Discussion:
How to do strong authentication on LDAP connection?
Jacek Konieczny
2002-03-30 11:50:34 UTC
How to do the strong authentication?
There are two ways:

1. SSL/TLS
==========

Use something like this (instead of your ldap_open or ldap_initialize):

import ldap

l = ldap.initialize("ldaps://....")   # LDAP over TLS on the dedicated ldaps port

This will work if your server listens on ldaps port.

If your server listens on the ldap port only, but supports TLS, you can use it like this:

import ldap

l = ldap.initialize("ldap://....")
l.protocol_version = ldap.VERSION3                 # StartTLS is an LDAPv3 extended operation
l.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)  # ask libldap to insist on TLS
l.start_tls_s()                                    # upgrade the connection to TLS; raises on failure

2. SASL
========

This is not yet supported by python-ldap, but is being worked on.
SASL is a way of doing strong authentication even without encrypting the
whole session.

Greets,
Jacek
Dirksen Lau
2002-03-30 04:10:09 UTC
Hi,

When I try the bind operation against our department LDAP server, I got this error:
ldap.STRONG_AUTH_REQUIRED: {'desc': 'Strong authentication required', 'info': 'This LDAP server does not accept cleartext passwords'}

How to do the strong authentication? Do I need to encrypt the password before calling bind_s? What encryption scheme? Does python have the relevant
module? Please advise!

Cheers
Dirksen
Michael Ströder
2002-03-31 12:36:03 UTC
Post by Dirksen Lau
When I try the bind operation against our department LDAP server, I got this error:
ldap.STRONG_AUTH_REQUIRED: {'desc': 'Strong authentication required', 'info': 'This LDAP server does not accept cleartext passwords'}
This means you have to authenticate by presenting a client certificate which
is done during establishing the SSL connection.
Post by Dirksen Lau
How to do the strong authentication?
1. Make yourself familiar with concepts of SSL and client certificates.
2. Ask your LDAP server admin whether you have to use LDAP over SSL to
separate port or using StartTLS extended operation.
3. Look at Demo/initialize.py to get an idea of how to connect with
python-ldap using either one of the methods.
4. Have a client certificate and matching private key at
hand as "PEM files". You have to get a client certificate which validates
against a trusted root CA cert at the LDAP server. Ask your admin.
5. Use

ldap.set_option(ldap.OPT_X_TLS_CERTFILE, client_cert_file)   # client certificate (PEM)
ldap.set_option(ldap.OPT_X_TLS_KEYFILE, client_key_file)     # matching private key (PEM)

to point the python-ldap and OpenLDAP libs to the files to use for strong
authentication during opening the SSL connection.

Ciao, Michael.
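Michael's five steps put together with current python-ldap (which, unlike the 2002 version, also has SASL), as an added example that is not code from the thread nor from python-ldap's own Demo/ directory; the server URI, the PEM file names and the transport_mode() helper are assumptions.

```python
"""Strong authentication with python-ldap: verify the server's certificate,
present our client certificate during the TLS handshake, and only bind once
the session is protected.  Added example; ca_file/cert_file/key_file are
placeholders for the PEM files the LDAP server admin hands out."""
from urllib.parse import urlsplit


def transport_mode(uri):
    """'ldaps' for LDAP over TLS on the dedicated port, 'starttls' for the plain
    ldap port upgraded with the StartTLS extended operation (assumed helper)."""
    scheme = urlsplit(uri).scheme
    if scheme == "ldaps":
        return "ldaps"
    if scheme == "ldap":
        return "starttls"
    raise ValueError("refusing transport without TLS: %r" % uri)


def connect_with_client_cert(uri, ca_file, cert_file, key_file):
    import ldap  # python-ldap; imported lazily so transport_mode() needs no LDAP libs

    # TLS settings are global in libldap and must be set before initialize().
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)   # CA that signed the server cert
    ldap.set_option(ldap.OPT_X_TLS_CERTFILE, cert_file)   # our client certificate (PEM)
    ldap.set_option(ldap.OPT_X_TLS_KEYFILE, key_file)     # matching private key (PEM)
    # DEMAND: the server certificate must verify against ca_file or the handshake fails.
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)

    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    if transport_mode(uri) == "starttls":
        # Raises ldap.LDAPError if the upgrade fails: never fall back to cleartext.
        conn.start_tls_s()
    return conn


def bind_with_certificate(conn):
    """SASL EXTERNAL lets the server map the client certificate to a DN, so no
    password crosses the wire at all (ldap.sasl exists in current python-ldap)."""
    import ldap.sasl
    conn.sasl_interactive_bind_s("", ldap.sasl.external())
    return conn.whoami_s()


if __name__ == "__main__":
    c = connect_with_client_cert("ldaps://ldap.example.test",
                                 "ca.pem", "client-cert.pem", "client-key.pem")
    print(bind_with_certificate(c))
```

If the server accepts passwords once the channel is encrypted, `conn.simple_bind_s(dn, password)` after `connect_with_client_cert()` works as well; the point is that the bind only ever happens after TLS is up.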