@@ -22,6 +22,13 @@ uv run --with=ldap3 --python 3.12 python
| Institut für Computerlinguistik | `ldaps://ldap2.cl.uni-heidelberg.de` | CL account |
| Universität Heidelberg | `ldaps://ad.uni-heidelberg.de` | Uni ID |
## Fundamental reading
If you have not worked with LDAP before, I strongly recommend reading the following Stack Overflow question:
[**How to safely authenticate a user using LDAP?**](https://stackoverflow.com/questions/73681632/how-to-safely-authenticate-a-user-using-ldap/)
It explains how authentication via LDAP is generally done (which is a bit weird compared to many modern computer systems), how it can be done safely, and also discusses a few quirks and special cases of different LDAP servers.
Binding to the Uni LDAP server currently does not require the TLS certificate to be valid. This is a security issue, because any attacker could just Man-in-the-Middle the connection and eavesdrop on all sent usernames and passwords.
I currently discourage using the Uni LDAP server, until I have figured out a better way to do this.
>>>
>>> [!note]
The URL scheme (`ldap://` or `ldaps://`) has precedence over the parameter `use_ssl` (see https://ldap3.readthedocs.io/en/latest/server.html). This means that the parameter is superfluous if you specify a URL scheme.
This only works if the student is part of the `ou=fnphi` organization, i.e., a member of the Neuphilologische Fakultät. This does not generalize. Until I've figured out a better way, I discourage using the Uni LDAP server.
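Review bot: The sentence "Binding to the Uni LDAP server currently does not require the TLS certificate to be valid" describes certificate validation as a property of the server, but whether the presented certificate is checked is decided by the connecting client, so the paragraph should say what the `ldap3` configuration in this document does (and how to turn validation on, e.g. by passing a `Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=...)` object to `Server(...)`) rather than leaving the reader to assume nothing can be done on their side. Two smaller points in the same hunk: the note is opened with `>>>` followed by `>>> [!note]`, which nests the callout three levels deep, and the note body that follows carries no `>` prefix at all, so it will render outside the callout; a single `> [!note]` line with `> `-prefixed body lines matches the intended form. Finally, "I currently discourage using the Uni LDAP server, until I have figured out a better way to do this" and "Until I've figured out a better way, I discourage using the Uni LDAP server" say the same thing a few lines apart; keeping only the second, which follows the `ou=fnphi` explanation, reads better.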