ldap proxy user bind

sajuptpm

I have developed an LDAP auth system using the python-ldap module.
Using that I can validate username and password, and fetch user and
group info from the LDAP directory.
Now I want to implement an LDAP proxy user bind to the LDAP server.
I googled and found this http://ldapwiki.willeke.com/wiki/LDAPProxyUser
But I don't have any idea about how to implement it using python-ldap.

My existing LDAP settings on the client side:
ldap_enabled = True
ldap_host = your_ldap_server
ldap_port = 389
ldap_basedn = o=My_omain
ldap_user_key = cn
ldap_group_key = groupMembership
ldap_email_key = mail
ldap_user_search = ou=Users
ldap_group_search = ou=Groups
ldap_group_objectclass = groupOfNames

I want to add the following 2 new flags:

ldap_proxy_user = ldap_proxy
ldap_proxy_pwd = secret


I don't know how this LDAP proxy system would work.
Could you please point me to a Python article/example?
 
Michael Ströder

sajuptpm said:
I have developed an LDAP auth system using the python-ldap module.
Using that I can validate username and password, and fetch user and
group info from the LDAP directory.
Now I want to implement an LDAP proxy user bind to the LDAP server.

What do you mean exactly?

Are you talking about LDAPv3 proxy authorization
(see http://tools.ietf.org/html/rfc4370)?
If yes, then pass an instance of class ldap.controls.simple.ProxyAuthzControl
to the LDAPObject methods when sending your LDAP requests. This is usable no
matter how your proxy user has bound to the directory. Another option is to send
a SASL authz-ID along with the initial SASL bind request of your proxy user.

No matter what you have to get your LDAP server configuration right for this
to work. Which LDAP server is it?

AFAICS this web page talks about the proxy user for eDirectory's LDAP gateway
to NDS. It's unlikely that this is relevant to your needs.
But I don't have any idea about how to implement it using python-ldap.
[..]
I want to add the following 2 new flags

ldap_proxy_user = ldap_proxy
ldap_proxy_pwd = secret

Hmm, please don't take it personally but my impression is that you're not
totally clear on what you need. Could you please try to explain what you want
to achieve?

Ciao, Michael.
 
sajuptpm

Hi Michael Ströder,
Thanks for the reply.

Yea, I am not totally clear about that.

Client's requirement is:
option to have an LDAP proxy user bind to the LDAP server if it needs
more directory rights than an anonymous bind.
option to use an LDAP proxy user when searching.
 
Michael Torrie

sajuptpm said:
Hi Michael Ströder,
Thanks for the reply.

Yea, I am not totally clear about that.

Client's requirement is:
option to have an LDAP proxy user bind to the LDAP server if it needs
more directory rights than an anonymous bind.
option to use an LDAP proxy user when searching.

I wrote a true LDAP proxy server last year that intercepts and rewrites
requests (bind, search, modify, etc). I used as my basis the LDAP proxy
server that ships with Python-Twisted. Unfortunately I cannot share my
code with you, but if you can get your head wrapped around Twisted (it's
*extremely* hard to understand how it works at first), then this is the
way to go.
 
Michael Torrie

Michael Torrie said:
I wrote a true LDAP proxy server last year that intercepts and rewrites
requests (bind, search, modify, etc). I used as my basis the LDAP proxy
server that ships with Python-Twisted. Unfortunately I cannot share my
code with you, but if you can get your head wrapped around Twisted (it's
*extremely* hard to understand how it works at first), then this is the
way to go.

Okay so I looked over my code. I can share some of it with you if you
want. The most simple proxy I could find (I have written several for
various purposes) was based on the Twisted LDAP proxy server class
(ldaptor.protocols.ldap.proxy). The reason I wrote it was because I had
some Sharp multi-function printers that could do LDAP authentication,
but instead of binding with a full DN, it would simply bind as
"username" which wouldn't work on my ldap server. So I wrote the LDAP
proxy server to intercept bind requests (Sharp doesn't even support SSL
blah!) and convert it to a proper DN before passing it on to the real
LDAP server. Also the LDAP search queries the sharp server generated
were crappy, so I rewrote some of the searches as well as they pass
through my proxy server. I

sharp ===> Twisted LDAP server/Twisted LDAP client ===> ldapserver
rewrite bind,
rewrite some searches,
pass thru everything

My other LDAP proxy is fancier and it uses the
ldaptor.protocols.ldap.ldapserver.BaseLDAPServer class, and instead of
using twisted's LDAP client code, I just use python-ldap. So it's a
hybrid approach I suppose. I can strip it down to bare proxy
functionality that you could build on.

client ==> twisted ldap server/python-ldap client ===> ldapserver

Anyway let me know if you want to see some code and I'll post what I can.
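The bind rewriting described above, as an added example that is not the poster's code: a pure function a proxy (ldaptor-based or otherwise) would apply to the name in an incoming BindRequest before forwarding it unchanged to the real server. The user container and naming attribute are taken from the thread's settings; the DN-detection rule and the escaping helper are assumptions of this example, written so that a bare name containing DN metacharacters cannot be turned into a different entry's DN.

```python
"""Bind-name rewriting of the kind the proxy above performs.

Added example, not the poster's code.  A bare "username" becomes a DN under
USER_BASE; a name that already starts with "attr=" is passed through.  The
proxy never verifies the password: the rewritten BindRequest still carries the
client's password and the real server decides.
"""
import re

USER_BASE = "ou=Users,o=My_Domain"   # thread's ldap_user_search + ldap_basedn
USER_KEY = "cn"                      # thread's ldap_user_key

# Characters that must be escaped inside an RFC 4514 attribute value
# ('=' is optional to escape, but escaping it is allowed and safer here).
_DN_SPECIAL = ',+"\\<>;='
_DN_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")   # assumption: "attr=" means a DN


def escape_dn_value(value):
    """Escape an RFC 4514 attribute value, including leading '#'/space and trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\%02x" % ord(ch))   # control characters as hex pairs
        else:
            out.append(ch)
    return "".join(out)


def rewrite_bind_name(name):
    """Return the name to forward in the BindRequest.

    ""            -> forwarded as is (anonymous bind stays anonymous)
    "cn=...,..."  -> forwarded as is (client already sent a DN)
    "alice"       -> "cn=alice,ou=Users,o=My_Domain"
    "alice,ou=x"  -> "cn=alice\\,ou\\=x,ou=Users,o=My_Domain" (escaped, one RDN)
    """
    if name == "" or _DN_ATTR.match(name):
        return name
    return "%s=%s,%s" % (USER_KEY, escape_dn_value(name), USER_BASE)


if __name__ == "__main__":
    for n in ("alice", "cn=alice,ou=Users,o=My_Domain", "alice,ou=Admins", ""):
        print(repr(n), "->", repr(rewrite_bind_name(n)))
```

The point of the escaping is that the proxy only ever produces a single RDN under the configured container: a client-supplied name can change which entry the bind names, but not the container it lives in, and the real server still checks the password against that entry.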
 
sajuptpm

Hi Michael Torrie,
Thanks for the reply.

Why we need Twisted here, I did not get it.

My understanding is that
if
ldap_proxy_user = ldap_proxy
ldap_proxy_pwd = secret
(set more privileges for this user at the LDAP server side, to get other
users' info)
are configured at the server side, then allow clients to login using
username only; this time use ldap_proxy_user and ldap_proxy_pwd for
login to the LDAP server, user validation and getting user info.
Is it possible, and are there any drawbacks?

I think this is what the client needs.
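The way a "proxy user" bind is normally used with python-ldap, as an added example that is not code from the thread: the proxy account binds first and is used only to locate the user's entry and read attributes an anonymous bind may not see; the user's own password is then verified by a second bind as the user's DN. Assumptions of this example: python-ldap (`import ldap`) for a real server, a constructed `FakeDirectory` stand-in exposing the same three calls so the flow runs offline, and placeholder host, DNs and credentials built from the thread's settings.

```python
"""Service-account ("proxy user") search followed by a user bind.

Added example, not code from the thread.  Assumes python-ldap for a real
server; FakeDirectory is a constructed in-memory stand-in.  Host and
credentials are placeholders.
"""
try:
    import ldap                      # python-ldap, only needed for a real server
except ImportError:
    ldap = None

if ldap is not None:
    SCOPE_SUBTREE = ldap.SCOPE_SUBTREE
    INVALID_CREDENTIALS = ldap.INVALID_CREDENTIALS
else:                                # numeric value and exception stand-ins
    SCOPE_SUBTREE = 2
    class INVALID_CREDENTIALS(Exception):
        pass

# The thread's flags; values are constructed placeholders.
SETTINGS = {
    "ldap_host": "ldap://ldap.example.test:389",
    "ldap_basedn": "o=My_Domain",
    "ldap_user_search": "ou=Users",
    "ldap_user_key": "cn",
    "ldap_email_key": "mail",
    "ldap_group_key": "groupMembership",
    "ldap_proxy_user": "cn=ldap_proxy,o=My_Domain",
    "ldap_proxy_pwd": "secret",
}

class AuthError(Exception):
    pass

def escape_filter_chars(value):
    """Escape RFC 4515 filter metacharacters so a user name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def ldap_connect(uri):
    """Real connection factory (python-ldap); the offline run passes a fake instead."""
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    return conn

def authenticate(username, password, connect=ldap_connect, settings=SETTINGS):
    """Find the user's DN with the proxy account, then bind *as the user*.

    Returns (dn, attributes).  The proxy account only locates the entry and
    reads attributes; it never vouches for the password, which only the
    user's own bind verifies.
    """
    if not password:
        # An empty password turns a simple bind into an anonymous bind
        # (RFC 4513 5.1.2), which "succeeds" for any name.
        raise AuthError("empty password")
    base = "%s,%s" % (settings["ldap_user_search"], settings["ldap_basedn"])
    flt = "(%s=%s)" % (settings["ldap_user_key"], escape_filter_chars(username))
    attrs = [settings["ldap_email_key"], settings["ldap_group_key"]]

    svc = connect(settings["ldap_host"])
    try:
        svc.simple_bind_s(settings["ldap_proxy_user"], settings["ldap_proxy_pwd"])
        hits = [(dn, a) for dn, a in svc.search_s(base, SCOPE_SUBTREE, flt, attrs)
                if dn is not None]          # drop search-reference entries
    finally:
        svc.unbind_s()
    if len(hits) != 1:
        raise AuthError("user not found or ambiguous")
    user_dn, user_attrs = hits[0]

    user = connect(settings["ldap_host"])
    try:
        user.simple_bind_s(user_dn, password)
    except INVALID_CREDENTIALS:
        raise AuthError("invalid credentials") from None
    finally:
        user.unbind_s()
    return user_dn, user_attrs

class FakeDirectory:
    """Constructed stand-in: two entries; user data is readable only by the proxy account."""
    ENTRIES = {
        "cn=ldap_proxy,o=My_Domain": {"userPassword": "secret"},
        "cn=alice,ou=Users,o=My_Domain": {
            "userPassword": "alice-pw", "cn": "alice",
            "mail": "alice@example.test",
            "groupMembership": "cn=staff,ou=Groups,o=My_Domain"},
    }
    def __init__(self):
        self.bound_as = None
    def simple_bind_s(self, dn, password):
        entry = self.ENTRIES.get(dn)
        if entry is None or entry["userPassword"] != password:
            raise INVALID_CREDENTIALS()
        self.bound_as = dn
    def search_s(self, base, scope, flt, attrlist):
        if self.bound_as != SETTINGS["ldap_proxy_user"]:
            return []                       # ACL: anonymous and users see nothing
        key, _, value = flt.strip("()").partition("=")
        return [(dn, {a: [e[a].encode()] for a in attrlist if a in e})
                for dn, e in self.ENTRIES.items()
                if dn.endswith(base) and e.get(key) == value]
    def unbind_s(self):
        self.bound_as = None

if __name__ == "__main__":
    print(authenticate("alice", "alice-pw", connect=lambda uri: FakeDirectory()))
```

Two details carry the security weight: the empty-password check (a simple bind with an empty password is anonymous and would otherwise pass for any existing name) and the filter escaping, without which a name such as `*` or `alice)(mail=*` changes which entries the privileged search returns.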
 
Michael Ströder

sajuptpm said:
Yea, I am not totally clear about that.

Client's requirement is:
option to have an LDAP proxy user bind to the LDAP server if it needs
more directory rights than an anonymous bind.
option to use an LDAP proxy user when searching.

As said: there's the proxy authorization control (see RFC 4370) for which a
Python class exists in python-ldap. This is used e.g. in web applications if
the user has successfully authenticated to the application and his identity
should be used when processing ACLs in the LDAP server. In this case the
"proxy user" is a trusted entity to have done authentication right. The proxy
authz control is sent by the application with each LDAP request. The server
has to be correctly configured to accept that.

Another option is an LDAP proxy server which accepts anon requests and binds as
a certain user. You could use OpenLDAP with back-ldap or back-meta for that.

So you should ask your customer what's really needed.

Ciao, Michael.
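The proxy authorization control from RFC 4370 that Michael describes, as an added example that is not his code: one connection bound as the proxy user, and each request carrying the identity under whose ACLs the server should evaluate it. `search_as_user` assumes python-ldap's `ldap.controls.simple.ProxyAuthzControl` and a server configured to honour the control; `proxy_authz_control_der` is a constructed re-encoding of the same control's wire form (the RFC 4511 Control SEQUENCE) so that what is sent can be inspected offline without a server.

```python
"""RFC 4370 proxied authorization: one service-account connection, per-request identity.

Added example, not the poster's code.  Assumes python-ldap for the live call;
the DER helper is a constructed re-encoding of the control for inspection.
"""
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"    # RFC 4370, section 3

try:
    import ldap
    from ldap.controls.simple import ProxyAuthzControl
except ImportError:
    ldap = None

def authz_id(identity):
    """Validate an authorization identity: 'dn:<DN>' or 'u:<userid>' (RFC 4513 5.2.1.8).

    RFC 4370 lets an empty authzId mean "anonymous"; this example refuses it
    so a missing identity cannot silently become a valid (if unprivileged)
    request.
    """
    prefix, sep, value = identity.partition(":")
    if sep != ":" or prefix not in ("dn", "u") or not value:
        raise ValueError("authzId must be 'dn:<DN>' or 'u:<userid>', got %r" % identity)
    return identity

def _der(tag, content):
    """Minimal DER TLV with definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content

def proxy_authz_control_der(identity):
    """Control ::= SEQUENCE { controlType OID, criticality TRUE, controlValue authzId }.

    RFC 4370 requires criticality TRUE: a server that does not implement the
    control must then reject the request instead of running it with the
    service account's own rights.  The controlValue is the raw authzId
    string, with no further BER wrapping.
    """
    return _der(0x30,
                _der(0x04, PROXY_AUTHZ_OID.encode("ascii"))
                + _der(0x01, b"\xff")
                + _der(0x04, authz_id(identity).encode("utf-8")))

def search_as_user(conn, base, flt, identity, attrlist=None):
    """Search on the service-account connection, authorised as `identity`.

    `conn` is an ldap.LDAPObject already bound as the proxy user (simple or
    SASL bind); the server evaluates ACLs for `identity` on this request only.
    """
    ctrl = ProxyAuthzControl(True, authz_id(identity))
    return conn.search_ext_s(base, ldap.SCOPE_SUBTREE, flt, attrlist,
                             serverctrls=[ctrl])

if __name__ == "__main__":
    print(proxy_authz_control_der("dn:cn=alice,ou=Users,o=My_Domain").hex())
```

When the server is OpenLDAP, the proxy user additionally needs an `authzTo` (or matching `authzFrom`) rule permitting it to assume the identities it sends; without that the server returns an error for every proxied request, which is the behaviour you want, since the alternative would be the search silently running with the proxy user's own rights.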
 
