
I created a website using Django and recently added LDAP authentication against our Active Directory over LDAP (tcp/389). The problem is that django-auth-ldap sends the LDAP password in clear text, and the AD I'm trying to authenticate against is not set up for LDAPS on tcp/636 (I don't have control over that), so I can't use the setting AUTH_LDAP_START_TLS = True.

Please see my settings below. Is there an enhancement I can easily add so that I can keep using LDAP on tcp/389 but with added security (such as Kerberos or NTLM), so that passwords are no longer sent in clear text?

from django_auth_ldap.config import LDAPSearch, GroupOfNamesType,LDAPGroupQuery


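# Options django-auth-ldap passes to ldap.set_option() for the whole process.
AUTH_LDAP_GLOBAL_OPTIONS = {
    # Require a valid, trusted server certificate whenever TLS is negotiated.
    # A value of False equals ldap.OPT_X_TLS_NEVER (0): the certificate would
    # not be checked, so a host on the network path could pose as the
    # directory and collect bind passwords. The option only takes effect once
    # TLS is actually in use (ldaps:// or StartTLS).
    ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_DEMAND,
    # Do not follow referrals returned by the directory.
    ldap.OPT_REFERRALS: False,
}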

# Directory endpoint. The ldap:// scheme is plain LDAP: unless the session is
# upgraded with StartTLS (AUTH_LDAP_START_TLS, which runs on this same tcp/389
# connection and needs a certificate on the server) or the URI is ldaps://,
# the simple binds carry the service-account password and each user's login
# password unencrypted.
AUTH_LDAP_SERVER_URI = "ldap://x.x.x.x"

# Service account django-auth-ldap binds as to search for the user entry.
AUTH_LDAP_BIND_DN = "CN=xxx,OU=xxx,OU=xxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxx,DC=xxx,DC=xxx"
# The password is read from the project's credentials module, not hard-coded.
AUTH_LDAP_BIND_PASSWORD = credentials.adlogin["pass"]

# Find the account whose sAMAccountName matches the submitted username,
# searching the whole subtree under the base DN.
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "OU=xxx,DC=xxx,DC=xxx,DC=coxxm",
    ldap.SCOPE_SUBTREE,
    "(sAMAccountName=%(user)s)",
)


# Group lookup used by the backend's group features.
# NOTE(review): the base DN and the groupOfNames filter look like sample
# values; Active Directory groups normally use objectClass "group" - confirm
# both against the real directory.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "ou=groups,dc=example,dc=com",
    ldap.SCOPE_SUBTREE,
    "(objectClass=groupOfNames)",
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()

# Authorization gate: a user may log in only as a member of at least one of
# the listed groups.
# NOTE(review): both DNs contain ",," (an empty RDN), presumably left over from
# redaction - verify the real values parse as valid DNs, otherwise the
# membership check cannot match.
AUTH_LDAP_REQUIRE_GROUP = (
    LDAPGroupQuery("CN=xx-xx,OU=xx,OU=xxx,,DC=xx,DC=xxx,DC=xx")
    | LDAPGroupQuery("CN=xx-xx,OU=xx,OU=xxx,,DC=xx,DC=xxx,DC=xx")
)


# Django user fields (keys) filled from LDAP attributes (values).
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

# Session cookie lifetime in seconds: 15 minutes.
SESSION_COOKIE_AGE = 15 * 60

# Backends are tried in order: LDAP first, then Django's local user table.
# Keeping ModelBackend means accounts with a local Django password can still
# log in without going through the directory or its group requirement.
AUTHENTICATION_BACKENDS = [
    "django_auth_ldap.backend.LDAPBackend",
    "django.contrib.auth.backends.ModelBackend",
]