 2015 at 12:56:29 AM UTC-7, Michael Ströder wrote:
>> Prasad Katti wrote:
>>> I am writing a command line tool in python to generate one time
>>> passwords/tokens. The command line tool will have certain sub-commands like
>>> --generate-token and --list-all-tokens for example. I want to restrict
>>> access to certain sub-commands. In this case, when user tries to generate a
>>> new token, I want him/her to authenticate against AD server first.
>>
>> This does not sound secure:
>> The user can easily use a modified copy of your script.
>>
>>> I have looked at python-ldap and I am even able to bind to the AD server.
>>> In my application I have a function
>>>
>>>     def authenticate_user(username, password): pass
>>>
>>> which gets username and plain-text password. How do I use the LDAPObject instance to validate these credentials?
>>
>> You probably want to use
>>
>> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.simple_bind_s
>>
>> Check whether password is non-zero before because most LDAP servers consider
>> an empty password as anon simple bind even if the bind-DN is set.
> 
> Thank you for the reply. I ended up using simple_bind_s to authenticate
> users. But apparently it transmits plain-text password over the wire which
> can be easily sniffed using a packet sniffer. So I am looking at the
> start_tls_s method right now.

Yes, use TLS if the server supports it. Make sure to set the option for the CA
certificate. See Demo/initialize.py in the source distribution tar.gz.

> About your other comment; How could I make it more secure?

If you want something to be inaccessible for a user you have to spread the
functionality across separate components which communicate with each other. In
this communication you can implement authorization based on sufficiently
secure authentication.

Ciao, Michael.
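The pieces discussed in this thread (refusing an empty password before it reaches simple_bind_s, StartTLS with CA verification, and mapping INVALID_CREDENTIALS to a clean failure) put together as one function. This is an added example, not code from either poster; it assumes python-ldap is installed, and AD_URL, CA_BUNDLE and UPN_SUFFIX are placeholders to replace with site values.

```python
"""Authenticate a user against Active Directory with python-ldap.

Added example for the thread above; not the posters' code. Assumes the
`ldap` module (python-ldap) is installed. Server URL, CA bundle path and
UPN suffix are placeholders.
"""

AD_URL = "ldap://ad.example.internal"      # placeholder
CA_BUNDLE = "/etc/ssl/certs/corp-ca.pem"  # placeholder
UPN_SUFFIX = "example.internal"           # placeholder


class AuthError(Exception):
    """Malformed input or a transport/TLS problem (not a wrong password)."""


def check_credentials(username, password):
    """Validate inputs before anything touches the network.

    An empty password makes most LDAP servers, AD included, treat the bind
    as anonymous/unauthenticated even when a bind name is supplied, so it
    must never reach simple_bind_s. Returns the bind name to use.
    """
    if not username or not username.strip():
        raise AuthError("empty username")
    if not password:
        raise AuthError("empty password would become an anonymous bind")
    if "\x00" in username or "\x00" in password:
        raise AuthError("NUL byte in credentials")
    # AD accepts a userPrincipalName (user@domain) as the simple-bind name,
    # which avoids a separate search for the user's DN.
    if "@" in username:
        return username
    return "%s@%s" % (username, UPN_SUFFIX)


def authenticate_user(username, password):
    """Return True if AD accepts the credentials, False if it rejects them.

    Raises AuthError for malformed input or LDAP/TLS failures, so a
    certificate problem is never reported as "wrong password".
    """
    import ldap  # python-ldap; imported here so check_credentials runs without it

    bind_name = check_credentials(username, password)
    conn = ldap.initialize(AD_URL)
    # Require the server certificate to chain to our CA bundle; with
    # OPT_X_TLS_NEVER a spoofed server could still harvest the password.
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, CA_BUNDLE)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the TLS options to this handle
    conn.set_option(ldap.OPT_REFERRALS, 0)     # AD sends referrals; do not chase them
    try:
        conn.start_tls_s()  # upgrade to TLS before the password is sent
        conn.simple_bind_s(bind_name, password)
        return True
    except ldap.INVALID_CREDENTIALS:
        return False
    except ldap.LDAPError as exc:
        raise AuthError("LDAP/TLS failure: %s" % exc)
    finally:
        conn.unbind_s()
```

Keeping the input checks in a separate function makes the anonymous-bind trap testable without a server, and treating TLS errors as a distinct failure mode keeps a misconfigured CA bundle from being mistaken for a bad password.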
