Django LDAP3 安全与 TLS:我安全吗?
[英]Django LDAP3 security with TLS: am I secure?
问题描述
I'm concerned the login with LDAP in my Django app is not secure.
我担心在我的 Django 应用程序中使用 LDAP 登录不安全。 After trying several methods, I was able to get a working custom backend using ldap3 .在尝试了几种方法之后,我能够使用ldap3获得一个有效的自定义后端。 I was advised by other programmers (unfortunately non-Django programmers) in my organization to use TLS, but when I make a connection with ldap3, it looks like it's not using TLS.我的组织中的其他程序员(不幸的是非 Django 程序员)建议我使用 TLS,但是当我与 ldap3 建立连接时,它看起来好像没有使用 TLS。 I'm new to LDAP and security, but I've tried to do as much reading as possible, so hopefully I'm not missing something obvious.我是 LDAP 和安全性的新手,但我已经尝试尽可能多地阅读,所以希望我不会遗漏一些明显的东西。
Based on the ldap3 documentation, and trial-and-error, it seems that the connection has to be bound ( conn.bind() ) before TLS can be started ( conn.start_tls() ).根据 ldap3 文档和反复试验,似乎必须先绑定连接( conn.bind() ),然后才能启动 TLS ( conn.start_tls() )。 Is this true?这是真的? If the connection is bound without TLS, is this exposing a vulnerability?如果连接在没有 TLS 的情况下绑定,这是否暴露了漏洞? If so, what's the point of start TLS after the connection?如果是这样,连接后启动 TLS 的意义何在?
Am I using ldap3 and TLS correctly?我是否正确使用了 ldap3 和 TLS? Is this login method insecure, exposing passwords?这种登录方法不安全,会暴露密码吗?
#backends.py
import ldap3
import ssl
class LDAPBackend(ModelBackend):
def authenticate(self, request, username=None, password=None):
server = ldap3.Server('ldap://<url>', use_ssl=True)
conn = ldap3.Connection(server, user=request.POST.get('username'), password=request.POST.get('password'))
try:
conn.bind()
conn.start_tls()
search_filter = '(&(objectClass=user)(userPrincipalName='+request.POST.get('username')+'))'
conn.search(search_base='<search terms>', search_filter=search_filter, search_scope='SUBTREE', attributes='*')
attrs = conn.response[0]['attributes']
username = attrs['userPrincipalName']
except:
return None
If I switch the conn.bind() and conn.start_tls() order (so TLS starts first), the login fails (the form says "Enter a correct username...").如果我切换conn.bind()和conn.start_tls()顺序(因此 TLS 首先启动),登录失败(表单显示“输入正确的用户名...”)。
Is it secure to have a login this way in a Django app?在 Django 应用程序中以这种方式登录是否安全?
1 个解决方案
解决方案1
1 2019-11-20 01:47:20
We use LDAP for authentication with our flagship Django website in our organization, using TLS certificates.我们使用 LDAP 与我们组织中的旗舰 Django 网站进行身份验证,使用 TLS 证书。 It is unclear whether or not you are, as your destination URL seems to be ldap:// instead of ldaps:// .目前尚不清楚您是否是,因为您的目的地 URL 似乎是ldap://而不是ldaps:// 。 Typically, non-secure LDAP runs on port 389 while secure LDAPS runs on port 636 .通常,非安全 LDAP 在端口389上运行,而安全 LDAPS 在端口636上运行。
With that background out of the way, I would highly recommend using the django-python3-ldap package, which we have been using for several years, with over 200,000 users in LDAP using the objectClasses top, account, and posixAccount.有了这个背景,我强烈建议使用django-python3-ldap package,我们已经使用了几年,在 LDAP 中有超过 200,000 名用户使用 objectClasses top、account 和 posixAccount。 You can find it here: https://github.com/etianen/django-python3-ldap你可以在这里找到它: https://github.com/etianen/django-python3-ldap
LDAP is a complex protocol, and there are a lot of places where one can go wrong writing a backend (trust me, I tried the path you are going down). LDAP 是一个复杂的协议,并且有很多地方可以 go 错误地编写后端(相信我,我尝试了你要走的路径)。 The django-python3-ldap package is battle tested and will avoid these pitfalls. django-python3-ldap package 经过实战考验,将避免这些陷阱。 Your colleagues can probably assist you with the proper settings to get it working.您的同事可能会帮助您进行适当的设置以使其正常工作。 Good luck!祝你好运!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.