ldap.sasl SASL Authentication Methods

This module implements various authentication methods for SASL bind.

See also

RFC 4422 - Simple Authentication and Security Layer (SASL)
RFC 4513 - Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms

class ldap.sasl.sasl(cb_value_dict, mech)

This class handles SASL interactions for authentication. If an instance of this class is passed to ldap's sasl_bind_s() method, the library will call its callback() method. For specific SASL authentication mechanisms, this method can be overridden.

This class is used with ldap.LDAPObject.sasl_interactive_bind_s().

callback(cb_id, challenge, prompt, defresult)

The callback method will be called by the sasl_bind_s() method several times. Each time it will provide the id, which tells us what kind of information is requested (the CB_* constants). The challenge might be a short (English) text or some binary string, from which the return value is calculated. The prompt argument is always a human-readable description string; the defresult is a default value provided by the SASL library.

Currently, the challenge and prompt information are not used; the callback returns only the information stored in the self.cb_value_dict dictionary. Note that the current callback interface is not very useful for writing generic SASL GUIs, which would need to know all the questions to ask before the answers are returned to the SASL library (instead of answering one question at a time).

Unicode strings are always converted to bytes.

class ldap.sasl.cram_md5(authc_id, password, authz_id='')

This class handles SASL CRAM-MD5 authentication.
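To make the challenge/response described above concrete, here is the CRAM-MD5 exchange (RFC 2195) that the SASL library carries out on the client's behalf from the authc_id and password that ldap.sasl.cram_md5 stores. This is an added, self-contained example with both the server and client side; it is not python-ldap code, and make_challenge, cram_md5_response and verify_response are names chosen for this example.

```python
import hashlib
import hmac
import secrets
import time


def make_challenge(hostname):
    """Server side: build an RFC 2195 style challenge '<random.timestamp@host>'."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(authc_id, password, challenge):
    """Client side: 'authc_id SP hex(HMAC-MD5(password, challenge))'.

    The challenge is the raw bytes sent by the server (transport-level base64
    has already been removed); the password is the HMAC key.
    """
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{authc_id} {digest}".encode()


def verify_response(response, challenge, lookup_password):
    """Server side: recompute the digest and compare in constant time.

    Returns the authenticated authc_id, or None on any failure. lookup_password
    must return the user's plaintext password (CRAM-MD5 needs it) or None.
    """
    try:
        authc_id, digest = response.decode("ascii").rsplit(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return None
    password = lookup_password(authc_id)
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return authc_id if hmac.compare_digest(expected, digest) else None


def demo():
    """Run one full exchange against a constructed single-user password store."""
    store = {"tim": "tanstaaftanstaaf"}  # constructed sample credential
    challenge = make_challenge("ldap.example.com")  # placeholder hostname
    response = cram_md5_response("tim", store["tim"], challenge)
    return verify_response(response, challenge, store.get)
```

Because the server must recompute the HMAC, a CRAM-MD5 credential store is plaintext-equivalent and must be protected as such; the mechanism also provides no confidentiality or channel binding, so the bind should still run over TLS or LDAPI.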

class ldap.sasl.digest_md5(authc_id, password, authz_id='')

This class handles SASL DIGEST-MD5 authentication.

class ldap.sasl.gssapi(authz_id='')

This class handles SASL GSSAPI (i.e. Kerberos V) authentication.

You might consider using convenience method ldap.LDAPObject.sasl_gssapi_bind_s().

class ldap.sasl.external(authz_id='')

This class handles SASL EXTERNAL authentication (i.e. X.509 client certificate).

You might consider using convenience method ldap.LDAPObject.sasl_external_bind_s().

Examples for ldap.sasl

This example connects to an OpenLDAP server via LDAP over IPC (see draft-chu-ldap-ldapi) and sends a SASL external bind request.

import ldap, ldap.sasl, urllib.parse

ldapi_path = '/tmp/openldap-socket'
ldap_conn = ldap.initialize(
    'ldapi://%s' % (
        # The socket path is URL-quoted so its slashes survive in the LDAPI URL
        urllib.parse.quote_plus(ldapi_path),
    )
)
# Send SASL bind request for mechanism EXTERNAL
# (over LDAPI the identity comes from the peer credentials of the Unix socket)
ldap_conn.sasl_interactive_bind_s('', ldap.sasl.external())
# Find out the SASL Authorization Identity
print(ldap_conn.whoami_s())