[Twisted-Python] Passport, my ideas about an LDAP backend

Tommi Virtanen tv at twistedmatrix.com
Sun Dec 30 16:13:03 EST 2001


Here's a sketch of how I imagine an LDAP backend to passport will
work:

LDAP is a logically simple (implementation horrible:) TCP protocol
with messages passing in both directions. User authentication is one
possible message type, and the server replies with either success or
an error message.

For just searching and browsing, you can bind anonymously. Most
servers allow read-only access by default.

But for any kind of modification, we need to bind.

So far, this seems pretty much like with databases. However, here's
the big catch: the normal way to use databases is to have one userid
and password per application, and perhaps store actual userids and
passwords within a table in the database. The normal way to use LDAP
is to bind _as the user who is doing the operation_.

Here is a list of requirements I can think of that need to be fulfilled
in order for me to be able to use passport. Some of these may be very
trivial, or taken for granted by now -- I'm just making sure they are
seen.


Requirement #1: Passport needs to be async.

In order to be able to use LDAP as the backend for passport-like user
verification, the backend needs to be able to talk to a possibly slow
server.


Requirement #2: Passport must be able to store data in the
Perspective during authentication.

However, if the application wants to use LDAP for more than just user
authentication, things get a bit worse. We could just store the
password we saw the user enter, and later bind to the LDAP server as
this user. However, I dislike storing plain-text passwords in virtual
memory.


Requirement #3: Passport must be able to ask users to reauthenticate.

A better way is to remember that we already did bind (authenticate) to
the LDAP server as that user. Just reserve that connection for that
user alone. As long as the connection is alive, we can keep on talking
to the LDAP server.

Now, programs can be restarted, TCP connections can die, and servers
can utilize idle timeouts, maximum time limits, or limit the maximum
number of operations per connection. The TCP connection can die at any
moment. As we didn't store the user password, we need to ask for it again
when we see the connection has closed and the user tries an operation
that requires talking to the LDAP server. This requires "invalidating"
the user's previous authentication.


-- 
tv@{{hq.yok.utu,havoc,gaeshido}.fi,{debian,wanderer}.org,stonesoft.com}
double a,b=4,c;main(){for(;++a<2e6;c-=(b=-b)/a++);printf("%f\n",c);}
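As an added illustration that is not part of the post above or of Twisted, here is a small asyncio simulation of requirements 2 and 3: a per-user session that keeps the bound connection rather than the password and, when that connection dies, invalidates the authentication and demands a new bind. The LDAP server, the bound-connection class and the credentials are stand-ins constructed for this example.

```python
import asyncio

VALID_CREDENTIALS = {"uid=tv,dc=example,dc=org": "s3cret"}  # constructed, not a real directory

class ReauthRequired(Exception):
    """No live bind for this user; the application must ask for the password again."""

class FakeBoundConnection:
    """Stand-in for a TCP connection already bound as one user (simulation only)."""
    def __init__(self, dn):
        self.bound_dn, self.alive = dn, True
    async def search(self, base):
        if not self.alive:
            raise ConnectionError("LDAP connection closed")
        return f"searched {base} as {self.bound_dn}"

async def ldap_bind(dn, password):
    await asyncio.sleep(0)  # simulated slow server: yield like a real round-trip would
    return FakeBoundConnection(dn) if VALID_CREDENTIALS.get(dn) == password else None

class UserSession:
    """Per-user session: remembers the bound connection, never the password."""
    def __init__(self, dn):
        self.dn, self.conn = dn, None  # conn is None when no valid authentication exists
    async def authenticate(self, password):
        self.conn = await ldap_bind(self.dn, password)
        return self.conn is not None
    async def search(self, base):
        if self.conn is None:
            raise ReauthRequired(self.dn)
        try:
            return await self.conn.search(base)
        except ConnectionError:
            self.conn = None  # invalidate the previous authentication
            raise ReauthRequired(self.dn)

def run_scenario():
    async def main():
        s = UserSession("uid=tv,dc=example,dc=org")
        good = await s.authenticate("s3cret")
        first = await s.search("dc=example,dc=org")
        s.conn.alive = False  # the server dropped us: idle timeout, restart, dead TCP
        try:
            await s.search("dc=example,dc=org")
            asked = False
        except ReauthRequired:
            asked = True
        again = await s.authenticate("s3cret") and await s.search("dc=example,dc=org")
        return good, first, asked, again
    return asyncio.run(main())
```

run_scenario() walks through bind, use, connection loss, the forced reauthentication and the fresh bind, returning what each step produced.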
