[Twisted-Python] PB auth with LDAP

Marvin McNett mmcnett at cs.ucsd.edu
Mon Sep 4 12:02:57 MDT 2006


Hi,

Just noticed that PB's _PortalAuthChallenger implements 
IUsernameHashedPassword, IUsernameMD5Passwordauth, but not 
IUsernamePassword.  This requires that I store my passwords in plain 
text or MD5 hash, then fetch the password to do a comparison at login. 
However, this is inconvenient when storing passwords in LDAP.  First, 
LDAP doesn't like returning passwords (Unless you're requesting it as 
the database administrator).  Second, storing passwords in plain text or 
even as MD5 hashes is less than ideal.  Finally, LDAP already has a 
comparison operation (which I can do with minimal privileges), so I 
should never need to actually fetch the password.

All this means that it would be very convenient for 
_PortalAuthChallenger to also implement IUsernamePassword (what's wrong 
with sending clear text passwords over SSL anyway?).  However, it's not 
clear to me how I'd go about overriding the current behavior.  I've 
tried the naive thing which is, in a separate file:

from twisted.cred import credentials
from twisted.spread.pb import *"

then overriding the _PortalRoot, _PortalWrapper, and 
_PortalAuthChallenger classes, and registering the alternate adapter. 
However, the "registerAdapter(_PortalRoot, Portal, IPBRoot)" comes back 
to bite me with:

   exceptions.ValueError: an adapter (twisted.spread.pb._PortalRoot) was 
already registered.

unless I comment it out in the actual twisted.spread.pb.py file.  Is 
there a way to unregister an adapter?  I'm sure there's a better way of 
doing this since I've seen mention of writing alternate login sequences, 
but I haven't been smart enough to figure it out.  Any help would be 
appreciated.

Thanks,
Marvin




More information about the Twisted-Python mailing list