[Twisted-Python] PB auth with LDAP

Marvin McNett mmcnett at cs.ucsd.edu
Mon Sep 4 14:02:57 EDT 2006


Hi,

Just noticed that PB's _PortalAuthChallenger implements 
IUsernameHashedPassword, IUsernameMD5Passwordauth, but not 
IUsernamePassword.  This requires that I store my passwords in plain 
text or MD5 hash, then fetch the password to do a comparison at login. 
However, this is inconvenient when storing passwords in LDAP.  First, 
LDAP doesn't like returning passwords (unless you're requesting it as 
the database administrator).  Second, storing passwords in plain text or 
even as MD5 hashes is less than ideal.  Finally, LDAP already has a 
comparison operation (which I can do with minimal privileges), so I 
should never need to actually fetch the password.

All this means that it would be very convenient for 
_PortalAuthChallenger to also implement IUsernamePassword (what's wrong 
with sending clear text passwords over SSL anyway?).  However, it's not 
clear to me how I'd go about overriding the current behavior.  I've 
tried the naive thing which is, in a separate file:

from twisted.cred import credentials
from twisted.spread.pb import *

then overriding the _PortalRoot, _PortalWrapper, and 
_PortalAuthChallenger classes, and registering the alternate adapter. 
However, the "registerAdapter(_PortalRoot, Portal, IPBRoot)" comes back 
to bite me with:

   exceptions.ValueError: an adapter (twisted.spread.pb._PortalRoot) was already registered.

unless I comment it out in the actual twisted.spread.pb.py file.  Is 
there a way to unregister an adapter?  I'm sure there's a better way of 
doing this since I've seen mention of writing alternate login sequences, 
but I haven't been smart enough to figure it out.  Any help would be 
appreciated.

Thanks,
Marvin
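
Added example (not part of the original message and not Twisted code): a standard-library model of the trade-off the message describes, showing why a hashed challenge-response login needs a stored password equivalent while a plaintext credential can be checked by a compare-only backend. The MD5 challenge-response is a simplified stand-in for PB's hashed-password login, and `CompareOnlyDirectory` with PBKDF2 storage is a hypothetical substitute for an LDAP compare operation.

```python
import hashlib
import hmac
import os


def challenge_response(challenge: bytes, password: bytes) -> bytes:
    """Client side of the simplified MD5 scheme: MD5(MD5(password) + challenge)."""
    return hashlib.md5(hashlib.md5(password).digest() + challenge).digest()


def check_challenge_response(stored_md5: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: only possible with MD5(password) in hand, so the stored
    value is itself enough to answer any future challenge."""
    expected = hashlib.md5(stored_md5 + challenge).digest()
    return hmac.compare_digest(expected, response)


class CompareOnlyDirectory:
    """Hypothetical stand-in for an LDAP server reached with minimal privileges:
    it keeps salted hashes, never returns them, and only answers compare()."""

    def __init__(self):
        self._entries = {}

    def add(self, user: str, password: bytes) -> None:
        salt = os.urandom(16)
        self._entries[user] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

    def compare(self, user: str, candidate: bytes) -> bool:
        # Unknown users still cost one hash computation before being rejected.
        salt, stored = self._entries.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(self._hash(candidate, salt), stored)


def demo():
    directory = CompareOnlyDirectory()
    directory.add("alice", b"correct horse")          # constructed sample account
    challenge = os.urandom(16)
    response = challenge_response(challenge, b"correct horse")
    return (
        directory.compare("alice", response),          # a response is not the password
        check_challenge_response(hashlib.md5(b"correct horse").digest(), challenge, response),
        directory.compare("alice", b"correct horse"),  # plaintext credential, sent over TLS
    )


if __name__ == "__main__":
    print(demo())
```

The first result is False because the directory can only compare against the real password, the second is True only because the verifier was handed MD5(password), and the third is True with nothing secret ever leaving the directory.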



