Authentication

LDAP supports multiple authentication mechanisms, each suited to different security requirements and deployment scenarios. This section provides working examples for common bind operations and related authentication features.

The following examples demonstrate:

  • SIMPLE bind — direct authentication using a plaintext username and password.

  • SASL noninteractive authentication — e.g., using GSSAPI for Kerberos tickets.

  • OAUTHBEARER authentication — providing an OAuth 2.0 access token for bind.

  • Who am I? — querying the directory to determine the currently authenticated identity.

  • Changing password — performing a password modification operation.

  • EXTERNAL bind — authenticating via an external security layer such as a UNIX domain socket with peer credentials or a TLS client certificate.

Each example is self-contained and can be adapted for your environment. They assume a connection to the LDAP server has already been established and that appropriate credentials or tokens are available.

SIMPLE bind operation

SIMPLE bind via plaintext credentials
# perform a simple bind
import sys

try:
    await conn.bind('cn=admin,dc=freeiam,dc=org', 'iamfree')
except errors.InvalidCredentials as exc:
    # don't forget to handle the error raised on a wrong password!
    sys.exit(str(exc))
    ...

SASL noninteractive authentication

GSSAPI (e.g. Kerberos)
# perform a GSSAPI SASL if you have a valid ticket
try:
    await conn.bind_gssapi()
except errors.LocalError:
    # adjacent string literals are joined without separators, so keep the trailing spaces
    print(
        'SASL(-1): generic failure: GSSAPI Error: '
        'Miscellaneous failure (see text) '
        '(unable to reach any KDC in realm FREEIAM.ORG)'
    )
    ...

OAUTHBEARER authentication

OAuth 2.0 Access Token via OAUTHBEARER
# perform SASL OAUTHBEARER authentication using OAuth 2.0 access token (JWT)
authzid = None
token = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'  # noqa: S105,E501
await conn.bind_oauthbearer(authzid, token)

Who am I? operation

Who am I?
dn = await conn.whoami()  # check who you are

Changing password

Changing password
# if your server supports it you can also change your password
await conn.change_password(dn, 'iamfree', 'no-i-am-unfree')

EXTERNAL bind

EXTERNAL (e.g. UNIX socket or client certificate)
# perform SASL EXTERNAL authentication using local UNIX socket
async with ldap.Connection('ldapi:///path/to/unix/socket') as conn:
    # you might want to set certain options
    from freeiam.ldap.constants import Option

    conn.set_option(Option.Referrals, 0)

    # perform SASL EXTERNAL auth
    await conn.bind_external()

    await conn.whoami()  # check who you are
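The mechanisms above differ in what they put on the wire: a SIMPLE bind sends the password itself, so it only belongs on a transport that protects it (ldaps:// or a local ldapi:// socket), while EXTERNAL, GSSAPI and OAUTHBEARER do not. The helper below, an added example that is not part of the freeiam project, picks the strongest mechanism the available credentials allow and refuses a SIMPLE bind over plain ldap://; it assumes the `Connection` methods shown on this page and does not negotiate StartTLS.

```python
# Added example (not freeiam project code): choose a bind mechanism from the URI
# so that a plaintext password is never sent over an unprotected transport.
from typing import Optional
from urllib.parse import urlsplit

# Schemes on which a SIMPLE bind password is not exposed on the network:
# ldaps:// (TLS) and ldapi:// (local UNIX domain socket). Plain ldap:// would
# only be acceptable after StartTLS, which this helper does not perform.
_PROTECTED_SCHEMES = {'ldaps', 'ldapi'}


def password_is_protected(uri: str) -> bool:
    """Return True if a SIMPLE bind over this URI would not leak the password."""
    return urlsplit(uri).scheme.lower() in _PROTECTED_SCHEMES


def choose_mechanism(uri: str, *, password: Optional[str] = None,
                     token: Optional[str] = None, have_ticket: bool = False) -> str:
    """Pick a bind mechanism: EXTERNAL on a UNIX socket, then GSSAPI with a
    Kerberos ticket, then OAUTHBEARER with an access token, and SIMPLE last,
    and only when the transport protects the password."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme == 'ldapi':
        return 'EXTERNAL'          # peer credentials of the local socket
    if have_ticket:
        return 'GSSAPI'
    if token:
        return 'OAUTHBEARER'
    if password is not None:
        if not password_is_protected(uri):
            raise ValueError(f'refusing SIMPLE bind over {scheme}:// without TLS')
        return 'SIMPLE'
    raise ValueError('no usable credentials supplied')


async def bind(conn, uri: str, dn: Optional[str] = None, **creds) -> str:
    """Bind `conn` (assumed to be a freeiam.ldap.Connection as used on this page)
    with the mechanism chosen for `uri`; returns the mechanism name."""
    mech = choose_mechanism(uri, **creds)
    if mech == 'EXTERNAL':
        await conn.bind_external()
    elif mech == 'GSSAPI':
        await conn.bind_gssapi()
    elif mech == 'OAUTHBEARER':
        await conn.bind_oauthbearer(None, creds['token'])
    else:
        await conn.bind(dn, creds['password'])
    return mech
```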