7

For a django project, I designed a different login page. The users here will log in via openldap.

I can access users' full information with their uid id, but I could not find how to verify the password.

Do I need to hash the user's password and compare it with the password on ldap? Isn't there any other method? Thank you

from ldap3 import Server, Connection, ALL, SUBTREE
from ldap3.core.exceptions import LDAPException, LDAPBindError, LDAPSocketOpenError
from ldap3.utils.conv import escape_filter_chars

ldap_server_uri=f"ldap://xxx:389"
ldap_base = 'dc=xx,dc=xx,dc=xx'

def ldap(uid,password):
    try:     
        ldap_server = Server(ldap_server_uri, get_info=ALL)
        ldap_connection = Connection(ldap_server, user = 'uid=admin,ou=xx,dc=xx,dc=xx',password='adminpassword')
        if ldap_connection.bind() == True:
            if ldap_connection.search(search_base=ldap_base, search_filter=f'(uid={uid})',search_scope = SUBTREE, attributes=['uid']) == True:
                ent = ldap_connection.entries[0]
                entry = {'uid': ent['uid']}
                ldap_connection.unbind()
                return entry
            else:
                return None
    except LDAPSocketOpenError:
        print('Unabled to connect to the LDAP server!')
        return None
Birol Emekli
  • 155
  • 3
  • 11

3 Answers3

6

Just to check the username and password I use:

import ldap3
from ldap3.core.exceptions import LDAPException


def _ldap_login(username, password):
    try:
        with ldap3.Connection('enter_server', user=username, password=password) as conn:
            print(conn.result["description"]) # "success" if bind is ok
            return True
    except LDAPException:
        print('Unable to connect to LDAP server')
        return False

_ldap_login("enter_username", "enter_password")

The following are 30 code examples for showing how to use ldap3 and Tutorial: Introduction to ldap3.

Milovan Tomašević
  • 6,823
  • 1
  • 50
  • 42
  • 1
    To summarize, in your opinion it is enough to check if the given user can login itself into ldap directly, correct? So there can't be a user listed in ldap that can't login to it? – AzureIP Nov 12 '21 at 14:08
  • That's right, you got it right. The DBA or someone else administering LDAP will explain this to you in detail. In my examples, in LDAP there were only users with the domain of that company, even others can't even access the login page. Now, you may have a situation where that check is not enough, that is when the app itself has multiple roles. For example, it is necessary that it is from the domain of the company, but also that it is in a group that can administer an app, otherwise it can only read data. Just like with a standard database - it's all down to the purpose of the app. – Milovan Tomašević Nov 12 '21 at 21:48
0

You have to authenticate the user with the complete path uid={username},dc=xx,dc=xx,dc=xx.

from ldap3 import ALL, Connection, Server
from ldap3.core.exceptions import LDAPException

username = "bob"
password = "secret"
ldap_base = "dc=xx,dc=xx,dc=xx"

server = Server(
    host="ldaps://xxx",
    port=636,
    use_ssl=True,
    get_info=ALL,
)

try:
    with Connection(
        server=server,
        authentication="SIMPLE",
        user=f"uid={username},{ldap_base}",
        password=password,
        read_only=True,
        ) as connection:
            print(connection.result)  # "success" if bind is ok

except LDAPException as e:
    print(server.info)
ikreb
  • 2,133
  • 1
  • 16
  • 35
0

Both of the answers are inaccurate.
You have to bind the connection to catch the exception or read the result.

>>> conn = ldap3.Connection(server, 'real_username', 'real_password', auto_bind=ldap3.AUTO_BIND_TLS_BEFORE_BIND)
>>> conn.result
{'result': 0, 'description': 'success', 'dn': '', 'message': '', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}

instead of

>>> conn = ldap3.Connection(server, 'real_username', 'real_password')
>>> conn.result
>>>

Fixed version of the Milovan Tomašević answer:

import ldap3
from ldap3.core.exceptions import LDAPBindError


def _ldap_login(username, password):
    try:
        with ldap3.Connection('enter_server', user=username, password=password, auto_bind=ldap3.AUTO_BIND_TLS_BEFORE_BIND) as conn:
            print(conn.result["description"]) # "success" if bind is ok
            return True
    except LDAPBindError:
        print('Unable to connect to LDAP server')
        return False

_ldap_login("enter_username", "enter_password")
Filip Poplewski
  • 66
  • 6