From: jamesa at daa.com.au (James Andrewartha)
Date: Mon, 22 Oct 2007 20:53:48 +0800
Subject: LDAP ORM
Message-ID: <1193057628.25384.9.camel@zarvora>

Hi all,

The current Python LDAP interface is a bit low level for my liking, so I've started work on an LDAP ORM[1]. Currently there's very little RM going on, but I have got a nice Python object representing an LDAP object with attribute access and deletion; no adding or saving to the LDAP server just yet. ldap.schema is really quite handy.

Which brings me to my next point - could someone update the API docs on the website? They're 3.5 years out of date, and so missing things like ldap.schema and cidict.

Here's a patch for cidict to implement __contains__, which makes foo in somecidict work right:

--- cidict.py~	2003-08-25 00:28:12.000000000 +0800
+++ cidict.py	2007-10-22 20:16:54.000000000 +0800
@@ -43,6 +43,9 @@
   def has_key(self,key):
     return UserDict.has_key(self,lower(key))
 
+  def __contains__(self,key):
+    return UserDict.has_key(self,lower(key))
+
   def get(self,key,failobj=None):
     try:
       return self[key]

Anyway, I'd appreciate any comments or suggestions (including for a new name) on LDAP ORM. I have a vague goal of being able to use LDAP as an ORM for Django or whatever other web framework tickles your fancy.

[1] http://trs80.ucc.asn.au/ldaporm.py

James Andrewartha

From: michael at stroeder.com (Michael Ströder)
Date: Mon, 22 Oct 2007 15:05:07 +0200
Subject: LDAP ORM
In-Reply-To: <1193057628.25384.9.camel@zarvora>
References: <1193057628.25384.9.camel@zarvora>
Message-ID: <471CA003.7020102@stroeder.com>

James Andrewartha wrote:
>
> --- cidict.py~	2003-08-25 00:28:12.000000000 +0800
> +++ cidict.py	2007-10-22 20:16:54.000000000 +0800
> @@ -43,6 +43,9 @@
>    def has_key(self,key):
>      return UserDict.has_key(self,lower(key))
>
> +  def __contains__(self,key):
> +    return UserDict.has_key(self,lower(key))
> +
>    def get(self,key,failobj=None):
>      try:
>        return self[key]

I'd prefer if it's ok for you:

  def __contains__(self,key):
    return self.has_key(key)

If you're using ldap.schema you might want to look into using class ldap.schema.models.Entry instead of simply ldap.cidict.cidict because you don't have to care about attribute description aliases and mapping them to OIDs.

Ciao, Michael.

From: jamesa at daa.com.au (James Andrewartha)
Date: Mon, 22 Oct 2007 21:48:01 +0800
Subject: LDAP ORM
In-Reply-To: <471CA003.7020102@stroeder.com>
References: <1193057628.25384.9.camel@zarvora> <471CA003.7020102@stroeder.com>
Message-ID: <1193060881.25384.12.camel@zarvora>

On Mon, 2007-10-22 at 15:05 +0200, Michael Ströder wrote:
> James Andrewartha wrote:
> >
> > --- cidict.py~	2003-08-25 00:28:12.000000000 +0800
> > +++ cidict.py	2007-10-22 20:16:54.000000000 +0800
> > @@ -43,6 +43,9 @@
> >    def has_key(self,key):
> >      return UserDict.has_key(self,lower(key))
> >
> > +  def __contains__(self,key):
> > +    return UserDict.has_key(self,lower(key))
> > +
> >    def get(self,key,failobj=None):
> >      try:
> >        return self[key]
>
> I'd prefer if it's ok for you:
>
>   def __contains__(self,key):
>     return self.has_key(key)

Sure, I was just copying has_key().

> If you're using ldap.schema you might want to look into using class
> ldap.schema.models.Entry instead of simply ldap.cidict.cidict because
> you don't have to care about attribute description aliases and mapping
> them to OIDs.

I'm happy with the setup I've got now, but if I ever need to deal with attribute OIDs then I'll look into it.

James Andrewartha
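Review bot: the new `__contains__` duplicates the case-folding that `has_key` already performs (`UserDict.has_key(self,lower(key))`); delegating with `return self.has_key(key)` keeps the case-insensitive key handling in one place, as the reply suggests, so `in` and `has_key` cannot drift apart if the normalisation ever changes. Both forms rely on the same module-level `lower` that `has_key` already uses, so no new import is needed for the hunk as posted.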
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 22 Oct 2007 16:13:08 +0200
Subject: LDAP ORM
In-Reply-To: <1193060881.25384.12.camel@zarvora>
References: <1193057628.25384.9.camel@zarvora> <471CA003.7020102@stroeder.com> <1193060881.25384.12.camel@zarvora>
Message-ID: <471CAFF4.5030002@stroeder.com>

James Andrewartha wrote:
> On Mon, 2007-10-22 at 15:05 +0200, Michael Ströder wrote:
>
>> If you're using ldap.schema you might want to look into using class
>> ldap.schema.models.Entry instead of simply ldap.cidict.cidict because
>> you don't have to care about attribute description aliases and mapping
>> them to OIDs.
>
> I'm happy with the setup I've got now, but if I ever need to deal with
> attribute OIDs then I'll look into it.

Well, it's not a matter of whether you personally need to deal with it. There might be the case that an attribute type or object class does not have NAME assigned at all. Also think about language sub-types and transfer type ;binary separated by ; from the name. And dashes (-) are allowed in AttributeTypeDescription. You really should dive into RFC 4512.

Ciao, Michael.
From: jamesa at daa.com.au (James Andrewartha)
Date: Tue, 23 Oct 2007 00:55:26 +0800
Subject: LDAP ORM
In-Reply-To: <471CAFF4.5030002@stroeder.com>
References: <1193057628.25384.9.camel@zarvora> <471CA003.7020102@stroeder.com> <1193060881.25384.12.camel@zarvora> <471CAFF4.5030002@stroeder.com>
Message-ID: <1193072126.25384.28.camel@zarvora>

On Mon, 2007-10-22 at 16:13 +0200, Michael Ströder wrote:
> James Andrewartha wrote:
> > On Mon, 2007-10-22 at 15:05 +0200, Michael Ströder wrote:
> >> If you're using ldap.schema you might want to look into using class
> >> ldap.schema.models.Entry instead of simply ldap.cidict.cidict because
> >> you don't have to care about attribute description aliases and mapping
> >> them to OIDs.
> >
> > I'm happy with the setup I've got now, but if I ever need to deal with
> > attribute OIDs then I'll look into it.
>
> Well, it's not a matter of whether you personally need to deal with it. There
> might be the case that an attribute type or object class does not have
> NAME assigned at all. Also think about language sub-types and transfer
> type ;binary separated by ; from the name. And dashes (-) are allowed in
> AttributeTypeDescription. You really should dive into RFC 4512.

Thanks for the pointer. I've updated the code to map _ in attribute names to -. Attributes without a short name are impossible to wrap - I'm not expecting clients of this library to know OIDs. Attributes with options are accessible via obj['cn;lang-en'] (as are normal attributes). There should probably be some functions to ask for a specific language; RFC 3866 will guide me there.

James Andrewartha
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 22 Oct 2007 19:22:09 +0200
Subject: LDAP ORM
In-Reply-To: <1193072126.25384.28.camel@zarvora>
References: <1193057628.25384.9.camel@zarvora> <471CA003.7020102@stroeder.com> <1193060881.25384.12.camel@zarvora> <471CAFF4.5030002@stroeder.com> <1193072126.25384.28.camel@zarvora>
Message-ID: <471CDC41.6070605@stroeder.com>

James Andrewartha wrote:
>
> Thanks for the pointer. I've updated the code to map _ in attribute
> names to -. Attributes without a short name are impossible to wrap - I'm
> not expecting clients of this library to know OIDs.

If you don't support schema elements without NAME you're not LDAPv3 compliant. I saw schema elements without NAME and my web2ldap choked on this in the beginning. In this case the LDAP server returns the OIDs in search results.

Ciao, Michael.

From: jamesa at daa.com.au (James Andrewartha)
Date: Tue, 23 Oct 2007 09:15:27 +0800
Subject: documentation updates
Message-ID: <1193102127.31900.7.camel@zarvora>

Hi,

The first patch removes an invalid LDAP option. The second updates the LDAPObject documentation, and the third updates LDAPObject docstrings. Hopefully I'll have time to look at updating the rest of the docs soon.

James Andrewartha

-------------- next part --------------
A non-text attachment was scrubbed...
Name: constants.diff
Type: text/x-patch
Size: 554 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap.tex.diff
Type: text/x-patch
Size: 15763 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldapobject.diff
Type: text/x-patch
Size: 3152 bytes
From: jamesa at daa.com.au (James Andrewartha)
Date: Tue, 23 Oct 2007 17:27:22 +0800
Subject: documentation updates
In-Reply-To: <1193102127.31900.7.camel@zarvora>
References: <1193102127.31900.7.camel@zarvora>
Message-ID: <1193131642.31900.22.camel@zarvora>

On Tue, 2007-10-23 at 09:15 +0800, James Andrewartha wrote:
> Hi,
>
> The first patch removes an invalid LDAP option. The second updates the
> LDAPObject documentation, and the third updates LDAPObject docstrings.
> Hopefully I'll have time to look at updating the rest of the docs soon.

Here's one for ldap-controls.tex, and a minor fix to ldap/controls.py to use the constant it defines. I've noted that the controlValue passed to SimplePagedResultsControl's constructor is ignored, but didn't remove it because that would be an API change.

James Andrewartha

-------------- next part --------------
A non-text attachment was scrubbed...
Name: controls.diff
Type: text/x-patch
Size: 788 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-controls.tex.diff
Type: text/x-patch
Size: 2967 bytes
From: jamesa at daa.com.au (James Andrewartha)
Date: Wed, 24 Oct 2007 01:49:53 +0800
Subject: documentation updates
In-Reply-To: <1193131642.31900.22.camel@zarvora>
References: <1193102127.31900.7.camel@zarvora> <1193131642.31900.22.camel@zarvora>
Message-ID: <1193161793.1307.13.camel@zarvora>

On Tue, 2007-10-23 at 17:27 +0800, James Andrewartha wrote:
> On Tue, 2007-10-23 at 09:15 +0800, James Andrewartha wrote:
> > Hi,
> >
> > The first patch removes an invalid LDAP option. The second updates the
> > LDAPObject documentation, and the third updates LDAPObject docstrings.
> > Hopefully I'll have time to look at updating the rest of the docs soon.
>
> Here's one for ldap-controls.tex, and a minor fix to ldap/controls.py
> to use the constant it defines. I've noted that the controlValue passed
> to SimplePagedResultsControl's constructor is ignored, but didn't remove
> it because that would be an API change.

ldap-{cidict,resiter,sasl}.tex are all new files covering previously undocumented modules. dn.diff adds the dn2str method and has a few formatting fixes. contents.diff updates python-ldap.tex to include the new sections, and I added a new chapter for ldapurl and ldif called "Standalone modules". ldap.tex.2.diff applies over my previous patch and adds a few references and more cleanups.

Remaining undocumented modules include all of ldap.schema and dsml. I had a quick look at porting the docstrings of dsml, but it refers to DSMLv1 when v2 was released in 2002. Under-documented modules (generally only having examples) include ldap.async, ldif and ldapurl.

Is there anything else I need to do to get these applied, and the version of the docs on the website updated?

James Andrewartha

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-cidict.tex
Type: text/x-tex
Size: 1402 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-resiter.tex
Type: text/x-tex
Size: 939 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap-sasl.tex
Type: text/x-tex
Size: 3005 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dn.diff
Type: text/x-patch
Size: 2036 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: contents.diff
Type: text/x-patch
Size: 627 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldap.tex.2.diff
Type: text/x-patch
Size: 2441 bytes

From: michael at stroeder.com (Michael Ströder)
Date: Tue, 23 Oct 2007 20:27:43 +0200
Subject: documentation updates
In-Reply-To: <1193161793.1307.13.camel@zarvora>
References: <1193102127.31900.7.camel@zarvora> <1193131642.31900.22.camel@zarvora> <1193161793.1307.13.camel@zarvora>
Message-ID: <471E3D1F.7040501@stroeder.com>

James, first of all many thanks for your efforts working on this.

James Andrewartha wrote:
>
> Is there anything else I need to do to get these applied, and the
> version of the docs on the website updated?

I've started reviewing your patches this morning and I have some doubts about some details which need clarification. This will take a little bit. I will follow up on this when I have some spare time left. Maybe tomorrow...

One general note: I didn't document some stuff since I didn't want to endorse it, because I don't consider certain APIs to be really stable (say: designed well). Examples are class SmartLDAPObject, the API of ldap.schema etc.

So take a break until I follow up on this. Thanks again.

Ciao, Michael.
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 23 Oct 2007 20:38:02 +0200
Subject: Status of module dsml
In-Reply-To: <1193161793.1307.13.camel@zarvora>
References: <1193102127.31900.7.camel@zarvora> <1193131642.31900.22.camel@zarvora> <1193161793.1307.13.camel@zarvora>
Message-ID: <471E3F8A.8000009@stroeder.com>

James Andrewartha wrote:
> I had a quick look at porting the docstrings of dsml, but it refers
> to DSMLv1 when v2 was released in 2002.

python-ldap's module implements DSMLv1, not DSMLv2. Gee, looking at the module I don't remember what I've implemented there... You see, DSML is very low on my priority list. Frankly I have some doubts about what it's good for. ;-)

Ciao, Michael.
From: brandon at rhodesmill.org (Brandon Craig Rhodes)
Date: Thu, 25 Oct 2007 13:35:53 -0400
Subject: building better binary eggs
Message-ID: <87r6jjumfa.fsf@ten22.rhodesmill.org>

I use Zope and "buildout" and, like those who made some earlier posts this year, I need binary eggs to install. I note that no one has put such eggs on the Cheese Shop, and the binary eggs that do exist and to which people have offered URLs seem to depend on one's OS having particular versions of particular libraries installed.

I want to suggest another approach: there needs to be an .egg for python-ldap that simply includes in the .so file, statically linked, all of the libraries it needs - so that the OpenLDAP and OpenSSL libraries just come "built in" and working, and don't rely on your even having those libraries available on your OS, much less having them working. Are there license problems that prevent this?

I had followed this approach with my "PyEphem" library. I can't imagine that many people would use it if they had to download and install an obscure astronomy package first from a third party! So my package's _libastro.so file simply has the astronomy libraries statically linked in, so nothing except Python and my module are required for users to get started.

-- 
Brandon Craig Rhodes   brandon at rhodesmill.org   http://rhodesmill.org/brandon

From: noah.gift at gmail.com (Noah Gift)
Date: Thu, 25 Oct 2007 23:21:32 -0400
Subject: Need information for Python Systems Administration Book
Message-ID:

Hi,

I would love to talk to somebody on or offline about documenting python-ldap in an upcoming O'Reilly book on "Python for Systems Administration".

Thanks,
Noah Gift

-------------- next part --------------
An HTML attachment was scrubbed...
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 26 Oct 2007 11:38:48 +0200
Subject: Need information for Python Systems Administration Book
In-Reply-To:
References:
Message-ID: <4721B5A8.4020507@stroeder.com>

Noah Gift wrote:
>
> I would love to talk to somebody on or offline about documenting
> python-ldap in an upcoming O'Reilly book on "Python for Systems
> Administration".

You're welcome to ask specific questions on this list.

Ciao, Michael.
From: jamesa at daa.com.au (James Andrewartha)
Date: Sun, 28 Oct 2007 19:14:37 +0900
Subject: LDAP ORM
In-Reply-To: <471CDC41.6070605@stroeder.com>
References: <1193057628.25384.9.camel@zarvora> <471CA003.7020102@stroeder.com> <1193060881.25384.12.camel@zarvora> <471CAFF4.5030002@stroeder.com> <1193072126.25384.28.camel@zarvora> <471CDC41.6070605@stroeder.com>
Message-ID: <1193566477.27058.7.camel@zarvora>

On Mon, 2007-10-22 at 19:22 +0200, Michael Ströder wrote:
> James Andrewartha wrote:
> >
> > Thanks for the pointer. I've updated the code to map _ in attribute
> > names to -. Attributes without a short name are impossible to wrap - I'm
> > not expecting clients of this library to know OIDs.
>
> If you don't support schema elements without NAME you're not LDAPv3
> compliant. I saw schema elements without NAME and my web2ldap choked on
> this in the beginning. In this case the LDAP server returns the OIDs in
> search results.

Ok, I've added handling for them - they should end up being accessible by obj['9.9.9'], assuming the OID is returned as a string key in the results dictionary.

Source is now available at http://forgetldap.svn.sourceforge.net/viewvc/forgetldap/trunk/ thanks to Gagatan on #luma. It now supports modification of an entry, although it doesn't change the rdn as yet. I'll probably look at that after I add support for saving changes back to the LDAP server.

Anil - I've added some notes at the bottom of the source on the API the Django ORM expects; what does Pylons expect?

James Andrewartha
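A worked version of the attribute-description handling discussed in this thread: options such as ;lang-en and ;binary, dashes in descriptors, James's `_` to `-` mapping for Python attribute access, and numeric OID keys for types that have no NAME. This is an added example, not code from ldaporm or python-ldap; `LdapEntry`, `canonical_key`, the sample entry and the untagged-fallback rule in `localized` are assumptions of this example.

```python
"""Attribute descriptions per RFC 4512 section 2.5:

    attributedescription = attributetype options
    attributetype        = oid              ; 'cn', 'x-dept-code' or '2.5.4.3'
    options              = *( SEMI option ) ; e.g. ';lang-en', ';binary'

Descriptors are case-insensitive, may contain dashes, the option set is
unordered, and an element with no NAME comes back from the server as its OID.
"""
import re
from collections import namedtuple

AttrDesc = namedtuple("AttrDesc", "attrtype options")

# ABNF from RFC 4512 section 1.4: keystring = leadkeychar *keychar,
# numericoid = number 1*( DOT number ), and number has no leading zeros.
_DESCR = r"[A-Za-z][A-Za-z0-9-]*"
_NUMBER = r"(?:0|[1-9][0-9]*)"
_NUMERICOID = _NUMBER + r"(?:\." + _NUMBER + r")+"
_OPTION = r"[A-Za-z0-9-]+"
_ATTRDESC_RE = re.compile(
    r"(?P<type>%s|%s)(?P<opts>(?:;%s)*)\Z" % (_NUMERICOID, _DESCR, _OPTION))


def parse_attribute_description(text):
    """Split 'CN;lang-EN;Binary' into AttrDesc('cn', ('binary', 'lang-en')).

    Lower-casing the type and sorting lower-cased options yields one canonical
    spelling for every equivalent description, which a case-insensitive
    dictionary (cidict-style) needs as its key.
    """
    m = _ATTRDESC_RE.match(text)
    if m is None:
        raise ValueError("invalid attribute description: %r" % (text,))
    options = tuple(sorted(o.lower() for o in m.group("opts").split(";") if o))
    return AttrDesc(m.group("type").lower(), options)


def is_numeric_oid(attrtype):
    """True when the attribute type is addressed by OID (no NAME in the schema)."""
    return re.match(_NUMERICOID + r"\Z", attrtype) is not None


def canonical_key(text):
    """Dictionary key used by LdapEntry: canonical type plus sorted options."""
    d = parse_attribute_description(text)
    return ";".join((d.attrtype,) + d.options)


class LdapEntry(object):
    """Entry wrapper keyed by canonical attribute description (assumed design).

    entry.x_dept_code   -> 'x-dept-code' via the '_' to '-' mapping
    entry['cn;lang-en'] -> attribute with options
    entry['9.9.9']      -> attribute type without a NAME
    """

    def __init__(self, dn, attrs):
        # attrs has the shape of one python-ldap search result: {desc: [values]}
        self.__dict__["dn"] = dn
        self.__dict__["_attrs"] = {}
        for desc, values in attrs.items():
            self._attrs.setdefault(canonical_key(desc), []).extend(values)

    def __getitem__(self, desc):
        return self._attrs[canonical_key(desc)]

    def __setitem__(self, desc, values):
        self._attrs[canonical_key(desc)] = list(values)

    def __contains__(self, desc):
        try:
            return canonical_key(desc) in self._attrs
        except ValueError:  # not even a well-formed description
            return False

    def __getattr__(self, name):
        # Only reached when normal attribute lookup fails.
        if name.startswith("_"):
            raise AttributeError(name)
        try:
            return self[name.replace("_", "-")]
        except (KeyError, ValueError):
            raise AttributeError(name)

    def localized(self, attrtype, lang):
        """Values tagged ';lang-<lang>', else the untagged attribute (assumed rule)."""
        tagged = "%s;lang-%s" % (attrtype, lang)
        return self[tagged] if tagged in self else self[attrtype]

    def oid_keyed(self):
        """Keys stored under a numeric OID, i.e. types the server returned by OID."""
        return sorted(k for k in self._attrs if is_numeric_oid(k.split(";")[0]))


# Constructed sample in the shape python-ldap returns (str values for brevity).
SAMPLE_ATTRS = {
    "cn": ["Test User"],
    "CN;lang-de": ["Testbenutzer"],
    "userCertificate;binary": ["<DER blob>"],
    "x-dept-code": ["R&D"],
    "9.9.9": ["value of an attribute type without NAME"],
}
```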
From: mmatz at wyoarea.org (Mike Matz)
Date: Tue, 6 Nov 2007 14:45:47 -0500
Subject: Creating Active Directory Objects
Message-ID:

Hi all,

Apologies in advance if this is a duplicate post, but every time I tried searching the archives it would time out. I am wondering if it is possible to create Active Directory objects (users) with the python-ldap module. I am currently developing on Mac OS X. I realize there are AD modules out there, but I am not aware of any that will compile and run on Mac OS X. If there are I would appreciate any suggestions. Any information you can provide would be much appreciated!

Regards,
Mike

From: geert at boskant.nl (Geert Jansen)
Date: Tue, 06 Nov 2007 21:17:03 +0100
Subject: Creating Active Directory Objects
In-Reply-To:
References:
Message-ID: <4730CBBF.8060506@boskant.nl>

Hello Mike

> Apologies in advance if this is a duplicate post, but every time I
> tried searching the archives it would time out. I am wondering if it
> is possible to create Active Directory objects (users) with the python-
> ldap module. I am currently developing on Mac OS X. I realize there
> are AD modules out there, but I am not aware of any that will compile
> and run on Mac OS X. If there are I would appreciate any
> suggestions. Any information you can provide would be much appreciated!
>

It is definitely possible to create Active Directory users with python-ldap. You just need to take care that you set the minimum amount of attributes required, otherwise the addition will fail. I don't have any code ready at the moment, but just create a user object with ADUC and see what attributes that sets. Then take these as a base. Note that you don't need to create the SID and the GUID -- these are created automatically by AD.

Regards,
Geert
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 07 Nov 2007 10:44:14 +0100
Subject: Creating Active Directory Objects
In-Reply-To: <4730CBBF.8060506@boskant.nl>
References: <4730CBBF.8060506@boskant.nl>
Message-ID: <473188EE.1030403@stroeder.com>

Geert Jansen wrote:
>
> It is definitely possible to create Active Directory users with
> python-ldap. You just need to take care that you set the minimum amount
> of attributes required, otherwise the addition will fail. I don't have
> any code ready at the moment, but just create a user object with ADUC
> and see what attributes that sets. Then take these as a base. Note that
> you don't need to create the SID and the GUID -- these are created
> automatically by AD.

I vaguely remember that there are some issues with really activating a user entry as a Windows user. But this is not a problem of accessing AD via python-ldap.

Ciao, Michael.

From: geert at boskant.nl (Geert Jansen)
Date: Wed, 07 Nov 2007 19:50:44 +0100
Subject: Creating Active Directory Objects
In-Reply-To: <473188EE.1030403@stroeder.com>
References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com>
Message-ID: <47320904.70500@boskant.nl>

Michael Ströder wrote:
> I vaguely remember that there are some issues with really activating a
> user entry as a Windows user. But this is not a problem of accessing AD
> via python-ldap.
>

This indeed rings a bell. You need to create the user as disabled (look for userAccountControl on MSDN), set a compliant password, and then enable him.

Regards,
Geert
From: mmatz at wyoarea.org (Mike Matz)
Date: Wed, 7 Nov 2007 22:15:27 -0500
Subject: Creating Active Directory Objects
References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com> <47320904.70500@boskant.nl>
Message-ID: <2208A0CA90BDD842AC38CBC84B6ABEF50176A0CA@mercury.wyoarea.org>

Thanks for the help guys. It got me off to a great start. I have successfully created a user in my AD. As you already alluded to, I am struggling with the password attribute. Can the password attribute be set when creating a user? From what I gathered, the password attribute is 'unicodePwd'. This attribute cannot be created, it can only be modified. Is this attribute created by default when a user is created? Would I be able to do an add and then a modify to set the password? I am aware of the fact that there are certain restrictions in place in order to modify the password. I have set up my AD to include SSL and I am able to bind as Administrator over port 636. With that said, one of the examples I ran across for adding a user refers to another attribute 'userPassword'. I am unable to tell what this attribute is. In the link below, it appears that the password is being set when the entry is added. I have tried this unsuccessfully. I appreciate all the help thus far.

Regards,
Mike

Example Add Entry - http://www.grotan.com/ldap/python-ldap-samples.html

-----Original Message-----
From: Geert Jansen [mailto:geert at boskant.nl]
Sent: Wed 11/7/2007 1:50 PM
To: Michael Ströder
Cc: Mike Matz; python-ldap-dev at lists.sourceforge.net
Subject: Re: Creating Active Directory Objects

Michael Ströder wrote:
> I vaguely remember that there are some issues with really activating a
> user entry as a Windows user. But this is not a problem of accessing AD
> via python-ldap.
>

This indeed rings a bell. You need to create the user as disabled (look for userAccountControl on MSDN), set a compliant password, and then enable him.

Regards,
Geert

-------------- next part --------------
An HTML attachment was scrubbed...
From: d at adaptive-enterprises.com.au (David Leonard)
Date: Thu, 08 Nov 2007 22:48:20 +1000
Subject: Creating Active Directory Objects
In-Reply-To: <2208A0CA90BDD842AC38CBC84B6ABEF50176A0CA@mercury.wyoarea.org>
References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com> <47320904.70500@boskant.nl> <2208A0CA90BDD842AC38CBC84B6ABEF50176A0CA@mercury.wyoarea.org>
Message-ID: <47330594.7050003@adaptive-enterprises.com.au>

Hi, Mike

I think AD uses an extension to the Kerberos protocol to change the password of a user. See http://msdn2.microsoft.com/en-us/library/ms808911.aspx

As far as I understand it, the unicodePwd attribute is the NT hash of the user's password. (See http://msdn2.microsoft.com/en-us/library/ms680513.aspx).

Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's LDAP. It should be a lot easier to manage than SSL certs.

David

Mike Matz wrote:
>
> Thanks for the help guys. It got me off to a great start. I have
> successfully created a user in my AD. As you already alluded to, I am
> struggling with the password attribute. Can the password attribute be
> set when creating a user? From what I gathered, the password
> attribute is 'unicodePwd'. This attribute cannot be created, it can
> only be modified. Is this attribute created by default when a user is
> created? Would I be able to do an add and then a modify to set the
> password? I am aware of the fact that there are certain restrictions
> in place in order to modify the password. I have set up my AD to
> include SSL and I am able to bind as Administrator over port 636.
> With that said, one of the examples I ran across for adding a user
> refers to another attribute 'userPassword'. I am unable to tell what
> this attribute is. In the link below, it appears that the password is
> being set when the entry is added. I have tried this unsuccessfully.
> I appreciate all the help thus far.
> Regards,
> Mike
>
> Example Add Entry - http://www.grotan.com/ldap/python-ldap-samples.html
>
>
> -----Original Message-----
> From: Geert Jansen [mailto:geert at boskant.nl]
> Sent: Wed 11/7/2007 1:50 PM
> To: Michael Ströder
> Cc: Mike Matz; python-ldap-dev at lists.sourceforge.net
> Subject: Re: Creating Active Directory Objects
>
> Michael Ströder wrote:
>
> > I vaguely remember that there are some issues with really activating a
> > user entry as a Windows user. But this is not a problem of accessing AD
> > via python-ldap.
> >
>
> This indeed rings a bell. You need to create the user as disabled (look
> for userAccountControl on MSDN), set a compliant password, and then
> enable him.
>
> Regards,
> Geert
>

-- 
David Leonard   d at adaptive-enterprises.com.au   Ph:+61 404 844 850

-------------- next part --------------
An HTML attachment was scrubbed...
From: python-ldap at tk-webart.de (Torsten Kurbad)
Date: Thu, 8 Nov 2007 14:13:23 +0100
Subject: building better binary eggs
In-Reply-To: <87r6jjumfa.fsf@ten22.rhodesmill.org>
References: <87r6jjumfa.fsf@ten22.rhodesmill.org>
Message-ID: <20071108141323.5efe2336@asteria.iwm-kmrc.de>

Hi,

> I want to suggest another approach: there needs to be an .egg for
> python-ldap that simply includes in the .so file, statically linked,
> all of the libraries it needs - so that the OpenLDAP and OpenSSL
> libraries just come "built in" and working, and don't rely on your
> even having those libraries available on your OS, much less having
> them working.

I don't see any problems with this approach, except:

- someone has to build and maintain those eggs
- such static libraries are much overhead on systems having the appropriate dependencies available. Thinking of Linux, one would have (at least) to link in:
  * glibc (with all dependencies)
  * libssl + libcrypto
  * libsasl
  * libldap
  * liblber

For my purposes the dynamically linked eggs work just great, and everyone who tried the Windows egg, after installing the obvious dependency OpenLDAP, has reported success so far.

So, if you need static eggs, go ahead - I don't see much use...

Regards,
Torsten

-- 
I'll give you a definite maybe.
-Samuel Goldwyn
From: mmatz at wyoarea.org (Mike Matz)
Date: Thu, 8 Nov 2007 08:41:49 -0500
Subject: Creating Active Directory Objects
In-Reply-To: <47330594.7050003@adaptive-enterprises.com.au>
References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com> <47320904.70500@boskant.nl> <2208A0CA90BDD842AC38CBC84B6ABEF50176A0CA@mercury.wyoarea.org> <47330594.7050003@adaptive-enterprises.com.au>
Message-ID:

Thanks for your input David. I will read through the MSDN articles to see if they provide me with any insight. I am not familiar with using SASL/GSSAPI/Kerberos to bind to AD's LDAP. Could you possibly provide me with a few steps to accomplish this?

Thanks,
Mike

On Nov 8, 2007, at 7:48 AM, David Leonard wrote:

> Hi, Mike
>
> I think AD uses an extension to the Kerberos protocol to change the
> password of a user. See http://msdn2.microsoft.com/en-us/library/ms808911.aspx
> As far as I understand it, the unicodePwd attribute is the NT hash
> of the user's password. (See http://msdn2.microsoft.com/en-us/library/ms680513.aspx).
> Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to
> AD's LDAP. It should be a lot easier to manage than SSL certs.
>
> David
>
> Mike Matz wrote:
>>
>> Thanks for the help guys. It got me off to a great start. I have
>> successfully created a user in my AD. As you already alluded to, I
>> am struggling with the password attribute. Can the password
>> attribute be set when creating a user? From what I gathered, the
>> password attribute is 'unicodePwd'. This attribute cannot be
>> created, it can only be modified. Is this attribute created by
>> default when a user is created? Would I be able to do an add and
>> then a modify to set the password? I am aware of the fact that
>> there are certain restrictions in place in order to modify the
>> password. I have set up my AD to include SSL and I am able to bind
>> as Administrator over port 636.
>> With that said, one of the examples
>> I ran across for adding a user refers to another attribute
>> 'userPassword'. I am unable to tell what this attribute is. In
>> the link below, it appears that the password is being set when the
>> entry is added. I have tried this unsuccessfully. I appreciate
>> all the help thus far.
>> Regards,
>> Mike
>>
>> Example Add Entry - http://www.grotan.com/ldap/python-ldap-samples.html
>>
>>
>> -----Original Message-----
>> From: Geert Jansen [mailto:geert at boskant.nl]
>> Sent: Wed 11/7/2007 1:50 PM
>> To: Michael Ströder
>> Cc: Mike Matz; python-ldap-dev at lists.sourceforge.net
>> Subject: Re: Creating Active Directory Objects
>>
>> Michael Ströder wrote:
>>
>> > I vaguely remember that there are some issues with really
>> activating a
>> > user entry as a Windows user. But this is not a problem of
>> accessing AD
>> > via python-ldap.
>> >
>>
>> This indeed rings a bell. You need to create the user as disabled
>> (look
>> for userAccountControl on MSDN), set a compliant password, and then
>> enable him.
>>
>> Regards,
>> Geert
>>
>>
>
> -- 
> David Leonard   d at adaptive-enterprises.com.au
> Ph:+61 404 844 850

-------------- next part --------------
An HTML attachment was scrubbed...
From: d at adaptive-enterprises.com.au (David Leonard)
Date: Fri, 09 Nov 2007 00:25:28 +1000
Subject: Creating Active Directory Objects
In-Reply-To:
References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com> <47320904.70500@boskant.nl> <2208A0CA90BDD842AC38CBC84B6ABEF50176A0CA@mercury.wyoarea.org> <47330594.7050003@adaptive-enterprises.com.au>
Message-ID: <47331C58.1090306@adaptive-enterprises.com.au>

First step is configuring your platform's Kerberos library so you can kinit against your AD server. You will need to read about krb5.conf and kinit, I suspect.

Next step is getting a SASL-GSSAPI module installed so that SASL can access your Kerberos library (through its GSSAPI interface). This is a matter of package hunting, usually. I'm assuming your OpenLDAP library has SASL support.

Finally, you call ldap_sasl_bind to connect. I hope someone else can chime in here with an example of SASL binds with python-ldap.

d

Mike Matz wrote:
> Thanks for your input David. I will read through the MSDN articles to
> see if they provide me with any insight. I am not familiar with
> using SASL/GSSAPI/Kerberos to bind to AD's LDAP. Could you possibly
> provide me with a few steps to accomplish this?
> Thanks,
> Mike
>
>
> On Nov 8, 2007, at 7:48 AM, David Leonard wrote:
>
>> Hi, Mike
>>
>> I think AD uses an extension to the Kerberos protocol to change the
>> password of a user. See
>> http://msdn2.microsoft.com/en-us/library/ms808911.aspx
>> As far as I understand it, the unicodePwd attribute is the NT hash of
>> the user's password. (See
>> http://msdn2.microsoft.com/en-us/library/ms680513.aspx).
>> Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to
>> AD's LDAP. It should be a lot easier to manage than SSL certs.
>>
>> David
>>
>> Mike Matz wrote:
>>>
>>> Thanks for the help guys. It got me off to a great start. I have
>>> successfully created a user in my AD. As you already alluded to, I
>>> am struggling with the password attribute.
Can the password >>> attribute be set when creating a user. From what I gathered, the >>> password attribute is 'unicodePwd'. This attribute cannot be >>> created, it can only be modified. Is this attribute created by >>> default when a user is created? Would I be able to do an add and >>> then a modify to set the password? I am aware of the fact that >>> there are certain restrictions in place in order to modify the >>> password. I have setup my AD to include SSL and I am able to bind >>> as Administrator over port 636. With that said one of the examples >>> I ran across for adding a user refers to another attribute >>> 'userPassword'. I am unable to tell what this attribute is. In the >>> link below, it appears that the password is being set when the entry >>> is added. I have tried this unsuccessfully. I appreicate all the >>> help thus far. >>> Regards, >>> Mike >>> >>> Example Add Entry - http://www.grotan.com/ldap/python-ldap-samples.html >>> >>> >>> -----Original Message----- 
>>> From: Geert Jansen [mailto:geert at boskant.nl] >>> Sent: Wed 11/7/2007 1:50 PM >>> To: Michael Str?der >>> Cc: Mike Matz; python-ldap-dev at lists.sourceforge.net >>> Subject: Re: Creating Active Directory Objects >>> >>> Michael Str?der wrote: >>> >>> > I vaguely remember that there are some issues with really activating a >>> > user entry as a Windows user. But this is not a problem of >>> accessing AD >>> > via python-ldap. >>> > >>> >>> This indeed rings a bell. You need to create the user as disabled (look >>> for userAccountControl on MSDN), set a compliant password, and then >>> enable him. >>> >>> Regards, >>> Geert >>> >> >> -- >> David Leonard d at adaptive-enterprises.com.au >> Ph:+61 404 844 850 >> > > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. > Still grepping through log files to find problems? Stop. > Now Search log events and configuration files using AJAX and a browser. > Download your FREE copy of Splunk now >> http://get.splunk.com/ > ------------------------------------------------------------------------ > > _______________________________________________ > Python-LDAP-dev mailing list > Python-LDAP-dev at lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/python-ldap-dev > -- David Leonard d at adaptive-enterprises.com.au Ph:+61 404 844 850 -------------- next part -------------- An HTML attachment was scrubbed... URL: From michael at stroeder.com Thu Nov 8 18:53:21 2007 
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Thu, 08 Nov 2007 18:53:21 +0100 Subject: Creating Active Directory Objects In-Reply-To: <47331C58.1090306@adaptive-enterprises.com.au> References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com> <47320904.70500@boskant.nl> <2208A0CA90BDD842AC38CBC84B6ABEF50176A0CA@mercury.wyoarea.org> <47330594.7050003@adaptive-enterprises.com.au> <47331C58.1090306@adaptive-enterprises.com.au> Message-ID: <47334D11.3020105@stroeder.com> David Leonard wrote: > I hope someone else can > chime in here with an example of sasl binds with python-ldap. See: Demo/sasl_bind.py Ciao, Michael. From michael at stroeder.com Thu Nov 8 19:02:11 2007 
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Thu, 08 Nov 2007 19:02:11 +0100 Subject: Creating Active Directory Objects In-Reply-To: <47330594.7050003@adaptive-enterprises.com.au> References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com> <47320904.70500@boskant.nl> <2208A0CA90BDD842AC38CBC84B6ABEF50176A0CA@mercury.wyoarea.org> <47330594.7050003@adaptive-enterprises.com.au> Message-ID: <47334F23.5020401@stroeder.com> David Leonard wrote: > > As far as I understand it, the unicodePwd attribute is the NT hash of > the user's password. I don't think so when setting it. Maybe it contains the NT hash afterwards, but conversion is probably done internally. http://support.microsoft.com/kb/269190 It seems you need to combine ldap.MOD_DELETE with old password and ldap.MOD_ADD with new password when setting unicodePwd yourself and ldap.MOD_REPLACE when setting it for another account. Additionally you have to use quotes around it. And furthermore it has to be UTF-16-encoded (low endian). MS docs are usually poorly written. > Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's > LDAP. It should be a lot easier to manage than SSL certs. The SSL certs are not used to bind to AD in this case. Rather they are just used to connect over SSL (ldaps://). Ciao, Michael. From joe at open-it.org Thu Nov 8 19:12:12 2007 
From: joe at open-it.org (Joe Little) Date: Thu, 8 Nov 2007 10:12:12 -0800 Subject: Creating Active Directory Objects In-Reply-To: <47320904.70500@boskant.nl> References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com> <47320904.70500@boskant.nl> Message-ID: <12B22B11-393F-4B6E-97D8-16C5A950EEE3@open-it.org> Here's something that may be useful in this conversation about AD Objects. I wrote with some reference help a script to pack a SID as I was creating the necessary objects to create AD accounts from python using python-ldap: """ packsid """ import base64,struct def packsid(textsid): if textsid[0] != 'S': return; data = (textsid[2:]).split('-') rev = int(data[0]) idauth = int(data[1]) subauthcount = len(data) - 2 packedsid = struct.pack("8B", rev, subauthcount, 0, 0, 0, 0, 0, idauth) for i in range(0,subauthcount): addpack = struct.pack(" Michael Str?der wrote: > >> I vaguely remember that there are some issues with really >> activating a >> user entry as a Windows user. But this is not a problem of >> accessing AD >> via python-ldap. >> > > This indeed rings a bell. You need to create the user as disabled > (look > for userAccountControl on MSDN), set a compliant password, and then > enable him. > > Regards, > Geert > > From jlittle at open-it.org Thu Nov 8 19:16:08 2007 
From: jlittle at open-it.org (Joe Little) Date: Thu, 8 Nov 2007 10:16:08 -0800 Subject: Creating Active Directory Objects In-Reply-To: <47320904.70500@boskant.nl> References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com> <47320904.70500@boskant.nl> Message-ID: <660B1CDD-99A8-4A3B-A2EF-76637D0C0A7F@open-it.org> (repost from another address_ Here's something that may be useful in this conversation about AD Objects. I wrote with some reference help a script to pack a SID as I was creating the necessary objects to create AD accounts from python using python-ldap: """ packsid """ import base64,struct def packsid(textsid): if textsid[0] != 'S': return; data = (textsid[2:]).split('-') rev = int(data[0]) idauth = int(data[1]) subauthcount = len(data) - 2 packedsid = struct.pack("8B", rev, subauthcount, 0, 0, 0, 0, 0, idauth) for i in range(0,subauthcount): addpack = struct.pack(" Michael Str?der wrote: > >> I vaguely remember that there are some issues with really >> activating a >> user entry as a Windows user. But this is not a problem of >> accessing AD >> via python-ldap. >> > > This indeed rings a bell. You need to create the user as disabled > (look > for userAccountControl on MSDN), set a compliant password, and then > enable him. > > Regards, > Geert > > From jlittle at open-it.org Thu Nov 8 19:16:08 2007 
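Joe's packsid snippet is cut off in the archive after the first struct.pack call, so here is an added, complete pack/unpack pair for the same job. It is not his script and not python-ldap code; it follows the documented binary SID layout (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities). The sample SID in the main block is constructed.

```python
"""Pack a textual Windows SID (S-R-I-S1-S2-...) into its binary form and back.

Added example, not the code posted in the thread. Layout: revision (1 byte),
sub-authority count (1 byte), identifier authority (6 bytes, big-endian),
then each sub-authority as a little-endian unsigned 32-bit integer.
Unlike an "8B" pack with the authority in one byte, this also handles
identifier authorities above 255.
"""
import base64
import struct


def pack_sid(text_sid):
    """Return the binary SID for e.g. 'S-1-5-32-544'; raises ValueError on bad input."""
    parts = text_sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a textual SID: %r" % text_sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if not 0 <= revision <= 255 or not 0 <= authority < 2 ** 48 or len(subauths) > 15:
        raise ValueError("SID field out of range: %r" % text_sid)
    for s in subauths:
        if not 0 <= s < 2 ** 32:
            raise ValueError("sub-authority out of range: %d" % s)
    # 6-byte big-endian identifier authority: pack 8 bytes and drop the top two.
    header = struct.pack(">BB", revision, len(subauths)) + struct.pack(">Q", authority)[2:]
    body = struct.pack("<%dI" % len(subauths), *subauths)
    return header + body


def unpack_sid(data):
    """Inverse of pack_sid; checks that the length matches the sub-authority count."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack(">BB", data[:2])
    authority = struct.unpack(">Q", b"\x00\x00" + data[2:8])[0]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length %d does not match sub-authority count %d" % (len(data), count))
    subauths = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)


def is_well_formed_sid(data):
    """True if data parses as a SID whose length matches its sub-authority count.

    Useful before trusting an objectSid value read back from the directory."""
    try:
        unpack_sid(data)
    except (ValueError, struct.error):
        return False
    return True


def sid_to_base64(text_sid):
    """Base64 form, e.g. for an LDIF 'objectSid::' binary attribute value."""
    return base64.b64encode(pack_sid(text_sid)).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a domain SID with the well-known Domain Users RID 513.
    sample = "S-1-5-21-1004336348-1177238915-682003330-513"
    blob = pack_sid(sample)
    print(blob.hex())
    print(unpack_sid(blob))
    print(sid_to_base64(sample))
```

The well-known BUILTIN\Administrators SID S-1-5-32-544 is a handy self-check: its binary form is 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00.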
From geert at boskant.nl Thu Nov 8 19:41:51 2007
From: geert at boskant.nl (Geert Jansen) Date: Thu, 08 Nov 2007 19:41:51 +0100 Subject: Creating Active Directory Objects In-Reply-To: <47330594.7050003@adaptive-enterprises.com.au> References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com> <47320904.70500@boskant.nl> <2208A0CA90BDD842AC38CBC84B6ABEF50176A0CA@mercury.wyoarea.org> <47330594.7050003@adaptive-enterprises.com.au> Message-ID: <4733586F.60801@boskant.nl> > > Mike Matz wrote: >> >> Thanks for the help guys. It got me off to a great start. I have >> successfully created a user in my AD. As you already eluded to, I am >> struggling with the password attribute. Can the password attribute >> be set when creating a user. From what I gathered, the password >> attribute is 'unicodePwd'. >> Forget about using LDAP to change a user's password. It can be done but it requires 128-bit SSL and so you need to set up certificate services and distribute the CA certificate to your client. An easier way is to use the Kerberos Set Password protocol (RFC3244). MIT Kerberos 1.3 and later support this protocol. Unfortunately there is no command-line interface to this call so you need to create a Python extension module for wrapping this call. My (in progress) project FreeADI contains a wrapper for the Set Password call. See the file "/trunk/freeadi/core/_krb5.c" on my Trac page at freeadi.org. The code is available under the liberal MIT license. The "userPassword" attribute is the Unix shadow hash, and is not used for Kerberos. Regards, Geert From d at adaptive-enterprises.com.au Fri Nov 9 01:03:56 2007 
From: d at adaptive-enterprises.com.au (David Leonard) Date: Fri, 09 Nov 2007 10:03:56 +1000 Subject: Creating Active Directory Objects In-Reply-To: <47334D11.3020105@stroeder.com> References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com> <47320904.70500@boskant.nl> <2208A0CA90BDD842AC38CBC84B6ABEF50176A0CA@mercury.wyoarea.org> <47330594.7050003@adaptive-enterprises.com.au> <47331C58.1090306@adaptive-enterprises.com.au> <47334D11.3020105@stroeder.com> Message-ID: <4733A3EC.4000404@adaptive-enterprises.com.au> Michael Ströder wrote: > David Leonard wrote: > >> I hope someone else can >> chime in here with an example of sasl binds with python-ldap. >> > > See: Demo/sasl_bind.py > > oops, of course! thanks michael :) -- David Leonard d at adaptive-enterprises.com.au Ph:+61 404 844 850 -------------- next part -------------- An HTML attachment was scrubbed... URL: From michael at stroeder.com Fri Nov 9 10:35:16 2007
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Fri, 09 Nov 2007 10:35:16 +0100 Subject: Creating Active Directory Objects In-Reply-To: <4733586F.60801@boskant.nl> References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com> <47320904.70500@boskant.nl> <2208A0CA90BDD842AC38CBC84B6ABEF50176A0CA@mercury.wyoarea.org> <47330594.7050003@adaptive-enterprises.com.au> <4733586F.60801@boskant.nl> Message-ID: <473429D4.3040705@stroeder.com> Geert Jansen wrote: > > Forget about using LDAP to change a user's password. It can be done but > it requires 128-bit SSL and so you need to set up certificate services > and distribute the CA certificate to your client. An easier way is to > use the Kerberos Set Password protocol (RFC3244). MIT Kerberos 1.3 and > later support this protocol. Unfortunately there is no command-line > interface to this call so you need to create a Python extension module > for wrapping this call. > > My (in progress) project FreeADI contains a wrapper for the Set Password > call. See the file "/trunk/freeadi/core/_krb5.c" on my Trac page at > freeadi.org. The code is available under the liberal MIT license. If you're already on that route you might be interested in the heimdal-wrapper module by Univention. Its license is GPL. Not sure whether they support the Set Password protocol though. Ciao, Michael. From mmatz at wyoarea.org Fri Nov 9 14:36:34 2007 
From: mmatz at wyoarea.org (Mike Matz) Date: Fri, 9 Nov 2007 08:36:34 -0500 Subject: Creating Active Directory Objects In-Reply-To: <473429D4.3040705@stroeder.com> References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com> <47320904.70500@boskant.nl> <2208A0CA90BDD842AC38CBC84B6ABEF50176A0CA@mercury.wyoarea.org> <47330594.7050003@adaptive-enterprises.com.au><4733586F.60801@boskant.nl> <473429D4.3040705@stroeder.com> Message-ID: <02839B20-E31F-40AC-BCAD-B03CBEDBFFE8@wyoarea.org> Thank you to all who responded to my queries. I have been able to successfully create an account and set the password for an AD user on my test server. For those who are interested here is the breakdown of what I did. As I continue to debug and test I will post updates to this topic. Connected via SSL to the server. There is no need to manage certificates on the client since I am not binding, only establishing an LDAP connection. Certificate Services do need to be installed on the server. In the future I plan to try to implement the sasl_bind code that Michael mentioned. To create the account I performed an ldap add and to set the password I performed a modify on the unicodePwd attribute. This has appeared to work successfully. I am able to authenticate as the newly created user, map a home directory, etc. I will need to do further testing to ensure that this is a valid method for creating an account. Once again, thanks to all who provided input! Regards, Mike On Nov 9, 2007, at 4:35 AM, Michael Str?der wrote: > Geert Jansen wrote: >> >> Forget about using LDAP to change a user's password. It can be done >> but >> it requires 128-bit SSL and so you need to set up certificate >> services >> and distribute the CA certificate to your client. An easier way is to >> use the Kerberos Set Password protocol (RFC3244). MIT Kerberos 1.3 >> and >> later support this protocol. 
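The unicodePwd handling Michael spelled out earlier in the thread (quoted value, UTF-16LE, MOD_DELETE+MOD_ADD for a self-change versus MOD_REPLACE for an administrative reset) and the add-then-modify sequence Mike ended up with, as an added example. It is not code from the thread or from python-ldap; it only builds the values and modlists, and the MOD_* constants are defined locally with python-ldap's numeric values so the block runs without the C extension. The caller would send the result with conn.modify_s(dn, modlist) over an ldaps:// connection.

```python
"""Build unicodePwd values and modlists for Active Directory.

Added example, not code from the thread. AD expects the password wrapped in
double quotes and encoded as UTF-16LE. A user changing their own password
sends a delete of the old value plus an add of the new one; an administrator
resetting another account sends a single replace. Nothing here talks to a
server: pass the modlist to conn.modify_s(dn, modlist) yourself.
"""
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2  # same values as python-ldap's ldap.MOD_*


def encode_unicode_pwd(password):
    """The on-the-wire form: '"password"' in UTF-16LE, no BOM."""
    return ('"' + password + '"').encode("utf-16-le")


def is_valid_unicode_pwd(value):
    """Check a value before sending it; AD answers a badly encoded one with a generic error.

    A correct value is bytes of even length that decodes as UTF-16LE to a string
    starting and ending with a double quote."""
    if not isinstance(value, bytes) or len(value) < 4 or len(value) % 2:
        return False
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError:
        return False
    return len(text) >= 2 and text[0] == '"' and text[-1] == '"'


def self_change_modlist(old_password, new_password):
    """User changes their own password: the server verifies the old value."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def admin_reset_modlist(new_password):
    """Administrator resets another account's password: no old value needed."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]


if __name__ == "__main__":
    # Constructed sample passwords; never log or print real ones.
    print(encode_unicode_pwd("p4ss"))
    print(self_change_modlist("old-p4ss", "new-p4ss"))
    print(admin_reset_modlist("new-p4ss"))
```

Note that the plain UTF-8 bytes b'"p4ss"' pass a length check but fail is_valid_unicode_pwd(), which is exactly the mistake the encoding rule guards against.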
Unfortunately there is no command-line >> interface to this call so you need to create a Python extension >> module >> for wrapping this call. >> >> My (in progress) project FreeADI contains a wrapper for the Set >> Password >> call. See the file "/trunk/freeadi/core/_krb5.c" on my Trac page at >> freeadi.org. The code is available under the liberal MIT license. > > If you're already on that route you might be interested in the > heimdal-wrapper module by Univention. Its license is GPL. Not sure > whether they support the Set Password protocol though. > > Ciao, Michael. > > From michael at stroeder.com Fri Nov 9 16:16:33 2007 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Fri, 09 Nov 2007 16:16:33 +0100 Subject: Creating Active Directory Objects In-Reply-To: <02839B20-E31F-40AC-BCAD-B03CBEDBFFE8@wyoarea.org> References: <4730CBBF.8060506@boskant.nl> <473188EE.1030403@stroeder.com> <47320904.70500@boskant.nl> <2208A0CA90BDD842AC38CBC84B6ABEF50176A0CA@mercury.wyoarea.org> <47330594.7050003@adaptive-enterprises.com.au><4733586F.60801@boskant.nl> <473429D4.3040705@stroeder.com> <02839B20-E31F-40AC-BCAD-B03CBEDBFFE8@wyoarea.org> Message-ID: <473479D1.6070206@stroeder.com> Mike Matz wrote: > In the future I plan to try to implement the sasl_bind > code that Michael mentioned. In the past after invoking kinit command-line tool for getting a TGT I was successful sending a SASL bind with mech GSSAPI with python-ldap, OpenLDAP libs and heimdal. But not sure about whether this all works together with a recent version of heimdal... Ciao, Michael. From joe at open-it.org Thu Nov 8 19:12:12 2007 
From thomas.crawley at beacon-cs.com Tue Nov 20 18:24:50 2007
From: thomas.crawley at beacon-cs.com (Thomas Crawley) Date: Tue, 20 Nov 2007 12:24:50 -0500 Subject: Python LDAP version availability Message-ID: Hi, I need to get my hands on an version 2.2.1 of Python-LDAP. I am trying to install Python LDAP and have run into the same problem which this guy had. http://sourceforge.net/mailarchive/forum.php?thread_name=7fc4c9060709131 427y4e536238g3fac0db80538945f%40mail.gmail.com&forum_name=python-ldap-de v I do not want to upgrade to OpenLDAP 2.3. I just need a version of Python-LDAP compatible with OpenLDAP 2.2. Where can I get such a version of Python-LDAP ? The only version on SourceForge is 2.3.1 and easy_install does not work. Thanks Tom -------------- next part -------------- An HTML attachment was scrubbed... URL: From vela at debian.org Tue Nov 20 18:45:42 2007 From: vela at debian.org (Matej Vela) Date: Tue, 20 Nov 2007 18:45:42 +0100 Subject: Python LDAP version availability In-Reply-To: (Thomas Crawley's message of "Tue\, 20 Nov 2007 12\:24\:50 -0500") References: Message-ID: <87abp8dd4p.fsf@slavuj.carpriv.carnet.hr> "Thomas Crawley" writes: > I need to get my hands on an version 2.2.1 of Python-LDAP. > > I am trying to install Python LDAP and have run into the same problem > which this guy had. > > [1]http://sourceforge.net/mailarchive/forum.php?thread_name=7fc4c9060709131427y4e536238g3fac0db80538945f%40mail.gmail.com&forum_name=python-ldap-dev > > I do not want to upgrade to OpenLDAP 2.3. I just need a version of > Python-LDAP compatible with OpenLDAP 2.2. > > Where can I get such a version of Python-LDAP ? If you're using Debian or one of its derivatives (e.g. Ubuntu), "apt-get -b source python-ldap" should do the trick. If not, . Cheers, Matej From michael at stroeder.com Wed Nov 21 09:51:32 2007 
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Wed, 21 Nov 2007 09:51:32 +0100 Subject: Python LDAP version availability In-Reply-To: References: Message-ID: <4743F194.7070408@stroeder.com> Thomas Crawley wrote: > > I need to get my hands on an version 2.2.1 of Python-LDAP. Really 2.2.1? Note that this won't run with Python 2.5 on 64 bit platforms. Make sure that you fully understand all the issues fixed since then by examining file CHANGES thoroughly. CHANGES of CVS HEAD can be found here: http://python-ldap.cvs.sourceforge.net/python-ldap/python-ldap/CHANGES?view=markup > I am trying to install Python LDAP and have run into the same problem > which this guy had. > > http://sourceforge.net/mailarchive/forum.php?thread_name=7fc4c9060709131427y4e536238g3fac0db80538945f%40mail.gmail.com&forum_name=python-ldap-dev IIRC in this case headers in local installation were messed up. The original poster tried to build with OpenLDAP 2.3 libs but used the wrong header file. > I do not want to upgrade to OpenLDAP 2.3. I just need a version of > Python-LDAP compatible with OpenLDAP 2.2. Why? OpenLDAP 2.2 is historic today. There's no support anymore for either OpenLDAP 2.2- (OpenLDAP project team) and python-ldap 2.2- (me). > Where can I get such a version of Python-LDAP ? I disable downloads of older versions for very good reasons. I could provide this old version on case-by-case basis if there's a really good reason. But there's absolutely no support/warranty for it. And I will refuse to answer any questions regarding this old version. (This also applies to Debian packages of python-ldap which claims to be python-ldap 2.3.1 but with a rather large patch set applied for backward compability to OpenLDAP 2.1.) Ciao, Michael. From anilj at entic.net Fri Nov 30 20:40:30 2007 
From: anilj at entic.net (Anil Jangity) Date: Fri, 30 Nov 2007 11:40:30 -0800 Subject: modifying problem Message-ID: I am not sure if this is a problem in my code, python ldap code, or the (beta) LDAP server I am using: A piece of the entry is as follows: dn: cn=Ahmad Qazi+mail=something at uasdf.ca, mail=testl at hello.com, ou =People, o=entic.net mail: something at uasdf.ca cn: Ahmad Qazi ... First of all, how was this entry added? Is having a RDN with the + and the mail, allowed? I thought since the RDN is 'cn', it needs to match exactly the 'cn' attribute, how can the mail be concatenated? Then, I see the following in the LDAP server logs: [30/Nov/2007:11:28:43 -0800] MODIFY conn=1943 op=1 msgID=2 result="Not Allowed on RDN" message="Entry cn=Ahmad Qazi+mail=something at uasdf.ca,mail=testl at hello.com,ou=People,o=entic.net cannot be modified because the change to attribute mail would have removed a value used in the RDN" etime=1 How should I correctly handle data entered by the users in python-ldap? Thanks, Anil From anilj at entic.net Fri Nov 30 21:26:34 2007 
From: anilj at entic.net (Anil Jangity) Date: Fri, 30 Nov 2007 12:26:34 -0800 Subject: modifying problem In-Reply-To: References: Message-ID: Okay, I was just introduced to "multi-valued RDN", didn't know about that. So, here's a quick question. Is there a easy way/code to modify these kinds of RDN? Its a little bit of extra work to have to go figure out that a RDN is being changed and then go use modrdn. Thanks, Anil On 11/30/07, Anil Jangity wrote: > I am not sure if this is a problem in my code, python ldap code, or > the (beta) LDAP server I am using: > > A piece of the entry is as follows: > > dn: cn=Ahmad Qazi+mail=something at uasdf.ca, mail=testl at hello.com, ou > =People, o=entic.net > mail: something at uasdf.ca > cn: Ahmad Qazi > ... > > First of all, how was this entry added? Is having a RDN with the + and > the mail, allowed? I thought since the RDN is 'cn', it needs to match > exactly the 'cn' attribute, how can the mail be concatenated? > > Then, I see the following in the LDAP server logs: > > [30/Nov/2007:11:28:43 -0800] MODIFY conn=1943 op=1 msgID=2 result="Not > Allowed on RDN" message="Entry cn=Ahmad > Qazi+mail=something at uasdf.ca,mail=testl at hello.com,ou=People,o=entic.net > cannot be modified because the change to attribute mail would have > removed a value used in the RDN" etime=1 > > How should I correctly handle data entered by the users in python-ldap? > > Thanks, > Anil > -- Solaris v.Dedicated Server http://entic.net/servers +1 408 689 0044 support at entic.net From ahasenack at terra.com.br Sat Dec 1 11:18:17 2007 
From: ahasenack at terra.com.br (Andreas) Date: Sat, 1 Dec 2007 08:18:17 -0200 Subject: modifying problem In-Reply-To: References: Message-ID: <20071201101817.GA24399@terra.com.br> On Fri, Nov 30, 2007 at 12:26:34PM -0800, Anil Jangity wrote: > Okay, I was just introduced to "multi-valued RDN", didn't know about that. > > So, here's a quick question. Is there a easy way/code to modify these > kinds of RDN? Its a little bit of extra work to have to go figure out > that a RDN is being changed and then go use modrdn. I would try a modrdn_s() call. Never used it with a multi-valued RDN before, though. From michael at stroeder.com Sat Dec 1 14:26:24 2007 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Sat, 01 Dec 2007 14:26:24 +0100 Subject: modifying problem In-Reply-To: References: Message-ID: <47516100.9000901@stroeder.com> Anil Jangity wrote: > Okay, I was just introduced to "multi-valued RDN", didn't know about that. Because of this + is also a special char in DNs. Always use ldap.dn.escape_dn_chars() to escape special chars in attribute values before forming a DN string. > So, here's a quick question. Is there a easy way/code to modify these > kinds of RDN? Its a little bit of extra work to have to go figure out > that a RDN is being changed and then go use modrdn. Well, you have to check yourself whether an attribute is part of the RDN and then use method rename/rename_s() to do the necessary changes. Note that delold=1 makes it remove the old attribute values. BTW: Today modrdn/modrdn_s() is just a wrapper method around rename(). ldap.dn.explode_rdn() or even better ldap.dn.str2dn() might be handy to decompose (R)DN strings. Ciao, Michael. From roland.hedberg at adm.umu.se Wed Dec 5 17:36:15 2007 
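Michael's advice above (check whether the attribute is part of the RDN, use rename with delold=1 if so, escape values with escape_dn_chars, decompose DNs with str2dn), as an added example that is not python-ldap's own code. parse_dn() and escape_dn_chars() below are small stand-ins for ldap.dn.str2dn() and ldap.dn.escape_dn_chars() so the block runs without the C extension; the escaping follows RFC 4514, and the DN in the usage block is constructed in the shape of Anil's.

```python
"""Route an attribute change to modify or rename depending on whether the
attribute is part of the entry's (possibly multi-valued) RDN, so the server
does not answer "Not Allowed on RDN".

Added example, not python-ldap code. parse_dn() / escape_dn_chars() stand in
for ldap.dn.str2dn() / ldap.dn.escape_dn_chars(); escaping per RFC 4514.
"""
MOD_REPLACE = 2  # same numeric value as python-ldap's ldap.MOD_REPLACE

HEX = "0123456789abcdefABCDEF"


def _split_unescaped(s, sep):
    """Split s on sep, keeping backslash-escaped separators inside the value."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts


def unescape_dn_value(v):
    """Undo RFC 4514 escaping: '\\,' -> ',' and hex pairs such as '\\2C' -> ','."""
    buf, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                buf.append(int(pair, 16))
                i += 3
            else:
                buf += v[i + 1].encode("utf-8")
                i += 2
        else:
            buf += v[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")


def escape_dn_chars(v):
    """Escape a raw attribute value for use inside a DN string (RFC 4514)."""
    v = v.replace("\\", "\\\\")
    for ch in ',+"<>;':
        v = v.replace(ch, "\\" + ch)
    v = v.replace("\x00", "\\00")
    if v[:1] in ("#", " "):
        v = "\\" + v
    if v.endswith(" ") and not v.endswith("\\ "):
        v = v[:-1] + "\\ "
    return v


def parse_dn(dn):
    """[[(type, value), ...], ...]: one inner list per RDN; '+' joins multi-valued RDNs."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            typ, _, raw = ava.partition("=")
            raw = raw.lstrip()
            while raw.endswith(" ") and not raw.endswith("\\ "):
                raw = raw[:-1]
            avas.append((typ.strip().lower(), unescape_dn_value(raw)))
        rdns.append(avas)
    return rdns


def rdn_to_str(avas):
    """Rebuild an RDN string from (type, value) pairs, escaping each value."""
    return "+".join("%s=%s" % (typ, escape_dn_chars(val)) for typ, val in avas)


def plan_change(dn, attr, new_value):
    """Return ('rename', new_rdn, delold) or ('modify', modlist).

    Send them as conn.rename_s(dn, new_rdn, None, delold) or
    conn.modify_s(dn, modlist) respectively."""
    rdn = parse_dn(dn)[0]
    if any(typ == attr.lower() for typ, _ in rdn):
        # Keep the other RDN components; delold=1 removes the old value.
        new_rdn = [(typ, new_value if typ == attr.lower() else val) for typ, val in rdn]
        return ("rename", rdn_to_str(new_rdn), 1)
    return ("modify", [(MOD_REPLACE, attr, [new_value.encode("utf-8")])])


if __name__ == "__main__":
    # Constructed DN in the shape of the one from the thread.
    dn = "cn=Ahmad Qazi+mail=old@example.com, ou=People, o=example"
    print(plan_change(dn, "mail", "new@example.com"))
    print(plan_change(dn, "telephoneNumber", "555-0100"))
```

Attribute types are lower-cased during parsing, so the comparison is case-insensitive as LDAP requires; the rebuilt RDN therefore comes out in lower case.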
From: roland.hedberg at adm.umu.se (Roland Hedberg) Date: Wed, 05 Dec 2007 17:36:15 +0100 Subject: sAMAccountName Message-ID: <4756D37F.5030609@adm.umu.se> Hi! A short while ago there was a discussion about how to add users to an AD using python-ldap. I benefited a lot from that discussion, so you have my thanks too. On the topic python-ldap <-> AD: My problem is that I can add an entry using the User object class and attributes contained in that class without any problems. But when I try to add the samAccountName attribute and thereby the object class SecurityPrincipal the server complains. The error message I get is 'Server is unwilling to perform' which doesn't really tell me a lot :-) Anyone got a clue ? The AD isn't 'mine', but if there is something you need to know about it in order to answer my question I can ask the person in charge. -- Roland From michael at stroeder.com Wed Dec 5 19:17:43 2007 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Wed, 05 Dec 2007 19:17:43 +0100 Subject: sAMAccountName In-Reply-To: <4756D37F.5030609@adm.umu.se> References: <4756D37F.5030609@adm.umu.se> Message-ID: <4756EB47.8090200@stroeder.com> Roland, Roland Hedberg wrote: > > But when I try to add the samAccountName attribute and thereby the > object class SecurityPrincipal the server complains. Could you please post a small test script? Are you sure the value of the samAccountName does not collide with any other user entry? > The error message I get is 'Server is unwilling to perform' which > doesn't really tell me a lot :-) Most times it also returns a numeric error code with that message. You could try to search for that. Also the guys in the AD newsgroups on MS' NNTP server are quite helpful. Don't forget to let us know... ;-) Ciao, Michael. From roland.hedberg at adm.umu.se Thu Dec 6 11:20:03 2007 
From: roland.hedberg at adm.umu.se (Roland Hedberg) Date: Thu, 06 Dec 2007 11:20:03 +0100 Subject: sAMAccountName In-Reply-To: <4756EB47.8090200@stroeder.com> References: <4756D37F.5030609@adm.umu.se> <4756EB47.8090200@stroeder.com> Message-ID: <4757CCD3.5060407@adm.umu.se> Michael Ströder wrote: > > Roland Hedberg wrote: >> But when I try to add the samAccountName attribute and thereby the >> object class SecurityPrincipal the server complains. > > Could you please post a small test script? > > Are you sure the value of the samAccountName does not collide with any > other user entry? Oh, absolutely! I'm now convinced that this all comes down to LDAP schema problems. The schema file I have describing the AD schema has samAccountName as an attribute in the 'securityPrincipal' aux class. But, it turns out that the AD I'm working against has no problem using the attribute without adding the 'securityPrincipal' object class. In fact, in that server the attribute seems to be part of the object class 'User' !? I've searched the net for up-to-date versions of the AD schema but they seem hard to come by. Anyone got a recent version ? I found one fairly recent but that caused other problems since some attributes previously part of the standard schema have now moved over to the Microsoft Exchange schema. So anyone got one of those too ? Sigh ! -- Roland From michael at stroeder.com Thu Dec 6 11:39:03 2007
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Thu, 06 Dec 2007 11:39:03 +0100 Subject: sAMAccountName In-Reply-To: <4757CCD3.5060407@adm.umu.se> References: <4756D37F.5030609@adm.umu.se> <4756EB47.8090200@stroeder.com> <4757CCD3.5060407@adm.umu.se> Message-ID: <4757D147.4060506@stroeder.com> Roland, Roland Hedberg wrote: > > I'm now convinced that this all comes down to LDAP schema problems. Somewhat...I recommend not to care too much. > The schema file I have describing the AD schema has samAccountName as an > attribute in the 'securityPrincipal' aux class. > > But, it turns out that the AD I working against has no problem using the > attribute without adding the 'securityPrincipal' object class. > In fact, in that server the attribute seems to be part of the object > class 'User' !? Welcome to the wonderful world of LDAP access to Active Directory. Don't take the schema literally especially when accessing W2K/AD. Some things improved with W2K3. Also some W2K/AD installations have the W2K3R2 schema installed. And also some behaviour might depend on the domain functional level. > I've search the net for up-to-date versions of the AD schema but they > seem hard to get by. > Anyone got a recent version ? It would not help: 1. The schema is not really cleanly enforced. 2. It depends on Windows version and local configuration. Not sure about the domain functional level though. > I found one fairly recent but that caused other problems since some > attributes previously part of the standard schema now has move over to > the Microsoft exchange schema. Also a reason why one should not bother with retrieving a recent AD schema at all. I vaguely remember even more mess with e.g. inetOrgPerson class when installing Exchange before W2K3R2 schema etc. Conclusion: Make your AD-specific scripts simply work even if it looks not LDAPv3 compliant and leave the schema mess to your AD admins. :-) Ciao, Michael. 
-- Michael Str?der E-Mail: michael at stroeder.com http://www.stroeder.com From michael at stroeder.com Thu Dec 6 11:44:51 2007 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Thu, 06 Dec 2007 11:44:51 +0100 Subject: sAMAccountName In-Reply-To: <4756EB47.8090200@stroeder.com> References: <4756D37F.5030609@adm.umu.se> <4756EB47.8090200@stroeder.com> Message-ID: <4757D2A3.6060807@stroeder.com> Roland, Michael Str?der wrote: > Roland Hedberg wrote: >> The error message I get is 'Server is unwilling to perform' which >> doesn't really tell me a lot :-) > > Most times it also returns a numeric error code with that message. You > could try to search for that. Also the guys in the AD newsgroups on MS' > NNTP server are quite helpful. Don't forget to let us know... ;-) FWIW: news://msnews.microsoft.com/microsoft.public.windows.server.active_directory Ciao, Michael. From roland.hedberg at adm.umu.se Thu Dec 6 13:40:40 2007 From: roland.hedberg at adm.umu.se (Roland Hedberg) Date: Thu, 06 Dec 2007 13:40:40 +0100 Subject: sAMAccountName In-Reply-To: <4757D147.4060506@stroeder.com> References: <4756D37F.5030609@adm.umu.se> <4756EB47.8090200@stroeder.com> <4757CCD3.5060407@adm.umu.se> <4757D147.4060506@stroeder.com> Message-ID: <4757EDC8.4060906@adm.umu.se> Michael Str?der wrote: > Also a reason why one should not bother with retrieving a recent AD > schema at all. I vaguely remember even more mess with e.g. inetOrgPerson > class when installing Exchange before W2K3R2 schema etc. > > Conclusion: Make your AD-specific scripts simply work even if it looks > not LDAPv3 compliant and leave the schema mess to your AD admins. :-) I'm extremely sorry to hear this. And wished I was able to leave it to the AD admins, but alas I can't. Anyway, thanks Michael for the information. -- Roland From geert at boskant.nl Thu Dec 6 20:04:01 2007 
From: geert at boskant.nl (Geert Jansen)
Date: Thu, 06 Dec 2007 20:04:01 +0100
Subject: sAMAccountName
In-Reply-To: <4756D37F.5030609@adm.umu.se>
References: <4756D37F.5030609@adm.umu.se>
Message-ID: <475847A1.5060700@boskant.nl>

Roland Hedberg wrote:
> On the topic python-ldap <-> AD:
>
> My problem is that I can add an entry using the User object class and
> attributes contained in that class without any problems.
>
> But when I try to add the samAccountName attribute and thereby the
> object class SecurityPrincipal the server complains.

I am not 100% sure whether this is the same issue, but I have noticed that you cannot create a security principal in AD without a valid password. But because you can only set the password once the principal is created, this is a cyclical dependency. You can get out of this by creating the account in the disabled state (by setting the appropriate flag in userAccountControl), then setting the password, and then enabling it.

On a related note, you may be interested in my current project Python-AD: http://www.boskant.nl/trac/python-ad/

The code is ready for use and I will make the first release in a couple of days. At the moment the code is available through Mercurial. I have a working example script for creating a user with Python-AD here: http://www.boskant.nl/trac/python-ad/wiki/TutorialFive

The example sets sAMAccountName and it works flawlessly.

Regards, Geert

From chaoseternal at gmail.com Fri Dec 7 02:49:29 2007
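The create-disabled, set-password, then-enable sequence Geert describes, as an added example that is not code from the original thread, from Python-AD or from python-ldap. The OU, account names and password are constructed; the userAccountControl bit values and the quoted UTF-16LE unicodePwd encoding are Microsoft's documented conventions, and a live run assumes a python-ldap connection that is already bound over LDAPS or StartTLS.

```python
# Added example: provision an AD user in the three steps described above.
# Not Python-AD or python-ldap code.  OU, names and password are constructed.
try:
    import ldap  # python-ldap; only needed for a live run
    MOD_REPLACE = ldap.MOD_REPLACE
except ImportError:
    MOD_REPLACE = 2  # python-ldap's numeric value for a replace modification

# userAccountControl bits as documented by Microsoft
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200


def encode_unicode_pwd(password):
    """AD takes unicodePwd as the password in double quotes, UTF-16LE encoded,
    and only over an encrypted (LDAPS or StartTLS) connection."""
    return ('"%s"' % password).encode("utf-16-le")


def build_user_add(ou_dn, cn, sam_account_name, upn):
    """Return (dn, modlist) for add_s(): the user is created *disabled*, so the
    add succeeds although no password exists yet."""
    dn = "CN=%s,%s" % (cn, ou_dn)
    uac = NORMAL_ACCOUNT | ACCOUNTDISABLE  # 514
    modlist = [
        ("objectClass", [b"top", b"person", b"organizationalPerson", b"user"]),
        ("cn", [cn.encode("utf-8")]),
        ("sAMAccountName", [sam_account_name.encode("utf-8")]),
        ("userPrincipalName", [upn.encode("utf-8")]),
        ("userAccountControl", [str(uac).encode("ascii")]),
    ]
    return dn, modlist


def build_password_modify(password):
    """Second step: set the password on the now-existing principal."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(password)])]


def build_enable_modify():
    """Third step: clear ACCOUNTDISABLE, leaving NORMAL_ACCOUNT (512)."""
    return [(MOD_REPLACE, "userAccountControl",
             [str(NORMAL_ACCOUNT).encode("ascii")])]


def provision_user(conn, ou_dn, cn, sam_account_name, upn, password):
    """Run the three steps in order against anything exposing python-ldap's
    add_s()/modify_s().  A real connection must already be bound over TLS."""
    dn, add_modlist = build_user_add(ou_dn, cn, sam_account_name, upn)
    conn.add_s(dn, add_modlist)
    conn.modify_s(dn, build_password_modify(password))
    conn.modify_s(dn, build_enable_modify())
    return dn


class DryRunConnection:
    """Records the operations instead of sending them, so the sequence can be
    inspected offline (constructed stand-in for an ldap.LDAPObject)."""

    def __init__(self):
        self.calls = []

    def add_s(self, dn, modlist):
        self.calls.append(("add", dn, modlist))

    def modify_s(self, dn, modlist):
        self.calls.append(("modify", dn, modlist))


if __name__ == "__main__":
    conn = DryRunConnection()
    provision_user(conn, "OU=Staff,DC=example,DC=test", "Example User",
                   "exuser", "exuser@example.test", "Constructed-Passw0rd")
    for op, dn, modlist in conn.calls:
        print(op, dn, modlist)
```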
From: chaoseternal at gmail.com (Chaos Eternal)
Date: Fri, 7 Dec 2007 09:49:29 +0800
Subject: sAMAccountName
In-Reply-To: <4756D37F.5030609@adm.umu.se>
References: <4756D37F.5030609@adm.umu.se>
Message-ID: <6456782e0712061749v402b2171t4b61a715a86c883d@mail.gmail.com>

I think there may be some problem if you set sAMAccountName inconsistent with userPrincipalName.

BTW, if one Directory Server tells you that it is UNWILLING TO PERFORM some operations then you cannot complete the same operations using ANY ldap client!

On Dec 6, 2007 12:36 AM, Roland Hedberg wrote:
> Hi!
>
> A short while ago there was a discussion about how to add users to an AD
> using python-ldap.
>
> I benefited a lot from that discussion, so you have my thanks too.
>
> On the topic python-ldap <-> AD:
>
> My problem is that I can add an entry using the User object class and
> attributes contained in that class without any problems.
>
> But when I try to add the samAccountName attribute and thereby the
> object class SecurityPrincipal the server complains.
>
> The error message I get is 'Server is unwilling to perform' which
> doesn't really tell me a lot :-)
>
> Anyone got a clue ?
>
> The AD isn't 'mine', but if there is something you need to know about it
> in order to answer my question I can ask the person in charge.
>
> -- Roland

-- Best Regards Chaos Eternal

From geert at boskant.nl Fri Dec 7 09:07:27 2007
From: geert at boskant.nl (Geert Jansen)
Date: Fri, 07 Dec 2007 09:07:27 +0100
Subject: sAMAccountName
In-Reply-To: <4758782B.4090003@stroeder.com>
References: <4756D37F.5030609@adm.umu.se> <475847A1.5060700@boskant.nl> <4758782B.4090003@stroeder.com>
Message-ID: <4758FF3F.20506@boskant.nl>

Michael Ströder wrote:
> Geert Jansen wrote:
>
>> On a related note, you may be interested in my current project
>> Python-AD: http://www.boskant.nl/trac/python-ad/
>>
>
> How are you using Kerberos? Do you expect the user to run MIT's kinit
> before sending a SASL/GSSAPI bind request? Does it also work with
> heimdal? Do you make use of a Windows logon when running on Windows?
>

The user doesn't need to run kinit (but he can do so and in that case those credentials can be picked up). I provide a class called "Creds" that the user can use to acquire credentials:

    from ad import Creds, activate
    creds = Creds(domain)
    creds.acquire(username, password)
    activate(creds)

Behind the scenes a new private ccache and Kerberos configuration are installed using the $KRB5CCNAME and $KRB5_CONFIG environment variables.

I have not tested this with Heimdal so far. If it supports the environment variables above it should work. Also I haven't tested Windows but I think that the Creds interface should be portable to that platform as well.

Regards, Geert

From michael at stroeder.com Thu Dec 6 23:31:07 2007
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 06 Dec 2007 23:31:07 +0100
Subject: sAMAccountName
In-Reply-To: <475847A1.5060700@boskant.nl>
References: <4756D37F.5030609@adm.umu.se> <475847A1.5060700@boskant.nl>
Message-ID: <4758782B.4090003@stroeder.com>

Geert Jansen wrote:
>
> On a related note, you may be interested in my current project
> Python-AD: http://www.boskant.nl/trac/python-ad/

How are you using Kerberos? Do you expect the user to run MIT's kinit before sending a SASL/GSSAPI bind request? Does it also work with heimdal? Do you make use of a Windows logon when running on Windows?

Ciao, Michael.

From michael at stroeder.com Fri Dec 7 09:48:17 2007
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 07 Dec 2007 09:48:17 +0100
Subject: sAMAccountName
In-Reply-To: <6456782e0712061749v402b2171t4b61a715a86c883d@mail.gmail.com>
References: <4756D37F.5030609@adm.umu.se> <6456782e0712061749v402b2171t4b61a715a86c883d@mail.gmail.com>
Message-ID: <475908D1.8070109@stroeder.com>

Chaos Eternal wrote:
> i think, the may be some problem if you set sAMAccountName inconsistent
> with userPrincipalName.

AFAIK sAMAccountName and userPrincipalName are independent and can be set according to completely different naming conventions. You should try out what is possible using the MMC User and Groups snapin.

Ciao, Michael.

From geert at boskant.nl Sat Dec 8 17:17:34 2007
From: geert at boskant.nl (Geert Jansen)
Date: Sat, 08 Dec 2007 17:17:34 +0100
Subject: [ANNOUNCE] python-ad
Message-ID: <475AC39E.9050905@boskant.nl>

All,

with this email I am announcing the first public release of python-ad. Python-AD is a Python client for MS Active Directory built on top of python-ldap. Amongst others it has the following features:

* Automatic domain controller discovery (taking into account locality and timing)
* Transparent multi-domain functionality.
* Credential management. Credentials can be acquired using a username/password, username/keytab or can be loaded from the OS.

Python-AD is ideal for situations where you need to manage data in AD from UNIX or Linux, such as adding users or querying printers.

The software, including full documentation, can be found at: http://www.boskant.nl/trac/python-ad/

Regards, Geert Jansen

From mmatz at wyoarea.org Mon Dec 10 13:24:24 2007
From: mmatz at wyoarea.org (Mike Matz)
Date: Mon, 10 Dec 2007 07:24:24 -0500
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475AC39E.9050905@boskant.nl>
References: <475AC39E.9050905@boskant.nl>
Message-ID:

Will this initial release work on Mac OS X? If not, are there any plans in the future for Mac OS X?

Thanks, Mike

On Dec 8, 2007, at 11:17 AM, Geert Jansen wrote:
> All,
>
> with this email I am announcing the first public release of python-ad.
> Python-AD is a Python client for MS Active Directory built on top of
> python-ldap. Amongst others it has the following features:
>
> * Automatic domain controller discovery (taking into account locality
> and timing)
> * Transparent multi-domain functionality.
> * Credential management. Credentials can be acquired using a
> username/password, username/keytab or can be loaded from the OS.
>
> Python-AD is ideal for situations where you need to manage data in AD
> from UNIX or Linux, such as adding users or querying printers.
>
> The software, including full documentation, can be found at:
> http://www.boskant.nl/trac/python-ad/
>
> Regards,
> Geert Jansen

From craig at cs.uct.ac.za Mon Dec 10 13:32:21 2007
From: craig at cs.uct.ac.za (Craig Balfour)
Date: Mon, 10 Dec 2007 14:32:21 +0200
Subject: ldap.modlist.modifyModlist() bug?
Message-ID: <20071210123221.GE37877@casper2.cs.uct.ac.za>

I've been using ldap.compare_s(), ldap.modlist.modifyModlist() and ldap_modify_s() to keep an OpenLDAP database up to date from an external datasource.

I've just noticed, however, that when the old and new entry consist of the same characters but in a different order (as occurs when initials are swapped around, for example) ldap_compare_s() returns COMPARE_FALSE but modifyModlist() returns an empty list - the result being that nothing gets updated.

Here's some examples:

    modlist = ldap.modlist.modifyModlist({"givenName": "Fred"}, {"givenName": "Bob"})
    print str(modlist)
    [(1, 'givenName', None), (0, 'givenName', 'Bob')]

    modlist = ldap.modlist.modifyModlist({"givenName": "Fred"}, {"givenName": "derF"})
    print str(modlist)
    []

Is this a bug in modifyModlist() or a feature?

Craig

--
Craig Balfour - Unix Systems Administrator
Computer Science, University of Cape Town, Private Bag, Rondebosch, 7701

From geert at boskant.nl Mon Dec 10 18:52:32 2007
From: geert at boskant.nl (Geert Jansen)
Date: Mon, 10 Dec 2007 18:52:32 +0100
Subject: [ANNOUNCE] python-ad
In-Reply-To:
References: <475AC39E.9050905@boskant.nl>
Message-ID: <475D7CE0.4090605@boskant.nl>

Mike Matz wrote:
> Will this initial release work on Mac OS X? If not, are there any
> plans in the future for Mac OS X?

At the moment I have not tested Python-AD on OSX, but I would be happy to support it in a future version. This requires though that someone sends me patches, or that I find a way of getting access to OSX myself (I do not own a Mac).

Regards Geert

From michael at stroeder.com Mon Dec 10 20:50:11 2007
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 10 Dec 2007 20:50:11 +0100
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475D7CE0.4090605@boskant.nl>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl>
Message-ID: <475D9873.6070301@stroeder.com>

Geert Jansen wrote:
> Mike Matz wrote:
>> Will this initial release work on Mac OS X? If not, are there any
>> plans in the future for Mac OS X?
>
> At the moment I have not tested Python-AD on OSX, but I would be happy
> to support it in a future version. This requires though that someone
> sends me patches, or that I find a way of getting access to OSX myself
> (I do not own a Mac).

I saw that kinit is started as a shell sub-process. Another approach might be to use a Python wrapper module for heimdal by Univention (GPL-ed). Discussion starts here: http://www.stacken.kth.se/lists/heimdal-discuss/2007-06/msg00073.html

I have a working installation (import works) but did no further tests.

Ciao, Michael.

From geert at boskant.nl Mon Dec 10 22:29:31 2007
From: geert at boskant.nl (Geert Jansen)
Date: Mon, 10 Dec 2007 22:29:31 +0100
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475D9873.6070301@stroeder.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com>
Message-ID: <475DAFBB.5050406@boskant.nl>

Michael Ströder wrote:
> I saw that kinit is started as a shell sub-process.

Actually Python-AD comes with a C module that wraps the required Kerberos functions (see lib/ad/protocol/krb5.c). What you probably saw is the use of kinit in the test suite, where I use it to verify the credentials acquired by the C module.

Regards, Geert

From michael at stroeder.com Tue Dec 11 12:25:33 2007
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 11 Dec 2007 12:25:33 +0100
Subject: ldap.modlist.modifyModlist() bug?
In-Reply-To: <20071210123221.GE37877@casper2.cs.uct.ac.za>
References: <20071210123221.GE37877@casper2.cs.uct.ac.za>
Message-ID: <475E73AD.2020509@stroeder.com>

Craig Balfour wrote:
> I've just noticed, however, that when the old and new entry consist of
> the same characters but in a different order (as occurs when initials
> are swapped around, for example) ldap_compare_s() returns
> COMPARE_FALSE but modifyModlist() returns an empty list - the result
> being that nothing gets updated.
>
> Here's some examples:
>
> modlist = ldap.modlist.modifyModlist({"givenName": "Fred"}, {"givenName": "Bob"})
> print str(modlist)
> [(1, 'givenName', None), (0, 'givenName', 'Bob')]
>
> modlist = ldap.modlist.modifyModlist({"givenName": "Fred"}, {"givenName": "derF"})
> print str(modlist)
> []
>
> Is this a bug in modifyModlist() or a feature?

This is a bug in *your* code. ;-) But I also had to look at it twice before recognizing it.

Note that an attribute in the entry's dict is made of an attribute type and a *list* of attribute values (strings). You're passing in strings as attribute value lists and the function modifyModlist() iterates over the single chars in the string instead of iterating over the list items (attribute values).

So your examples should be (and modifyModlist() works as expected):

    Python 2.5.1 (r251:54863, Aug 3 2007, 00:52:06)
    [GCC 4.1.2 20061115 (prerelease) (SUSE Linux)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> from ldap.modlist import modifyModlist
    >>> modifyModlist({"givenName": ["Fred"]}, {"givenName": ["Bob"]})
    [(1, 'givenName', None), (0, 'givenName', ['Bob'])]
    >>> modifyModlist({"givenName": ["Fred"]}, {"givenName": ["derF"]})
    [(1, 'givenName', None), (0, 'givenName', ['derF'])]
    >>>

Ciao, Michael.

From michael at stroeder.com Tue Dec 11 14:45:01 2007
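A simplified re-implementation of the value comparison Michael describes, added here to show why a bare string yields an empty modlist for "Fred" -> "derF" but a delete/add for "Fred" -> "Bob"; it is not python-ldap's own modifyModlist() code (case-insensitive attribute matching and ignored attribute types are left out). check_entry() is a constructed helper that catches the mistake before the diff is built.

```python
# Added example: simplified model of ldap.modlist.modifyModlist()'s value
# comparison.  Not python-ldap's code; the entries below are constructed.
MOD_ADD = 0     # same numeric values as ldap.MOD_ADD / ldap.MOD_DELETE
MOD_DELETE = 1


def modify_modlist(old_entry, new_entry):
    """Diff two entry dicts into a list of (op, attrtype, values) tuples.

    Each attribute value is expected to be a *list* of strings.  If a bare
    string is passed instead, iterating over it yields its characters, so two
    anagrams of the same length ("Fred" and "derF") compare as unchanged."""
    modlist = []
    for attrtype, new_value in new_entry.items():
        old_value = old_entry.get(attrtype, [])
        if not old_value and new_value:
            modlist.append((MOD_ADD, attrtype, new_value))
        elif old_value and new_value:
            # Replace only when the number of values or the set of values
            # differs; order alone does not count as a change.
            changed = (len(old_value) != len(new_value)
                       or set(old_value) != set(new_value))
            if changed:
                modlist.append((MOD_DELETE, attrtype, None))
                modlist.append((MOD_ADD, attrtype, new_value))
        elif old_value and not new_value:
            modlist.append((MOD_DELETE, attrtype, None))
    # Attributes that exist only in the old entry are deleted.
    for attrtype in old_entry:
        if attrtype not in new_entry:
            modlist.append((MOD_DELETE, attrtype, None))
    return modlist


def check_entry(entry):
    """Return the attribute names whose value is a bare str/bytes instead of a
    list of values; an empty list means the entry is well-formed."""
    return [attr for attr, values in entry.items()
            if isinstance(values, (str, bytes))]


if __name__ == "__main__":
    # The thread's cases, first with the mistaken bare strings, then fixed.
    for old, new in [({"givenName": "Fred"}, {"givenName": "Bob"}),
                     ({"givenName": "Fred"}, {"givenName": "derF"}),
                     ({"givenName": ["Fred"]}, {"givenName": ["derF"]})]:
        print(check_entry(old) or "ok", modify_modlist(old, new))
```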
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 11 Dec 2007 14:45:01 +0100
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475DAFBB.5050406@boskant.nl>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl>
Message-ID: <475E945D.7040407@stroeder.com>

Geert Jansen wrote:
> Michael Ströder wrote:
>
>> I saw that kinit is started as a shell sub-process.
>
> Actually Python-AD comes with a C module that wraps the required
> Kerberos functions (see lib/ad/protocol/krb5.c). What you probably saw
> is the use of kinit in the test suite, where I use it to verify the
> credentials acquired by the C module.

Ah, ok. Interesting. Why don't you separate the krb5 module into another project? I guess some people might be interested in that.

Especially my dream would be to support HTTP-Authentication based on SPNEGO/GSSAPI in web2ldap. But not only authenticating the user at the web server. I would rather like to forward the service ticket requested for a particular LDAP service to the LDAP server in a SASL/GSSAPI BindRequest. Do you think that's feasible?

Ciao, Michael.

From d at adaptive-enterprises.com.au Tue Dec 11 15:08:13 2007
From: d at adaptive-enterprises.com.au (David Leonard)
Date: Wed, 12 Dec 2007 00:08:13 +1000
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475E945D.7040407@stroeder.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com>
Message-ID: <475E99CD.1060708@adaptive-enterprises.com.au>

Michael Ströder wrote:
> Geert Jansen wrote:
>
>> Michael Ströder wrote:
>>
>>> I saw that kinit is started as a shell sub-process.
>>>
>> Actually Python-AD comes with a C module that wraps the required
>> Kerberos functions (see lib/ad/protocol/krb5.c). What you probably saw
>> is the use of kinit in the test suite, where I use it to verify the
>> credentials acquired by the C module.
>>
>
> Ah, ok. Interesting. Why don't you separate the krb5 module into another
> project. I guess some people might be interested in that.
>
> Especially my dream would be to support HTTP-Authentication based on
> SPNEGO/GSSAPI in web2ldap. But not only authenticating the user at the
> web server. I would rather like forward the service ticket requested for
> a particular LDAP service to the LDAP server in a SASL/GSSAPI
> BindRequest. Do you think that's feasible?
>

There is pykerberos from http://trac.calendarserver.org/projects/calendarserver/browser/PyKerberos/

I am interested in a better GSSAPI binding for Python.. and have some incomplete code locally if anyone else is interested.

To do credential forwarding, the gss is currently kind of crappy about how to extract creds portably, but if you know it's kerberos and you can set KRB5CCNAME to a temporary file you can stash a delegated TGT into a temp ccache so that SASL/GSS can find it when you talk ldap.

--
David Leonard
d at adaptive-enterprises.com.au
Ph:+61 404 844 850

From python-ldap at tk-webart.de Tue Dec 11 15:19:28 2007
From: python-ldap at tk-webart.de (Torsten Kurbad)
Date: Tue, 11 Dec 2007 15:19:28 +0100
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475E945D.7040407@stroeder.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com>
Message-ID: <20071211151928.028267da@atalante.iwm-kmrc.de>

At Tue, 11 Dec 2007 14:45:01 +0100
Michael Ströder wrote:
> Ah, ok. Interesting. Why don't you separate the krb5 module into
> another project. I guess some people might be interested in that.

ME, ME, ME!!! :o)

I tried several krb5 modules lying around in the net so far - and none really worked! In fact, most of the implementations require an external kinit call, which is NOT what I intend to let my users do...

So, I'd very much appreciate it if you think about Michael's idea, Geert!

Regards, Torsten

--
"Triumph without Victory, The Unreported History of the Persian Gulf War", -Headline published in the U.S. News & World Report, 1992.

From rich.megginson at gmail.com Tue Dec 11 16:02:34 2007
From: rich.megginson at gmail.com (Rich Megginson)
Date: Tue, 11 Dec 2007 08:02:34 -0700
Subject: [ANNOUNCE] python-ad
In-Reply-To: <20071211151928.028267da@atalante.iwm-kmrc.de>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <20071211151928.028267da@atalante.iwm-kmrc.de>
Message-ID: <475EA68A.7070003@gmail.com>

Torsten Kurbad wrote:
> At Tue, 11 Dec 2007 14:45:01 +0100
> Michael Ströder wrote:
>
>> Ah, ok. Interesting. Why don't you separate the krb5 module into
>> another project. I guess some people might be interested in that.
>
> ME, ME, ME!!! :o)
>
> I tried several krb5 modules lying around in the net so far - and none
> really worked! In fact, most of the implementations require an external
> kinit call, which is NOT what I intend to let my users do...
>
> So, I'd very much appreciate, if you think about Michael's idea,
> Geert!
>
> Regards,
> Torsten

You might be interested in the freeipa.org project which uses python, python-ldap, turbogears, PyKerberos, and supports http authentication with forwardable tickets. I don't think they support SPNEGO yet but patches are welcome :-)

From noah.gift at gmail.com Tue Dec 11 16:25:00 2007
From: noah.gift at gmail.com (Noah Gift)
Date: Tue, 11 Dec 2007 10:25:00 -0500
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475EA68A.7070003@gmail.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <20071211151928.028267da@atalante.iwm-kmrc.de> <475EA68A.7070003@gmail.com>
Message-ID: <94BF564B-1A55-415A-8257-5DA88C430213@gmail.com>

On Dec 11, 2007, at 10:02 AM, Rich Megginson wrote:
> Torsten Kurbad wrote:
>> At Tue, 11 Dec 2007 14:45:01 +0100
>> Michael Ströder wrote:
>>
>>> Ah, ok. Interesting. Why don't you separate the krb5 module into
>>> another project. I guess some people might be interested in that.
>>
>> ME, ME, ME!!! :o)
>>
>> I tried several krb5 modules lying around in the net so far - and none
>> really worked! In fact, most of the implementations require an external
>> kinit call, which is NOT what I intend to let my users do...
>>
>> So, I'd very much appreciate, if you think about Michael's idea,
>> Geert!
>>
>> Regards,
>> Torsten
>
> You might be interested in the freeipa.org project which uses python,
> python-ldap, turbogears, PyKerberos, and supports http authentication
> with forwardable tickets. I don't think they support SPNEGO yet but
> patches are welcome :-)

Rich,

Have you used freeipa? I would be interested in covering this in the book I am writing about Python for Systems Administration.

Noah Gift

From rich.megginson at gmail.com Tue Dec 11 16:31:40 2007
From: rich.megginson at gmail.com (Rich Megginson)
Date: Tue, 11 Dec 2007 08:31:40 -0700
Subject: [ANNOUNCE] python-ad
In-Reply-To: <94BF564B-1A55-415A-8257-5DA88C430213@gmail.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <20071211151928.028267da@atalante.iwm-kmrc.de> <475EA68A.7070003@gmail.com> <94BF564B-1A55-415A-8257-5DA88C430213@gmail.com>
Message-ID: <475EAD5C.3030301@gmail.com>

Noah Gift wrote:
> On Dec 11, 2007, at 10:02 AM, Rich Megginson wrote:
>
>> Torsten Kurbad wrote:
>>
>>> At Tue, 11 Dec 2007 14:45:01 +0100
>>> Michael Ströder wrote:
>>>
>>>> Ah, ok. Interesting. Why don't you separate the krb5 module into
>>>> another project. I guess some people might be interested in that.
>>>
>>> ME, ME, ME!!! :o)
>>>
>>> I tried several krb5 modules lying around in the net so far - and none
>>> really worked! In fact, most of the implementations require an external
>>> kinit call, which is NOT what I intend to let my users do...
>>>
>>> So, I'd very much appreciate, if you think about Michael's idea,
>>> Geert!
>>>
>>> Regards,
>>> Torsten
>>
>> You might be interested in the freeipa.org project which uses python,
>> python-ldap, turbogears, PyKerberos, and supports http authentication
>> with forwardable tickets. I don't think they support SPNEGO yet but
>> patches are welcome :-)
>
> Rich,
>
> Have you used freeipa? I would be interested in covering this in the
> book I am writing about Python for Systems Administration.

No, I haven't used it, but I have worked on some of the directory server features it uses.

> Noah Gift

From noah.gift at gmail.com Tue Dec 11 16:36:13 2007
From: noah.gift at gmail.com (Noah Gift)
Date: Tue, 11 Dec 2007 10:36:13 -0500
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475EAD5C.3030301@gmail.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <20071211151928.028267da@atalante.iwm-kmrc.de> <475EA68A.7070003@gmail.com> <94BF564B-1A55-415A-8257-5DA88C430213@gmail.com> <475EAD5C.3030301@gmail.com>
Message-ID: <999E18F4-0084-4789-9C37-5129CD358C3A@gmail.com>

On Dec 11, 2007, at 10:31 AM, Rich Megginson wrote:
> Noah Gift wrote:
>> On Dec 11, 2007, at 10:02 AM, Rich Megginson wrote:
>>
>>> Torsten Kurbad wrote:
>>>
>>>> At Tue, 11 Dec 2007 14:45:01 +0100
>>>> Michael Ströder wrote:
>>>>
>>>>> Ah, ok. Interesting. Why don't you separate the krb5 module into
>>>>> another project. I guess some people might be interested in that.
>>>>
>>>> ME, ME, ME!!! :o)
>>>>
>>>> I tried several krb5 modules lying around in the net so far - and none
>>>> really worked! In fact, most of the implementations require an external
>>>> kinit call, which is NOT what I intend to let my users do...
>>>>
>>>> So, I'd very much appreciate, if you think about Michael's idea,
>>>> Geert!
>>>>
>>>> Regards,
>>>> Torsten
>>>
>>> You might be interested in the freeipa.org project which uses python,
>>> python-ldap, turbogears, PyKerberos, and supports http authentication
>>> with forwardable tickets. I don't think they support SPNEGO yet but
>>> patches are welcome :-)
>>
>> Rich,
>>
>> Have you used freeipa? I would be interested in covering this in
>> the book I am writing about Python for Systems Administration.
>
> No, I haven't used it, but I have worked on some of the directory
> server features it uses.

Red Hat is really picking up steam on creating Python Sys Admin Tools. I will have to check out freeipa when I get a chance. Thanks for the info.
>> Noah Gift

From michael at stroeder.com Tue Dec 11 16:56:08 2007
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 11 Dec 2007 16:56:08 +0100
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475E99CD.1060708@adaptive-enterprises.com.au>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <475E99CD.1060708@adaptive-enterprises.com.au>
Message-ID: <475EB318.8090902@stroeder.com>

David Leonard wrote:
>
> I am interested in a better GSSAPI binding for Python.. and have some
> incomplete code locally if anyone else is interested.

Well, how about contributing your code to another project? Or how about creating a new project?

> To do credential forwarding, the gss is currently kind of crappy about
> how to extract creds portably, but if you know it's kerberos and you can
> set KRB5CCNAME to a temporary file you can stash a delegated TGT into a
> temp ccache so that SASL/GSS can find it when you talk ldap.

Well, setting an env var is not really a good choice when running within a multi-threaded web application... :-/

Ciao, Michael.

From michael at stroeder.com Tue Dec 11 19:51:03 2007
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 11 Dec 2007 19:51:03 +0100
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475EA68A.7070003@gmail.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <20071211151928.028267da@atalante.iwm-kmrc.de> <475EA68A.7070003@gmail.com>
Message-ID: <475EDC17.9010009@stroeder.com>

Rich Megginson wrote:
> You might be interested in the freeipa.org project which uses python,
> python-ldap, turbogears, PyKerberos, and supports http authentication
> with forwardable tickets. I don't think they support SPNEGO yet but
> patches are welcome :-)

Well, glancing over the code I wonder why you didn't try to contribute back some of the utility functions into python-ldap. E.g. some things like constructing a Proxy Authz Control or normalizing DNs.

Note that python-ldap has a Python style license (not GPL) though.

Ciao, Michael.

From rich.megginson at gmail.com Tue Dec 11 20:01:45 2007
From: rich.megginson at gmail.com (Rich Megginson)
Date: Tue, 11 Dec 2007 12:01:45 -0700
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475EDC17.9010009@stroeder.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <20071211151928.028267da@atalante.iwm-kmrc.de> <475EA68A.7070003@gmail.com> <475EDC17.9010009@stroeder.com>
Message-ID: <475EDE99.1060707@gmail.com>

Michael Ströder wrote:
> Rich Megginson wrote:
>
>> You might be interested in the freeipa.org project which uses python,
>> python-ldap, turbogears, PyKerberos, and supports http authentication
>> with forwardable tickets. I don't think they support SPNEGO yet but
>> patches are welcome :-)
>>
>
> Well, glancing over the code I wonder why you didn't try to contribute
> back some of the utility functions into python-ldap. E.g. some things
> like constructing a Proxy Authz Control or normalizing DNs.
>

I don't know. I haven't been working on that part. I'll let those guys know.

> Note that python-ldap has a Python style license (not GPL) though.
>

Ok, good to know.

> Ciao, Michael.

From michael at stroeder.com Tue Dec 11 20:13:53 2007
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 11 Dec 2007 20:13:53 +0100
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475EA68A.7070003@gmail.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <20071211151928.028267da@atalante.iwm-kmrc.de> <475EA68A.7070003@gmail.com>
Message-ID: <475EE171.7050205@stroeder.com>

Rich Megginson wrote:
> You might be interested in the freeipa.org project which uses python,
> python-ldap, turbogears, PyKerberos, and supports http authentication
> with forwardable tickets.
> I don't think they support SPNEGO yet but patches are welcome :-)

How does the browser send the ticket to the web application then?

Ciao, Michael.

From fernando.ribeiro at gmail.com Tue Dec 11 20:15:52 2007
From: fernando.ribeiro at gmail.com (Fernando Ribeiro)
Date: Tue, 11 Dec 2007 17:15:52 -0200
Subject: STRONG_AUTH_REQUIRED
Message-ID:

Hi,

How to fix STRONG_AUTH_REQUIRED error? (My ldapserver is master)

I'm receiving this error while using modify(dn, modlist)

I have a bind with rootdn and rootpw right.

My modlist:

    [(0, 'employeeType', ['1']), (0, 'l', ['GETEC']), (0, 'stateOrProvinceName', ['DF'])]

The error:

    Dec 11 16:52:00 localhost integracao:ERROR {'info': 'modifications require authentication', 'desc': 'Strong(er) authentication required'}

The code:

    def _modify(self, dn):
        self.log.debug("%s: %s"%(dn, self.modlist))
        try:
            ldap_result_id = self.conn.modify(dn, self.modlist)
            result_type, result_data = self.conn.result(ldap_result_id, 0)
        except ldap.LDAPError, e:
            self.log.error(e)

--
-----------------------------------------------------
- Fernando Ribeiro
- +55-61-8438-5806
-----------------------------------------------------
Firthunands: firthu means peace, nands means daring. "Those who do anything to maintain the peace!"

From rich.megginson at gmail.com Tue Dec 11 20:33:57 2007
From: rich.megginson at gmail.com (Rich Megginson)
Date: Tue, 11 Dec 2007 12:33:57 -0700
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475EE171.7050205@stroeder.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <20071211151928.028267da@atalante.iwm-kmrc.de> <475EA68A.7070003@gmail.com> <475EE171.7050205@stroeder.com>
Message-ID: <475EE625.3070406@gmail.com>

Michael Ströder wrote:
> Rich Megginson wrote:
>
>> You might be interested in the freeipa.org project which uses python,
>> python-ldap, turbogears, PyKerberos, and supports http authentication
>> with forwardable tickets.
>> I don't think they support SPNEGO yet but patches are welcome :-)
>>
>
> How does the browser send the ticket to the web application then?
>

In Firefox, go to about:config

In the Filter: text box, type "nego"

You just have to set network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris to match your [domain_realm] setting in your /etc/krb5.conf. For example:

    network.negotiate-auth.delegation-uris: .example.com
    network.negotiate-auth.trusted-uris: .example.com

I'm not sure but this should be documented on the freeipa.org web site, if it is not already. You also have to use Apache mod_auth_kerb, which should also be covered by freeipa.org

> Ciao, Michael.

From michael at stroeder.com Tue Dec 11 20:51:16 2007
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 11 Dec 2007 20:51:16 +0100
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475EE625.3070406@gmail.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <20071211151928.028267da@atalante.iwm-kmrc.de> <475EA68A.7070003@gmail.com> <475EE171.7050205@stroeder.com> <475EE625.3070406@gmail.com>
Message-ID: <475EEA34.8020007@stroeder.com>

Rich Megginson wrote:
> Michael Ströder wrote:
>> Rich Megginson wrote:
>>
>>> You might be interested in the freeipa.org project which uses python,
>>> python-ldap, turbogears, PyKerberos, and supports http authentication
>>> with forwardable tickets.
>>> I don't think they support SPNEGO yet but patches are welcome :-)
>>
>> How does the browser send the ticket to the web application then?
>>
> In Firefox, go to about:config

Yes, that's what's written on the freeipa.org web site. I was more interested in what's transmitted over the wire if it's not SPNEGO.

Ciao, Michael.

From rich.megginson at gmail.com Tue Dec 11 21:20:54 2007
From: rich.megginson at gmail.com (Rich Megginson)
Date: Tue, 11 Dec 2007 13:20:54 -0700
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475EEA34.8020007@stroeder.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <20071211151928.028267da@atalante.iwm-kmrc.de> <475EA68A.7070003@gmail.com> <475EE171.7050205@stroeder.com> <475EE625.3070406@gmail.com> <475EEA34.8020007@stroeder.com>
Message-ID: <475EF126.1030106@gmail.com>

Michael Ströder wrote:
> Rich Megginson wrote:
>
>> Michael Ströder wrote:
>>
>>> Rich Megginson wrote:
>>>
>>>
>>>> You might be interested in the freeipa.org project which uses python,
>>>> python-ldap, turbogears, PyKerberos, and supports http authentication
>>>> with forwardable tickets.
>>>> I don't think they support SPNEGO yet but patches are welcome :-)
>>>>
>>> How does the browser send the ticket to the web application then?
>>>
>>>
>> In Firefox, go to about:config
>>
>
> Yes, that's what's written on the freeipa.org web site. I was more
> interested what's transmitted over the wire if it's not SPNEGO.
>

I'm not really sure. One of the guys on freeipa-devel at redhat.com would know for sure.

> Ciao, Michael.
>
>

From geert at boskant.nl Tue Dec 11 22:10:48 2007
From: geert at boskant.nl (Geert Jansen)
Date: Tue, 11 Dec 2007 22:10:48 +0100
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475E945D.7040407@stroeder.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com>
Message-ID: <475EFCD8.4040805@boskant.nl>

Michael Ströder wrote:
> Ah, ok. Interesting. Why don't you separate the krb5 module into another
> project. I guess some people might be interested in that.
>
> Especially my dream would be to support HTTP-Authentication based on
> SPNEGO/GSSAPI in web2ldap. But not only authenticating the user at the
> web server. I would rather like to forward the service ticket requested for
> a particular LDAP service to the LDAP server in a SASL/GSSAPI
> BindRequest. Do you think that's feasible?
>

Well... at the moment the module is really bare bones and only exposes the few functions of the vast Kerberos API that Python-AD needs. Also I don't want to digress too much at this point. I created Python-AD as part of something bigger which does not exist yet: FreeADI. FreeADI would provide Active Directory integration for Linux systems, meaning you can use AD as the directory and authentication service on Linux. (Given the fact that Likewise Open was released last week, I am not sure, though, that it would still be useful.)

From what I understand from you though, you'd like the GSSAPI to be wrapped and not the Kerberos API. This is easier as the GSSAPI seems significantly smaller than the Kerberos API.

By the way I had a look at web2ldap. You mention that you use an ASN.1 parser from Pisces and that you feel that people may have issues with its license. Python-AD comes with its own (very simple) ASN.1 parser/generator as well. It can parse arbitrary BER, emits DER and comes with a full test suite. The code is licensed under the MIT license so it may be less concerning. Also, if you really want, I could re-license it under the GPL.
Regards,
Geert

From geert at boskant.nl Tue Dec 11 22:16:09 2007
From: geert at boskant.nl (Geert Jansen)
Date: Tue, 11 Dec 2007 22:16:09 +0100
Subject: [ANNOUNCE] python-ad
In-Reply-To: <20071211151928.028267da@atalante.iwm-kmrc.de>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <20071211151928.028267da@atalante.iwm-kmrc.de>
Message-ID: <475EFE19.9020906@boskant.nl>

Torsten Kurbad wrote:
> ME, ME, ME!!! :o)
>
> I tried several krb5 modules lying around in the net so far - and none
> really worked! In fact, most of the implementations require an external
> kinit call, which is NOT what I intend to let my users do...
>
> So, I'd very much appreciate, if you think about Michael's idea,
> Geert!
>

What is the use case you are thinking about? As mentioned in my other email the Kerberos API is vast, and while wrapping it in Python can be done (it is actually not difficult), it is a lot of work. And after that people will want support for Heimdal, and then Windows, Mac... :-)

Regards,
Geert

From geert at boskant.nl Tue Dec 11 22:28:02 2007
From: geert at boskant.nl (Geert Jansen)
Date: Tue, 11 Dec 2007 22:28:02 +0100
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475EB318.8090902@stroeder.com>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <475E99CD.1060708@adaptive-enterprises.com.au> <475EB318.8090902@stroeder.com>
Message-ID: <475F00E2.4000601@boskant.nl>

Michael Ströder wrote:
>
> Well, setting an env var is not really a good choice when running within
> a multi-threaded web application... :-/
>

I was thinking how one could solve the problem of per-thread credentials in python-ldap (or python-ad).. I think it can be done with the keyring credential cache code that is in recent MIT Kerberos distributions. Per-thread keyrings exist so if you set $KRB5CCNAME to "KEYRING:thread:default" then you should be able to use per-thread credentials.

Regards,
Geert

From jamesa at daa.com.au Wed Dec 12 05:14:22 2007
From: jamesa at daa.com.au (James Andrewartha)
Date: Wed, 12 Dec 2007 13:14:22 +0900
Subject: STRONG_AUTH_REQUIRED
In-Reply-To:
References:
Message-ID: <1197432862.23902.30.camel@zarvora>

On Tue, 2007-12-11 at 17:15 -0200, Fernando Ribeiro wrote:
> How to fix STRONG_AUTH_REQUIRED error? (My ldapserver is master)
> I'm receiving this error while using modify(dn, modlist)
> I have a bind with rootdn and rootpw right.

How are you connecting and binding to the server? Simple bind or SASL? Unencrypted or SSL/TLS? Also, which LDAP server is it? OpenLDAP can be configured to require stronger authentication for modifications - search for ssf (Security Strength Factor) in the slapd.access(5) and slapd.conf(5) man pages.

James Andrewartha

From fernando.ribeiro at gmail.com Wed Dec 12 12:32:58 2007
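An added illustration of the ssf requirement James points to, not configuration from anyone in the thread: a constructed slapd.conf fragment in which modifications are only accepted over a session with a Security Strength Factor of at least 128 (certificate paths are placeholders).

```conf
# Constructed slapd.conf fragment; file paths are placeholders.
TLSCertificateFile    /etc/openldap/server.crt
TLSCertificateKeyFile /etc/openldap/server.key

# Global floor from slapd.conf(5): every operation needs ssf >= 1, while
# updates and simple binds need a session with ssf >= 128 (TLS with a
# 128-bit cipher, or a SASL security layer of equal strength). A client
# that binds with rootdn/rootpw and modifies over a cleartext session is
# refused even though its credentials are correct.
security ssf=1 update_ssf=128 simple_bind=128

# Per-entry policy from slapd.access(5): the ssf= qualifier is ANDed with
# the rest of the <who> clause, so a writer on a weaker session does not
# match "users write" and falls through to "by * none".
access to attrs=userPassword
    by ssf=128 self write
    by ssf=128 anonymous auth
    by * none
access to *
    by ssf=128 users write
    by ssf=64 users read
    by * none
```

On the python-ldap side the session gets its ssf from start_tls_s() before the bind, from an ldaps:// URL, or from a SASL mechanism that negotiates a security layer.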
From: fernando.ribeiro at gmail.com (Fernando Ribeiro)
Date: Wed, 12 Dec 2007 09:32:58 -0200
Subject: STRONG_AUTH_REQUIRED
In-Reply-To: <1197432862.23902.30.camel@zarvora>
References: <1197432862.23902.30.camel@zarvora>
Message-ID:

Hi James,

The problem was fixed using ldap.VERSION with ldap.VERSION3:

self.conn.set_option(ldap.VERSION, ldap.VERSION3)

Thanks

Regards,
--
-----------------------------------------------------
- Fernando Ribeiro
- +55-61-8438-5806
-----------------------------------------------------
Firthunands: firthu means peace, nands means daring.
"Those who do anything to maintain the peace!"

From d at adaptive-enterprises.com.au Wed Dec 12 14:25:29 2007
From: d at adaptive-enterprises.com.au (David Leonard)
Date: Wed, 12 Dec 2007 23:25:29 +1000
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475F00E2.4000601@boskant.nl>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <475E99CD.1060708@adaptive-enterprises.com.au> <475EB318.8090902@stroeder.com> <475F00E2.4000601@boskant.nl>
Message-ID: <475FE149.5030301@adaptive-enterprises.com.au>

Geert Jansen wrote:
> Michael Ströder wrote:
>
>
>> Well, setting an env var is not really a good choice when running within
>> a multi-threaded web application... :-/
>>
>> yet another reason to avoid threads? :)
>
> I was thinking how one could solve the problem of per-thread credentials
> in python-ldap (or python-ad).. I think it can be done with the keyring
> credential cache code that is in recent MIT Kerberos distributions.
> Per-thread keyrings exist so if you set $KRB5CCNAME to
> "KEYRING:thread:default" then you should be able to use per-thread
> credentials.
>

[A per-thread getenv() would be similarly interesting. I'm thinking like how errno was bodged as a macro.]

Recapping the (interesting) problem: Michael wanted to pick out the delegated creds from an SPNEGO auth'd request, convey them down to the SASL GSSAPI auth underneath an LDAP bind. And have it all work inside a threaded web server.

If the request handler is a python script, then you would get a separate python process for each request, and setenving KRB5CCNAME to a temporary cred cache file for the delegated ticket is straightforward. I know, because I've done this. But let's say you want to be interesting and use mod_python and have python-ldap code and sasl-gssapi running inside the web server's thread. In this case, you might arrange for the spnego auth to export the krb5 in-memory cred cache via an apache request note.
However, when it comes time to prepare the SASL GSSAPI environment, you get stuck because there seems to be no way to communicate to the krb5 mechanism under sasl which cred cache to use for auth. This is because GSSAPI functions don't take context handles: it assumes global state for mechanisms. Even doing the "KEYRING" trick above seems dubious to me because the gss mechanisms might be squirreling away credential context in global storage. If I recall correctly, some krb5 implementations of gss are thread-clever, and might see different defaults per thread, so they might work.

I think it would just be easier to avoid threads when using GSSAPI. (Perhaps gss-v3 may be thread friendly?)

--
David Leonard
d at adaptive-enterprises.com.au
Ph:+61 404 844 850

From michael at stroeder.com Wed Dec 12 15:00:45 2007
From: michael at stroeder.com (=?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?=)
Date: Wed, 12 Dec 2007 15:00:45 +0100
Subject: STRONG_AUTH_REQUIRED
In-Reply-To:
References: <1197432862.23902.30.camel@zarvora>
Message-ID: <475FE98D.2070606@stroeder.com>

Fernando Ribeiro wrote:
>
> The problem was fixed using ldap.VERSION with ldap.VERSION3:
>
> self.conn.set_option(ldap.VERSION, ldap.VERSION3)

Strange, since ldap.VERSION3 is the default explicitly set when creating an LDAPObject instance. Unless you set this to ldap.VERSION2 earlier in your code, it's unlikely that this was the solution.

Ciao, Michael.

From michael at stroeder.com Wed Dec 12 15:12:14 2007
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Wed, 12 Dec 2007 15:12:14 +0100
Subject: [ANNOUNCE] python-ad
In-Reply-To: <475FE149.5030301@adaptive-enterprises.com.au>
References: <475AC39E.9050905@boskant.nl> <475D7CE0.4090605@boskant.nl> <475D9873.6070301@stroeder.com> <475DAFBB.5050406@boskant.nl> <475E945D.7040407@stroeder.com> <475E99CD.1060708@adaptive-enterprises.com.au> <475EB318.8090902@stroeder.com> <475F00E2.4000601@boskant.nl> <475FE149.5030301@adaptive-enterprises.com.au>
Message-ID: <475FEC3E.8080909@stroeder.com>

David Leonard wrote:
> Geert Jansen wrote:
>> Michael Ströder wrote:
>>> Well, setting an env var is not really a good choice when running within
>>> a multi-threaded web application... :-/
>
> yet another reason to avoid threads? :)

The multi-threaded approach gives me the possibility to use persistent LDAP connections. This is much faster.

> Recapping the (interesting) problem: Michael wanted to pick out the
> delegated creds from an SPNEGO auth'd request, convey them down to the
> SASL GSSAPI auth underneath an LDAP bind. And have it all work inside a
> threaded web server.

Exactly. ;-)

> If the request handler is a python script, then you would get a separate
> python process for each request, and setenving KRB5CCNAME to a temporary
> cred cache file for the delegated ticket is straightforward.

This would be easy, but that's not how web2ldap works.

> I know,
> because I've done this. But let's say you want to be interesting and use
> mod_python and have python-ldap code and sasl-gssapi running inside the
> web server's thread. In this case, you might arrange for the spnego auth
> to export the krb5 in-memory cred cache via an apache request note.

I'd even prefer to extract the SPNEGO from the HTTP header within my web app, since then I don't need a Kerberos module for Apache. And web2ldap also runs as a stand-alone server, which is pretty handy in many situations.
> However, when it comes time to prepare the SASL GSSAPI environment, you
> get stuck because there seems to be no way to communicate to the krb5
> mechanism under sasl which cred cache to use for auth.

Yupp. I already talked to Howard Chu about whether it's possible to change the OpenLDAP API (sasl_interactive_bind()) in this regard.

> I think it would just be easier to avoid threads when using GSSAPI.

:-(

Ciao, Michael.

From fernando.ribeiro at gmail.com Wed Dec 12 15:15:10 2007
From: fernando.ribeiro at gmail.com (Fernando Ribeiro)
Date: Wed, 12 Dec 2007 12:15:10 -0200
Subject: STRONG_AUTH_REQUIRED
In-Reply-To: <475FE98D.2070606@stroeder.com>
References: <1197432862.23902.30.camel@zarvora> <475FE98D.2070606@stroeder.com>
Message-ID:

Hi Michael,

On Dec 12, 2007 12:00 PM, Michael Ströder wrote:
>
> Strange, since ldap.VERSION3 is the default explicitly set when creating
> a LDAPObject instance. Unless you formerly set this to ldap.VERSION2
> before in your code it's unlikely that this was the solution.
>

Really strange. ldap.VERSION2 was not set in my code. I'm using python-ldap 2.3.

Regards,
Fernando Ribeiro
--
-----------------------------------------------------
- Fernando Ribeiro - SysAdmin
- +55-61-8438-5806
-----------------------------------------------------
Firthunands: firthu means peace, nands means daring.
"Those who do anything to maintain the peace!"

From rescorcio at google.com Wed Dec 12 22:33:21 2007
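The cross-thread mix-up David and Michael describe above, as an added example that is not code from the thread, python-ldap or python-ad: a stand-in function models the C mechanism that chooses its credential cache through getenv("KRB5CCNAME"), the cache paths are constructed placeholders, and the second half models David's one-process-per-request setup in which the same setenv is harmless.

```python
"""Why a process-global KRB5CCNAME cannot carry per-request delegated credentials
inside a threaded server, and why one process per request sidesteps the problem.

Constructed model, not real Kerberos or python-ldap: fake_gssapi_bind() stands in
for a C mechanism (SASL/GSSAPI under libldap) that selects its credential cache by
calling getenv("KRB5CCNAME"); it sees only process-wide state, never per-thread
Python state.  The cache paths are constructed placeholders.
"""
import multiprocessing
import os
import threading

ALICE_CC = "FILE:/tmp/krb5cc_alice"  # constructed placeholder
BOB_CC = "FILE:/tmp/krb5cc_bob"      # constructed placeholder


def fake_gssapi_bind():
    """Model of the C library: the cache comes from the process environment only."""
    return os.environ.get("KRB5CCNAME")


def run_threaded():
    """Two request handlers as threads of one process, each delegating a different
    user's ticket.  The interleaving is forced with events so the result is
    deterministic:
      1. alice's handler exports her cache into the environment and yields;
      2. bob's handler overwrites KRB5CCNAME with his cache and binds;
      3. alice's handler resumes and binds with whatever the environment holds now.
    Returns {user: cache actually used for that user's bind}.
    """
    alice_exported = threading.Event()
    bob_bound = threading.Event()
    used = {}

    def alice():
        os.environ["KRB5CCNAME"] = ALICE_CC
        alice_exported.set()
        bob_bound.wait()
        used["alice"] = fake_gssapi_bind()   # reads bob's cache: credential mix-up

    def bob():
        alice_exported.wait()
        os.environ["KRB5CCNAME"] = BOB_CC
        used["bob"] = fake_gssapi_bind()
        bob_bound.set()

    threads = [threading.Thread(target=alice), threading.Thread(target=bob)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    os.environ.pop("KRB5CCNAME", None)
    return used


def _isolated_handler(user, ccache, results):
    """Request handler body run in its own process (the script-per-request setup
    described in the thread): setenv affects this process only."""
    os.environ["KRB5CCNAME"] = ccache
    results.put((user, fake_gssapi_bind()))


def run_per_process():
    """Same two requests, each in a separate forked process.
    Returns {user: cache used} plus the parent's view of KRB5CCNAME under "parent".
    """
    ctx = multiprocessing.get_context("fork")
    results = ctx.Queue()
    procs = [ctx.Process(target=_isolated_handler, args=("alice", ALICE_CC, results)),
             ctx.Process(target=_isolated_handler, args=("bob", BOB_CC, results))]
    for p in procs:
        p.start()
    used = dict(results.get() for _ in procs)   # drain before join to avoid blocking
    for p in procs:
        p.join()
    used["parent"] = fake_gssapi_bind()         # parent environment was never touched
    return used


if __name__ == "__main__":
    print("threads:  ", run_threaded())
    print("processes:", run_per_process())
```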
From: rescorcio at google.com (Robert Escorcio)
Date: Wed, 12 Dec 2007 13:33:21 -0800
Subject: undefined symbol: ber_pvt_opt_on
Message-ID:

After installing python-ldap 2.3 on Ubuntu (with openldap 2-3.39), I am getting the following error when importing ldap from a python program

ImportError: /usr/lib/python2.4/site-packages/_ldap.so: undefined symbol: ber_pvt_opt_on

I have seen reports on the web that this is because I did not link _ldap.so with -llber, but that cannot be so because I see the following when I run

python setup.py install

gcc -pthread -shared build/temp.linux-x86_64-2.4/Modules/LDAPObject.o build/temp.linux-x86_64-2.4/Modules/ldapcontrol.o build/temp.linux-x86_64-2.4/Modules/common.o build/temp.linux-x86_64-2.4/Modules/constants.o build/temp.linux-x86_64-2.4/Modules/errors.o build/temp.linux-x86_64-2.4/Modules/functions.o build/temp.linux-x86_64-2.4/Modules/schema.o build/temp.linux-x86_64-2.4/Modules/ldapmodule.o build/temp.linux-x86_64-2.4/Modules/message.o build/temp.linux-x86_64-2.4/Modules/version.o build/temp.linux-x86_64-2.4/Modules/options.o -L/usr/local/openldap-2.3/lib -Wl,-R/usr/local/openldap-2.3/lib -lldap -llber -lresolv -o build/lib.linux-x86_64-2.4/_ldap.so

Can anyone advise me on what is the problem?

From michael at stroeder.com Thu Dec 13 00:45:00 2007
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Thu, 13 Dec 2007 00:45:00 +0100
Subject: undefined symbol: ber_pvt_opt_on
In-Reply-To:
References:
Message-ID: <4760727C.7090807@stroeder.com>

Robert Escorcio wrote:
> After installing python-ldap 2.3 on Ubuntu (with openldap 2-3.39), I am
> getting the following error when importing ldap from a python program
>
> ImportError: /usr/lib/python2.4/site
> -packages/_ldap.so: undefined symbol: ber_pvt_opt_on
>
> I have seen reports on the web that this is because I did not link
> _ldap.so with -llber,

Maybe something's wrong with run-time linking?

> but that cannot be so because I see the following
> when I run
>
> python setup.py install
>
> -Wl,-R/usr/local/openldap-2.3/lib -lldap -llber -lresolv -o
> build/lib.linux-x86_64-2.4/_ldap.so

Seems to be ok at first glance. But how about asking the Ubuntu maintainer first?

Or could you please try to build yourself from a 2.3.1 source distribution and provide setup.cfg if it fails? Generally I don't trust package maintainers of Linux distributions anymore. Some of them (e.g. Debian) have a very large patch set.

Also I note that you're on a 64-bit platform. Maybe there's something wrong with the tool chain on that platform?

Ciao, Michael.

From rescorcio at google.com Thu Dec 13 01:14:34 2007
From: rescorcio at google.com (Robert Escorcio)
Date: Wed, 12 Dec 2007 16:14:34 -0800
Subject: undefined symbol: ber_pvt_opt_on
In-Reply-To: <4760727C.7090807@stroeder.com>
References: <4760727C.7090807@stroeder.com>
Message-ID:

Where can I get 2.3.1? Looked for it on ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release but the closest I could find was ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.3.10.tgz

Googled for it and only found http://www.google.com/search?source=ig&hl=en&rlz=&q=openldap-2.3.1&btnG=Google+Search

I'll check 2.3.4 because it's the earliest version I can find and 2.3.10 on the off chance that this is what you meant.

2007/12/12 Michael Ströder :
> Robert Escorcio wrote:
> > After installing python-ldap 2.3 on Ubuntu (with openldap 2-3.39), I am
> > getting the following error when importing ldap from a python program
> >
> > ImportError: /usr/lib/python2.4/site
> > -packages/_ldap.so: undefined symbol: ber_pvt_opt_on
> >
> > I have seen reports on the web that this is because I did not link
> > _ldap.so with -llber,
>
> Maybe something's wrong with run-time linking?
>
> > but that cannot be so because I see the following
> > when I run
> >
> > python setup.py install
> >
> > -Wl,-R/usr/local/openldap-2.3/lib -lldap -llber -lresolv -o
> > build/lib.linux-x86_64-2.4/_ldap.so
>
> Seems to be ok at first glance. But how about asking the Ubuntu
> maintainer first?
>
> Or could you please try to build yourself from a 2.3.1 source
> distribution and provide setup.cfg if it fails? Generally I don't trust
> package maintainers of Linux distribution anymore. Some of them (e.g.
> Debian) has a very large patch set.
>
> Also I note that you're on a 64-bit platform. Maybe there's something
> wrong with the tool chain on that platform?
>
> Ciao, Michael.
>
>

--
Robert Escorcio
Google Inc

From michael at stroeder.com Thu Dec 13 01:56:31 2007
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Thu, 13 Dec 2007 01:56:31 +0100
Subject: undefined symbol: ber_pvt_opt_on
In-Reply-To:
References: <4760727C.7090807@stroeder.com>
Message-ID: <4760833F.9080904@stroeder.com>

Robert Escorcio wrote:
> Where can I get 2.3.1?

I meant the source distribution of python-ldap 2.3.1:

http://sourceforge.net/project/showfiles.php?group_id=2072

> I'll check 2.3.4 because its the earliest version I can find and 2.3.10
> on the off chance that this is what you meant.

I'm not talking about OpenLDAP libs. You need at least 2.3.something for building python-ldap 2.3.1.

Ciao, Michael.

From rescorcio at google.com Thu Dec 13 02:34:10 2007
From: rescorcio at google.com (Robert Escorcio)
Date: Wed, 12 Dec 2007 17:34:10 -0800
Subject: undefined symbol: ber_pvt_opt_on
In-Reply-To: <4760833F.9080904@stroeder.com>
References: <4760727C.7090807@stroeder.com> <4760833F.9080904@stroeder.com>
Message-ID:

2007/12/12 Michael Ströder :
> Robert Escorcio wrote:
> > Where can I get 2.3.1?
>
> I meant the source distribution of python-ldap 2.3.1:
>
> http://sourceforge.net/project/showfiles.php?group_id=2072
>

Oh. Sorry. Right. I was using 2.3.1 of python ldap. When I try to import ldap I get

File "/usr/lib/python2.4/site-packages/ldap/__init__.py", line 23, in ?
from _ldap import *
ImportError: /usr/lib/python2.4/site-packages/_ldap.so: undefined symbol: ber_pvt_opt_on

The build and install seem to work fine (see below for details)

I'll try building on a clean install of fedora. Maybe it's just my OS build that is messed up.

Thanks for your help!

Robert

PS Details:

root at roberte:~/installs/python-ldap-2.3.1# python setup.py build
extra_compile_args:
extra_objects:
include_dirs: /usr/include/sasl
library_dirs: /usr/lib/sasl2
libs: ldap lber
running build
running build_py
file Lib/ldap.py (for module ldap) not found
file Lib/ldap/schema.py (for module ldap.schema) not found
creating build
creating build/lib.linux-i686-2.4
copying Lib/ldapurl.py -> build/lib.linux-i686-2.4
copying Lib/ldif.py -> build/lib.linux-i686-2.4
copying Lib/dsml.py -> build/lib.linux-i686-2.4
creating build/lib.linux-i686-2.4/ldap
copying Lib/ldap/__init__.py -> build/lib.linux-i686-2.4/ldap
copying Lib/ldap/async.py -> build/lib.linux-i686-2.4/ldap
copying Lib/ldap/controls.py -> build/lib.linux-i686-2.4/ldap
copying Lib/ldap/cidict.py -> build/lib.linux-i686-2.4/ldap
copying Lib/ldap/dn.py -> build/lib.linux-i686-2.4/ldap
copying Lib/ldap/filter.py -> build/lib.linux-i686-2.4/ldap
copying Lib/ldap/functions.py -> build/lib.linux-i686-2.4/ldap
copying Lib/ldap/ldapobject.py -> build/lib.linux-i686-2.4/ldap
copying Lib/ldap/modlist.py -> build/lib.linux-i686-2.4/ldap
copying Lib/ldap/sasl.py -> build/lib.linux-i686-2.4/ldap
creating build/lib.linux-i686-2.4/ldap/schema
copying Lib/ldap/schema/__init__.py -> build/lib.linux-i686-2.4/ldap/schema
copying Lib/ldap/schema/models.py -> build/lib.linux-i686-2.4/ldap/schema
copying Lib/ldap/schema/subentry.py -> build/lib.linux-i686-2.4/ldap/schema
copying Lib/ldap/schema/tokenizer.py -> build/lib.linux-i686-2.4/ldap/schema
file Lib/ldap.py (for module ldap) not found
file Lib/ldap/schema.py (for module ldap.schema) not found
running build_ext
building '_ldap' extension
creating build/temp.linux-i686-2.4
creating build/temp.linux-i686-2.4/Modules
gcc -pthread -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -fPIC -DLDAPMODULE_VERSION=2.3.1 -IModules -I/usr/include/sasl -I/usr/include/python2.4 -c Modules/LDAPObject.c -o build/temp.linux-i686-2.4/Modules/LDAPObject.o
gcc -pthread -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -fPIC -DLDAPMODULE_VERSION=2.3.1 -IModules -I/usr/include/sasl -I/usr/include/python2.4 -c Modules/ldapcontrol.c -o build/temp.linux-i686-2.4/Modules/ldapcontrol.o
gcc -pthread -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -fPIC -DLDAPMODULE_VERSION=2.3.1 -IModules -I/usr/include/sasl -I/usr/include/python2.4 -c Modules/common.c -o build/temp.linux-i686-2.4/Modules/common.o
gcc -pthread -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -fPIC -DLDAPMODULE_VERSION=2.3.1 -IModules -I/usr/include/sasl -I/usr/include/python2.4 -c Modules/constants.c -o build/temp.linux-i686-2.4/Modules/constants.o
gcc -pthread -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -fPIC -DLDAPMODULE_VERSION=2.3.1 -IModules -I/usr/include/sasl -I/usr/include/python2.4 -c Modules/errors.c -o build/temp.linux-i686-2.4/Modules/errors.o
gcc -pthread -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -fPIC -DLDAPMODULE_VERSION=2.3.1 -IModules -I/usr/include/sasl -I/usr/include/python2.4 -c Modules/functions.c -o build/temp.linux-i686-2.4/Modules/functions.o
gcc -pthread -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -fPIC -DLDAPMODULE_VERSION=2.3.1 -IModules -I/usr/include/sasl -I/usr/include/python2.4 -c Modules/schema.c -o build/temp.linux-i686-2.4/Modules/schema.o
gcc -pthread -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -fPIC -DLDAPMODULE_VERSION=2.3.1 -IModules -I/usr/include/sasl -I/usr/include/python2.4 -c Modules/ldapmodule.c -o build/temp.linux-i686-2.4/Modules/ldapmodule.o
gcc -pthread -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -fPIC -DLDAPMODULE_VERSION=2.3.1 -IModules -I/usr/include/sasl -I/usr/include/python2.4 -c Modules/message.c -o build/temp.linux-i686-2.4/Modules/message.o
gcc -pthread -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -fPIC -DLDAPMODULE_VERSION=2.3.1 -IModules -I/usr/include/sasl -I/usr/include/python2.4 -c Modules/version.c -o build/temp.linux-i686-2.4/Modules/version.o
gcc -pthread -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -fPIC -DLDAPMODULE_VERSION=2.3.1 -IModules -I/usr/include/sasl -I/usr/include/python2.4 -c Modules/options.c -o build/temp.linux-i686-2.4/Modules/options.o
Modules/options.c: In function 'LDAP_get_option':
Modules/options.c:125: warning: unused variable 'doubleval'
gcc -pthread -shared build/temp.linux-i686-2.4/Modules/LDAPObject.o build/temp.linux-i686-2.4/Modules/ldapcontrol.o build/temp.linux-i686-2.4/Modules/common.o build/temp.linux-i686-2.4/Modules/constants.o build/temp.linux-i686-2.4/Modules/errors.o build/temp.linux-i686-2.4/Modules/functions.o build/temp.linux-i686-2.4/Modules/schema.o build/temp.linux-i686-2.4/Modules/ldapmodule.o build/temp.linux-i686-2.4/Modules/message.o build/temp.linux-i686-2.4/Modules/version.o build/temp.linux-i686-2.4/Modules/options.o -L/usr/lib/sasl2 -Wl,-R/usr/lib/sasl2 -lldap -llber -o build/lib.linux-i686-2.4/_ldap.so

root at roberte:~/installs/python-ldap-2.3.1# python setup.py install
extra_compile_args:
extra_objects:
include_dirs: /usr/include/sasl
library_dirs: /usr/lib/sasl2
libs: ldap lber
running install
running build
running build_py
file Lib/ldap.py (for module ldap) not found
file Lib/ldap/schema.py (for module ldap.schema) not found
file Lib/ldap.py (for module ldap) not found
file Lib/ldap/schema.py (for module ldap.schema) not found
running build_ext
running install_lib
copying build/lib.linux-i686-2.4/_ldap.so -> /usr/lib/python2.4/site-packages
writing byte-compilation script '/tmp/tmpyS3HrD.py'
/usr/bin/python -O /tmp/tmpyS3HrD.py
removing /tmp/tmpyS3HrD.py

>
> > I'll check 2.3.4 because its the earliest version I can find and 2.3.10
> > on the off chance that this is what you meant.
>
> I'm not talking about OpenLDAP libs. You need at least 2.3.something for
> building python-ldap 2.3.1.
>
> Ciao, Michael.
>

--
Robert Escorcio
Google Inc

From michael at stroeder.com Thu Dec 13 12:28:53 2007
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Thu, 13 Dec 2007 12:28:53 +0100
Subject: undefined symbol: ber_pvt_opt_on
In-Reply-To:
References: <4760727C.7090807@stroeder.com> <4760833F.9080904@stroeder.com>
Message-ID: <47611775.5070609@stroeder.com>

Robert Escorcio wrote:
>
> I'll try building on a clean install of fedora. Maybe its just my OS
> build that is messed up.

Maybe a library mix?
Do you have several versions of liblber on your system?
Several OpenLDAP lib versions or even Fedora DS LDAP libs?

Ciao, Michael.

From rescorcio at google.com Thu Dec 13 18:29:27 2007
From: rescorcio at google.com (Robert Escorcio)
Date: Thu, 13 Dec 2007 09:29:27 -0800
Subject: undefined symbol: ber_pvt_opt_on
In-Reply-To: <47611775.5070609@stroeder.com>
References: <4760727C.7090807@stroeder.com> <4760833F.9080904@stroeder.com> <47611775.5070609@stroeder.com>
Message-ID:

root at roberte:~/installs/python-ldap-2.3.1# find / -mount -name "liblber*" | xargs ls -l
lrwxrwxrwx 1 root root 27 Feb 10 2007 /usr/lib/Adobe/Acrobat7.0/Reader/intellinux/lib/liblber.so -> ../../../../../liblber.so.2
lrwxrwxrwx 1 root root 21 Dec 19 2006 /usr/lib/liblber-2.2.so.7 -> liblber-2.2.so.7.0.19
-rw-r--r-- 1 root root 48420 Nov 20 2006 /usr/lib/liblber-2.2.so.7.0.19
-rw-r--r-- 1 root root 65034 Mar 6 2006 /usr/lib/liblber.a
lrwxrwxrwx 1 root root 18 Dec 11 14:03 /usr/lib/liblber.so -> liblber.so.2.0.130
lrwxrwxrwx 1 root root 18 Dec 19 2006 /usr/lib/liblber.so.2 -> liblber.so.2.0.130
-rw-r--r-- 1 root root 46180 Mar 6 2006 /usr/lib/liblber.so.2.0.130
lrwxrwxrwx 1 root root 20 Oct 10 05:43 /usr/lib64/liblber-2.2.so.7 -> liblber-2.2.so.7.0.6
-rwxr-xr-x 1 root root 58664 Dec 12 2006 /usr/lib64/liblber-2.2.so.7.0.6
lrwxrwxrwx 1 root root 20 Oct 10 05:43 /usr/lib64/liblber.so -> liblber-2.2.so.7.0.6
lrwxrwxrwx 1 root root 20 Dec 12 17:14 /usr/local/lib/liblber-2.3.so.0 -> liblber-2.3.so.0.0.4
-rw-r--r-- 1 root root 126344 Dec 12 17:14 /usr/local/lib/liblber-2.3.so.0.0.4
-rw-r--r-- 1 root root 125898 Dec 12 11:26 /usr/local/lib/liblber-2.3.so.0.2.27
-rw-r--r-- 1 root root 169700 Dec 12 17:14 /usr/local/lib/liblber.a
-rw-r--r-- 1 root root 693 Dec 12 17:14 /usr/local/lib/liblber.la
lrwxrwxrwx 1 root root 20 Dec 12 17:14 /usr/local/lib/liblber.so -> liblber-2.3.so.0.0.4

On 12/13/07, Michael Ströder wrote:
> Robert Escorcio wrote:
> >
> > I'll try building on a clean install of fedora. Maybe its just my OS
> > build that is messed up.
>
> Maybe a library mix?
> Do you have several versions of liblber on your system?
> Several OpenLDAP lib versions or even Fedora DS LDAP libs?
>
> Ciao, Michael.
>

--
Robert Escorcio
Google Inc

From rescorcio at google.com Thu Dec 13 18:46:55 2007
From: rescorcio at google.com (Robert Escorcio)
Date: Thu, 13 Dec 2007 09:46:55 -0800
Subject: undefined symbol: ber_pvt_opt_on
In-Reply-To:
References: <4760727C.7090807@stroeder.com> <4760833F.9080904@stroeder.com> <47611775.5070609@stroeder.com>
Message-ID:

I moved the older ones (/usr/lib/) to a safe place and now I get

File "/usr/lib/python2.4/site-packages/ldap/__init__.py", line 23, in ?
from _ldap import *
ImportError: liblber-2.3.so.0: cannot open shared object file: No such file or directory

which I suppose is progress.

On 12/13/07, Robert Escorcio wrote:
> root at roberte:~/installs/python-ldap-2.3.1# find / -mount -name "liblber*" | xargs ls -l
> lrwxrwxrwx 1 root root 27 Feb 10 2007 /usr/lib/Adobe/Acrobat7.0/Reader/intellinux/lib/liblber.so -> ../../../../../liblber.so.2
> lrwxrwxrwx 1 root root 21 Dec 19 2006 /usr/lib/liblber-2.2.so.7 -> liblber-2.2.so.7.0.19
> -rw-r--r-- 1 root root 48420 Nov 20 2006 /usr/lib/liblber-2.2.so.7.0.19
> -rw-r--r-- 1 root root 65034 Mar 6 2006 /usr/lib/liblber.a
> lrwxrwxrwx 1 root root 18 Dec 11 14:03 /usr/lib/liblber.so -> liblber.so.2.0.130
> lrwxrwxrwx 1 root root 18 Dec 19 2006 /usr/lib/liblber.so.2 -> liblber.so.2.0.130
> -rw-r--r-- 1 root root 46180 Mar 6 2006 /usr/lib/liblber.so.2.0.130
> lrwxrwxrwx 1 root root 20 Oct 10 05:43 /usr/lib64/liblber-2.2.so.7 -> liblber-2.2.so.7.0.6
> -rwxr-xr-x 1 root root 58664 Dec 12 2006 /usr/lib64/liblber-2.2.so.7.0.6
> lrwxrwxrwx 1 root root 20 Oct 10 05:43 /usr/lib64/liblber.so -> liblber-2.2.so.7.0.6
> lrwxrwxrwx 1 root root 20 Dec 12 17:14 /usr/local/lib/liblber-2.3.so.0 -> liblber-2.3.so.0.0.4
> -rw-r--r-- 1 root root 126344 Dec 12 17:14 /usr/local/lib/liblber-2.3.so.0.0.4
> -rw-r--r-- 1 root root 125898 Dec 12 11:26 /usr/local/lib/liblber-2.3.so.0.2.27
> -rw-r--r-- 1 root root 169700 Dec 12 17:14 /usr/local/lib/liblber.a
> -rw-r--r-- 1 root root 693 Dec 12 17:14 /usr/local/lib/liblber.la
> lrwxrwxrwx 1 root root 20 Dec 12 17:14 /usr/local/lib/liblber.so -> liblber-2.3.so.0.0.4
>
> On 12/13/07, Michael Ströder wrote:
> > Robert Escorcio wrote:
> > >
> > > I'll try building on a clean install of fedora. Maybe its just my OS
> > > build that is messed up.
> >
> > Maybe a library mix?
> > Do you have several versions of liblber on your system?
> > Several OpenLDAP lib versions or even Fedora DS LDAP libs?
> >
> > Ciao, Michael.
> >
>
>
> --
> Robert Escorcio
> Google Inc
>

--
Robert Escorcio
Google Inc

From michael at stroeder.com Fri Dec 14 11:49:01 2007
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Fri, 14 Dec 2007 11:49:01 +0100 Subject: undefined symbol: ber_pvt_opt_on In-Reply-To: References: <4760727C.7090807@stroeder.com> <4760833F.9080904@stroeder.com> <47611775.5070609@stroeder.com> Message-ID: <47625F9D.6070901@stroeder.com> Robert Escorcio wrote: > I move the older ones (/usr/lib/) to a safe place and now I get Yupp, this is right since python-ldap 2.3.1 requires OpenLDAP 2.3.x+ to build. > File "/usr/lib/python2.4/site-packages/ldap/__init__.py", line 23, in ? > from _ldap import * > ImportError: liblber-2.3.so.0: cannot open shared object file: No such > file or directory > > which I suppose is progress. Yes, somewhat. ;-) Did you adjust the parameters 'library_dirs' and 'include_dirs' in setup.cfg before running python setup.py build? I guess these should point to /usr/local/lib and /usr/local/include. Another quick approach would be to add /usr/local/lib to your LD_LIBRARY_PATH. Ciao, Michael. > > On 12/13/07, Robert Escorcio wrote: >> root at roberte:~/installs/python-ldap-2.3.1# find / -mount -name >> "liblber*" | xargs ls -l >> lrwxrwxrwx 1 root root 27 Feb 10 2007 >> /usr/lib/Adobe/Acrobat7.0/Reader/intellinux/lib/liblber.so -> >> ../../../../../liblber.so.2 >> lrwxrwxrwx 1 root root 21 Dec 19 2006 /usr/lib/liblber-2.2.so.7 >> -> liblber-2.2.so.7.0.19 >> -rw-r--r-- 1 root root 48420 Nov 20 2006 /usr/lib/liblber-2.2.so.7.0.19 >> -rw-r--r-- 1 root root 65034 Mar 6 2006 /usr/lib/liblber.a >> lrwxrwxrwx 1 root root 18 Dec 11 14:03 /usr/lib/liblber.so -> >> liblber.so.2.0.130 >> lrwxrwxrwx 1 root root 18 Dec 19 2006 /usr/lib/liblber.so.2 -> >> liblber.so.2.0.130 >> -rw-r--r-- 1 root root 46180 Mar 6 2006 /usr/lib/liblber.so.2.0.130 >> lrwxrwxrwx 1 root root 20 Oct 10 05:43 /usr/lib64/liblber-2.2.so.7 >> -> liblber-2.2.so.7.0.6 >> -rwxr-xr-x 1 root root 58664 Dec 12 2006 /usr/lib64/liblber-2.2.so.7.0.6 >> lrwxrwxrwx 1 root root 20 Oct 10 05:43 /usr/lib64/liblber.so -> >> 
liblber-2.2.so.7.0.6 >> lrwxrwxrwx 1 root root 20 Dec 12 17:14 >> /usr/local/lib/liblber-2.3.so.0 -> liblber-2.3.so.0.0.4 >> -rw-r--r-- 1 root root 126344 Dec 12 17:14 /usr/local/lib/liblber-2.3.so.0.0.4 >> -rw-r--r-- 1 root root 125898 Dec 12 11:26 /usr/local/lib/liblber-2.3.so.0.2.27 >> -rw-r--r-- 1 root root 169700 Dec 12 17:14 /usr/local/lib/liblber.a >> -rw-r--r-- 1 root root 693 Dec 12 17:14 /usr/local/lib/liblber.la >> lrwxrwxrwx 1 root root 20 Dec 12 17:14 /usr/local/lib/liblber.so >> -> liblber-2.3.so.0.0.4 >> >> On 12/13/07, Michael Ströder wrote: >>> Robert Escorcio wrote: >>>> I'll try building on a clean install of fedora. Maybe its just my OS >>>> build that is messed up. >>> Maybe a library mix? >>> Do you have several versions of liblber on your system? >>> Several OpenLDAP lib versions or even Fedora DS LDAP libs? >>> >>> Ciao, Michael. >>> >> >> -- >> Robert Escorcio >> Google Inc From rescorcio at google.com Fri Dec 14 17:05:28 2007 
From: rescorcio at google.com (Robert Escorcio) Date: Fri, 14 Dec 2007 08:05:28 -0800 Subject: undefined symbol: ber_pvt_opt_on In-Reply-To: <47625F9D.6070901@stroeder.com> References: <4760727C.7090807@stroeder.com> <4760833F.9080904@stroeder.com> <47611775.5070609@stroeder.com> <47625F9D.6070901@stroeder.com> Message-ID: Hi Michael, Thanks for your help. I ended up dropping my old Ubuntu install and rebuilt. I got it working just fine now. It was some sort of library problem as you indicated I am sure. But I never seem to be able to figure out stuff like that :) Thanks again. Robert On Dec 14, 2007 2:49 AM, Michael Ströder wrote: > Robert Escorcio wrote: > > I move the older ones (/usr/lib/) to a safe place and now I get > > Yupp, this is right since python-ldap 2.3.1 requires OpenLDAP 2.3.x+ to > build. > > > File "/usr/lib/python2.4/site-packages/ldap/__init__.py", line 23, in > ? > > from _ldap import * > > ImportError: liblber-2.3.so.0: cannot open shared object file: No such > > file or directory > > > > which I suppose is progress. > > Yes, somewhat. ;-) > > Did you adjust the parameters 'library_dirs' and 'include_dirs' in > setup.cfg before running python setup.py build? I guess these should > point to /usr/local/lib and /usr/local/include. > > Another quick approach would be to add /usr/local/lib to your > LD_LIBRARY_PATH. > > Ciao, Michael. 
> > > > > On 12/13/07, Robert Escorcio wrote: > >> root at roberte:~/installs/python-ldap-2.3.1# find / -mount -name > >> "liblber*" | xargs ls -l > >> lrwxrwxrwx 1 root root 27 Feb 10 2007 > >> /usr/lib/Adobe/Acrobat7.0/Reader/intellinux/lib/liblber.so -> > >> ../../../../../liblber.so.2 > >> lrwxrwxrwx 1 root root 21 Dec 19 2006 /usr/lib/liblber-2.2.so.7 > >> -> liblber-2.2.so.7.0.19 > >> -rw-r--r-- 1 root root 48420 Nov 20 2006 /usr/lib/liblber- > 2.2.so.7.0.19 > >> -rw-r--r-- 1 root root 65034 Mar 6 2006 /usr/lib/liblber.a > >> lrwxrwxrwx 1 root root 18 Dec 11 14:03 /usr/lib/liblber.so -> > >> liblber.so.2.0.130 > >> lrwxrwxrwx 1 root root 18 Dec 19 2006 /usr/lib/liblber.so.2 -> > >> liblber.so.2.0.130 > >> -rw-r--r-- 1 root root 46180 Mar 6 2006 /usr/lib/liblber.so.2.0.130 > >> lrwxrwxrwx 1 root root 20 Oct 10 05:43 /usr/lib64/liblber-2.2.so.7 > >> -> liblber-2.2.so.7.0.6 > >> -rwxr-xr-x 1 root root 58664 Dec 12 2006 /usr/lib64/liblber- > 2.2.so.7.0.6 > >> lrwxrwxrwx 1 root root 20 Oct 10 05:43 /usr/lib64/liblber.so -> > >> liblber-2.2.so.7.0.6 > >> lrwxrwxrwx 1 root root 20 Dec 12 17:14 > >> /usr/local/lib/liblber-2.3.so.0 -> liblber-2.3.so.0.0.4 > >> -rw-r--r-- 1 root root 126344 Dec 12 17:14 /usr/local/lib/liblber- > 2.3.so.0.0.4 > >> -rw-r--r-- 1 root root 125898 Dec 12 11:26 /usr/local/lib/liblber- > 2.3.so.0.2.27 > >> -rw-r--r-- 1 root root 169700 Dec 12 17:14 /usr/local/lib/liblber.a > >> -rw-r--r-- 1 root root 693 Dec 12 17:14 /usr/local/lib/liblber.la > >> lrwxrwxrwx 1 root root 20 Dec 12 17:14 /usr/local/lib/liblber.so > >> -> liblber-2.3.so.0.0.4 > >> > >> On 12/13/07, Michael Ströder wrote: > >>> Robert Escorcio wrote: > >>>> I'll try building on a clean install of fedora. Maybe its just my OS > >>>> build that is messed up. > >>> Maybe a library mix? > >>> Do you have several versions of liblber on your system? > >>> Several OpenLDAP lib versions or even Fedora DS LDAP libs? > >>> > >>> Ciao, Michael. 
> >>> > >> > >> -- > >> Robert Escorcio > >> Google Inc > > -- Robert Escorcio Google Inc From leonsp at ca.ibm.com Sat Dec 15 00:36:49 2007 From: leonsp at ca.ibm.com (Leons Petrazickis) Date: Fri, 14 Dec 2007 18:36:49 -0500 Subject: Local Error in simple_bind_s(); Message-ID: When I run this Python script under either 2.5 or 2.4: import ldap ds = ldap.initialize("ldap://foobar.ibm.com:636") ds.protocol_version = ldap.VERSION2 ds.simple_bind_s() I get this error: Traceback (most recent call last): File "test.py", line 13, in ds.simple_bind_s(); File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 199, in simple_bind_s return self.result(msgid,all=1,timeout=self.timeout) File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 428, in result res_type,res_data,res_msgid = self.result2(msgid,all,timeout) File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 432, in result2 res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout) File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 438, in result3 rtype, rdata, rmsgid, serverctrls = self._ldap_call(self._l.result3,msgid,all,timeout) File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 97, in _ldap_call result = func(*args,**kwargs) ldap.LOCAL_ERROR: {'desc': 'Local error'} But OpenLDAP commands work fine from the command prompt: ldapsearch -h foobar.ibm.com -P 2 -x -b "ou=bluepages,o=ibm.com" -s sub "(sn=Test)" cn tieline Any ideas? I can't figure out what would cause a "Local error" from the source code. I am using the python-ldap package on Ubuntu Gutsy. Regards, Leons Petrazickis http://lpetr.org/blog/ From michael at stroeder.com Sat Dec 15 14:30:55 2007 
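One detail of the script in the post above is worth checking before looking at the libraries: it hands ldap.initialize() the ldap:// scheme with port 636, which is the IANA-registered LDAPS port, while the working ldapsearch call uses the default port, and it sets protocol_version to LDAPv2 and binds with no DN and no password. The thread does not settle whether that matters here; the added example below (not code from the thread or from python-ldap, and it opens no connection) is a pre-flight check that flags exactly those combinations, using only the standard library and the default ports 389 and 636.

```python
"""Sanity-check an LDAP URL and bind settings before calling initialize().

Added example; it is not code from the thread or from python-ldap and it
does not open a connection. It only inspects what a script hands to
ldap.initialize(), protocol_version and simple_bind_s(), using the
IANA-registered defaults: 389 for ldap:// and 636 for ldaps://.
"""
from urllib.parse import urlsplit

LDAP_PORT = 389
LDAPS_PORT = 636


def check_ldap_url(url, protocol_version=3, who='', cred=''):
    """Return a list of (code, message) findings; empty means nothing was flagged.

    who and cred are the arguments that would be passed to simple_bind_s()."""
    findings = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ('ldap', 'ldaps', 'ldapi'):
        return [('bad-scheme', 'unsupported URL scheme %r' % parts.scheme)]
    if scheme != 'ldapi':  # ldapi:// is a Unix domain socket, nothing to check for ports
        try:
            port = parts.port
        except ValueError:
            return [('bad-port', 'port in %r is not a valid number' % url)]
        if port is None:
            port = LDAPS_PORT if scheme == 'ldaps' else LDAP_PORT
        if scheme == 'ldap' and port == LDAPS_PORT:
            findings.append(('plaintext-on-ldaps-port',
                             'ldap:// on port 636: a server on the LDAPS port expects a TLS '
                             'handshake, not a cleartext LDAP message; use ldaps:// or port 389'))
        if scheme == 'ldaps' and port == LDAP_PORT:
            findings.append(('tls-on-ldap-port',
                             'ldaps:// on port 389: the cleartext port; the TLS handshake will '
                             'not be answered unless the server is unusually configured'))
        if scheme == 'ldap' and (who or cred):
            findings.append(('credentials-in-clear',
                             'simple bind over ldap:// sends the password in cleartext '
                             'unless start_tls_s() is called first'))
    if protocol_version < 3:
        findings.append(('ldapv2',
                         'LDAPv2 is historic (RFC 3494) and has neither StartTLS nor SASL '
                         'binds; use protocol_version 3'))
    if not who and not cred:
        findings.append(('anonymous-bind',
                         'empty DN and password: this is an anonymous bind, which some '
                         'servers reject'))
    return findings


if __name__ == '__main__':
    # The settings from the script in the thread, run through the check.
    for code, message in check_ldap_url('ldap://foobar.ibm.com:636', protocol_version=2):
        print('%s: %s' % (code, message))
```

Run it before initialize() in a test script, or feed it the same URL, protocol version and bind arguments the application uses; a non-empty result is worth resolving before chasing library problems.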
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Sat, 15 Dec 2007 14:30:55 +0100 Subject: Local Error in simple_bind_s(); In-Reply-To: References: Message-ID: <4763D70F.4000902@stroeder.com> Leons Petrazickis wrote: > ldap.LOCAL_ERROR: {'desc': 'Local error'} > [..] > But OpenLDAP commands work fine from the command prompt: > [..] > I am using the python-ldap package on Ubuntu Gutsy. I have no clue which version of python-ldap Ubuntu is using. Nor do I know whether they applied any patches *they* believe to be necessary before packaging it. Could you please try to reproduce the problem with a stock python-ldap 2.3.1 built from official source distribution against recent OpenLDAP libs 2.3.x? Another option to track down issues is to turn on debug logging in python-ldap and also in the OpenLDAP libs: ldap.set_option(ldap.OPT_DEBUG_LEVEL,4095) and l = ldap.initialize('ldap://yourserver:port',trace_level=2) Ciao, Michael. From Ron at USMedRec.com Tue Dec 18 04:57:43 2007 
From: Ron at USMedRec.com (Ron Teitelbaum) Date: Mon, 17 Dec 2007 22:57:43 -0500 Subject: Exception info: Already Exists on New Add Message-ID: Hello All, I've been searching for an answer to this question but have come up blank. I'm adding an organization I get an exception info:'', desc: 'Already Exists' but if I go to gq the record actually did get added. I'm using {'objectclass':('organization',), 'o': 'test2'} input to modlist which results in [('objectclass',('organization',)), ('o', 'test2')'] With a dn 'o=test2, dc=example, dc=com' I'm calling 'add_s' I have an exception handler that retries the add on Can't contact server errors. First I check gq for the record and it does not exist. I execute the add_s code, get the Already Exists error then go back and check gq and the record and it is there. I've been getting errors: Can't contact LDAP server. But it appears that if I retry bind, or search, (and now add) after hitting this error it succeeds, which is why I added a retry handler. Looking at the trace this could be my problem. It might be that it succeeds in the add but raises the Can't contact server error anyway. I'm running on Ubuntu 7.04 (VMWare). Python2.4. Python-ldap 2.2.1 I've attached the trace file. Any idea why I would get this result? If the record was inserted then why am I getting this Can't contact error, and if it didn't insert the record because it couldn't contact the server then why am I getting the Already Exists error? Any ideas about what may be causing either one of these errors are welcome! Thank you for your help! Ron Teitelbaum -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: PyLdapTrace.txt URL: From michael at stroeder.com Tue Dec 18 10:53:33 2007 
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Tue, 18 Dec 2007 10:53:33 +0100 Subject: Exception info: Already Exists on New Add In-Reply-To: References: Message-ID: <4767989D.2080408@stroeder.com> Ron Teitelbaum wrote: > > I'm adding an organization > > I get an exception info:'', desc: 'Already Exists' but if I go to gq the > record actually did get added. You're trying to re-add an entry with the same RDN. That's what this message says. > I have an exception handler that retrys the add on Can't contact server > errors. You should examine your exception handler... > I've been getting errors: Can't contact LDAP server. But it appears that if > I retry bind, or search, (and now add) after hitting this error it succeeds, > which is why I added a retry handler. You might want to use yet undocumented ldapobject.ReconnectLDAPObject. It does a good job for this particular problem. > I'm running on Ubuntu 7.04 (VMWare). Python2.4. Python-ldap 2.2.1 You should use python-ldap 2.3.1 although this is probably not part of your problem. > I've attached the trace file. There are two calls of add_ext in there. > Any idea why I would get this result? Well, it's your code... ;-) Ciao, Michael. From Ron at USMedRec.com Tue Dec 18 13:26:37 2007 From: Ron at USMedRec.com (Ron Teitelbaum) Date: Tue, 18 Dec 2007 07:26:37 -0500 Subject: Exception info: Already Exists on New Add In-Reply-To: <4767989D.2080408@stroeder.com> References: <4767989D.2080408@stroeder.com> Message-ID: Hi Michael, Thank you very much for your help. I will look at the exception handler and ReconnectLDAPObject. I see the multiple calls to add_ext and the different results, so you are right, it's me! Thanks! Ron > -----Original Message----- 
> From: Michael Ströder > > Ron Teitelbaum wrote: > > > > You should examine your exception handler... > > > I've been getting errors: Can't contact LDAP server. But it appears > > that if > > I retry bind, or search, (and now add) after hitting this error it > > succeeds, > > which is why I added a retry handler. > > You might want to use yet undocumented ldapobject.ReconnectLDAPObject. > It does a good job for this particular problem. > > There are two calls of add_ext in there. > > > Any idea why I would get this result? > > Well, it's your code... ;-) > > Ciao, Michael. > From leonsp at ca.ibm.com Tue Dec 18 20:37:52 2007 
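The failure mode in the thread above (the add was applied, the reply was lost as "Can't contact LDAP server", and a retry handler re-issued the add and got "Already exists") is the classic case of retrying a non-idempotent operation. The added example below is not code from the thread or from python-ldap: it uses a constructed stand-in for an LDAP connection that applies the first add_s() but then raises SERVER_DOWN as if the reply never arrived, shows the naive retry producing ALREADY_EXISTS, and shows a retry that reads the entry back and treats ALREADY_EXISTS after a lost reply as success only when the entry matches what was written. The exception class names mirror python-ldap's (ldap.SERVER_DOWN, ldap.ALREADY_EXISTS, ldap.NO_SUCH_OBJECT) but are defined locally so the example runs offline; the DN and modlist are the ones from the post.

```python
"""Retry of a non-idempotent LDAP add, simulated offline.

Added example for the "Already Exists on New Add" thread; not code from the
thread or from python-ldap. FlakyConnection is a constructed stand-in for an
LDAPObject whose first add is applied on the server but whose reply is lost.
The exception classes mirror python-ldap's names but are defined here.
"""

SCOPE_BASE = 0  # same value as ldap.SCOPE_BASE


class SERVER_DOWN(Exception):
    pass


class ALREADY_EXISTS(Exception):
    pass


class NO_SUCH_OBJECT(Exception):
    pass


def _as_list(values):
    # python-ldap accepts a single string or a sequence of strings as values.
    return [values] if isinstance(values, str) else list(values)


class FlakyConnection:
    """Constructed stand-in for an LDAP connection, not a real server.

    The first add_s() stores the entry and then raises SERVER_DOWN, as if the
    reply never arrived. If concurrent_write is given, another client changes
    the entry in that window, the case a verifying retry must refuse."""

    def __init__(self, concurrent_write=None):
        self.entries = {}
        self.lost_reply_pending = True
        self.concurrent_write = concurrent_write
        self.calls = []

    def add_s(self, dn, modlist):
        self.calls.append(('add_s', dn))
        if dn in self.entries:
            raise ALREADY_EXISTS({'desc': 'Already exists'})
        self.entries[dn] = {attr: _as_list(values) for attr, values in modlist}
        if self.lost_reply_pending:
            self.lost_reply_pending = False
            if self.concurrent_write is not None:
                self.entries[dn] = dict(self.concurrent_write)
            raise SERVER_DOWN({'desc': "Can't contact LDAP server"})

    def search_s(self, base, scope, filterstr='(objectClass=*)', attrlist=None):
        self.calls.append(('search_s', base))
        if base not in self.entries:
            raise NO_SUCH_OBJECT({'desc': 'No such object'})
        return [(base, dict(self.entries[base]))]


def naive_retry_add(conn, dn, modlist, attempts=3):
    """The handler the thread describes: re-issue add_s on SERVER_DOWN.

    When the first add was applied but its reply was lost, the retry is a
    second add of the same DN; the server answers ALREADY_EXISTS, which this
    handler does not expect and lets propagate."""
    last_error = None
    for _ in range(attempts):
        try:
            conn.add_s(dn, modlist)
            return 'added'
        except SERVER_DOWN as exc:
            last_error = exc
    raise last_error


def _normalize(attrs):
    # Attribute types are case-insensitive in LDAP; values are compared
    # byte-for-byte here, which is stricter than the server's matching rules.
    return {attr.lower(): sorted(_as_list(values)) for attr, values in attrs.items()}


def verified_retry_add(conn, dn, modlist, attempts=3):
    """Retry add_s, but decide what ALREADY_EXISTS means after a lost reply.

    Returns 'added' when an add succeeded, or 'already-present' when the entry
    exists and matches what we tried to write (an earlier attempt went
    through). ALREADY_EXISTS with no lost reply before it, or an existing entry
    that differs from ours, is a real conflict and is raised."""
    wanted = _normalize(dict(modlist))
    lost_reply = False
    last_error = None
    for _ in range(attempts):
        try:
            conn.add_s(dn, modlist)
            return 'added'
        except SERVER_DOWN as exc:
            lost_reply = True
            last_error = exc
        except ALREADY_EXISTS:
            if not lost_reply:
                raise
            _dn, existing = conn.search_s(dn, SCOPE_BASE)[0]
            if _normalize(existing) == wanted:
                return 'already-present'
            raise
    raise last_error


if __name__ == '__main__':
    DN = 'o=test2,dc=example,dc=com'   # DN and modlist from the post
    MODLIST = [('objectclass', ('organization',)), ('o', 'test2')]
    try:
        naive_retry_add(FlakyConnection(), DN, MODLIST)
    except ALREADY_EXISTS:
        print('naive retry: second add of the same DN -> Already exists')
    print('verified retry:', verified_retry_add(FlakyConnection(), DN, MODLIST))
```

Whatever reconnect layer sits underneath (ReconnectLDAPObject or a hand-written one), the decision about what an ALREADY_EXISTS after a lost reply means has to be made by the retry itself; reading the entry back is the cheapest way to make it, and refusing on a mismatch avoids silently accepting an entry some other client wrote in the meantime.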
From: leonsp at ca.ibm.com (Leons Petrazickis) Date: Tue, 18 Dec 2007 14:37:52 -0500 Subject: Local Error in simple_bind_s(); In-Reply-To: <4763D70F.4000902@stroeder.com> Message-ID: Hi Michael, Thank you very much for the logging tip. I've installed Thorsten Kurbad's python_ldap-2.3.1-py2.4-linux-i686.egg on my Python 2.4 install This is the script: ldap.set_option(ldap.OPT_DEBUG_LEVEL,4095) l = ldap.initialize("ldap://bluepages.ibm.com:636/",trace_level=2); l.protocol_version = ldap.VERSION2; l.simple_bind_s(); And this is the log output: ldap_create ldap_url_parse_ext(ldap://bluepages.ibm.com:636/) *** ldap://bluepages.ibm.com:636/ - SimpleLDAPObject.set_option ((17, 3),{}) *** ldap://bluepages.ibm.com:636/ - SimpleLDAPObject.set_option ((17, 2),{}) *** ldap://bluepages.ibm.com:636/ - SimpleLDAPObject.simple_bind (('', '', None, None),{}) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP bluepages.ibm.com:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 9.17.186.253:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request => result: 1 *** ldap://bluepages.ibm.com:636/ - SimpleLDAPObject.result3 ((1, 1, -1),{}) ldap_result ld 0x81afba8 msgid 1 ldap_chkResponseList ld 0x81afba8 msgid 1 all 1 ldap_chkResponseList returns ld 0x81afba8 NULL wait4msg ld 0x81afba8 msgid 1 (infinite timeout) wait4msg continue ld 0x81afba8 msgid 1 all 1 ** ld 0x81afba8 Connections: * host: bluepages.ibm.com port: 636 (default) refcnt: 2 status: Connected last used: Mon Dec 17 18:34:20 2007 ** ld 0x81afba8 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x81afba8 Response Queue: Empty ldap_chkResponseList ld 0x81afba8 msgid 1 all 1 ldap_chkResponseList returns ld 0x81afba8 NULL ldap_int_select read1msg: ld 0x81afba8 msgid 1 all 1 ldap_err2string => LDAPError - LOCAL_ERROR: {'desc': 'Local 
error'} Traceback (most recent call last): File "test.py", line 15, in ? l.simple_bind_s(); File "/usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg/ldap/ldapobject.py", line 199, in simple_bind_s return self.result(msgid,all=1,timeout=self.timeout) File "/usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg/ldap/ldapobject.py", line 428, in result res_type,res_data,res_msgid = self.result2(msgid,all,timeout) File "/usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg/ldap/ldapobject.py", line 432, in result2 res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout) File "/usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg/ldap/ldapobject.py", line 438, in result3 rtype, rdata, rmsgid, serverctrls = self._ldap_call(self._l.result3,msgid,all,timeout) File "/usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg/ldap/ldapobject.py", line 97, in _ldap_call result = func(*args,**kwargs) ldap.LOCAL_ERROR: {'desc': 'Local error'} ldap_free_request (origid 1, msgid 1) ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed Does this mean that the connection is successful, but then there is a crash in message processing? What can I do? Thanks, Leons Petrazickis http://lpetr.org/blog/ Michael Ströder wrote on 15/12/2007 08:30 AM (To: Leons Petrazickis/Toronto/IBM at IBMCA, cc: python-ldap-dev at lists.sourceforge.net, Subject: Re: Local Error in simple_bind_s();): Leons Petrazickis wrote: > ldap.LOCAL_ERROR: {'desc': 'Local error'} > [..] > But OpenLDAP commands work fine from the command prompt: > [..] > I am using the python-ldap package on Ubuntu Gutsy. I have no clue which version of python-ldap Ubuntu is using. Nor do I know whether they applied any patches *they* believe to be necessary before packaging it. 
Could you please try to reproduce the problem with a stock python-ldap 2.3.1 built from official source distribution against recent OpenLDAP libs 2.3.x? Another option to track down issues is to turn on debug logging in python-ldap and also in the OpenLDAP libs: ldap.set_option(ldap.OPT_DEBUG_LEVEL,4095) and l = ldap.initialize('ldap://yourserver:port',trace_level=2) Ciao, Michael. From michael at stroeder.com Tue Dec 18 23:05:16 2007 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Tue, 18 Dec 2007 23:05:16 +0100 Subject: Local Error in simple_bind_s(); In-Reply-To: References: Message-ID: <4768441C.6050005@stroeder.com> Leons Petrazickis wrote: > > I've installed Thorsten Kurbad's python_ldap-2.3.1-py2.4-linux-i686.egg on > my Python 2.4 install Which OS? Which Linux distribution? Which OpenLDAP libs? > And this is the log output: Cannot see anything obviously wrong. > ldap.LOCAL_ERROR: {'desc': 'Local error'} > ldap_free_request (origid 1, msgid 1) > ldap_free_connection 1 1 > ldap_send_unbind > ldap_free_connection: actually freed > > Does this mean that the connection is successful, but then there is a crash > in message processing? Hmm, yes something's really strange. If on Linux could you please check with ldd /_ldap.so which OpenLDAP libs are actually used. Ciao, Michael. From mw at agamisystems.eu Wed Dec 19 15:46:53 2007 
From: mw at agamisystems.eu (Martin Winkler) Date: Wed, 19 Dec 2007 15:46:53 +0100 Subject: Traceback with "No such object" although there is indeed such an object (works with "ldapsearch") Message-ID: <20071219154653.4c158070@agamisystems.eu> Hi all, Doing an ldapsearch in the shell works, but the same search in python does not. I tried for a couple of hours already to no avail, so I write here hoping that one of you might be able to give me help: Working example (in bash shell): ================================ $ ldapsearch -x -LLL "(ou=People)" -b "dc=mydomain,dc=com" dn: ou=People,dc=mydomain,dc=com ou: People objectClass: organizationalUnit description: Users of my domain Not working (in python shell): ============================== >>> import ldap >>> l = ldap.initialize("ldap://127.0.0.1") >>> l.simple_bind_s("","") >>> l.search_s('o=mydomain, c=com', ldap.SCOPE_SUBTREE, '(ou=People)') # I also tried it with ...'ou=People' without the parentheses In both cases I get this traceback: File "", line 1, in ? File "/usr/lib64/python2.3/site-packages/ldap/ldapobject.py", line 461, in search_s return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,timeout=self.timeout) File "/usr/lib64/python2.3/site-packages/ldap/ldapobject.py", line 455, in search_ext_s return self.result(msgid,all=1,timeout=timeout)[1] File "/usr/lib64/python2.3/site-packages/ldap/ldapobject.py", line 392, in result res_type,res_data,res_msgid = self.result2(msgid,all,timeout) File "/usr/lib64/python2.3/site-packages/ldap/ldapobject.py", line 398, in result2 return self._ldap_call(self._l.result2,msgid,all,timeout) File "/usr/lib64/python2.3/site-packages/ldap/ldapobject.py", line 94, in _ldap_call result = func(*args,**kwargs) ldap.NO_SUCH_OBJECT: {'info': '', 'desc': 'No such object'} Does someone have an idea how I can get any results? Martin From d at adaptive-enterprises.com.au Wed Dec 19 15:51:22 2007 
From: d at adaptive-enterprises.com.au (David Leonard) Date: Thu, 20 Dec 2007 00:51:22 +1000 Subject: Traceback with "No such object" although there is indeed such an object (works with "ldapsearch") In-Reply-To: <20071219154653.4c158070@agamisystems.eu> References: <20071219154653.4c158070@agamisystems.eu> Message-ID: <47692FEA.80301@adaptive-enterprises.com.au> Martin Winkler wrote: > $ ldapsearch -x -LLL "(ou=People)" -b "dc=mydomain,dc=com" > >>>> l = ldap.initialize("ldap://127.0.0.1") >>>> l.simple_bind_s("","") >>>> l.search_s('o=mydomain, c=com', ldap.SCOPE_SUBTREE, '(ou=People)') >>>> > because "o=mydomain,c=com" != "dc=mydomain,dc=com" ? -- David Leonard d at adaptive-enterprises.com.au Ph:+61 404 844 850 From mw at agamisystems.eu Wed Dec 19 15:52:24 2007 From: mw at agamisystems.eu (Martin Winkler) Date: Wed, 19 Dec 2007 15:52:24 +0100 Subject: Traceback with "No such object" although there is indeed such an object (works with "ldapsearch") In-Reply-To: <20071219154653.4c158070@agamisystems.eu> References: <20071219154653.4c158070@agamisystems.eu> Message-ID: <20071219155224.7199fea8@agamisystems.eu> Sorry, forgot to mention some facts: python-ldap version: >>> ldap.VERSION 2 Python Version: Python 2.3.4 [GCC 3.4.6 20060404 (Red Hat 3.4.6-3)] $ ldapsearch -VV ldapsearch: @(#) $OpenLDAP: ldapsearch 2.2.13 (May 3 2007 01:38:21) $ mockbuild at builder6.centos.org:/builddir/build/BUILD/openldap-2.2.13/openldap-2.2.13/build-clients/clients/tools (LDAP library: OpenLDAP 20213) Maybe these things are important. Martin From mw at agamisystems.eu Wed Dec 19 16:02:06 2007 
From: mw at agamisystems.eu (Martin Winkler) Date: Wed, 19 Dec 2007 16:02:06 +0100 Subject: Traceback with "No such object" although there is indeed such an object (works with "ldapsearch") In-Reply-To: <20071219154653.4c158070@agamisystems.eu> References: <20071219154653.4c158070@agamisystems.eu> Message-ID: <20071219160206.1044f3e1@agamisystems.eu> Please ignore my previous postings. My error was so trivial... I had different ldap-bases in my 2 examples. everything works fine now. sorry to have bothered you all. Martin From leonsp at ca.ibm.com Wed Dec 19 20:05:04 2007 
From: leonsp at ca.ibm.com (Leons Petrazickis) Date: Wed, 19 Dec 2007 14:05:04 -0500 Subject: Local Error in simple_bind_s(); In-Reply-To: <4768441C.6050005@stroeder.com> Message-ID: Michael Ströder wrote on 18/12/2007 05:05:16 PM: > Leons Petrazickis wrote: > > > > I've installed Thorsten Kurbad's python_ldap-2.3.1-py2.4-linux-i686.egg on > > my Python 2.4 install > > Which OS? Which Linux distribution? Which OpenLDAP libs? I was using: Ubuntu 7.10 with Linux kernel 2.6.22-14-386 OpenLDAP 2.3.35-1ubuntu0.1 libsasl2 2.1.22.dfsg1-9ubuntu2 Python 2.4.4-6ubuntu4 Just now, I installed: OpenLDAP 2.3.39 This command worked fine: ldapsearch -h bluepages.ibm.com -P 2 -x -b "ou=bluepages,o=ibm.com" -s sub "(sn=Leon)" cn tieline But the python-ldap error stayed the same. I then compiled a custom copy of python-ldap 2.3.1. I got these warnings during compilation: file Lib/ldap.py (for module ldap) not found file Lib/ldap/schema.py (for module ldap.schema) not found (The files are not in the download.) It compiled and installed without fatal errors. However, it now crashes very differently: Traceback (most recent call last): File "test.py", line 10, in ? ldap.set_option(ldap.OPT_DEBUG_LEVEL,4095) File "/usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg/ldap/functions.py", line 126, in set_option _ldap_function_call(_ldap.set_option,option,invalue) AttributeError: 'module' object has no attribute 'set_option' Should I go back to the prebuilt .egg? > Hmm, yes something's really strange. > > If on Linux could you please check with ldd > /_ldap.so which OpenLDAP libs are actually used. 
With Ubuntu's OpenLDAP: linux-gate.so.1 => (0xffffe000) libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0xb7f2a000) liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f1d000) libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f05000) libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7ec4000) libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d81000) libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7d69000) libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7c1f000) libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7c0b000) libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7c07000) libz.so.1 => /usr/lib/libz.so.1 (0xb7bf2000) /lib/ld-linux.so.2 (0x80000000) With custom OpenLDAP: linux-gate.so.1 => (0xffffe000) libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0xb7ebd000) liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7eb0000) libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7e98000) libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7e57000) libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d14000) libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7cfc000) libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7bb2000) libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7b9e000) libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7b9a000) libz.so.1 => /usr/lib/libz.so.1 (0xb7b85000) /lib/ld-linux.so.2 (0x80000000) Regards, Leons Petrazickis http://lpetr.org/blog From michael at stroeder.com Thu Dec 20 12:19:10 2007 
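Both ldd listings above resolve libldap_r and liblber to /usr/lib, which is the kind of mix Michael asks about in the undefined-symbol thread earlier on this page (a libldap from one OpenLDAP build next to a liblber from another, or libraries picked up from a different prefix than the one setup.cfg pointed at). The added example below is not code from the threads or from python-ldap: it parses saved ldd output, as pasted here, and reports OpenLDAP libraries that are missing, that carry different version suffixes, that come from different directories, or that live outside an expected prefix. The embedded sample is constructed from the listing above; the optional command-line path to _ldap.so is an assumption about where a live install would be checked.

```python
"""Check which OpenLDAP client libraries an extension module resolves to.

Added example for the library-mix question in the threads; not code from the
threads or from python-ldap. It parses `ldd` output (as pasted in the thread)
instead of requiring a live system, so it also works on saved listings. The
sample below is constructed from the thread's listing.
"""
import os
import re

# Matches "libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0xb7f2a000)" and
# "liblber-2.3.so.0 => not found". Lines without a resolved path (the vdso,
# the dynamic loader) are skipped.
_LDD_LINE = re.compile(
    r'^\s*(?P<name>\S+)\s+=>\s+(?P<path>not found|/\S*)'
    r'(?:\s+\(0x[0-9a-fA-F]+\))?\s*$')
# OpenLDAP client sonames: libldap, libldap_r, liblber, with an optional
# "-MAJOR.MINOR" version suffix as in liblber-2.3.so.0 or liblber-2.2.so.7.
_OPENLDAP_SONAME = re.compile(
    r'^(?P<base>lib(?:ldap_r|ldap|lber))(?:-(?P<ver>\d+\.\d+))?\.so')


def parse_ldd(text):
    """Map each soname in ldd output to its resolved path, or None if 'not found'."""
    libs = {}
    for line in text.splitlines():
        m = _LDD_LINE.match(line)
        if m:
            path = m.group('path')
            libs[m.group('name')] = None if path == 'not found' else path
    return libs


def check_openldap_libs(ldd_output, expected_prefix=None):
    """Return a list of problem strings; empty means the OpenLDAP libs are consistent.

    Flags a library ldd could not find; libldap and liblber carrying different
    version suffixes (-2.3 next to -2.2, the mix behind an undefined-symbol
    error at import time); the two resolving to different directories; and,
    when expected_prefix is given, any of them outside that prefix."""
    problems = []
    found = {}
    for name, path in parse_ldd(ldd_output).items():
        m = _OPENLDAP_SONAME.match(name)
        if not m:
            continue
        if path is None:
            problems.append('%s: not found' % name)
            continue
        found[name] = (m.group('ver') or 'unversioned', os.path.dirname(path))
        if expected_prefix is not None:
            root = expected_prefix.rstrip('/') + '/'
            if not path.startswith(root):
                problems.append('%s resolved to %s, outside %s'
                                % (name, path, expected_prefix))
    if not found:
        problems.append('no OpenLDAP client library resolved; is this ldd output for _ldap.so?')
        return problems
    versions = sorted({ver for ver, _ in found.values()})
    dirs = sorted({d for _, d in found.values()})
    if len(versions) > 1:
        problems.append('mixed OpenLDAP library versions: %s' % ', '.join(versions))
    if len(dirs) > 1:
        problems.append('OpenLDAP libraries from different directories: %s' % ', '.join(dirs))
    return problems


# Constructed sample modelled on the listing in the thread: both OpenLDAP
# libraries come from /usr/lib although the build was meant to use /usr/local/lib.
SAMPLE_LDD = """\
    linux-gate.so.1 =>  (0xffffe000)
    libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0xb7f2a000)
    liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f1d000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f05000)
    libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7c1f000)
    /lib/ld-linux.so.2 (0x80000000)
"""

if __name__ == '__main__':
    import subprocess
    import sys
    # Optional: pass the path to _ldap.so to run ldd on a live install
    # instead of the constructed sample (assumed location, adjust as needed).
    if len(sys.argv) > 1:
        text = subprocess.run(['ldd', sys.argv[1]], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_LDD
    for problem in check_openldap_libs(text, expected_prefix='/usr/local/lib') or ['consistent']:
        print(problem)
```

The check is deliberately narrow: it says nothing about symbol-level compatibility, only whether the loader will pull libldap and liblber from one coherent installation, which is the first thing to establish when an import fails with an undefined symbol or a build was pointed at one prefix and runs against another.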
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Thu, 20 Dec 2007 12:19:10 +0100 Subject: Local Error in simple_bind_s(); In-Reply-To: References: Message-ID: <476A4FAE.1020002@stroeder.com> Leons Petrazickis wrote: > Michael Ströder wrote on 18/12/2007 05:05:16 PM: > >> Leons Petrazickis wrote: >>> I've installed Thorsten Kurbad's python_ldap-2.3.1-py2.4-linux-i686.egg > on >>> my Python 2.4 install >> Which OS? Which Linux distribution? Which OpenLDAP libs? > > I was using: > Ubuntu 7.10 with Linux kernel 2.6.22-14-386 > OpenLDAP 2.3.35-1ubuntu0.1 > libsasl2 2.1.22.dfsg1-9ubuntu2 > Python 2.4.4-6ubuntu4 > > Just now, I installed: > OpenLDAP 2.3.39 Well, I simply don't know whether Thorsten's egg file is really binary compatible with your system. That's why I always recommend to build from source when strange issues arise. > This command worked fine: > ldapsearch -h bluepages.ibm.com -P 2 -x -b "ou=bluepages,o=ibm.com" -s sub > "(sn=Leon)" cn tieline Ok. Just for the records: What kind of LDAP server product is this? Is LDAPv3 connect definitely not possible? > I then compiled a custom copy of python-ldap 2.3.1. I got these warnings > during compilation: > file Lib/ldap.py (for module ldap) not found > file Lib/ldap/schema.py (for module ldap.schema) not found Yes, ignore it. http://python-ldap.sourceforge.net/faq.shtml item 6 > It compiled and installed without fatal errors. However, it now crashes > very differently: > > Traceback (most recent call last): > File "test.py", line 10, in ? > ldap.set_option(ldap.OPT_DEBUG_LEVEL,4095) > File > "/usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg/ldap/functions.py", > line 126, in set_option > _ldap_function_call(_ldap.set_option,option,invalue) > AttributeError: 'module' object has no attribute 'set_option' > > Should I go back to the prebuilt .egg? No. 
I'd rather recommend to really remove the stuff from the formerly installed egg file since that's what the path above look like. Closely examine your /usr/lib/python2.4/site-packages and rm everything which looks like the egg files and these python-ldap files: _ldap.so ldap/ ldif.py* dsml.py* ldapurl.py* Then go into the directory where you built the source distribution and invoke as root: python setup.py install >> If on Linux could you please check with ldd >> /_ldap.so which OpenLDAP libs are actually used. > > With Ubuntu's OpenLDAP: > [..] > With custom OpenLDAP: ??? Did you install OpenLDAP 2.3.39 in a different prefix? Beware you have to adjust parameters library_dirs and include_dirs in setup.cfg then when building python-ldap from source. Ciao, Michael. From leonsp at ca.ibm.com Fri Dec 21 18:41:41 2007 
From: leonsp at ca.ibm.com (Leons Petrazickis) Date: Fri, 21 Dec 2007 12:41:41 -0500 Subject: Local Error in simple_bind_s(); In-Reply-To: <476A4FAE.1020002@stroeder.com> Message-ID: Michael Ströder wrote on 20/12/2007 06:19:10 AM: > Ok. Just for the records: What kind of LDAP server product is this? Is > LDAPv3 connect definitely not possible? I was mistaken earlier. LDAPv3 connect is possible. It just has to use simple authentication, not SASL. > No. I'd rather recommend to really remove the stuff from the formerly > installed egg file since that's what the path above look like. Closely > examine your /usr/lib/python2.4/site-packages and rm everything which > looks like the egg files and these python-ldap files: > _ldap.so > ldap/ > ldif.py* > dsml.py* > ldapurl.py* I removed these. I then moved the OpenLDAP libs from /usr/lib to /usr/lib-backup, and removed all the extraneous copies lying around. Finally, I reinstalled OpenLDAP 2.3.39 from source into /usr/lib and then rebuilt python-ldap into the python2.4 site-packages. ldd _ldap.so gives this: linux-gate.so.1 => (0xffffe000) libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0xb7f4f000) liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f42000) libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f2a000) libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7ee9000) libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7da6000) libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7d8e000) libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7c44000) libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7c30000) libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7c2c000) libz.so.1 => /usr/lib/libz.so.1 (0xb7c17000) /lib/ld-linux.so.2 (0x80000000) But the old error has returned: ... 
ldap_chkResponseList returns ld 0x81a3e70 NULL wait4msg ld 0x81a3e70 msgid 1 (infinite timeout) wait4msg continue ld 0x81a3e70 msgid 1 all 1 ** ld 0x81a3e70 Connections: * host: bluepages.ibm.com port: 636 (default) refcnt: 2 status: Connected last used: Thu Dec 20 16:13:02 2007 ** ld 0x81a3e70 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x81a3e70 Response Queue: Empty ldap_chkResponseList ld 0x81a3e70 msgid 1 all 1 ldap_chkResponseList returns ld 0x81a3e70 NULL ldap_int_select read1msg: ld 0x81a3e70 msgid 1 all 1 ldap_err2string => LDAPError - LOCAL_ERROR: {'desc': 'Local error'} Traceback (most recent call last): File "test.py", line 8, in ? l.simple_bind_s() File "/usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg/ldap/ldapobject.py", line 199, in simple_bind_s return self.result(msgid,all=1,timeout=self.timeout) File "/usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg/ldap/ldapobject.py", line 428, in result res_type,res_data,res_msgid = self.result2(msgid,all,timeout) File "/usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg/ldap/ldapobject.py", line 432, in result2 res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout) File "/usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg/ldap/ldapobject.py", line 438, in result3 rtype, rdata, rmsgid, serverctrls = self._ldap_call(self._l.result3,msgid,all,timeout) File "/usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg/ldap/ldapobject.py", line 97, in _ldap_call result = func(*args,**kwargs) ldap.LOCAL_ERROR: {'desc': 'Local error'} ldap_free_request (origid 1, msgid 1) ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed > Beware you have to adjust parameters library_dirs and include_dirs in > setup.cfg then when building python-ldap from source. What should they be set to? 
I used this in the last compile: library_dirs = /usr/openldap-2.3/lib /usr/lib include_dirs = /usr/openldap-2.3/include /usr/include/sasl Before, I was leaving them unchanged. I'm going to set up a fresh Ubuntu system. If it works, I'll rebuild the current server from scratch. Thank you very much for all the help, Michael. This is a frustrating problem. Regards, Leons Petrazickis From michael at stroeder.com Fri Dec 21 18:53:38 2007 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Fri, 21 Dec 2007 18:53:38 +0100 Subject: Local Error in simple_bind_s(); In-Reply-To: References: Message-ID: <476BFDA2.3020900@stroeder.com> Leons Petrazickis wrote: >> _ldap.so >> ldap/ >> ldif.py* >> dsml.py* >> ldapurl.py* > > I removed these. I then moved the OpenLDAP libs from /usr/lib to > /usr/lib-backup, and removed all the extraneous copies lying around. > [..] > "/usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg/ldap/ldapobject.py", > line 97, in _ldap_call > result = func(*args,**kwargs) > ldap.LOCAL_ERROR: {'desc': 'Local error'} A fresh install of python-ldap does not reside in this directory like the ones used in the traceback: /usr/lib/python2.4/site-packages/python_ldap-2.3.1-py2.4-linux-i686.egg Remove that completely. After a python setup.py install the python-ldap modules reside in /usr/lib/python2.4/site-packages. And in case of an error this module path is shown in traceback. There is some module mix on your system. Ciao, Michael. 
From michael at stroeder.com Sat Dec 22 13:18:31 2007 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Sat, 22 Dec 2007 13:18:31 +0100 Subject: Local Error in simple_bind_s(); In-Reply-To: References: Message-ID: <476D0097.10802@stroeder.com> Leons Petrazickis wrote: > Michael Ströder wrote on 20/12/2007 06:19:10 AM: > >> Ok. Just for the records: What kind of LDAP server product is this? Is >> LDAPv3 connect definitely not possible? > > I was mistaken earlier. LDAPv3 connect is possible. It just has to use > simple authentication, not SASL. BTW: You should definitely use LDAPv3 instead of LDAPv2. Out of curiosity: What kind of server is this (vendor/version)? Ciao, Michael. From michael at stroeder.com Wed Dec 26 14:24:22 2007 
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Wed, 26 Dec 2007 14:24:22 +0100
Subject: documentation updates
In-Reply-To: <471E3D1F.7040501@stroeder.com>
References: <1193102127.31900.7.camel@zarvora> <1193131642.31900.22.camel@zarvora> <1193161793.1307.13.camel@zarvora> <471E3D1F.7040501@stroeder.com>
Message-ID: <47725606.7050706@stroeder.com>

James,

Michael Ströder wrote:
>
> I've started reviewing your patches this morning and I have some doubts
> about some details which need clarification. This will take a little
> bit. I will follow up on this when I have some spare time left. Maybe
> tomorrow...

Well, actually it took more time to have a running latex environment again. I've committed many modifications to ldap*.tex but not all. Please review. Some new module descriptions are still not in there.

> One general note: I didn't document some stuff since I didn't want to
> endorse it because I don't consider certain APIs to be really stable
> (say: designed well). Examples are class SmartLDAPObject, the API of
> ldap.schema etc.

Hmm, I don't know whether I want to endorse the use of module ldap.cidict. Since Python 2.3 has support for sets now, this is somewhat outdated.

Ciao, Michael.

From leonsp at ca.ibm.com Sat Dec 29 23:03:11 2007
From: leonsp at ca.ibm.com (Leons Petrazickis)
Date: Sat, 29 Dec 2007 17:03:11 -0500
Subject: Local Error in simple_bind_s();
In-Reply-To: <476D0097.10802@stroeder.com>
Message-ID:

Hi Michael,

I now have a fresh Ubuntu 7.10 install with OpenLDAP 2.1 in /usr/lib and a manually compiled OpenLDAP 2.3.39 in /usr/local/lib. The appropriate dirs are in setup.cfg:

library_dirs = /usr/local/lib
include_dirs = /usr/local/include /usr/include/sasl

ldd _ldap.so says that python-ldap links to the right one:

linux-gate.so.1 => (0xffffe000)
libldap_r-2.3.so.0 => /usr/local/lib/libldap_r-2.3.so.0 (0xb7f36000)
liblber-2.3.so.0 => /usr/local/lib/liblber-2.3.so.0 (0xb7f29000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f06000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7ec5000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d82000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7d6a000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7c20000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7c0c000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7c08000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7bf3000)
/lib/ld-linux.so.2 (0x80000000)

Doing a simple_bind_s() on ldap.openldap.org works:

...
wait4msg ld 0x81e50b8 msgid 1 (infinite timeout)
wait4msg continue ld 0x81e50b8 msgid 1 all 1
** ld 0x81e50b8 Connections:
* host: ldap.openldap.org port: 389 (default)
refcnt: 2 status: Connected
last used: Sat Dec 29 15:11:47 2007
** ld 0x81e50b8 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x81e50b8 Response Queue:
Empty
ldap_chkResponseList ld 0x81e50b8 msgid 1 all 1
ldap_chkResponseList returns ld 0x81e50b8 NULL
ldap_int_select
read1msg: ld 0x81e50b8 msgid 1 all 1
read1msg: ld 0x81e50b8 msgid 1 message type bind
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 0x81e50b8 0 new referrals
read1msg: mark request completed, ld 0x81e50b8 msgid 1
request done: ld 0x81e50b8 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_result
ldap_msgfree
=> result: (97, [], 1, [])
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed

But a simple_bind_s() on bluepages.ibm.com doesn't:

wait4msg continue ld 0x81e4ef0 msgid 1 all 1
** ld 0x81e4ef0 Connections:
* host: bluepages.ibm.com port: 636 (default)
refcnt: 2 status: Connected
last used: Sat Dec 29 15:11:16 2007
** ld 0x81e4ef0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x81e4ef0 Response Queue:
Empty
ldap_chkResponseList ld 0x81e4ef0 msgid 1 all 1
ldap_chkResponseList returns ld 0x81e4ef0 NULL
ldap_int_select
read1msg: ld 0x81e4ef0 msgid 1 all 1
ldap_err2string
=> LDAPError - LOCAL_ERROR: {'desc': 'Local error'}
Traceback (most recent call last):
  File "test.py", line 10, in <module>
    l.simple_bind_s();
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 199, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 428, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 432, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 438, in result3
    rtype, rdata, rmsgid, serverctrls = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 97, in _ldap_call
    result = func(*args,**kwargs)
ldap.LOCAL_ERROR: {'desc': 'Local error'}
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed

However, ldapsearch doesn't crash at this point:

...
** ld 0x8084d08 Response Queue:
Empty
ldap_chkResponseList ld 0x8084d08 msgid 1 all 1
ldap_chkResponseList returns ld 0x8084d08 NULL
ldap_int_select
read1msg: ld 0x8084d08 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x8084d08 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8084d08 0 new referrals
read1msg: mark request completed, ld 0x8084d08 msgid 1
request done: ld 0x8084d08 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
...

It probably uses the OpenLDAP 2.1 libraries, though. I could make it use the 2.3 ones if it would help.

Michael Ströder wrote on 22/12/2007 07:18:31 AM:
>
> Out of curiosity: What kind of server is this (vendor/version)?

It's Tivoli Directory Server 5.2:

dn:
namingcontexts: CN=SCHEMA
namingcontexts: CN=LOCALHOST
namingcontexts: CN=PWDPOLICY
namingcontexts: CN=IBMPOLICIES
namingcontexts: O=IBM.COM
namingcontexts: O=DELETED.IBM.COM
subschemasubentry: cn=schema
...
secureport: 636
security: ssl
port: 389
supportedsaslmechanisms: CRAM-MD5
supportedsaslmechanisms: DIGEST-MD5
supportedldapversion: 2
supportedldapversion: 3
ibmdirectoryversion: 5.2
ibm-ldapservicename: d03ldr215a
ibm-serverId: 34519bc0-4c01-102b-8a2e-caf840af47c5
...
vendorname: International Business Machines (IBM)
vendorversion: 5.2
...
ibm-slapdisconfigurationmode: FALSE
ibm-slapdSizeLimit: 100000
ibm-slapdTimeLimit: 0
ibm-slapdDerefAliases: never
ibm-supportedAuditVersion: 2
ibm-sasldigestrealmname: d03ldr215a

Could the blank dn be a problem? What can I do? What can I log? I tried telnetting to the ldap server, but that didn't give any useful output.

Thanks,
Leons Petrazickis
http://lpetr.org/blog/

From michael at stroeder.com Sun Dec 30 14:04:07 2007
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Sun, 30 Dec 2007 14:04:07 +0100
Subject: Local Error in simple_bind_s();
In-Reply-To:
References:
Message-ID: <47779747.4080805@stroeder.com>

Leons Petrazickis wrote:
>
> I now have a fresh Ubuntu 7.10 install with OpenLDAP 2.1 in /usr/lib and a
> manually compiled OpenLDAP 2.3.39 in /usr/local/lib.

I hope you did not install python-ldap from Ubuntu. Do you have more than one version of Python on this system?

Did you really

configure --prefix=/usr/local
make
make install

when compiling OpenLDAP? Are you sure that the include files ldap.h and lber.h were present under /usr/local/include when building python-ldap?

I'd recommend staying completely out of the standard LIB path.

1. Remove what you manually copied to /usr/local/lib and /usr/local/include.

2. Build OpenLDAP 2.3 with

configure --prefix=/opt/openldap-2.3
make
make install (as root)

If you only want the OpenLDAP client libs you can add --disable-slapd and --disable-slurpd to the configure command line.

3. and then set

library_dirs = /opt/openldap-2.3/lib
include_dirs = /opt/openldap-2.3/include /usr/include/sasl

4. and invoke as root

python2.5 setup.py install

Make sure to remove the old content of build/ in the python-ldap source dir before.

> ldd _ldap.so says that python-ldap links to the right one:
>
> linux-gate.so.1 => (0xffffe000)
> libldap_r-2.3.so.0 => /usr/local/lib/libldap_r-2.3.so.0 (0xb7f36000)
> liblber-2.3.so.0 => /usr/local/lib/liblber-2.3.so.0 (0xb7f29000)

And how about

ldd /usr/local/lib/libldap_r-2.3.so.0

?

> Doing a simple_bind_s() on ldap.openldap.org works:
> [..]
> But a simple_bind_s() on bluepages.ibm.com doesn't:
> ldap_err2string
> => LDAPError - LOCAL_ERROR: {'desc': 'Local error'}

Hmm, really strange.

> wait4msg continue ld 0x81e4ef0 msgid 1 all 1
> ** ld 0x81e4ef0 Connections:
> * host: bluepages.ibm.com port: 636 (default)

Hmm, did you really use

ldap.initialize('ldaps://bluepages.ibm.com')

for creating the LDAPObject instance? Note the URL scheme ldaps instead of just ldap. I don't see any SSL-related debug messages.

> However, ldapsearch doesn't crash at this point:
> [..]
> It probably uses the OpenLDAP 2.1 libraries, though. I could make it use
> the 2.3 ones if it would help.

If you invoke

make install

the OpenLDAP command-line utilities are installed under <prefix>/bin, e.g. /opt/openldap-2.3/bin/ldapsearch if using the --prefix as suggested above. Then this command-line tool is using the right libs.

> It's Tivoli Directory Server 5.2:
>
> dn:
>
> Could the blank dn be a problem?

It's correct. This is the rootDSE which indeed has an empty DN, "" in Python syntax.

Ciao, Michael.
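The three checks Michael walks Leons through in this thread (whether _ldap.so really resolves to the intended OpenLDAP libraries and not a mix of versions, whether the URL scheme matches the port the server is listening on, and what the rootDSE with its empty DN advertises) can be scripted against pasted text. The following is an added example written for this archive page, not code from python-ldap or from either poster. It works offline on copied ldd output, an LDAP URL string and a rootDSE dump, so all sample inputs are constructed (modelled on what is quoted above) and no LDAP server is contacted; the helper names are my own.

```python
"""Offline checks for the python-ldap / OpenLDAP mix-up discussed in this thread.
Added example; not part of python-ldap. All sample inputs below are constructed."""
import re
from urllib.parse import urlsplit

# Default ports for the two URL schemes ldap.initialize() accepts.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed ldd output, modelled on the one quoted in the thread.
SAMPLE_LDD = """\
        linux-gate.so.1 =>  (0xffffe000)
        libldap_r-2.3.so.0 => /usr/local/lib/libldap_r-2.3.so.0 (0xb7f36000)
        liblber-2.3.so.0 => /usr/local/lib/liblber-2.3.so.0 (0xb7f29000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f06000)
        /lib/ld-linux.so.2 (0x80000000)
"""

# Constructed rootDSE in the LDIF shape the thread shows; values are placeholders.
SAMPLE_ROOTDSE = """\
dn:
namingcontexts: o=example
secureport: 636
security: ssl
supportedsaslmechanisms: CRAM-MD5
supportedsaslmechanisms: DIGEST-MD5
supportedldapversion: 2
supportedldapversion: 3
"""

LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)\s+\(0x[0-9a-fA-F]+\)\s*$")

def parse_ldd(output):
    """Map soname -> resolved path; lines without a path (vdso, loader) are skipped."""
    libs = {}
    for line in output.splitlines():
        m = LDD_LINE.match(line)
        if m:
            libs[m.group(1)] = m.group(2)
    return libs

def check_openldap_libs(ldd_output, expected_prefix):
    """Report libldap/liblber resolving outside expected_prefix, or carrying
    different OpenLDAP versions (the 'module mix' chased in the thread)."""
    prefix = expected_prefix.rstrip("/") + "/"
    problems, versions = [], {}
    for soname, path in parse_ldd(ldd_output).items():
        m = re.match(r"(libldap(?:_r)?|liblber)-(\d+\.\d+)\.so", soname)
        if not m:
            continue  # libsasl2, libssl etc. are not what we are checking
        versions[m.group(1)] = m.group(2)
        if not path.startswith(prefix):
            problems.append("%s resolves to %s, outside %s" % (soname, path, expected_prefix))
    if "liblber" not in versions or not any(k.startswith("libldap") for k in versions):
        problems.append("libldap/liblber not found in ldd output")
    elif len(set(versions.values())) > 1:
        problems.append("mixed OpenLDAP versions: %s" % sorted(versions.items()))
    return problems

def check_ldap_url(url):
    """Flag the scheme/port mismatch Michael asks about: plain ldap:// sent to
    the SSL port 636 fails the bind with no SSL-related debug output."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return ["unknown URL scheme %r (expected ldap or ldaps)" % parts.scheme]
    problems = []
    if not parts.hostname:
        problems.append("no host in URL")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    if scheme == "ldap" and port == 636:
        problems.append("scheme ldap with port 636: use ldaps:// for the SSL port")
    if scheme == "ldaps" and port == 389:
        problems.append("scheme ldaps with port 389: server expects plain ldap:// (or StartTLS)")
    return problems

def parse_rootdse(ldif_text):
    """Parse simple unfolded LDIF into {lowercased attribute: [values]}.
    The rootDSE's 'dn:' line carries an empty value, which is correct."""
    attrs = {}
    for line in ldif_text.splitlines():
        if not line.strip() or line.startswith("#") or line.strip() == "...":
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def bind_advice(rootdse):
    """Summarise how to connect from what the rootDSE advertises."""
    return {
        "dn_is_empty": rootdse.get("dn") == [""],
        "ldapv3": "3" in rootdse.get("supportedldapversion", []),
        "ssl_port": int(rootdse["secureport"][0]) if rootdse.get("secureport") else None,
        "sasl": sorted(rootdse.get("supportedsaslmechanisms", [])),
    }

if __name__ == "__main__":
    print(check_openldap_libs(SAMPLE_LDD, "/usr/local/lib"))
    print(check_ldap_url("ldap://bluepages.ibm.com:636"))
    print(bind_advice(parse_rootdse(SAMPLE_ROOTDSE)))
```

Paste the real `ldd _ldap.so` output into `check_openldap_libs` with the prefix you built OpenLDAP for (`/opt/openldap-2.3/lib` in Michael's recipe); any entry outside it, or a libldap/liblber version pair that disagrees, is the module mix he suspects. `check_ldap_url` catches the case in the trace above, port 636 reached with the plain ldap scheme, before a single packet is sent.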