I am looking for a basic LDAP script that checks an Active Directory for a user/password combination.
I should mention that the authentication to LDAP is done using a different account from the ones being verified.
Here is my incomplete script:
#!/usr/bin/env python
import ldap
import ldap.filter
import sys
Server = "ldap://pdc01.example.com"
DN = r"EXAMPLE\username"  # raw string: a bare "\u" is a unicode escape in Python 3
Secret = "pass"
un = "john"
un_password = "hispass"
Base = "dc=example,dc=com"
Scope = ldap.SCOPE_SUBTREE
# escape the username so it cannot change the structure of the filter
Filter = "(&(objectClass=user)(sAMAccountName=%s))" % ldap.filter.escape_filter_chars(un)
Attrs = ["displayName"]
l = ldap.initialize(Server)
l.set_option(ldap.OPT_REFERRALS, 0)
l.protocol_version = 3
print(l.simple_bind_s(DN, Secret))  # bind with the service account
r = l.search(Base, Scope, Filter, Attrs)
Type, user = l.result(r, 60)
Name, Attrs = user[0]
# AD may return referral entries whose attribute part is a list, not a dict
if isinstance(Attrs, dict) and 'displayName' in Attrs:
    displayName = Attrs['displayName'][0]
    print(displayName)
# TODO: I get `john`'s Username but how to check his password ?
l.unbind()
If the distinguished name of the entry being checked and its credentials are already known, transmit a simple bind request including the credentials; if successful, the password is correct and the account is usable (as opposed to being locked or disabled). Alternatively, a SASL mechanism could be used with a bind request.
If the distinguished name is not known, transmit a search request to the directory server using a connection with sufficient authorization to read the distinguished name of the entry. The search request must contain the base object to which the entry is expected to be subordinate, should use the tightest possible scope (if the distinguished name is not known, this will be one or sub), should use the most restrictive filter as is possible given known information, and request the attribute 1.1 since all that is required is the distinguished name of the entry. The search response will contain the distinguished name of the entry, assuming the search was successful. Once the distinguished name is known, transmit a bind request as noted above.
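The search-then-bind procedure above, and the asker's open TODO, as an added example that is neither the asker's nor the answerer's code: the service account resolves the DN with a 1.1 search, then a second bind with the user's own password is the credential check. The filter value is escaped, an empty password is rejected up front, and `connect_to_ad` is an assumed python-ldap factory; the main function takes the connection factory as a parameter so it can be exercised without a directory.

```python
# Added example, not the asker's or the answerer's code: the search-then-bind
# check the answer describes. python-ldap is optional so the logic can also be
# run against a fake connection; connect_to_ad below is an assumed factory.
try:
    import ldap  # python-ldap
    SCOPE_SUBTREE, BIND_ERROR = ldap.SCOPE_SUBTREE, ldap.LDAPError
except ImportError:  # pure logic still runs without python-ldap installed
    SCOPE_SUBTREE, BIND_ERROR = 2, Exception


def escape_filter_value(value):
    """RFC 4515 escaping: 'john)(cn=*' can no longer alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def check_user_password(connect, service_dn, service_secret, base,
                        username, password):
    """Return the user's DN if username/password are valid, else None.
    connect() gives an object with simple_bind_s (raises on failure),
    search_s(base, scope, filter, attrs) -> [(dn, attrs)] and unbind_s()."""
    if not password:
        # AD treats a simple bind with an empty password as an anonymous
        # bind: it succeeds without proving anything about the user.
        return None
    filt = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)
    conn = connect()
    try:
        conn.simple_bind_s(service_dn, service_secret)  # service account
        # "1.1" requests no attributes; dn None marks a referral, skip it
        dns = [dn for dn, _ in conn.search_s(base, SCOPE_SUBTREE, filt, ["1.1"]) if dn]
    finally:
        conn.unbind_s()
    if len(dns) != 1:
        return None  # unknown user or ambiguous match: do not guess
    conn = connect()
    try:
        conn.simple_bind_s(dns[0], password)  # the actual credential check
    except BIND_ERROR:  # wrong password, or account locked/disabled
        return None
    finally:
        conn.unbind_s()
    return dns[0]


def connect_to_ad(server="ldap://pdc01.example.com"):
    """Assumed real factory: a python-ldap connection, referrals off."""
    conn = ldap.initialize(server)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    return conn
```

A failure of the service-account bind is deliberately left to propagate, since that is a configuration error rather than a wrong user password.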