Python User Authentication Method Using LDAP

  • 2021-06-28 13:32:44
  • OfStack

LDAP (Lightweight Directory Access Protocol) is a lightweight directory access protocol based on the X.500 standard that runs over TCP/IP.

The LDAP directory stores data in a tree-like hierarchy. Each directory record has a Distinguished Name (DN) that uniquely identifies that single record.

It generally looks like this:


cn=username,ou=people,dc=test,dc=com 

Several keywords have the following meanings:

The keywords have the following meanings:

  • base dn: the top of the LDAP directory tree (its root); in the example above this is the dc=test,dc=com part. You can generally also write o=test.com using your company's domain name, but the dc form is more flexible.
  • dc: Domain Component, one part of the domain name.
  • ou: Organizational Unit, used to separate data into groups.
  • cn: Common Name, generally a user name.
  • uid: User id, similar to cn.
  • sn: Surname, the last name.
  • rdn: Relative dn, the part of the dn that does not depend on the structure of the directory tree; it usually lives in the cn or uid attribute.

So the dn above represents one record: the user username in the people organizational unit of test.com.

python-ldap

Python generally operates on LDAP through the python-ldap library; documentation: https://www.python-ldap.org/en/latest/index.html.

Install it with pip:


pip install python-ldap 

Some system packages are needed as well. On Ubuntu:


apt-get install build-essential python3-dev python2.7-dev \
  libldap2-dev libsasl2-dev slapd ldap-utils python-tox \
  lcov valgrind 

CentOS:


yum groupinstall "Development tools"
yum install openldap-devel python-devel 

Once you get the LDAP address, you can establish a connection to LDAP:


import ldap
ldapconn = ldap.initialize('ldap://192.168.1.111:389') 

Bind as a user; this can be used for user authentication. The user name must be a full dn:


ldapconn.simple_bind_s('cn=username,ou=people,dc=test,dc=com', pwd) 

A tuple is returned on successful authentication:


(97, [], 1, []) 

A failed authentication raises an ldap.INVALID_CREDENTIALS exception:


{'desc': u'Invalid credentials'} 

Note that an empty password does not fail this check: a simple bind with a dn and an empty password may be treated as an anonymous (unauthenticated) bind and succeed on many servers, so verify that both dn and pwd are non-empty before calling simple_bind_s.
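The following is an added example, not code from the original article: a password check that refuses an empty dn or password before binding, escapes the user name before it is embedded in the dn (so a crafted user name cannot alter the dn), and plugs into python-ldap through a bind callable. The base dn, the constructed FAKE_DIRECTORY and the fake_bind stand-in are assumptions made for running offline.

```python
BASE_DN = "ou=people,dc=test,dc=com"   # assumed base dn, same tree as the article
_DN_SPECIALS = '\\,+"<>;'              # characters RFC 4514 requires escaping inside a dn value

def escape_dn_value(value):
    """Escape a user-supplied value before embedding it in a dn (RFC 4514 rules)."""
    out = "".join("\\" + ch if ch in _DN_SPECIALS else ch for ch in value)
    if out[:1] in ("#", " "):          # a leading '#' or space needs a backslash
        out = "\\" + out
    if out.endswith(" "):              # so does a trailing space
        out = out[:-1] + "\\ "
    return out

def user_dn(username):
    """Build cn=<username>,<BASE_DN>; 'a,ou=admin' stays one RDN value instead of becoming two."""
    return "cn=%s,%s" % (escape_dn_value(username), BASE_DN)

def check_credentials(username, password, bind):
    """Return True only for a real authenticated bind. bind(dn, password) -> bool."""
    if not username or not password:
        # Empty password = anonymous bind on many servers: it succeeds without proving anything.
        return False
    return bind(user_dn(username), password)

def make_ldap_bind(uri):
    """Return a bind callable backed by python-ldap (imported here so the checks above need no server)."""
    import ldap                        # pip install python-ldap

    def bind(dn, password):
        conn = ldap.initialize(uri)    # prefer ldaps:// so the password is not sent in clear text
        try:
            conn.simple_bind_s(dn, password)
            return True
        except ldap.INVALID_CREDENTIALS:
            return False
        finally:
            conn.unbind_s()
    return bind

# Constructed stand-in directory for running offline; it mimics a server that accepts empty passwords.
FAKE_DIRECTORY = {"cn=alice,ou=people,dc=test,dc=com": "s3cret"}

def fake_bind(dn, password):
    """Behaves like a permissive server: an empty password 'binds' anonymously and returns True."""
    return password == "" or FAKE_DIRECTORY.get(dn) == password

if __name__ == "__main__":
    print(check_credentials("alice", "", fake_bind))   # False: rejected before the bind is attempted
    print(user_dn("a,ou=admin"))                       # cn=a\,ou=admin,ou=people,dc=test,dc=com
```

In production replace fake_bind with make_ldap_bind("ldaps://host:636"); the emptiness and escaping checks stay the same.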

To query LDAP user information, first bind as the administrator (RootDN) account:


ldapconn.simple_bind_s('cn=admin,dc=test,dc=com', 'adminpwd')
searchScope = ldap.SCOPE_SUBTREE            # search the whole subtree under base_dn
searchFilter = '(cn=username)'              # RFC 4515 filter syntax
base_dn = 'ou=people,dc=test,dc=com'
print(ldapconn.search_s(base_dn, searchScope, searchFilter, None))  # None = return all attributes

Add a user with add_s(dn, modlist): dn is the dn of the entry to add, and modlist is the list of attributes to store:


dn = 'cn=test,ou=people,dc=test,dc=com'
modlist = [
  # attribute values are bytes with python-ldap 3 on Python 3
  ('objectClass', [b'person', b'organizationalPerson', b'inetOrgPerson']),  # inetOrgPerson allows uid
  ('cn', [b'test']),
  ('sn', [b'test']),            # person requires sn
  ('uid', [b'testuid']),
  ('userPassword', [b'pwd']),
]
result = ldapconn.add_s(dn, modlist)

A successful add returns a result tuple; a failed add raises an ldap.LDAPError exception.

Using LDAP authentication in Django

A very simple LDAP authentication Backend for Django only needs to wrap the simple_bind_s call shown above in its authenticate() method.

If you don't want to write your own, Django and Flask have libraries out of the box:

  • django-ldap
  • flask-ldap
