LDAP authentication issue in python using ldap library - python

I am trying to connect to an LDAP server for authentication. Our LDAP server uses SSL but we don't use any SSL certificate.
Following is my code:
I have two URLs provided by the system admin. They are as follows:
url1 = "ldap://100.x.x.x:389"
url2 = "ldaps://10.x.x.x:636"
My first question is: which URL should I use? What is the difference between ldap:// and ldaps://?
The LDAP authentication code is as follows; I have tried both (url1 and url2):
import ldap

conn = ldap.initialize(url)
ldap.TLS_AVAIL   # interpreter output was 1, i.e. python-ldap was built with TLS support
# synchronous bind: blocks and raises on failure
conn.simple_bind_s(
    'CN={0},ou=users,DC=compnay,DC=com'.format(myemail),
    mypassword
)
# asynchronous bind: returns a message id immediately
conn.simple_bind(
    'CN={0},ou=users,DC=compnay,DC=com'.format(myemail),
    mypassword
)
If I use the first URL (url1) with simple_bind_s, the following error is raised:
INVALID_CREDENTIALS: {'info': u'80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': u'Invalid credentials'}
but when I use simple_bind, it returns an int even though the password or username is wrong.
What is the difference between simple_bind_s and simple_bind? How can I use simple_bind for authentication?

The difference between simple_bind() and simple_bind_s() is that simple_bind() is asynchronous and simple_bind_s() is synchronous.
The synchronous version makes your program wait until it is finished and then returns the results, where the asynchronous version returns an id code immediately and continues working in the background, and then later you call result() with the id code to get the results.
So your call to simple_bind() likely did fail; you just don't know it because you haven't fetched the result yet.
Most ldap functions have asynchronous and synchronous versions, such as add() and add_s(), delete() and delete_s(), search() and search_s(), etc. Some ldap operations (especially searching) can take a long time to complete, so you'd use the asynchronous versions if you don't want your program to have long pauses.
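An added example (not from the question or the answer) of what the answer describes: issue the asynchronous bind, then fetch its outcome with result(), and pick the TLS handling from the URL scheme (ldaps:// is TLS from the first byte; ldap:// on 389 is plaintext and is upgraded with StartTLS before the password is sent). python-ldap, the server URL, the DN and the credentials are assumptions.

```python
# Added example: asynchronous simple_bind() done correctly, plus the
# ldap:// vs ldaps:// decision. Assumes python-ldap is installed; server URL,
# DN and credentials are placeholders.
from urllib.parse import urlsplit


def transport_for(url):
    """ldaps:// is TLS from the start; ldap:// is plaintext unless we
    upgrade it with StartTLS before sending the password."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "ldaps":
        return "implicit-tls"
    if scheme == "ldap":
        return "starttls"
    raise ValueError("unsupported URL scheme: %r" % scheme)


def authenticate(url, user_dn, password, timeout=10):
    """Return True on a successful bind, False on INVALID_CREDENTIALS.

    simple_bind() only returns a message id; the real outcome comes from
    result(), which raises the LDAP error the synchronous call would."""
    if not password:
        # A DN with an empty password is an *unauthenticated* bind (RFC 4513
        # section 5.1.2), which many directories accept as anonymous. Never
        # treat that as a successful login.
        return False
    import ldap  # python-ldap; imported here so transport_for() works without it

    conn = ldap.initialize(url)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
    if transport_for(url) == "starttls":
        conn.start_tls_s()  # upgrade the plaintext connection before binding
    msgid = conn.simple_bind(user_dn, password)  # returns immediately
    try:
        conn.result(msgid, all=1, timeout=timeout)  # raises on a failed bind
    except ldap.INVALID_CREDENTIALS:
        return False
    finally:
        conn.unbind_s()
    return True
```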

Related

POST method for webhooks dropbox

I simply want to receive notifications from Dropbox that a change has been made. I am currently following this tutorial:
https://www.dropbox.com/developers/reference/webhooks#tutorial
The GET method is done; verification is good.
However, when trying to mimic their implementation of POST, I am struggling because of a few things:
I have no idea what redis_url means in the def_process function of the tutorial.
I can't actually verify if anything is really being sent from Dropbox.
Also, any advice on how I can debug? I can't print anything from my program since it has to be run on a site rather than in an IDE.
Redis is a key-value store; it's just a way to cache your data throughout your application.
For example, the access token that is received after the OAuth callback is stored:
redis_client.hset('tokens', uid, access_token)
only to be used later in process_user:
token = redis_client.hget('tokens', uid)
(code from https://github.com/dropbox/mdwebhook/blob/master/app.py as suggested by their documentation: https://www.dropbox.com/developers/reference/webhooks#webhooks)
The same goes for the per-user delta cursors, which are also stored.
There are plenty of resources on how to install Redis, for example:
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-redis
In this case your redis_url would be something like:
"redis://localhost:6379/"
There are also hosted solutions, e.g. http://redistogo.com/
A possible workaround would be to use a database for this purpose.
As for debugging, you could use the logging facility for Python; it's thread safe and capable of writing output to a file stream, and it should provide you with plenty of information if properly used.
More info here:
https://docs.python.org/2/howto/logging.html
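An added example, not code from the question, the answer or the Dropbox tutorial: a framework-neutral POST handler that answers "is this really from Dropbox?" by checking the X-Dropbox-Signature header (Dropbox signs each notification with a hex HMAC-SHA256 of the raw body under your app secret) and that reports through the logging module instead of print. The app secret and the notification body are constructed sample values; the tutorial's own code then reads the user ids out of the decoded payload.

```python
# Added example: verify the webhook signature and log the outcome.
# The secret and body used in comments/tests are constructed samples.
import hashlib
import hmac
import json
import logging

log = logging.getLogger("dropbox_webhook")


def sign_body(app_secret, body):
    """Hex HMAC-SHA256 of the raw request body keyed with the app secret;
    this is what Dropbox puts in the X-Dropbox-Signature header."""
    return hmac.new(app_secret, body, hashlib.sha256).hexdigest()


def verify_dropbox_signature(app_secret, body, signature_header):
    """True only if the header matches; compare in constant time."""
    if not signature_header:
        return False
    expected = sign_body(app_secret, body).encode()
    return hmac.compare_digest(expected, signature_header.encode())


def handle_notification(app_secret, headers, body):
    """Handle the webhook POST. Returns (http_status, decoded_payload);
    the payload is None whenever the request is rejected.
    `headers` is a dict-like mapping of request headers, `body` raw bytes."""
    signature = headers.get("X-Dropbox-Signature")
    if not verify_dropbox_signature(app_secret, body, signature):
        # Either not Dropbox or a tampered body: do not touch any user data.
        log.warning("rejected webhook POST: missing or bad signature")
        return 403, None
    try:
        payload = json.loads(body)
    except ValueError:
        log.warning("rejected webhook POST: body is not JSON")
        return 400, None
    log.info("accepted webhook POST: %s", payload)
    return 200, payload
```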

Softlayer API -- exception happened when calling softlayer api

I got an exception: "TransportError: TransportError(0): ('Connection aborted.', error(110, 'Connection timed out'))" when I called the API Virtual_Guest::getBandwidthTotal.
It happened in this situation:
one and the same SoftLayer API username and key;
I called the function concurrently thousands of times at one moment.
So I do not know whether the exception happened due to "huge concurrent API calls" or just a network problem, or some other reason.
If it is caused by "huge concurrent API calls", here is an additional question:
As I said before, I called with one and the same username and key; if I call concurrently with different usernames and keys, will this exception happen as well?
Timeout errors are usually generated when the client is waiting for a response from the API; this situation is documented here. In your case you can try to increase the timeout of your client. If you are using the SoftLayer Python client, please see the documentation on increasing the timeout here, and also please check that your network connection is fine.
Regards
There is a limit on the number of API calls that can be made by an account per second. I believe this limit is per username, however I would not recommend using a bunch of different users to get around this limit.
My suggestion would be to use an objectMask to get as much data as possible in one API call, instead of making numerous api calls.
Instead of calling Virtual_Guest::getBandwidthTotal on every virtual guest on your account, you could call
SoftLayer_Account::getVirtualGuests(mask="mask[inboundPrivateBandwidthUsage,inboundPublicBandwidthUsage,outboundPrivateBandwidthUsage,outboundPublicBandwidthUsage]")
You might also need to use result limits so that one big call doesn't time out as well.
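An added example (not code from either answer) that puts the two suggestions together: one masked SoftLayer_Account::getVirtualGuests call per page, with limit/offset result limits, behind a small cross-thread rate limiter so that no burst of requests can hit the per-account call limit. The `get_virtual_guests` callable is injected; with the SoftLayer Python client it would be `client['Account'].getVirtualGuests`, which accepts the mask, limit and offset keywords (an assumption about your setup; the values used in comments are constructed).

```python
# Added example: paged, rate-limited collection of bandwidth data via one
# masked call per page instead of one getBandwidthTotal call per guest.
import threading
import time

BANDWIDTH_MASK = ("mask[inboundPrivateBandwidthUsage,inboundPublicBandwidthUsage,"
                  "outboundPrivateBandwidthUsage,outboundPublicBandwidthUsage]")


class RateLimiter:
    """Allow at most `per_second` calls per second, shared across threads."""

    def __init__(self, per_second):
        self._interval = 1.0 / per_second
        self._lock = threading.Lock()
        self._next_slot = 0.0

    def wait(self):
        with self._lock:
            now = time.monotonic()
            delay = max(0.0, self._next_slot - now)
            self._next_slot = max(now, self._next_slot) + self._interval
        if delay:
            time.sleep(delay)


def iter_virtual_guests(get_virtual_guests, mask=BANDWIDTH_MASK,
                        page_size=100, limiter=None):
    """Yield every virtual guest, fetching `page_size` at a time.

    `get_virtual_guests(mask=..., limit=..., offset=...)` is the
    SoftLayer_Account::getVirtualGuests call; the mask pulls the bandwidth
    usage objects in the same response, so no per-guest call is needed.
    A short page (fewer than page_size results) marks the end."""
    offset = 0
    while True:
        if limiter is not None:
            limiter.wait()
        page = get_virtual_guests(mask=mask, limit=page_size, offset=offset)
        for guest in page:
            yield guest
        if len(page) < page_size:
            return
        offset += page_size
```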

How to add authentication to a (Python) twisted xmlrpc server

I am trying to add authentication to an xmlrpc server (which will be running on nodes of a P2P network) without using user:password#host, as this will reveal the password to all attackers. The authentication is basically to create a private network, preventing unauthorised users from accessing it.
My solution to this was to create a challenge response system very similar to this but I have no clue how to add this to the xmlrpc server code.
I found a similar question (Where custom authentication was needed) here.
So I tried creating a module that would be called whenever a client connected to the server. This would connect to a challenge-response server running on the client and, if the client responded correctly, would return True. The only problem was that I could only call the module once, and then I got a "reactor cannot be restarted" error. So is there some way of having a class that, whenever the "check()" function is called, will connect and do this?
Would the simplest thing to do be to connect using SSL? Would that protect the password? Although this solution would not be optimal as I am trying to avoid having to generate SSL certificates for all the nodes.
Don't invent your own authentication scheme. There are plenty of great schemes already, and you don't want to become responsible for doing the security research into what vulnerabilities exist in your invention.
There are two very widely supported authentication mechanisms for HTTP (over which XML-RPC runs, therefore they apply to XML-RPC). One is "Basic" and the other is "Digest". "Basic" is fine if you decide to run over SSL. Digest is more appropriate if you really can't use SSL.
Both are supported by Twisted Web via twisted.web.guard.HTTPAuthSessionWrapper, with copious documentation.
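An added example (not from this answer or the Twisted project) of what it recommends: the XML-RPC resource wrapped in twisted.web.guard.HTTPAuthSessionWrapper so that every request must carry valid HTTP Digest credentials (Basic is offered too, but is only acceptable under TLS). Users come from a 'passwd' file of "user:password" lines, a constructed format; the realm name, port and method are assumptions.

```python
# Added example: Digest-authenticated XML-RPC with twisted.web.guard.
# The passwd format, realm name and port are assumptions, not Twisted's.
def load_passwd(text):
    """Parse 'user:password' lines; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, password = line.partition(":")
        if not user or not password:
            raise ValueError("malformed passwd line: %r" % line)
        users[user.encode()] = password.encode()
    return users


def build_site(users):
    """Wrap an XML-RPC resource in HTTPAuthSessionWrapper so that every
    request must pass Digest (or, under TLS only, Basic) authentication."""
    import time
    from zope.interface import implementer
    from twisted.cred import checkers, portal
    from twisted.web import guard, resource, server, xmlrpc

    class TimeRPC(xmlrpc.XMLRPC):
        def xmlrpc_time(self):
            return time.time()

    @implementer(portal.IRealm)
    class Realm(object):
        def requestAvatar(self, avatarId, mind, *interfaces):
            # avatarId is the authenticated username; hand back the resource
            if resource.IResource in interfaces:
                return resource.IResource, TimeRPC(), lambda: None
            raise NotImplementedError()

    checker = checkers.InMemoryUsernamePasswordDatabaseDontUse()
    for user, password in users.items():
        checker.addUser(user, password)
    auth_portal = portal.Portal(Realm(), [checker])
    factories = [guard.DigestCredentialFactory(b"md5", b"xmlrpc"),
                 guard.BasicCredentialFactory(b"xmlrpc")]  # Basic: TLS only
    return server.Site(guard.HTTPAuthSessionWrapper(auth_portal, factories))


if __name__ == "__main__":
    from twisted.internet import reactor
    with open("passwd") as f:
        reactor.listenTCP(8080, build_site(load_passwd(f.read())))
    reactor.run()
```

Requests without credentials get a 401 with the WWW-Authenticate challenge; only after a valid Digest (or Basic) response does the wrapper hand the request to the XML-RPC resource.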
Based on your problem description, it sounds like the Secure Remote Password Protocol might be what you're looking for. It's a password-based mechanism that provides strong, mutual authentication without the complexity of SSL certificate management. It may not be quite as flexible as SSL certificates but it's easy to use and understand (the full protocol description fits on a single page). I've often found it a useful tool for situations where a trusted third party (aka Kerberos/CA authorities) isn't appropriate.
For anyone that was looking for a full example, below is mine (thanks to Rakis for pointing me in the right direction). In this the user and password are stored in a file called 'passwd' (see the first useful link for more details and how to change it).
Server:
#!/usr/bin/env python
import SocketServer
import time

import bjsonrpc
import bjsonrpc.server
from bjsonrpc.handlers import BaseHandler
from SRPSocket import SRPSocket

class handler(BaseHandler):
    # the only RPC method exposed to authenticated clients
    def time(self):
        return time.time()

class SecureServer(SRPSocket.SRPHost):
    # SRPHost hands over the socket once the SRP exchange has succeeded,
    # so only authenticated clients ever reach the JSON-RPC server
    def auth_socket(self, socket):
        server = bjsonrpc.server.Server(socket, handler_factory=handler)
        server.serve()

s = SocketServer.ForkingTCPServer(('', 1337), SecureServer)
s.serve_forever()
Client:
#!/usr/bin/env python
import time

import bjsonrpc
import bjsonrpc.connection
from bjsonrpc.handlers import BaseHandler
from SRPSocket import SRPSocket

class handler(BaseHandler):
    def time(self):
        return time.time()

# SRPSocket runs the SRP exchange with the server; 'dht'/'testpass' must match
# an entry in the server's passwd file. 'key' is the resulting session key.
socket, key = SRPSocket.SRPSocket('localhost', 1337, 'dht', 'testpass')
connection = bjsonrpc.connection.Connection(socket, handler_factory=handler)
test = connection.call.time()
print(test)
time.sleep(1)
Some useful links:
http://members.tripod.com/professor_tom/archives/srpsocket.html
http://packages.python.org/bjsonrpc/tutorial1/index.html

How to authenticate to a remote db host with MongoKit?

I am attempting to connect and authenticate to a remote database host (dotcloud, mongolabs, etc) using MongoKit within Flask. Connecting to the server seems to work fine. However I am unable to authenticate to the database. Presumably this should work:
from mongokit import Connection
connection = Connection(my_remote_host, my_remote_port)
connection.my_database.authenticate(my_admin_user, my_admin_password)
the call to authenticate() returns True, yet subsequent calls to fetch data throw:
OperationFailure: database error: unauthorized db
Anyone know what might be happening here?
This is likely due to the current behavior of authenticate() in pymongo. Pymongo doesn't cache authentication credentials between threads, so each thread must authenticate individually. See the note in the pymongo documentation about using authenticate() in a multi-threaded environment.
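An added example (not from the question or the answer) of the workaround the answer implies: a small wrapper that calls authenticate() once per thread and caches the outcome in thread-local storage, so a Flask worker thread never issues a query on an unauthenticated connection. `db` is assumed to be anything with an authenticate(user, password) method returning True/False, such as connection.my_database from the question; the fake database in the test is constructed.

```python
# Added example: per-thread authenticate() for a driver that does not share
# credentials between threads. `db` is assumed to expose
# authenticate(user, password) -> bool, like the MongoKit database above.
import threading


class PerThreadAuth:
    """Return the database handle, authenticating on first use in each thread."""

    def __init__(self, db, user, password):
        self._db = db
        self._user = user
        self._password = password
        self._local = threading.local()  # one 'authenticated' flag per thread

    def db(self):
        if not getattr(self._local, "authenticated", False):
            if not self._db.authenticate(self._user, self._password):
                # fail closed: never hand out a handle that will raise
                # 'unauthorized db' on the first query
                raise RuntimeError("database authentication failed")
            self._local.authenticated = True
        return self._db


def run_in_threads(auth, n_threads):
    """Helper: use auth.db() twice from each of n_threads worker threads,
    so the caller can see that authenticate() ran once per thread."""
    def worker():
        auth.db()
        auth.db()
    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
```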

How to deal with interactive API in python

I'm in a situation where I need to pass some text to a prompt generated by an API (this seems like pretty weird behavior for an API; it's the first time I've run into this), like below:
kvm_cli = libvirt.open("qemu+ssh://han#10.0.10.8/system")
Then a prompt shows up asking for the ssh password (password for 10.0.10.8 is:), and I have to manually type it there in order to move on and get the kvm_cli object I need.
I tried to use the pexpect module to deal with this; however, it's for OS command lines instead of APIs.
It's also possible to work around this by using ssh certification files, but that's not a favorable authentication approach in our scenario.
Since our wrapper around the 'open' method is not interactive, we cannot ask the user to input the password. Do you guys have any thoughts on how I could address this?
I am not a libvirt user, but I believe that the problem is not in the library, but in the connection method. You seem to be connecting via ssh, so you need to authenticate yourself.
I've been reading the libvirt page on ArchWiki, and I think that you could try:
setting up the simple (TCP/IP socket) connection method, or
setting up key-based, password-less SSH login for your virtual host.
