
I am trying to modify a Python-based authenticator for Murmur (VoIP software) to work with my LDAP tree.

The LDAP authenticator is available at:

http://www.winex.org/linux/zealot/src/mumble-scripts/Authenticators/LDAP/LDAPauth.py

It works, but not quite with my ldap layout, so I have to modify it a bit. I know an approach that could work, but unfortunately I have no more knowledge about python than what I learned from google (I have some other programming expertise though).

My ldap layout looks like this:

charName=xxx, ou=people, dc=xxx, dc=com

Under this there are attributes stored such as userPassword and login among others.

The Python script above is tailored to use an LDAP bind to authenticate. In this case I would have to bind as "charName=logindatafromapp, ou=people, dc=xxx, dc=com". Unfortunately people don't log in with "charName" but with "login", which is an attribute but isn't identical with "charName".

I do not know a way to bind to an attribute, so here is my idea:

  • I first bind as ldap admin and perform a search over all entries for "logindatafromapp" and match that value against "login". If a match is found I grab the matching "charName" and re-bind with that charName as originally intended.

I am currently stuck on querying the "charName" value and on assigning that value to a variable, so I could use it in a second LDAP bind (Google didn't really help me).

Here is my code:

import ldap

ldap_uri = 'ldap://ldap.example.com'  # placeholder; the real server URI is not given in the question
ldap_conn = ldap.initialize(ldap_uri, 0)
ldap_conn.bind_s("cn=admin,dc=xxxxxxxx,dc=com", "pass")
# search_s returns a list of (dn, {attribute: [values]}) tuples
res = ldap_conn.search_s('ou=people,dc=xxxxxx,dc=com', ldap.SCOPE_ONELEVEL, 'login=trony', ['charName'])
print(res)

It then prints "[('charName=Trony,ou=people,dc=xxxxxxx,dc=com', {'charName': ['Trony']})]".

(The "login=trony" is a temporary filter that I would have to replace with the applogin var.) My problem is now: how can I assign "Trony" (in this case) to a variable? The output seems to be a special struct?

2 Answers

'Trony' is in

res[0][1]['charName'][0]

You take the first element of the list — it's a tuple; then the first element of the tuple; it's a dictionary; then value of the dictionary for the key 'charName'; it's a list once again; and then the first element of the list.


3 Comments

thanks a lot :), "name = res[0][0]{'charName'}[0]" doesn't work though, says syntax error.
more specifically: File "./LDAPauth.py", line 205 test = res[0][0]{'charName'}[0] ^ SyntaxError: invalid syntax
was res[0][1]['charName'][0] :)
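The search-then-bind flow the question describes, with the indexing from this answer, as an added example. This is not code from the question or from LDAPauth.py. It assumes the python-ldap method and constant names (search_s, simple_bind_s, unbind_s, SCOPE_ONELEVEL, INVALID_CREDENTIALS) and the "login" and "charName" attribute names from the question; FakeConnection is a constructed in-memory directory so the example runs without a server. The one point the question's snippet misses is that the user-entered login must be escaped before it is placed in the filter, otherwise a value such as "*" or "x)(objectClass=*" changes the query.

```python
# Added example (not from the question or LDAPauth.py): search as admin for the
# entry whose "login" matches, then re-bind as that entry's DN.
# Assumed: python-ldap names; "login"/"charName" attributes from the question.
try:
    import ldap
    SCOPE_ONELEVEL = ldap.SCOPE_ONELEVEL
    INVALID_CREDENTIALS = ldap.INVALID_CREDENTIALS
except ImportError:  # let the example run where python-ldap is not installed
    ldap = None
    SCOPE_ONELEVEL = 1

    class INVALID_CREDENTIALS(Exception):
        pass


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter.
    Mirrors ldap.filter.escape_filter_chars: '*' becomes '\\2a' and is
    matched literally instead of acting as a wildcard."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def find_user_by_login(conn, base_dn, login):
    """Return (dn, charName) for the single entry whose login equals `login`,
    or None if nothing matched or the match is ambiguous.
    search_s returns [(dn, {attribute: [values]}), ...]: res[0][1]['charName'][0]."""
    filt = '(login=%s)' % escape_filter_value(login)
    res = conn.search_s(base_dn, SCOPE_ONELEVEL, filt, ['charName'])
    if len(res) != 1:
        return None
    dn, attrs = res[0]
    values = attrs.get('charName') or []
    if not values:
        return None
    char_name = values[0]
    if isinstance(char_name, bytes):  # python-ldap 3 on Python 3 returns bytes
        char_name = char_name.decode('utf-8')
    return dn, char_name


def authenticate(connect, uri, admin_dn, admin_pw, base_dn, login, password):
    """Search-then-bind. Returns the user's charName on success, else None.
    `connect(uri)` returns a connection with the python-ldap methods used here
    (ldap.initialize fits; FakeConnection is used below)."""
    if not password:
        # An empty password makes a simple bind unauthenticated (RFC 4513 5.1.2)
        # and would "succeed" for any DN, so reject it before contacting the server.
        return None
    admin = connect(uri)
    try:
        admin.simple_bind_s(admin_dn, admin_pw)
        found = find_user_by_login(admin, base_dn, login)
    finally:
        admin.unbind_s()
    if found is None:
        return None
    dn, char_name = found
    user = connect(uri)  # fresh connection: the admin session is never re-bound
    try:
        user.simple_bind_s(dn, password)
    except INVALID_CREDENTIALS:
        return None
    finally:
        user.unbind_s()
    return char_name


class FakeConnection:
    """Constructed in-memory stand-in for a python-ldap connection (not a real
    server). The tree mirrors the question's layout with made-up values."""
    DIRECTORY = {
        'cn=admin,dc=example,dc=com': {'userPassword': ['adminpass']},
        'charName=Trony,ou=people,dc=example,dc=com': {
            'charName': ['Trony'], 'login': ['trony'], 'userPassword': ['s3cret']},
        'charName=Other,ou=people,dc=example,dc=com': {
            'charName': ['Other'], 'login': ['other'], 'userPassword': ['pw2']},
    }

    def __init__(self, uri):
        self.bound_as = None

    def simple_bind_s(self, dn, password):
        entry = self.DIRECTORY.get(dn)
        if entry is None or password not in entry.get('userPassword', []):
            raise INVALID_CREDENTIALS()
        self.bound_as = dn

    def search_s(self, base, scope, filterstr, attrlist=None):
        # Only the '(login=<escaped>)' equality filter built above is understood;
        # comparing escaped forms equals comparing raw values, so '*' stays literal.
        assert self.bound_as is not None, 'search before bind'
        assert filterstr.startswith('(login=') and filterstr.endswith(')')
        wanted = filterstr[len('(login='):-1]
        hits = []
        for dn, attrs in self.DIRECTORY.items():
            if not dn.endswith(',' + base) or 'login' not in attrs:
                continue  # one-level scope approximated as "direct child of base"
            if escape_filter_value(attrs['login'][0]) == wanted:
                hits.append((dn, {a: attrs[a] for a in (attrlist or attrs) if a in attrs}))
        return hits

    def unbind_s(self):
        self.bound_as = None


if __name__ == '__main__':
    URI, BASE = 'ldap://ldap.example.com', 'ou=people,dc=example,dc=com'  # placeholders
    for login, pw in (('trony', 's3cret'), ('trony', 'wrong'), ('*', 's3cret')):
        print(login, '->', authenticate(FakeConnection, URI, 'cn=admin,dc=example,dc=com',
                                        'adminpass', BASE, login, pw))
```

With a real server, pass `ldap.initialize` as `connect` and the directory's own base DN and admin credentials; the rest of the logic is unchanged. The escaping is the part that matters for security: the question's snippet interpolates the login directly, and `ldap.filter.escape_filter_chars` exists in python-ldap for exactly this purpose.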

There are at least two alternatives:

  • Use the method you describe: search for the entry using the information you have (in this case the value of the login attribute as entered by the user), then use the DN that was found in a simple or SASL bind, or
  • Use SASL with identity mapping to map the authId (the value of the login attribute) in such a way that a SASL bind will succeed where only the value of the login attribute is known.

The first method requires a search and then a bind, the second might require that user entries have reversible passwords (AES is a good encryption scheme for that purpose) depending on the SASL mechanism that is chosen. Using SASL with the DIGEST-MD5 mechanism would provide a way to map identities as described (all professional-quality LDAP servers support such a mapping mechanism) and would obviate the need to send a password in the clear over a network, but has the disadvantage of not being as secure as using simple bind where the password is stored as a salted SHA-2 digest. Although DIGEST-MD5 should not be used because it requires reversible passwords and thus is not as secure as using the strong SHA-2 (with salt) it is available for applications that require it.
