user912877

Reputation: 77

python ldap attribute query

I am trying to modify a python-based authenticator for murmur (voip software) to work with my ldap tree.

The LDAP authenticator is available at:

http://www.winex.org/linux/zealot/src/mumble-scripts/Authenticators/LDAP/LDAPauth.py

It works, but not quite with my ldap layout, so I have to modify it a bit. I know an approach that could work, but unfortunately I have no more knowledge about python than what I learned from google (I have some other programming expertise though).

My ldap layout looks like this:

charName=xxx, ou=people, dc=xxx, dc=com

Under this there are attributes stored such as userPassword and login among others.

The python script above is tailored to use an ldap bind to authenticate. In this case I would have to bind as "charName=logindatafromapp, ou=people, dc=xxx, dc=com". Unfortunately people don't log in with "charName" but with "login", which is an attribute but isn't identical with "charName".

I do not know a way to bind to an attribute, so here is my idea:

I am currently stuck on querying the "charName" value and on assigning that value to a variable, so I could use it in a second ldap bind (google didn't really help me).

Here is my code:

import ldap  # python-ldap

ldap_conn = ldap.initialize(ldap_uri, 0)
# bind with the service account so we are allowed to search
ldap_conn.bind_s("cn=admin,dc=xxxxxxxx,dc=com", "pass")
# look one level below ou=people for the entry whose login attribute matches,
# and ask only for its charName attribute
res = ldap_conn.search_s('ou=people,dc=xxxxxx,dc=com', ldap.SCOPE_ONELEVEL, 'login=trony', ['charName'])
print(res)

It then prints "[('charName=Trony,ou=people,dc=xxxxxxx,dc=com', {'charName': ['Trony']})]".

(The "login=trony" is a temporary filter that I would have to replace with the applogin var.) My problem is now: how can I assign "Trony" (in this case) to a variable? The output seems to be a special struct?

Upvotes: 2

Views: 6700

Answers (2)

Igor Chubin

Reputation: 64563

'Trony' is in

res[0][1]['charName'][0]

You take the first element of the list — it's a tuple; then the first element of the tuple; it's a dictionary; then value of the dictionary for the key 'charName'; it's a list once again; and then the first element of the list.

Upvotes: 3
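Putting the question's search and the answer's `res[0][1]['charName'][0]` extraction together, here is an added example (not code from the question, the answer, or the LDAPauth.py script) of the full search-then-bind flow: the user-supplied login is escaped before it goes into the filter, referral tuples and ambiguous or empty results are rejected, and an empty password is refused so the bind cannot silently become an anonymous one. The `conn` argument is assumed to be a python-ldap connection already bound as the service account; the escaping helper is a hand-written equivalent of `ldap.filter.escape_filter_chars`, and the `login`/`charName` attribute names are the ones from the question.

```python
try:
    import ldap                         # python-ldap, for the real connection
    LDAP_ERRORS = (ldap.LDAPError,)
except ImportError:                     # the logic below also runs without it
    LDAP_ERRORS = (Exception,)

SCOPE_ONELEVEL = 1  # numeric value of ldap.SCOPE_ONELEVEL in python-ldap


def escape_filter_value(value):
    """RFC 4515 escaping (what ldap.filter.escape_filter_chars does), so a
    login such as '*)(login=*' cannot widen the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def first_value(attrs, name):
    """First value of attribute `name`; python-ldap 3 returns bytes."""
    vals = attrs.get(name) or []
    if not vals:
        return None
    return vals[0].decode('utf-8') if isinstance(vals[0], bytes) else vals[0]


def find_user(conn, base_dn, login):
    """Return (dn, charName) of the single entry with login=<login>, else None."""
    flt = '(login=%s)' % escape_filter_value(login)
    res = conn.search_s(base_dn, SCOPE_ONELEVEL, flt, ['charName'])
    entries = [(dn, a) for dn, a in res if dn is not None]  # drop referrals
    if len(entries) != 1:
        return None       # unknown login, or two entries share it: refuse to guess
    dn, attrs = entries[0]
    return dn, first_value(attrs, 'charName')


def authenticate(conn, base_dn, login, password):
    """Search-then-bind: look the user up by login, then bind as that DN."""
    if not password:
        return False      # empty password = anonymous bind, which would 'succeed'
    found = find_user(conn, base_dn, login)
    if found is None:
        return False
    try:
        conn.simple_bind_s(found[0], password)
    except LDAP_ERRORS:   # e.g. ldap.INVALID_CREDENTIALS
        return False
    return True
```

With python-ldap, `conn` is the result of `ldap.initialize(ldap_uri)` after `bind_s()` with the service account; note that `simple_bind_s()` rebinds that same connection as the user, so open a separate connection if the service account bind must stay usable.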

Terry Gardner

Reputation: 11134

There are at least two alternatives:

  • Use the method you describe: search for the entry using the information you have, in this case the value of the login attribute as entered by the user, and then use the DN that was found in a simple or SASL bind; or
  • Use SASL with identity mapping to map the authId (the value of the login attribute) in such a way that a SASL bind will succeed where only the value of the login attribute is known.

The first method requires a search and then a bind, the second might require that user entries have reversible passwords (AES is a good encryption scheme for that purpose) depending on the SASL mechanism that is chosen. Using SASL with the DIGEST-MD5 mechanism would provide a way to map identities as described (all professional-quality LDAP servers support such a mapping mechanism) and would obviate the need to send a password in the clear over a network, but has the disadvantage of not being as secure as using simple bind where the password is stored as a salted SHA-2 digest. Although DIGEST-MD5 should not be used because it requires reversible passwords and thus is not as secure as using the strong SHA-2 (with salt) it is available for applications that require it.

Upvotes: 0
