On Wednesday 02 May at 09:13, Garland, Ken R wrote:
> On 5/2/07, Sylvain Thénault <syl...@lo...> wrote:
> >forwarding this message since I'm now subscribed.
> >
> >----- Forwarded message from Sylvain Thénault
> ><syl...@lo...> -----
> >
> >> From: Sylvain Thénault <syl...@lo...>
> >> To: pyt...@li...
> >> Date: Wed, 2 May 2007 13:10:39 +0200
> >> Subject: Active directory signature
> >>
> >> Hi there !
> >>
> >> I've some customer code which has been recently broken, since they
> >> upgraded to AD3. It's some basic authentication code using python-ldap
> >> (I'm not sure which version is installed on their servers). Their
> >> microsoft expert told them it was because they changed the "Domain
> >> controller: LDAP server signing requirements" option to "Require
> >> signing",
>
>
> basically saying they now require authentication. you just need to
> determine what credentials have been setup to allow whatever task it
> is you want to accomplish, then specify them inside your python-ldap
> program. something similar to:
>
> l=ldap.initialize("ldap://your.server.com")
> l.bind('cn=the_cn_you_use,dc=server,dc=com', 'password')
>
> change 'cn' to 'uid' or whatever it is that your bind requires. set
> that to a user which has permissions to do whatever it is you are
> trying to do, simple searches, modifying entries, etc.

This is already what is done. Basically the code is only doing
authentication, no more, and works that way, given a login/password
to authenticate:

1. search in AD the DN corresponding to the login, using an
   authenticated connection (using an admin dn/password)
2. try to connect using the found DN and the given password (using
   simple_bind_s) to validate the password

Maybe this is not the right way to do AD/LDAP authentication though?

--
Sylvain Thénault LOGILAB, Paris (France)
Python, Zope, Plone, Debian training: http://www.logilab.fr/formations
Custom software development: http://www.logilab.fr/services
Python and scientific computing: http://www.logilab.fr/science
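
The search-then-bind flow from the message above, as an added example that is not code from the thread or from python-ldap. A domain controller set to "Require signing" rejects simple binds on a connection that is not protected by TLS, so both binds here run after StartTLS. Assumptions: `connect` is a hypothetical factory returning an object with python-ldap's `LDAPObject` method names, `bad_creds` is the exception raised on a wrong password (`ldap.INVALID_CREDENTIALS` with python-ldap), the login attribute is `sAMAccountName`, and `FakeConn` is a constructed stand-in directory so the block runs offline.

```python
import re
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE in python-ldap

def escape_filter(value):  # RFC 4515 escaping: a login cannot alter the filter
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def authenticate(connect, bad_creds, base_dn, svc_dn, svc_pw, login, password):
    # Empty password = "unauthenticated bind" (RFC 4513, 5.1.2); it may succeed.
    if not login or not password:
        return False
    admin = connect()
    try:
        admin.start_tls_s()  # simple binds only inside TLS
        admin.simple_bind_s(svc_dn, svc_pw)
        flt = "(sAMAccountName=%s)" % escape_filter(login)  # attribute assumed
        # "if dn" skips referral entries, which come back with dn None
        dns = [dn for dn, _ in admin.search_s(base_dn, SCOPE_SUBTREE, flt, ["cn"]) if dn]
    finally:
        admin.unbind_s()
    if len(dns) != 1:  # unknown or ambiguous login
        return False
    user = connect()
    try:
        user.start_tls_s()
        user.simple_bind_s(dns[0], password)
        return True
    except bad_creds:
        return False
    finally:
        user.unbind_s()

class FakeConn:
    """Constructed stand-in directory so the example runs offline."""
    class BadCreds(Exception): pass
    USERS = {"cn=svc,dc=example,dc=com": ("svc", "svcpw"),
             "cn=Jane Doe,dc=example,dc=com": ("jdoe", "s3cret")}
    tls = False
    def start_tls_s(self): self.tls = True
    def unbind_s(self): pass
    def simple_bind_s(self, dn, pw):
        if not self.tls: raise RuntimeError("strongAuthRequired")  # signing required
        if pw and self.USERS.get(dn, ("", ""))[1] != pw: raise self.BadCreds()
    def search_s(self, base, scope, flt, attrs):
        val = re.fullmatch(r"\(sAMAccountName=(.*)\)", flt).group(1)
        hits = [(dn, {}) for dn, (uid, _) in self.USERS.items() if val in ("*", uid)]
        return hits + [(None, ["ldap://example.com/CN=Configuration"])]  # referral

def check(login, password):
    return authenticate(FakeConn, FakeConn.BadCreds, "dc=example,dc=com",
                        "cn=svc,dc=example,dc=com", "svcpw", login, password)
```

With python-ldap, `connect` would be `lambda: ldap.initialize("ldap://your.server.com")` and `bad_creds` would be `ldap.INVALID_CREDENTIALS`.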