From michael at stroeder.com Fri Apr 4 19:20:42 2008
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 04 Apr 2008 19:20:42 +0200
Subject: Commit new-style docs to CVS?
In-Reply-To: <47EFABD5.9030009@stroeder.com>
References: <47EFABD5.9030009@stroeder.com>
Message-ID: <47F6636A.2000507@stroeder.com>

Since there were no major objections I've committed new docs.

Ciao, Michael.

Michael Ströder wrote:
>
> Waldemar Osuch contributed the converted new-style docs for python-ldap
> based on the latest latex-based docs. You can view/browse the PDF and
> HTML builds here:
>
> http://python-ldap.sourceforge.net/new-style-doc/
>
> The PDF index does not look too good at the moment but I'm not sure how
> important PDF docs are today.
>
> Please review and comment. Especially I'd like to have feedback whether
> this should be committed to CVS and the old latex-based stuff removed
> from CVS.
>
> Also see:
> http://sourceforge.net/tracker/index.php?func=detail&aid=1926469&group_id=2072&atid=352072
>
>
> Ciao, Michael.

From python-ldap at tk-webart.de Mon Apr 21 11:46:14 2008
From: python-ldap at tk-webart.de (Torsten Kurbad)
Date: Mon, 21 Apr 2008 11:46:14 +0200
Subject: Python-2.3.4 eggs
Message-ID: <20080421114614.266ecf15@atalante.iwm-kmrc.de>

Hi Folks,

I boiled some new eggs for you. In particular:

python_ldap-2.3.4-py2.4-linux-i686.egg
python_ldap-2.3.4-py2.4-linux-x86_64.egg
python_ldap-2.3.4-py2.4-win32.egg
python_ldap-2.3.4-py2.5-win32.egg

The Linux eggs have been built with OpenLDAP-2.3 and Cyrus-SASL support.
The Windows versions have been linked against MinGW versions of
OpenSSL-0.98g and OpenLDAP-2.4.8.

To get the win32 eggs running, you also need to unzip the file
OpenLDAP-2.4.8+OpenSSL-0.9.8g-Win32.zip
to a directory in your path, e.g. C:\Windows\System32. It contains the
necessary DLLs.
All files can be downloaded from our development web server at
http://svn.kmrc.de/download/distribution

Have fun,
Torsten

--
Our similarities are different.
        -Dale Berra, son of Yogi

From michael at stroeder.com Mon Apr 21 12:59:28 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 21 Apr 2008 12:59:28 +0200
Subject: Python-2.3.4 eggs
In-Reply-To: <20080421114614.266ecf15@atalante.iwm-kmrc.de>
References: <20080421114614.266ecf15@atalante.iwm-kmrc.de>
Message-ID: <480C7390.2080808@stroeder.com>

Torsten Kurbad wrote:
>
> I boiled some new eggs for you.

Thanks for contributing your builds. Could you please provide some
descriptive text (HTML snippet) to be added to the web site at
http://python-ldap.sourceforge.net/download.shtml?

Ciao, Michael.

From Ron at USMedRec.com Tue Apr 22 18:40:19 2008
From: Ron at USMedRec.com (Ron Teitelbaum)
Date: Tue, 22 Apr 2008 12:40:19 -0400
Subject: One result call per record
Message-ID:

Hi all,

We are experiencing something pretty odd.

CentOS 5
python2.4.4
python-ldap 2.3.4

While polling it appears that we have to call result for every record that
is waiting to be read. Since we added a 250 millisecond delay between calls
larger queries are taking a really long time.

    def searchForAsync(self, searchString):
        # 2 is the numeric value of ldap.SCOPE_SUBTREE
        id = self.connection.search('dc=my,dc=base,dc=rec',2,searchString,['*','+'])
        result = [None, None]
        count = 0
        start = time.time()
        # poll with timeout 0 and sleep between calls
        while(result[0] == None):
            count = count + 1
            result = self.connection.result(id, True, 0)
            time.sleep(0.25)
        print "Total call count: " + str(count)
        print "Total query time: " + str(time.time() - start)
        return result

The result:
With 165 records the total call count is 167 and the total time 42.1
seconds.

Is this expected or did we do something wrong?

Thanks for your help!
Ron

From oliviersessink at gmail.com Tue Apr 22 21:25:59 2008
From: oliviersessink at gmail.com (Olivier Sessink)
Date: Tue, 22 Apr 2008 21:25:59 +0200
Subject: high level API for ldap object handling
Message-ID: <480E3BC7.2010100@gmail.com>

Hi all,

I've been using python-ldap a lot, thanks for the great work!

In my use of python-ldap I've often used a self-developed high level
class for ldap-object handling.

Adding a new ldap entry for example (ld is a python-ldap object):

lo = LdapOO.LdapObject()
lo.set_dn_attribs(['cn'])
lo.add_attribute_value('cn','test2')
lo.set_base_dn('ou=People,o=myorg')
lo.add_attribute_value('objectClass','inetOrgPerson')
lo.commit_s(ld)

or modifying an existing ldap entry:

res=ld.search_s('ou=People,o=fakenet',ldap.SCOPE_SUBTREE,'(sn=surname)')
lo = LdapOO.LdapObject(res[0][0],res[0][1])
lo.add_attribute_value('sn','surname')
if (not lo.has_attribute('street')):
    lo.add_attribute_value('street','new street')
lo.commit_s(ld)

since I use this class often, I was wondering if there are more people
that like such a high-level API, and perhaps this can be developed
further and added to python-ldap ?

regards,
Olivier Sessink

From michael at stroeder.com Wed Apr 23 11:29:19 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 23 Apr 2008 11:29:19 +0200
Subject: high level API for ldap object handling
In-Reply-To: <480E3BC7.2010100@gmail.com>
References: <480E3BC7.2010100@gmail.com>
Message-ID: <480F016F.4010003@stroeder.com>

Olivier,

Olivier Sessink wrote:
>
> In my use of python-ldap I've often used a self-developed high level
> class for ldap-object handling.
>
> Adding a new ldap entry for example (ld is a python-ldap object):
>
> lo = LdapOO.LdapObject()
> lo.set_dn_attribs(['cn'])
> lo.add_attribute_value('cn','test2')
> lo.set_base_dn('ou=People,o=myorg')
> lo.add_attribute_value('objectClass','inetOrgPerson')
> lo.commit_s(ld)
>
> or modifying an existing ldap entry:
>
> res=ld.search_s('ou=People,o=fakenet',ldap.SCOPE_SUBTREE,'(sn=surname)')
> lo = LdapOO.LdapObject(res[0][0],res[0][1])
> lo.add_attribute_value('sn','surname')
> if (not lo.has_attribute('street')):
>     lo.add_attribute_value('street','new street')
> lo.commit_s(ld)

Hmm, I'm not sure I would consider this to be very high-level. If a
higher-level API is ever added to python-ldap it will definitely be
subschema-aware to map OID to NAME aliases and some more stuff and make
use of defaultdict stuff new in Python 2.5.

> since I use this class often, I was wondering if there are more people
> that like such a high-level API, and perhaps this can be developed
> further and added to python-ldap ?

I'd prefer you to release this as a separate package on your own web
space since I wouldn't use it myself and therefore I'd not maintain it.
If you do so I would be glad to link to your project page from
python-ldap's web page so that others can find it easily.

Ciao, Michael.

From michael at stroeder.com Wed Apr 23 15:35:40 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 23 Apr 2008 15:35:40 +0200
Subject: One result call per record
In-Reply-To:
References:
Message-ID: <480F3B2C.7030209@stroeder.com>

Ron Teitelbaum wrote:
> While polling it appears that we have to call result for every record that
> is waiting to be read. Since we added a 250 millisecond delay between calls
> larger queries are taking a really long time.

Why do you wait such a long time in an extra time.sleep() call?

>         result = self.connection.result(id, True, 0)
>         time.sleep(0.25)

Hmm, I don't know very much of the inner workings of OpenLDAP's function
ldap_result(). The behaviour also may depend on the version of OpenLDAP.

But how about fiddling around a little bit with the timeout argument for
result()? You're blocking your while-loop with time.sleep() anyway. And
the C wrapper module releases Python's GIL.

Something like

[..within while loop..]
   try:
     result = l.result(msgid,True,0.25)
   except ldap.TIMEOUT:
     continue
   else:
     # Process result
[..within while loop..]

I played around a little bit with the script attached on a local server
with more than 1000 entries.

BTW: If you're after correctly dispatching results to several
outstanding search requests you should probably use method result2()
which also returns the message ID of the originating request:

http://python-ldap.sourceforge.net/doc/html/ldap.html#ldap.LDAPObject.result2

Use result3() if LDAPv3 extended controls are to be used to also receive
controls sent by the server.

Ciao, Michael.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: async_result.py
Type: application/x-python
Size: 1143 bytes
Desc: not available
URL:

From michael at stroeder.com Wed Apr 23 16:19:50 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 23 Apr 2008 16:19:50 +0200
Subject: high level API for ldap object handling
In-Reply-To: <61722e190804230635v3ec155ddvf4f3830d47e2702b@mail.gmail.com>
References: <480E3BC7.2010100@gmail.com> <480F016F.4010003@stroeder.com> <61722e190804230635v3ec155ddvf4f3830d47e2702b@mail.gmail.com>
Message-ID: <480F4586.2090905@stroeder.com>

Olivier,

please follow-up on the python-ldap-dev (Cc:-ed) list because this is
certainly of general interest.

Olivier Sessink wrote:
> 2008/4/23 Michael Ströder :
>> Hmm, I'm not sure I would consider this to be very high-level.
>> If a higher-level API is ever added to python-ldap it will definitely be
>> subschema-aware to map OID to NAME aliases and some more stuff and make use
>> of defaultdict stuff new in Python 2.5.
>
> Can you explain a little what the subschema-awareness would bring for
> the python-ldap programmer? Can you give a (pseudo-code) example what
> that could look like?

It eases dealing with different attribute names and the accompanying
OIDs. There's already something implemented in (undocumented) class
ldap.schema.models.Entry which I heavily use in web2ldap. It does not
implement methods for invoking the LDAP add and modify operations. It is
still undocumented because it was never thoroughly reviewed by others
and probably some details may need a re-design.

Ciao, Michael.

From Ron at USMedRec.com Wed Apr 23 19:01:46 2008
From: Ron at USMedRec.com (Ron Teitelbaum)
Date: Wed, 23 Apr 2008 13:01:46 -0400
Subject: One result call per record
In-Reply-To: <480F3B2C.7030209@stroeder.com>
References: <480F3B2C.7030209@stroeder.com>
Message-ID:

Hi Michael,

Thanks for your response. I'll play around with it. The sleep time added
was to enable us to test the behavior of result. We are calling python
through Smalltalk and we add the sleep on our end (the calling thread in
Smalltalk not python) to enable other threads to process while waiting on
responses. I guess I assumed that the result wouldn't take more than 1 or 2
waits, and the next call would retrieve the full result set. I didn't
expect that I needed to call result once for each record.

Thanks again for your suggestions and all your help!

Ron

> -----Original Message-----
> From: Michael Ströder
>
> Ron Teitelbaum wrote:
> > While polling it appears that we have to call result for every record that
> > is waiting to be read. Since we added a 250 millisecond delay between calls
> > larger queries are taking a really long time.
>
> Why do you wait such a long time in an extra time.sleep() call?
>
> >         result = self.connection.result(id, True, 0)
> >         time.sleep(0.25)
>
> Hmm, I don't know very much of the inner workings of OpenLDAP's function
> ldap_result(). The behaviour also may depend on the version of OpenLDAP.
>
> But how about fiddling around a little bit with the timeout argument for
> result()? You're blocking your while-loop with time.sleep() anyway. And
> the C wrapper module releases Python's GIL.
>
> Something like
>
> [..within while loop..]
>    try:
>      result = l.result(msgid,True,0.25)
>    except ldap.TIMEOUT:
>      continue
>    else:
>      # Process result
> [..within while loop..]
>
> I played around a little bit with the script attached on a local server
> with more than 1000 entries.
>
> BTW: If you're after correctly dispatching results to several
> outstanding search requests you should probably use method result2()
> which also returns the message ID of the originating request:
>
> http://python-ldap.sourceforge.net/doc/html/ldap.html#ldap.LDAPObject.result2
>
> Use result3() if LDAPv3 extended controls are to be used to also receive
> controls sent by the server.
>
> Ciao, Michael.

From Ron at USMedRec.com Sat Apr 26 05:39:28 2008
From: Ron at USMedRec.com (Ron Teitelbaum)
Date: Fri, 25 Apr 2008 23:39:28 -0400
Subject: Killed Python2.4
Message-ID:

Hi Michael,

I know you mentioned that I should send you more info if I get an exception.
I got a SERVER_DOWN and then retried the call manually and blew up python2.4

This is CentOS 5, python2.4.4, python-ldap 2.3.4

  File "/usr/lib/python2.4/site-packages/ldap/ldapobject.py", line 507, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/usr/lib/python2.4/site-packages/ldap/ldapobject.py", line 501, in search_ext_s
    return self.result(msgid,all=1,timeout=timeout)[1]
  File "/usr/lib/python2.4/site-packages/ldap/ldapobject.py", line 427, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.4/site-packages/ldap/ldapobject.py", line 431, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.4/site-packages/ldap/ldapobject.py", line 437, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.4/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server"}
>>> ico.getNewUsersThatWereInvited()
python2.4: io.c:234: ber_flush2: Assertion `( (sb)->sb_opts.lbo_valid == 0x3 )' failed.
Aborted

I thought I'd send it to you in case it gives you any clues about SERVER_DOWN
which has been a royal pain!

I actually was able to reproduce this error twice. 3rd time worked.

Thanks again for all your help!

Ron

From michael at stroeder.com Sat Apr 26 11:13:11 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 26 Apr 2008 11:13:11 +0200
Subject: Killed Python2.4
In-Reply-To:
References:
Message-ID: <4812F227.70704@stroeder.com>

Ron Teitelbaum wrote:
>
> I know you mentioned that I should send you more info if I get an exception.
>
> I got a SERVER_DOWN and then retried the call manually and blew up python2.4
>
> This is CentOS 5, python2.4.4, python-ldap 2.3.4
> [..]
> python2.4: io.c:234: ber_flush2: Assertion `( (sb)->sb_opts.lbo_valid == 0x3 )' failed.
> Aborted

Hmm, this is a debug message of OpenLDAP's libldap. Never saw this.
Which version of OpenLDAP is installed there? CentOS is based on Fedora?
Red Hat / Fedora is far behind with its OpenLDAP version. Any chance for
a library mix with another libldap? Could you please check which libldap
is dynamically linked? Use ldd for that.

On my system where OpenLDAP is separately compiled and installed to
prefix /opt/openldap-2.3:

# ldd /usr/lib/python/site-packages/_ldap.so
        linux-gate.so.1 => (0xffffe000)
        libldap_r-2.3.so.0 => /opt/openldap-2.3/lib/libldap_r-2.3.so.0 (0xb7ecf000)
        liblber-2.3.so.0 => /opt/openldap-2.3/lib/liblber-2.3.so.0 (0xb7ec1000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7e92000)
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7e4f000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7d08000)
        libpython2.5.so.1.0 => /usr/lib/libpython2.5.so.1.0 (0xb7be7000)
        libpthread.so.0 => /lib/libpthread.so.0 (0xb7bd0000)
        libc.so.6 => /lib/libc.so.6 (0xb7a9d000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7a8a000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7a86000)
        libz.so.1 => /lib/libz.so.1 (0xb7a72000)
        libutil.so.1 => /lib/libutil.so.1 (0xb7a6e000)
        libm.so.6 => /lib/libm.so.6 (0xb7a49000)
        /lib/ld-linux.so.2 (0x80000000)

> I thought I'd send it to you in case it gives you any clues about SERVER_DOWN
> which has been a royal pain!

It shouldn't be a problem. It works for me very often. I believe it's an
issue with your local installation.

> I actually was able to reproduce this error twice. 3rd time worked.

Strange.

Ciao, Michael.
From Ron at USMedRec.com Mon Apr 28 17:35:42 2008
From: Ron at USMedRec.com (Ron Teitelbaum)
Date: Mon, 28 Apr 2008 11:35:42 -0400
Subject: Killed Python2.4
In-Reply-To: <4812F227.70704@stroeder.com>
References: <4812F227.70704@stroeder.com>
Message-ID:

Hi Michael,

Yes CentOS 5 is the free version of Fedora 5,

Here is the output:

ldd libldap.so
        linux-gate.so.1 => (0x002d7000)
        liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x00176000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x002f7000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x0089a000)
        libssl.so.6 => /lib/libssl.so.6 (0x00652000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x00416000)
        libc.so.6 => /lib/libc.so.6 (0x00c0c000)
        libdl.so.2 => /lib/libdl.so.2 (0x00d4e000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x0399c000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0058d000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x005bd000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x00411000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0054b000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00101000)
        /lib/ld-linux.so.2 (0x00bea000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00578000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00573000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00dde000)
        libsepol.so.1 => /lib/libsepol.so.1 (0x00d96000)

It looks quite different from your version.

Thanks,
Ron

> -----Original Message-----
> From: Michael Ströder
>
> Ron Teitelbaum wrote:
> >
> > I know you mentioned that I should send you more info if I get an exception.
> >
> > I got a SERVER_DOWN and then retried the call manually and blew up python2.4
> >
> > This is CentOS 5, python2.4.4, python-ldap 2.3.4
> > [..]
> > python2.4: io.c:234: ber_flush2: Assertion `( (sb)->sb_opts.lbo_valid == 0x3 )' failed.
> > Aborted
>
> Hmm, this is a debug message of OpenLDAP's libldap. Never saw this.
> Which version of OpenLDAP is installed there? CentOS is based on Fedora?
> Red Hat / Fedora is far behind with its OpenLDAP version.
> Any chance for a library mix with another libldap? Could you please check
> which libldap is dynamically linked? Use ldd for that.
>
> On my system where OpenLDAP is separately compiled and installed to
> prefix /opt/openldap-2.3:
>
> # ldd /usr/lib/python/site-packages/_ldap.so
>         linux-gate.so.1 => (0xffffe000)
>         libldap_r-2.3.so.0 => /opt/openldap-2.3/lib/libldap_r-2.3.so.0 (0xb7ecf000)
>         liblber-2.3.so.0 => /opt/openldap-2.3/lib/liblber-2.3.so.0 (0xb7ec1000)
>         libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7e92000)
>         libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7e4f000)
>         libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7d08000)
>         libpython2.5.so.1.0 => /usr/lib/libpython2.5.so.1.0 (0xb7be7000)
>         libpthread.so.0 => /lib/libpthread.so.0 (0xb7bd0000)
>         libc.so.6 => /lib/libc.so.6 (0xb7a9d000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0xb7a8a000)
>         libdl.so.2 => /lib/libdl.so.2 (0xb7a86000)
>         libz.so.1 => /lib/libz.so.1 (0xb7a72000)
>         libutil.so.1 => /lib/libutil.so.1 (0xb7a6e000)
>         libm.so.6 => /lib/libm.so.6 (0xb7a49000)
>         /lib/ld-linux.so.2 (0x80000000)
>
> > I thought I'd send it to you in case it gives you any clues about SERVER_DOWN
> > which has been a royal pain!
>
> It shouldn't be a problem. It works for me very often. I believe it's an
> issue with your local installation.
>
> > I actually was able to reproduce this error twice. 3rd time worked.
>
> Strange.
>
> Ciao, Michael.
>
>

From michael at stroeder.com Mon Apr 28 17:41:50 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 28 Apr 2008 17:41:50 +0200
Subject: Killed Python2.4
In-Reply-To:
References: <4812F227.70704@stroeder.com>
Message-ID: <4815F03E.8060709@stroeder.com>

Ron Teitelbaum wrote:
> ldd libldap.so
>         linux-gate.so.1 => (0x002d7000)
>         liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x00176000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x002f7000)
>         libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x0089a000)
>         libssl.so.6 => /lib/libssl.so.6 (0x00652000)
>         libcrypto.so.6 => /lib/libcrypto.so.6 (0x00416000)
>         libc.so.6 => /lib/libc.so.6 (0x00c0c000)
>         libdl.so.2 => /lib/libdl.so.2 (0x00d4e000)
>         libcrypt.so.1 => /lib/libcrypt.so.1 (0x0399c000)
>         libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0058d000)
>         libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x005bd000)
>         libcom_err.so.2 => /lib/libcom_err.so.2 (0x00411000)
>         libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0054b000)
>         libz.so.1 => /usr/lib/libz.so.1 (0x00101000)
>         /lib/ld-linux.so.2 (0x00bea000)
>         libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00578000)
>         libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00573000)
>         libselinux.so.1 => /lib/libselinux.so.1 (0x00dde000)
>         libsepol.so.1 => /lib/libsepol.so.1 (0x00d96000)
>
> It looks quite different from your version.

Well, it likely looks differently because install paths might be
different. Is that listing complete? libldap(_r) seems to be missing.

You should check with e.g.
rpm -qf /usr/lib/liblber-2.3.so.0
if these files are part of a RPM package and of which version your
OpenLDAP installation is.

Hmm, another point popping up from your lib listing above:
Any SE Linux policy prohibiting execution/linking of shared libs?

Ciao, Michael.
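
[Added example, not part of the original thread and not python-ldap code.] The ldd check discussed in the two messages above (is libldap listed at all, and do libldap and liblber come from the same OpenLDAP build?) can be automated. The function names are hypothetical, the `-X.Y.so.N` library naming is assumed from the listings in this thread, and the sample inputs are abbreviated from those listings except where marked constructed.

```python
import os
import re

# "soname => /resolved/path (0xaddr)" or "soname => not found".
# Entries without a resolved path (linux-gate.so.1, ld-linux.so.2) do not match.
LDD_LINE = re.compile(
    r"^\s*(\S+)\s+=>\s+(not found|/\S+)(?:\s+\(0x[0-9a-fA-F]+\))?\s*$")
# Assumption: OpenLDAP 2.3/2.4 naming as seen in the thread,
# e.g. libldap_r-2.3.so.0 and liblber-2.4.so.2.
OPENLDAP_LIB = re.compile(r"^lib(ldap(?:_r)?|lber)-(\d+\.\d+)\.so\.\d+$")

# Abbreviated from the listing of the separately compiled OpenLDAP 2.3.
MICHAEL_LDD = """\
    linux-gate.so.1 =>  (0xffffe000)
    libldap_r-2.3.so.0 => /opt/openldap-2.3/lib/libldap_r-2.3.so.0 (0xb7ecf000)
    liblber-2.3.so.0 => /opt/openldap-2.3/lib/liblber-2.3.so.0 (0xb7ec1000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7e92000)
    /lib/ld-linux.so.2 (0x80000000)
"""

# Abbreviated from the "ldd libldap.so" listing: no libldap entry at all.
RON_LIBLDAP_LDD = """\
    linux-gate.so.1 =>  (0x002d7000)
    liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x00176000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x0089a000)
    /lib/ld-linux.so.2 (0x00bea000)
"""

# Constructed: libldap from a local 2.4 build, liblber from the system 2.3.
MIXED_LDD = """\
    libldap_r-2.4.so.2 => /usr/local/openldap/lib/libldap_r-2.4.so.2 (0x00bfe000)
    liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x0040c000)
"""

# Constructed: the loader cannot find libldap at run time.
UNRESOLVED_LDD = """\
    libldap_r-2.4.so.2 => not found
    liblber-2.4.so.2 => /usr/local/openldap/lib/liblber-2.4.so.2 (0x00ae2000)
"""


def parse_ldd(text):
    """Map each soname in ldd output to its resolved path (None if not found)."""
    libs = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            libs[m.group(1)] = None if m.group(2) == "not found" else m.group(2)
    return libs


def check_openldap_linkage(text):
    """Return a list of finding codes for the libldap/liblber pair."""
    found = {}      # "libldap"/"liblber" -> (version, directory)
    findings = []
    for soname, path in parse_ldd(text).items():
        m = OPENLDAP_LIB.match(soname)
        if not m:
            continue
        kind = "liblber" if m.group(1) == "lber" else "libldap"
        if path is None:
            findings.append("%s-unresolved" % kind)
        else:
            found[kind] = (m.group(2), os.path.dirname(path))
    for kind in ("libldap", "liblber"):
        if kind not in found and "%s-unresolved" % kind not in findings:
            findings.append("%s-missing" % kind)
    if "libldap" in found and "liblber" in found:
        # Both libraries ship in one OpenLDAP release; differing versions
        # or install prefixes indicate a library mix.
        if found["libldap"][0] != found["liblber"][0]:
            findings.append("version-mismatch")
        if found["libldap"][1] != found["liblber"][1]:
            findings.append("directory-mismatch")
    return findings


if __name__ == "__main__":
    for name, sample in (("separately compiled 2.3", MICHAEL_LDD),
                         ("ldd libldap.so", RON_LIBLDAP_LDD),
                         ("mixed (constructed)", MIXED_LDD),
                         ("unresolved (constructed)", UNRESOLVED_LDD)):
        print("%s: %s" % (name, check_openldap_linkage(sample) or "consistent"))
```
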
From Ron at USMedRec.com Mon Apr 28 18:35:21 2008
From: Ron at USMedRec.com (Ron Teitelbaum)
Date: Mon, 28 Apr 2008 12:35:21 -0400
Subject: Killed Python2.4
In-Reply-To: <4815F03E.8060709@stroeder.com>
References: <4812F227.70704@stroeder.com> <4815F03E.8060709@stroeder.com>
Message-ID:

Hi Michael,

Here are the results:

$ rpm -qf /usr/lib/liblber-2.3.so.0
openldap-2.3.27-8.el5_1.3
$ rpm -qf /lib/libresolv.so.2
glibc-2.5-18.el5_1.1
$ rpm -qf /usr/lib/libsasl2.so.2
cyrus-sasl-lib-2.1.22-4
$ rpm -qf /lib/libssl.so.6
openssl-0.9.8b-8.3.el5_0.2
$ rpm -qf /lib/libcrypt.so.1
glibc-2.5-18.el5_1.1
$ rpm -qf /usr/lib/libgssapi_krb5.so.2
krb5-libs-1.6.1-17.el5_1.1
$ rpm -qf /usr/lib/libkrb5.so.3
krb5-libs-1.6.1-17.el5_1.1

There is no limit on linking that I know of.

Here is a proper listing using _ldap.so. Sorry about that I did libldap.so

ldd /usr/lib/python2.4/site-packages/_ldap.so
        linux-gate.so.1 => (0x00774000)
        libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0x002dd000)
        liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x0040c000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00582000)
        libssl.so.6 => /lib/libssl.so.6 (0x00b5a000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x00110000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x0053e000)
        libc.so.6 => /lib/libc.so.6 (0x00d83000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00708000)
        libdl.so.2 => /lib/libdl.so.2 (0x00243000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00247000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00275000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00322000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x00832000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00f1f000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00a05000)
        /lib/ld-linux.so.2 (0x00bea000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x002a3000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x002ac000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x002af000)
        libsepol.so.1 => /lib/libsepol.so.1 (0x004c1000)

Thanks,
Ron

> -----Original Message-----
> From: Michael Ströder [mailto:michael at stroeder.com]
>
> Ron Teitelbaum wrote:
> > ldd libldap.so
> >         linux-gate.so.1 => (0x002d7000)
> >         liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x00176000)
> >         libresolv.so.2 => /lib/libresolv.so.2 (0x002f7000)
> >         libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x0089a000)
> >         libssl.so.6 => /lib/libssl.so.6 (0x00652000)
> >         libcrypto.so.6 => /lib/libcrypto.so.6 (0x00416000)
> >         libc.so.6 => /lib/libc.so.6 (0x00c0c000)
> >         libdl.so.2 => /lib/libdl.so.2 (0x00d4e000)
> >         libcrypt.so.1 => /lib/libcrypt.so.1 (0x0399c000)
> >         libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0058d000)
> >         libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x005bd000)
> >         libcom_err.so.2 => /lib/libcom_err.so.2 (0x00411000)
> >         libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0054b000)
> >         libz.so.1 => /usr/lib/libz.so.1 (0x00101000)
> >         /lib/ld-linux.so.2 (0x00bea000)
> >         libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00578000)
> >         libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00573000)
> >         libselinux.so.1 => /lib/libselinux.so.1 (0x00dde000)
> >         libsepol.so.1 => /lib/libsepol.so.1 (0x00d96000)
> >
> > It looks quite different from your version.
>
> Well, it likely looks differently because install paths might be
> different. Is that listing complete? libldap(_r) seems to be missing.
>
> You should check with e.g.
> rpm -qf /usr/lib/liblber-2.3.so.0
> if these files are part of a RPM package and of which version your
> OpenLDAP installation is.
>
> Hmm, another point popping up from your lib listing above:
> Any SE Linux policy prohibiting execution/linking of shared libs?
>
> Ciao, Michael.

From Ron at USMedRec.com Mon Apr 28 18:48:55 2008
From: Ron at USMedRec.com (Ron Teitelbaum)
Date: Mon, 28 Apr 2008 12:48:55 -0400
Subject: Killed Python2.4
In-Reply-To: <4815F03E.8060709@stroeder.com>
References: <4812F227.70704@stroeder.com> <4815F03E.8060709@stroeder.com>
Message-ID:

I'm sorry I did it wrong again.
We are running our actual server on VMWare image. I forgot to connect
to that first before checking.

Here are the right values:

ldd _ldap.so
        linux-gate.so.1 => (0x00d5e000)
        libldap_r-2.4.so.2 => /usr/local/openldap/lib/libldap_r-2.4.so.2 (0x00bfe000)
        liblber-2.4.so.2 => /usr/local/openldap/lib/liblber-2.4.so.2 (0x00ae2000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00aaf000)
        libssl.so.6 => /lib/libssl.so.6 (0x00165000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x00427000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00e92000)
        libc.so.6 => /lib/libc.so.6 (0x00259000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00df1000)
        libdl.so.2 => /lib/libdl.so.2 (0x00111000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00115000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00143000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00d73000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x0015c000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0065d000)
        libz.so.1 => /usr/lib/libz.so.1 (0x001aa000)
        /lib/ld-linux.so.2 (0x0023e000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00c63000)

Sorry about that,

Ron

> -----Original Message-----
> From: Michael Ströder [mailto:michael at stroeder.com]
> Sent: Monday, April 28, 2008 11:42 AM
> To: Ron at USMedRec.com
> Cc: python-ldap-dev at lists.sourceforge.net
> Subject: Re: Killed Python2.4
>
> Ron Teitelbaum wrote:
> > ldd libldap.so
> >         linux-gate.so.1 => (0x002d7000)
> >         liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0x00176000)
> >         libresolv.so.2 => /lib/libresolv.so.2 (0x002f7000)
> >         libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x0089a000)
> >         libssl.so.6 => /lib/libssl.so.6 (0x00652000)
> >         libcrypto.so.6 => /lib/libcrypto.so.6 (0x00416000)
> >         libc.so.6 => /lib/libc.so.6 (0x00c0c000)
> >         libdl.so.2 => /lib/libdl.so.2 (0x00d4e000)
> >         libcrypt.so.1 => /lib/libcrypt.so.1 (0x0399c000)
> >         libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0058d000)
> >         libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x005bd000)
> >         libcom_err.so.2 => /lib/libcom_err.so.2 (0x00411000)
> >         libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0054b000)
> >         libz.so.1 => /usr/lib/libz.so.1 (0x00101000)
> >         /lib/ld-linux.so.2 (0x00bea000)
> >         libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00578000)
> >         libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00573000)
> >         libselinux.so.1 => /lib/libselinux.so.1 (0x00dde000)
> >         libsepol.so.1 => /lib/libsepol.so.1 (0x00d96000)
> >
> > It looks quite different from your version.
>
> Well, it likely looks differently because install paths might be
> different. Is that listing complete? libldap(_r) seems to be missing.
>
> You should check with e.g.
> rpm -qf /usr/lib/liblber-2.3.so.0
> if these files are part of a RPM package and of which version your
> OpenLDAP installation is.
>
> Hmm, another point popping up from your lib listing above:
> Any SE Linux policy prohibiting execution/linking of shared libs?
>
> Ciao, Michael.

From michael at stroeder.com Mon Apr 28 18:50:55 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 28 Apr 2008 18:50:55 +0200
Subject: Killed Python2.4
In-Reply-To:
References: <4812F227.70704@stroeder.com> <4815F03E.8060709@stroeder.com>
Message-ID: <4816006F.1050302@stroeder.com>

Ron Teitelbaum wrote:
>
> Here are the results:

Ron, it seems I can't help much. Did you compile python-ldap from
source? Any chance that there is a library/header mismatch between
compile and run time with other software on your system?

Also note that OpenLDAP 2.3.27 is quite old (2006/08/19) and there have
been many fixes also to libldap since then which might be important for
you. Unfortunately Red Hat does not support their OpenLDAP package very
well.
OpenLDAP 2.3's file CHANGES lists the following fixes for libldap since
2.3.27:

        Fixed libldap ppolicy control creation (ITS#5103)
        Fixed libldap ldap_add_result_entry (ITS#5056)
        Fixed libldap referral chasing loop (ITS#4955)
        Fixed libldap response code handling on rebind (ITS#4924)
        Fixed libldap SASL_MAX_BUFF_SIZE (ITS#4935)
        Fixed libldap cldap assert (ITS#4992)
        Fixed libldap_r thread debug issues (ITS#4972)
        Fixed libldap time_t signedness (ITS#4872)
        Fixed libldap_r tpool reset (ITS#4855,#4899)
        Fixed libldap missing get_option(TLS CipherSuite) (ITS#4815)
        Fixed libldap ldap_pvt_put_filter syntax checks (ITS#4648)
        Fixed libldap unchased referral leak (ITS#4545)
        Fixed libldap tls callback (ITS#4723)
        Fixed liblber/libldap error codes on Windows (ITS#4606)
        Fixed libldap string length assert (ITS#4740)
        Fixed libldap ldap.conf max line length (ITS#4669)
        Fixed libldap use keepalive for syncrepl (ITS#4708)

Likely not everything is relevant for everybody but some issues look
serious in general.

Ciao, Michael.

From michael at stroeder.com Mon Apr 28 18:55:25 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 28 Apr 2008 18:55:25 +0200
Subject: Killed Python2.4
In-Reply-To:
References: <4812F227.70704@stroeder.com> <4815F03E.8060709@stroeder.com>
Message-ID: <4816017D.8000902@stroeder.com>

Ron Teitelbaum wrote:
> Here are the right values:
>
> ldd _ldap.so
>         linux-gate.so.1 => (0x00d5e000)
>         libldap_r-2.4.so.2 => /usr/local/openldap/lib/libldap_r-2.4.so.2 (0x00bfe000)
>         liblber-2.4.so.2 => /usr/local/openldap/lib/liblber-2.4.so.2 (0x00ae2000)

Did you specify these OpenLDAP libs and the accompanying header files
correctly in your setup.cfg before invoking the build?

Which exact version of OpenLDAP is this?
Fixes to libldap mentioned in file CHANGES of not yet released OpenLDAP 2.4.9:

Fixed libldap to use unsigned port (ITS#5436)
Fixed libldap error message for missing close paren (ITS#5458)
Fixed libldap_r tpool pause checks (ITS#5364, #5407)
Fixed libldap extended decoding (ITS#5304)
Fixed libldap filter abort (ITS#5300)
Fixed libldap ldap_parse_sasl_bind_result (ITS#5263)
Fixed libldap result codes for open (ITS#5338)
Fixed libldap search timeout crash (ITS#5291)
Fixed libldap paged results crash (ITS#5315)
Fixed libldap cipher suite with GnuTLS (ITS#5341)
Fixed libldap_r threaded library linking (ITS#4982)
Fixed libldap use of %n (ITS#5324)
Fixed liblber socket library linking (ITS#5224)

Ciao, Michael.

From david at hlacik.eu Thu Jun 5 15:50:05 2008
From: david at hlacik.eu (David Hláčik)
Date: Thu, 5 Jun 2008 15:50:05 +0200
Subject: module ldap : no module named .py
Message-ID:

Hello, I am trying to write python authentication hook for InternetNewsService (INN) using *python-ldap module*

I have created nnrpd_auth.py, which is working for me when I am calling it from my test.py script.

Although when I pass it to INN, when INN calls nnrpd_auth.py and comes to line *when ldap module is used first time* it will return error "no module named.py"

I will post you my test.py and nnrpd_auth.py. test.py I am using to debug my nnrpd_auth.py. Through test.py as I mentioned nnrpd_auth.py is working (ldap module will load fine and post results)
Is there some bug, or am I blind and forgetting about something?
I am using it on CentOs5.1 with python-2.4.3-19.el5 and python-ldap-2.2.0-2.1

----------------nnrpd_auth.py----------------------
class AUTH:
    """Provide authentication and authorization callbacks to nnrpd."""
    def __init__(self):
        """This is a good place to initialize variables or open a
           database connection.
        """
        # Create a list of NNTP codes to respond on connect
        self.connectcodes = { 'READPOST':200,
                              'READ':201,
                              'AUTHNEEDED':480,
                              'PERMDENIED':502
                            }

        # Create a list of NNTP codes to respond on authentication
        self.authcodes = { 'ALLOWED':281,
                           'DENIED':502
                         }

        #LDAP search definitions
        self.server = 'ldap://dev01.net.hlacik.eu'
        self.user_dn = 'cn=pdg,ou=Operators,o=Polarion'
        self.user_pw = 'Pdg1'
        self.base_dn_users = 'ou=Users,o=Polarion'
        self.base_dn_groups = 'ou=Groups,o=Polarion'

        syslog('notice', 'nnrpd authentication class instance created')

    def __newsauth(self,match_username,match_password):
        filter = "(uid=" + match_username + ")"
        attrs = ['userPassword']

        try :
            l = ldap.initialize(self.server)
            l.bind_s(self.user_dn, self.user_pw)
            search = l.search_s( self.base_dn_users, ldap.SCOPE_SUBTREE, filter, attrs )[0][1]
            l.unbind()
        except ldap.SERVER_DOWN:
            syslog('notice', 'Error, server down')
            return 2
        except ldap.INVALID_CREDENTIALS:
            syslog('Notice','Error, invalid credentials"')
            return 2
        except ldap.LDAPError, e:
            syslog('Notice', "Error, %s" % e)
        for password in search["userPassword"]:
            if password == match_password: return 1
        return 0

    def newsaccess(self,match_username,match_password):
        filter = "(uid=" + match_username + ")"
        attrs = ['cn']

        try :
            l = ldap.initialize(self.server)
            l.bind_s(self.user_dn, self.user_pw)
            cn = l.search_s( self.base_dn_users, ldap.SCOPE_SUBTREE, filter, attrs )[0][0]
            raw_res = l.search_s( self.base_dn_groups, ldap.SCOPE_SUBTREE, "(member=" + cn + ")",attrs)
            l.unbind()
        except ldap.SERVER_DOWN:
            syslog('notice', 'Error, LDAP server down')
            return 2
        except ldap.INVALID_CREDENTIALS:
            syslog('Notice','Error, invalid LDAP credentials"')
            return 2
        except ldap.LDAPError, e:
            syslog('Notice', "LDAP error, %s" % e)

        return raw_res

    def authenticate(self, attributes):
        """Called when python_auth is encountered in readers.conf"""

        # just for debugging purposes
        syslog('notice', 'n_a authenticate() invoked: hostname %s, ipaddress %s, interface %s, user %s' % (\
            attributes['hostname'], \
            attributes['ipaddress'], \
            attributes['interface'], \
            attributes['user']))
        # username & password auth using LDAP
        try:
            if self.__newsauth(str(attributes['user']),str(attributes['pass'])):
                syslog('notice', 'authentication by username succeeded')
                return ( self.authcodes['ALLOWED'], 'No error', 'default_user')
            else:
                syslog('notice', 'authentication by username failed')
                return ( self.authcodes['DENIED'], 'Access Denied!')
        except Exception, e:
            syslog('notice', "Error: %s" % e)

    def access(self, attributes):
        """Called when python_access is encountered in readers.conf"""

        # just for debugging purposes
        syslog('notice', 'n_a access() invoked: hostname %s, ipaddress %s, interface %s, user %s' % (\
            attributes['hostname'], \
            attributes['ipaddress'], \
            attributes['interface'], \
            attributes['user']))

        # allow newsreading from specific host only
        if '127.0.0.1' == str(attributes['ipaddress']):
            syslog('notice', 'authentication by IP address succeeded')
            return {'read':'*','post':'*'}
        else:
            syslog('notice', 'authentication by IP address failed')
            return {'read':'!*','post':'!*'}

    def dynamic(self, attributes):
        """Called when python_dynamic was reached in the processing of
           readers.conf and a reader requests either read or post
           permission for particular newsgroup.
        """
        # just for debugging purposes
        syslog('notice', 'n_a dyanmic() invoked against type %s, hostname %s, ipaddress %s, interface %s, user %s' % (\
            attributes['type'], \
            attributes['hostname'], \
            attributes['ipaddress'], \
            attributes['interface'], \
            attributes['user']))

        # Allow reading of any newsgroup but not posting
        if 'post' == str(attributes['type']):
            syslog('notice', 'authorization for post access denied')
            return "no posting for you"
        elif 'read' == str(attributes['type']):
            syslog('notice', 'authorization for read access granted')
            return None
        else:
            syslog('notice', 'authorization type is not known: %s' % attributes['type'])
            return "Internal error";


#
# The rest is used to hook up the auth module on nnrpd. It is unlikely
# you will ever need to modify this.
#

# Import functions exposed by nnrpd. This import must succeed, or nothing
# will work!
from nnrpd import *
#from ldap import *
import ldap

# Create a class instance
myauth = AUTH()

# ...and try to hook up on nnrpd. This would make auth object methods visible
# to nnrpd.
try:
    set_auth_hook(myauth)
    syslog('notice', "authentication module successfully hooked into nnrpd")
except Exception, errmsg:
    syslog('error', "Cannot obtain nnrpd hook for authentication method: %s" % errmsg[0])

----test.py----------
from nnrpd_auth import *

myauth = AUTH()

#print dir(myauth)
print myauth.authenticate({'user':'boss','pass':'xxx','interface':None,'ipaddress':None,'hostname':None})
#print myauth.newsauth('boss','22')
#print myauth.newsaccess('boss','xxx')

-------------- next part --------------
An HTML attachment was scrubbed...

From david at hlacik.eu Thu Jun 5 15:53:04 2008
From: david at hlacik.eu (David Hláčik)
Date: Thu, 5 Jun 2008 15:53:04 +0200
Subject: module ldap : no module named .py
In-Reply-To:
References:
Message-ID:

FYI,

this is the result of test.py :
-- syslog level: notice message: nnrpd authentication class instance created
** set_auth_hook for
-- syslog level: notice message: authentication module successfully hooked into nnrpd
-- syslog level: notice message: nnrpd authentication class instance created
-- syslog level: notice message: n_a authenticate() invoked: hostname None, ipaddress None, interface None, user boss
-- syslog level: notice message: authentication by username succeeded
(281, 'No error', 'default_user')

And this is the result (from news.notice) when used as auth hook in INN :
(inn will load nnrpd_auth.py and instantiate as in nnrpd_auth.py on the end written and call method authenticate(attributes) ) :

Jun 5 13:33:12 dev01 nnrpd[9550]: david-nb.net.hlacik.eu (10.10.10.199) connect
Jun 5 13:33:12 dev01 nnrpd[9550]: python interpreter initialized OK
Jun 5 13:33:12 dev01 nnrpd[9550]: python: nnrpd authentication class instance created
Jun 5 13:33:12 dev01 nnrpd[9550]: python: authentication module successfully hooked into nnrpd
Jun 5 13:33:12 dev01 nnrpd[9550]: python method authen_init not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method authen_close not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method access_init not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method access_close not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method dynamic_init not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method dynamic_close not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python: n_a authenticate() invoked: hostname david-nb.net.hlacik.eu, ipaddress 10.10.10.199, interface 10.10.10.183, user boss
Jun 5 13:33:12 dev01 nnrpd[9550]: python: Error: No module named py
Jun 5 13:33:12 dev01 nnrpd[9550]: python authenticate method returned wrong result
Jun 5 13:33:12 dev01 nnrpd[9550]: david-nb.net.hlacik.eu times user 0.016 system 0.016 idle 0.000 elapsed 0.073

On Thu, Jun 5, 2008 at 3:50 PM, David Hláčik wrote:
> Hello, I am trying to write python authentication hook for
> InternetNewsService (INN) using *python-ldap module*
>
> I have created nnrpd_auth.py, which is working for me when I am calling it
>
> from my test.py script.
>
> Although when I pass it to INN, when INN calls nnrpd_auth.py and comes to
> line *when ldap module is used first time* it will return error
> "no module named.py"
>
> I will post you my test.py and nnrpd_auth.py.
> test.py I am using to debug my
> nnrpd_auth.py. Through test.py as I mentioned nnrpd_auth.py is working
> (ldap module will load fine and post results)
> Is there some bug, or am I blind and forgetting about something?
> I am using it on CentOs5.1 with python-2.4.3-19.el5 and
> python-ldap-2.2.0-2.1
>
>
> ----------------nnrpd_auth.py----------------------
> class AUTH:
>     """Provide authentication and authorization callbacks to nnrpd."""
>     def __init__(self):
>         """This is a good place to initialize variables or open a
>            database connection.
>         """
>         # Create a list of NNTP codes to respond on connect
>         self.connectcodes = { 'READPOST':200,
>                               'READ':201,
>                               'AUTHNEEDED':480,
>                               'PERMDENIED':502
>                             }
>
>         # Create a list of NNTP codes to respond on authentication
>         self.authcodes = { 'ALLOWED':281,
>                            'DENIED':502
>
>                          }
>
>         #LDAP search definitions
>         self.server = 'ldap://dev01.net.hlacik.eu'
>         self.user_dn = 'cn=pdg,ou=Operators,o=Polarion'
>         self.user_pw = 'Pdg1'
>         self.base_dn_users = 'ou=Users,o=Polarion'
>         self.base_dn_groups = 'ou=Groups,o=Polarion'
>
>         syslog('notice', 'nnrpd authentication class instance created')
>
>     def __newsauth(self,match_username,match_password):
>         filter = "(uid=" + match_username + ")"
>         attrs = ['userPassword']
>
>         try :
>             l = ldap.initialize(self.server)
>             l.bind_s(self.user_dn, self.user_pw)
>             search = l.search_s( self.base_dn_users,
> ldap.SCOPE_SUBTREE, filter, attrs
> )[0][1]
>             l.unbind()
>         except ldap.SERVER_DOWN:
>             syslog('notice', 'Error, server down')
>             return 2
>         except ldap.INVALID_CREDENTIALS:
>             syslog('Notice','Error, invalid credentials"')
>             return 2
>         except ldap.LDAPError, e:
>             syslog('Notice', "Error, %s" % e)
>         for password in search["userPassword"]:
>             if password == match_password: return 1
>         return 0
>
>     def newsaccess(self,match_username,match_password):
>         filter = "(uid=" + match_username + ")"
>         attrs = ['cn']
>
>         try :
>             l = ldap.initialize(self.server)
>             l.bind_s(self.user_dn, self.user_pw)
>             cn = l.search_s( self.base_dn_users, ldap.SCOPE_SUBTREE,
> filter, attrs )[0]
> [0]
>             raw_res = l.search_s( self.base_dn_groups,
> ldap.SCOPE_SUBTREE, "(member=" +
> cn + ")",attrs)
>             l.unbind()
>         except ldap.SERVER_DOWN:
>             syslog('notice', 'Error, LDAP server down')
>             return 2
>         except ldap.INVALID_CREDENTIALS:
>             syslog('Notice','Error, invalid LDAP credentials"')
>             return 2
>         except ldap.LDAPError, e:
>             syslog('Notice', "LDAP error, %s" % e)
>
>         return raw_res
>     def authenticate(self, attributes):
>         """Called when python_auth is encountered in readers.conf"""
>
>         # just for debugging purposes
>         syslog('notice', 'n_a authenticate() invoked: hostname %s,
> ipaddress %s, interface
> %s, user %s' % (\
>             attributes['hostname'], \
>             attributes['ipaddress'], \
>             attributes['interface'], \
>             attributes['user']))
>         # username & password auth using LDAP
>         try:
>             if
> self.__newsauth(str(attributes['user']),str(attributes['pass'])):
>                 syslog('notice', 'authentication by username
> succeeded')
>                 return ( self.authcodes['ALLOWED'], 'No error',
> 'default_user')
>             else:
>                 syslog('notice', 'authentication by username
> failed')
>                 return ( self.authcodes['DENIED'], 'Access
> Denied!')
>         except Exception, e:
>             syslog('notice', "Error: %s" % e)
>
>     def access(self, attributes):
>         """Called when python_access is encountered in readers.conf"""
>
>         # just for debugging purposes
>         syslog('notice', 'n_a access() invoked: hostname %s, ipaddress %s,
> interface %s, us
> er %s' % (\
>             attributes['hostname'], \
>             attributes['ipaddress'], \
>             attributes['interface'], \
>             attributes['user']))
>
>         # allow newsreading from specific host only
>         if '127.0.0.1' == str(attributes['ipaddress']):
>             syslog('notice', 'authentication by IP address succeeded')
>             return {'read':'*','post':'*'}
>         else:
>             syslog('notice', 'authentication by IP address failed')
>             return {'read':'!*','post':'!*'}
>
>     def dynamic(self, attributes):
>         """Called when python_dynamic was reached in the processing of
>            readers.conf and a reader requests either read or post
>            permission for particular newsgroup.
>         """
>         # just for debugging purposes
>         syslog('notice', 'n_a dyanmic() invoked against type %s, hostname
> %s, ipaddress %s,
> interface %s, user %s' % (\
>             attributes['type'], \
>             attributes['hostname'], \
>             attributes['ipaddress'], \
>             attributes['interface'], \
>             attributes['user']))
>
>         # Allow reading of any newsgroup but not posting
>         if 'post' == str(attributes['type']):
>             syslog('notice', 'authorization for post access denied')
>             return "no posting for you"
>         elif 'read' == str(attributes['type']):
>             syslog('notice', 'authorization for read access granted')
>             return None
>         else:
>             syslog('notice', 'authorization type is not known: %s' %
> attributes['type'])
>             return "Internal error";
>
>
> #
> # The rest is used to hook up the auth module on nnrpd. It is unlikely
> # you will ever need to modify this.
> #
>
> # Import functions exposed by nnrpd. This import must succeed, or nothing
> # will work!
> from nnrpd import *
> #from ldap import *
> import ldap
>
> # Create a class instance
> myauth = AUTH()
>
> # ...and try to hook up on nnrpd. This would make auth object methods
> visible
> # to nnrpd.
> try:
>     set_auth_hook(myauth)
>     syslog('notice', "authentication module successfully hooked into
> nnrpd")
> except Exception, errmsg:
>     syslog('error', "Cannot obtain nnrpd hook for authentication method:
> %s" % errmsg[0])
>
> ----test.py----------
> from nnrpd_auth import *
>
> myauth = AUTH()
>
> #print dir(myauth)
> print
> myauth.authenticate({'user':'boss','pass':'xxx','interface':None,'ipaddress':
> None,'hostname':None})
> #print myauth.newsauth('boss','22')
> #print myauth.newsaccess('boss','xxx')
>
>
-------------- next part --------------
An HTML attachment was scrubbed...

From david at hlacik.eu Thu Jun 5 15:53:47 2008
From: david at hlacik.eu (David Hláčik)
Date: Thu, 5 Jun 2008 15:53:47 +0200
Subject: module ldap : no module named .py
In-Reply-To:
References:
Message-ID:

FYI,

this is the result of test.py :
-- syslog level: notice message: nnrpd authentication class instance created
** set_auth_hook for
-- syslog level: notice message: authentication module successfully hooked into nnrpd
-- syslog level: notice message: nnrpd authentication class instance created
-- syslog level: notice message: n_a authenticate() invoked: hostname None, ipaddress None, interface None, user boss
-- syslog level: notice message: authentication by username succeeded
(281, 'No error', 'default_user')

And this is the result (from news.notice) when used as auth hook in INN :
(inn will load nnrpd_auth.py and instantiate as in nnrpd_auth.py on the end written and call method authenticate(attributes) ) :

Jun 5 13:33:12 dev01 nnrpd[9550]: david-nb.net.hlacik.eu (10.10.10.199) connect
Jun 5 13:33:12 dev01 nnrpd[9550]: python interpreter initialized OK
Jun 5 13:33:12 dev01 nnrpd[9550]: python: nnrpd authentication class instance created
Jun 5 13:33:12 dev01 nnrpd[9550]: python: authentication module successfully hooked into nnrpd
Jun 5 13:33:12 dev01 nnrpd[9550]: python method authen_init not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method authen_close not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method access_init not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method access_close not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method dynamic_init not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method dynamic_close not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python: n_a authenticate() invoked: hostname david-nb.net.hlacik.eu, ipaddress 10.10.10.199, interface 10.10.10.183, user boss
Jun 5 13:33:12 dev01 nnrpd[9550]: python: Error: No module named py
Jun 5 13:33:12 dev01 nnrpd[9550]: python authenticate method returned wrong result
Jun 5 13:33:12 dev01 nnrpd[9550]: david-nb.net.hlacik.eu times user 0.016 system 0.016 idle 0.000 elapsed 0.073

-------------- next part --------------
An HTML attachment was scrubbed...

From david at hlacik.eu Thu Jun 5 15:54:54 2008
From: david at hlacik.eu (David Hláčik)
Date: Thu, 5 Jun 2008 15:54:54 +0200
Subject: module ldap : no module named .py
In-Reply-To:
References:
Message-ID:

As you can see :
Jun 5 13:33:12 dev01 nnrpd[9550]: python: Error: No module named py
comes from nnrpd_auth.py :

        try:
            if self.__newsauth(str(attributes['user']),str(attributes['pass'])):
                syslog('notice', 'authentication by username succeeded')
                return ( self.authcodes['ALLOWED'], 'No error', 'default_user')
            else:
                syslog('notice', 'authentication by username failed')
                return ( self.authcodes['DENIED'], 'Access Denied!')
        except Exception, e:
            syslog('notice', "Error: %s" % e)

On Thu, Jun 5, 2008 at 3:53 PM, David Hláčik wrote:
> FYI,
>
> this is the result of test.py :
> -- syslog level: notice message: nnrpd authentication class instance
> created
> ** set_auth_hook for
> -- syslog level: notice message: authentication module successfully hooked
> into nnrpd
> -- syslog level: notice message: nnrpd authentication class instance
> created
> -- syslog level: notice message: n_a authenticate() invoked: hostname None,
> ipaddress None, interface None, user boss
> -- syslog level: notice message: authentication by username succeeded
> (281, 'No error', 'default_user')
>
> And this is the result (from news.notice) when used as auth hook in INN :
> (inn will load nnrpd_auth.py and instantiate as in nnrpd_auth.py on the end
> written and call method authenticate(attributes) ) :
>
> Jun 5 13:33:12 dev01 nnrpd[9550]: david-nb.net.hlacik.eu (10.10.10.199)
> connect
> Jun 5 13:33:12 dev01 nnrpd[9550]: python interpreter initialized OK
> Jun 5 13:33:12 dev01 nnrpd[9550]: python: nnrpd authentication class
> instance created
> Jun 5 13:33:12 dev01 nnrpd[9550]: python: authentication module
> successfully hooked into nnrpd
> Jun 5 13:33:12 dev01 nnrpd[9550]: python method authen_init not found
> Jun 5 13:33:12 dev01 nnrpd[9550]: python method authen_close not found
> Jun 5 13:33:12 dev01 nnrpd[9550]: python method access_init not found
> Jun 5 13:33:12 dev01 nnrpd[9550]: python method access_close not found
> Jun 5 13:33:12 dev01 nnrpd[9550]: python method dynamic_init not found
> Jun 5 13:33:12 dev01 nnrpd[9550]: python method dynamic_close not found
> Jun 5 13:33:12 dev01 nnrpd[9550]: python: n_a authenticate() invoked:
> hostname david-nb.net.hlacik.eu, ipaddress 10.10.10.199, interface
> 10.10.10.183, user boss
> Jun 5 13:33:12 dev01 nnrpd[9550]: python: Error: No module named py
> Jun 5 13:33:12 dev01 nnrpd[9550]: python authenticate method returned
> wrong result
> Jun 5 13:33:12 dev01 nnrpd[9550]: david-nb.net.hlacik.eu times user 0.016
> system 0.016 idle 0.000 elapsed 0.073
>
>
-------------- next part --------------
An HTML attachment was scrubbed...

From michael at stroeder.com Thu Jun 5 16:04:26 2008
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 05 Jun 2008 16:04:26 +0200
Subject: module ldap : no module named .py
In-Reply-To:
References:
Message-ID: <4847F26A.5040704@stroeder.com>

David Hláčik wrote:
> As you can see :
> Jun 5 13:33:12 dev01 nnrpd[9550]: python: Error: No module named py
> comes from nnrpd_auth.py :

Frankly I don't see anything I can understand or for what I have a clue how to help you.

> Although when I pass it to INN, when INN calls nnrpd_auth.py and comes to
> line when ldap module is used first time it will return error
> "no module named.py"

python-ldap itself does not have a module called named.py at all. So this is probably off-topic here.

Being in your situation I'd try to log a full Python traceback to examine where the exception is raised in your or INN's code.

Ciao, Michael.
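
Added example (not code from the thread or from INN): one way to follow the traceback advice above. In the posted hook the `except Exception` branch logs only the exception message and then falls through, so `authenticate()` returns None; the error value 2 from `__newsauth` is also truthy in the `if`. The wrapper name `guarded_authenticate`, the `check` and `log` parameters and `_broken_check` are hypothetical, and the reply tuples mirror the ones in the posted code.

```python
import traceback

# NNTP reply codes, the same values as in the posted authcodes table
ALLOWED, DENIED = 281, 502


def guarded_authenticate(check, attributes, log):
    """Run check(user, password) and always return a reply tuple.

    check -- callable returning 1 on success (hypothetical stand-in for the
             hook's __newsauth method)
    log   -- callable(level, message), e.g. the syslog function nnrpd exposes
    """
    try:
        result = check(str(attributes['user']), str(attributes['pass']))
    except Exception:
        # Log the complete traceback, one log line per traceback line, so the
        # file, line number and failing statement are visible, then deny.
        for line in traceback.format_exc().splitlines():
            log('error', 'auth hook: ' + line)
        return (DENIED, 'Access Denied!')

    # Only the explicit success value grants access. Error codes such as 2
    # (server down, bad bind credentials) must not count as success.
    if result == 1:
        log('notice', 'authentication by username succeeded')
        return (ALLOWED, 'No error', 'default_user')
    log('notice', 'authentication by username failed (result %r)' % (result,))
    return (DENIED, 'Access Denied!')


def _broken_check(user, password):
    # Constructed failure for the demonstration: an import that cannot succeed,
    # standing in for whatever raises inside the real hook.
    import module_that_does_not_exist_for_this_example  # noqa: F401
    return 1


if __name__ == '__main__':
    def show(level, message):
        print('%s: %s' % (level, message))

    sample = {'user': 'boss', 'pass': 'xxx'}  # constructed input
    print(guarded_authenticate(_broken_check, sample, show))
```
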
From Ron at USMedRec.com Fri Jun 6 17:24:40 2008
From: Ron at USMedRec.com (Ron Teitelbaum)
Date: Fri, 6 Jun 2008 11:24:40 -0400
Subject: module ldap : no module named .py
In-Reply-To:
References:
Message-ID:

Hi David,

I had this happen before because I tried to do this:

Import aModuleName.py

I don't see that mistake in your code though, but maybe something you are calling is doing that. You need to leave off the .py when doing import.

Hope that helps,

Ron

_____

From: python-ldap-dev-bounces at lists.sourceforge.net [mailto:python-ldap-dev-bounces at lists.sourceforge.net] On Behalf Of David Hlácik
Sent: Thursday, June 05, 2008 9:55 AM
To: python-ldap-dev at lists.sourceforge.net
Subject: Re: module ldap : no module named .py

As you can see :
Jun 5 13:33:12 dev01 nnrpd[9550]: python: Error: No module named py
comes from nnrpd_auth.py :

        try:
            if self.__newsauth(str(attributes['user']),str(attributes['pass'])):
                syslog('notice', 'authentication by username succeeded')
                return ( self.authcodes['ALLOWED'], 'No error', 'default_user')
            else:
                syslog('notice', 'authentication by username failed')
                return ( self.authcodes['DENIED'], 'Access Denied!')
        except Exception, e:
            syslog('notice', "Error: %s" % e)

On Thu, Jun 5, 2008 at 3:53 PM, David Hláčik wrote:

FYI,

this is the result of test.py :
-- syslog level: notice message: nnrpd authentication class instance created
** set_auth_hook for
-- syslog level: notice message: authentication module successfully hooked into nnrpd
-- syslog level: notice message: nnrpd authentication class instance created
-- syslog level: notice message: n_a authenticate() invoked: hostname None, ipaddress None, interface None, user boss
-- syslog level: notice message: authentication by username succeeded
(281, 'No error', 'default_user')

And this is the result (from news.notice) when used as auth hook in INN :
(inn will load nnrpd_auth.py and instantiate as in nnrpd_auth.py on the end written and call method authenticate(attributes) ) :

Jun 5 13:33:12 dev01 nnrpd[9550]: david-nb.net.hlacik.eu (10.10.10.199) connect
Jun 5 13:33:12 dev01 nnrpd[9550]: python interpreter initialized OK
Jun 5 13:33:12 dev01 nnrpd[9550]: python: nnrpd authentication class instance created
Jun 5 13:33:12 dev01 nnrpd[9550]: python: authentication module successfully hooked into nnrpd
Jun 5 13:33:12 dev01 nnrpd[9550]: python method authen_init not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method authen_close not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method access_init not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method access_close not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method dynamic_init not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python method dynamic_close not found
Jun 5 13:33:12 dev01 nnrpd[9550]: python: n_a authenticate() invoked: hostname david-nb.net.hlacik.eu, ipaddress 10.10.10.199, interface 10.10.10.183, user boss
Jun 5 13:33:12 dev01 nnrpd[9550]: python: Error: No module named py
Jun 5 13:33:12 dev01 nnrpd[9550]: python authenticate method returned wrong result
Jun 5 13:33:12 dev01 nnrpd[9550]: david-nb.net.hlacik.eu times user 0.016 system 0.016 idle 0.000 elapsed 0.073

-------------- next part --------------
An HTML attachment was scrubbed...

From michele.petrazzo at unipex.it Sat Jun 7 09:08:32 2008
From: michele.petrazzo at unipex.it (Michele Petrazzo - Unipex srl)
Date: Sat, 07 Jun 2008 09:08:32 +0200
Subject: Problem on add
Message-ID: <484A33F0.2020009@unipex.it>

Hi list,
I'm trying, for the first time, to use python-ldap and I find some problems on add.
I have code that is, more or less:

LDAP_BASE_DN = "dc=unipex,dc=it"
ldif = [('dn', 'cn=A name,ou=People,dc=unipex,dc=it'),
        ('cn', 'A name'),
        ('objectclass', ['top', 'person', 'inetOrgPerson', 'organizationalPerson', 'mozillaOrgPerson']),
        ('sn', 'A name'),
        ('mail', 'a_real at mail.it'),
        ('givenName', 'Michele')]
l.add_s(LDAP_BASE_DN, ldif)

And I receive:
ldap.UNDEFINED_TYPE: {'info': 'dn: attribute type undefined', 'desc': 'Undefined attribute type'}

But if I save the same data into a ldif file and add it with:
ldapadd -xv -D "cn=admin,dc=unipex,dc=it" -f test_entry.ldif -W

it works!

What can I try or where to look to solve it?

Thanks,
Michele

P.s. I'm trying to add an ldif data into ldap with mozilla scheme

From michael at stroeder.com Sat Jun 7 10:10:20 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 07 Jun 2008 10:10:20 +0200
Subject: Problem on add
In-Reply-To: <484A33F0.2020009@unipex.it>
References: <484A33F0.2020009@unipex.it>
Message-ID: <484A426C.7060603@stroeder.com>

Michele Petrazzo - Unipex srl wrote:
>
> ldif = [('dn', 'cn=A name,ou=People,dc=unipex,dc=it'),

I think this variable is misnamed.

> [..]
> l.add_s(LDAP_BASE_DN, ldif)
> [..]
> ldap.UNDEFINED_TYPE: {'info': 'dn: attribute type undefined', 'desc':
> 'Undefined attribute type'}

It means exactly what it says: The attribute type 'dn' in your modification list is not known in the server's subschema.

=> So remove ('dn', 'cn=A name,ou=People,dc=unipex,dc=it') from your mod list.

> But if I save the same data into a ldif file and add it with:
> ldapadd -xv -D "cn=admin,dc=unipex,dc=it" -f test_entry.ldif -W
>
> it works!

LDIF is something completely different. Also note that module ldif treats the entry's DN as a different argument, not as normal attribute.

Ciao, Michael.
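
Added example (not from the thread and not python-ldap's own ldif module): a small parser for one LDIF entry record that returns the DN and the attribute list as the two separate arguments `add_s(dn, modlist)` takes, which is the distinction explained above. It handles only `attr: value`, `attr:: base64` and folded lines; the function name, the sample record and the choice of byte-string values (as python-ldap 3.x expects) are assumptions of this sketch.

```python
import base64

# Constructed sample, modelled on the entry in the post above.
SAMPLE_LDIF = """\
# test entry
dn: cn=A name,ou=People,dc=unipex,dc=it
cn: A name
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: mozillaOrgPerson
sn: A name
mail: user@example
 .invalid
givenName:: TWljaGVsZQ==
"""


def ldif_record_to_add_args(ldif_text):
    """Parse one LDIF entry record into (dn, modlist) for add_s(dn, modlist)."""
    # Unfold first: a line that starts with one space continues the line before.
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip():
            unfolded.append(raw)

    dn = None
    attrs = {}  # lower-cased name -> (name as written, [byte-string values])
    for line in unfolded:
        if line.startswith("#"):
            continue  # comment line
        name, sep, rest = line.partition(":")
        if not sep or not name:
            raise ValueError("not an attribute line: %r" % line)
        if rest.startswith(":"):
            # "attr:: <base64>" carries an encoded value
            value = base64.b64decode(rest[1:].strip(), validate=True)
        elif rest.startswith("<"):
            raise ValueError("URL values (attr:< ...) are not handled here")
        else:
            value = rest.lstrip(" ").encode("utf-8")

        key = name.lower()
        if key == "version":
            continue
        if key == "changetype":
            raise ValueError("change records are not entry records")
        if key == "dn":
            # The DN names the entry; it is not an attribute of the entry.
            if dn is not None:
                raise ValueError("more than one dn: line in the record")
            dn = value.decode("utf-8")
        else:
            attrs.setdefault(key, (name, []))[1].append(value)

    if dn is None:
        raise ValueError("record has no dn: line")
    return dn, [(name, values) for name, values in attrs.values()]


if __name__ == "__main__":
    dn, modlist = ldif_record_to_add_args(SAMPLE_LDIF)
    print(dn)
    for name, values in modlist:
        print(name, values)
    # With a bound connection object l, the add call would then be:
    #     l.add_s(dn, modlist)
```
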
From michele.petrazzo at unipex.it Sat Jun 7 09:54:40 2008
From: michele.petrazzo at unipex.it (Michele Petrazzo - Unipex srl)
Date: Sat, 07 Jun 2008 09:54:40 +0200
Subject: Problem on add
In-Reply-To: <20080607073106.GU477@samfundet.no>
References: <484A33F0.2020009@unipex.it> <20080607073106.GU477@samfundet.no>
Message-ID: <484A3EC0.7070208@unipex.it>

Bjørn Ove Grøtan wrote:
> You misunderstood somehow. The DN is not a part of the ldif when
> using the API.

Hi,
I forgot to say that it's also the first time that I try to use ldap ;)
Now it's working!

> See below sample. I also suggest using the modlist-module for
> automating the list-generating for add and modify operations.
>

In my code, I use also that (following the simple but practical examples found at http://www.grotan.com/ldap/python-ldap-samples.html), but for the mail I removed some annoying code.

However thanks!
Michele

From david at hlacik.eu Sat Jun 7 11:28:17 2008
From: david at hlacik.eu (David Hláčik)
Date: Sat, 7 Jun 2008 11:28:17 +0200
Subject: module ldap : no module named .py
In-Reply-To:
References:
Message-ID:

Hello Ron,

thanks for your help. Yes I know this exactly can cause problem like that, but I am sure that I did not do such scholar mistake.

Actually as I mentioned I have this problem with INN python_auth hook. I was doing a lot of experiments last days and I found that problem is on their side.

Simply in nnrpd_auth.py script ---> which is called by INN news server when doing authentication & access things ... have problems with importing anything except python built-in modules.

So my only one possibility how to accomplish was simple to make a python script which is using python module and will work on commandline (use arguments username and password and replies to standard out result).
Then in nnrpd_auth import sys and simply call that as a external program and script with popen and read the result.
With such a simple trick I have avoid need to use import ldap in nnrpd_auth.py directly.

I am not satisfied with that solution, because it looks really lame, but unfortunately there is no other solution I hope - as no one on INN mailinglist was not able to answer me with the solution.

Thanks,

David

2008/6/6 Ron Teitelbaum :
> Hi David,
>
>
>
> I had this happen before because I tried to do this:
>
>
>
> Import aModuleName.py
>
>
>
> I don't see that mistake in your code though, but maybe something you are
> calling is doing that. You need to leave off the .py when doing import.
>
>
>
> Hope that helps,
>
>
>
> Ron
>
>
> ------------------------------
>
> *From:* python-ldap-dev-bounces at lists.sourceforge.net [mailto:
> python-ldap-dev-bounces at lists.sourceforge.net] *On Behalf Of *David Hlácik
> *Sent:* Thursday, June 05, 2008 9:55 AM
> *To:* python-ldap-dev at lists.sourceforge.net
> *Subject:* Re: module ldap : no module named .py
>
>
>
> As you can see :
> Jun 5 13:33:12 dev01 nnrpd[9550]: python: Error: No module named py
> comes from nnrpd_auth.py :
>
>         try:
>             if
> self.__newsauth(str(attributes['user']),str(attributes['pass'])):
>                 syslog('notice', 'authentication by username
> succeeded')
>                 return ( self.authcodes['ALLOWED'], 'No error',
> 'default_user')
>             else:
>                 syslog('notice', 'authentication by username
> failed')
>                 return ( self.authcodes['DENIED'], 'Access
> Denied!')
>         except Exception, e:
>             syslog('notice', "Error: %s" % e)
>
> On Thu, Jun 5, 2008 at 3:53 PM, David Hláčik wrote:
>
> FYI,
>
> this is the result of test.py :
> -- syslog level: notice message: nnrpd authentication class instance
> created
> ** set_auth_hook for
> -- syslog level: notice message: authentication module successfully hooked
> into nnrpd
> -- syslog level: notice message: nnrpd authentication class instance
> created
> -- syslog level: notice message: n_a authenticate() invoked: hostname None,
> ipaddress None, interface None, user boss
> -- syslog level: notice message: authentication by username succeeded
> (281, 'No error', 'default_user')
>
> And this is the result (from news.notice) when used as auth hook in INN :
> (inn will load nnrpd_auth.py and instantiate as in nnrpd_auth.py on the end
> written and call method authenticate(attributes) ) :
>
> Jun 5 13:33:12 dev01 nnrpd[9550]: david-nb.net.hlacik.eu (10.10.10.199)
> connect
> Jun 5 13:33:12 dev01 nnrpd[9550]: python interpreter initialized OK
> Jun 5 13:33:12 dev01 nnrpd[9550]: python: nnrpd authentication class
> instance created
> Jun 5 13:33:12 dev01 nnrpd[9550]: python: authentication module
> successfully hooked into nnrpd
> Jun 5 13:33:12 dev01 nnrpd[9550]: python method authen_init not found
> Jun 5 13:33:12 dev01 nnrpd[9550]: python method authen_close not found
> Jun 5 13:33:12 dev01 nnrpd[9550]: python method access_init not found
> Jun 5 13:33:12 dev01 nnrpd[9550]: python method access_close not found
> Jun 5 13:33:12 dev01 nnrpd[9550]: python method dynamic_init not found
> Jun 5 13:33:12 dev01 nnrpd[9550]: python method dynamic_close not found
> Jun 5 13:33:12 dev01 nnrpd[9550]: python: n_a authenticate() invoked:
> hostname david-nb.net.hlacik.eu, ipaddress 10.10.10.199, interface
> 10.10.10.183, user boss
> Jun 5 13:33:12 dev01 nnrpd[9550]: python: Error: No module named py
> Jun 5 13:33:12 dev01 nnrpd[9550]: python authenticate method returned
> wrong result
> Jun 5 13:33:12 dev01 nnrpd[9550]: david-nb.net.hlacik.eu times user 0.016
> system 0.016 idle 0.000 elapsed 0.073
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
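
Added example (not code from the thread): a way to call an external credential checker, as in the workaround described above, without a shell. When the user name and password are formatted into one command string, those client-supplied values are parsed by the shell and the password is visible in the process list; here the user name is a single argv element and the password goes over stdin. The helper protocol (user in argv, password on stdin, prints 1 or 0), `HELPER_SOURCE` and `check_credentials` are assumptions of this sketch, written for Python 3.7 or later.

```python
import subprocess
import sys

# Constructed stand-in for the external checker script (hypothetical): it takes
# the user name as argv[1], reads the password from stdin and prints 1 or 0.
# A real helper would do the LDAP lookup at this point.
HELPER_SOURCE = r'''
import sys
user = sys.argv[1]
password = sys.stdin.readline().rstrip("\n")
sys.stdout.write("1" if (user, password) == ("boss", "s3cret pass") else "0")
'''
DEFAULT_HELPER = [sys.executable, "-c", HELPER_SOURCE]


def check_credentials(user, password, helper_argv=DEFAULT_HELPER, timeout=5):
    """Ask the helper whether user/password are valid; any failure means False."""
    # The password travels as one line on stdin, so it must not contain a
    # line break.
    if "\n" in password or "\r" in password:
        return False
    try:
        proc = subprocess.run(
            list(helper_argv) + [user],  # argument list: no shell parses it
            input=password + "\n",       # the password never appears in argv
            capture_output=True,
            text=True,
            timeout=timeout,
            check=False,
        )
    except (OSError, ValueError, subprocess.TimeoutExpired):
        # Helper missing, NUL byte in an argument, or helper hung: deny.
        return False
    # Accept only a clean exit with exactly "1" on stdout; empty or unexpected
    # output is a denial rather than an exception.
    return proc.returncode == 0 and proc.stdout.strip() == "1"


if __name__ == "__main__":
    print(check_credentials("boss", "s3cret pass"))  # constructed credentials
    print(check_credentials("boss", "wrong"))
```
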
URL: From david at hlacik.eu Sat Jun 7 13:16:11 2008 From: david at hlacik.eu (=?ISO-8859-2?Q?David_Hl=E1=E8ik?=) Date: Sat, 7 Jun 2008 13:16:11 +0200 Subject: investigate python auth problem In-Reply-To: References: <1D2DDD39D8944253BE2FF56CAE667E6C@Iulius> Message-ID: Hello Julien, ALL I have reproduced steps, to show you sample on another module and its results in INN (becouse i really like to solve this :) Here is part from nnrpd_auth.py module autheticate(args) which is called when authentication begins: part from readers.conf : *auth "pdg" { python_auth: "nnrpd_auth.py" }* part from nnrpd_auth.py: (here you can also see how i solved problem with ldap module, i am calling external script and reading result from its standard output - commented lines) *def authenticate(self, attributes): """Called when python_auth is encountered in readers.conf""" # just for debugging purposes syslog('notice', 'n_a authenticate() invoked: hostname %s, ipaddress %s, interface %s, user %s' % (\ attributes['hostname'], \ attributes['ipaddress'], \ attributes['interface'], \ attributes['user'])) # do username passworld authentication #if 'foo' == str(attributes['user']) \ # and 'foo' == str(attributes['pass']): # syslog('notice', 'authentication by username succeeded') # return ( self.authcodes['ALLOWED'], 'No error', 'default_user') #else: # syslog('notice', 'authentication by username failed') # return ( self.authcodes['DENIED'], 'Access Denied!') #import os #result = int(os.popen("%s %s %s" %("/opt/pdg/newsauth.py",str(attributes['user']),str(attributes['pass'])), "r").read()) #if result == 1: # syslog('notice', 'authentication by username succeeded') # return(self.authcodes['ALLOWED'], 'OK') #else: # syslog('notice', 'authentication by username failed') # return ( self.authcodes['DENIED'], 'FAILED') import commands result = commands.getoutput('ls -l') syslog('notice', result) *And now comes my test.py where i am testing my nnrpd_auth.py: *from nnrpd_auth import * myauth = AUTH() 
    print myauth.authenticate({'user':'boss','pass':'supersecret','interface':None,'ipaddress':None,'hostname':None})

As you can see my test.py is calling authenticate method same as INN is calling when auth begins.

Here comes the result from my test.py:

    -- syslog level: notice message: nnrpd authentication class instance created
    ** set_auth_hook for
    -- syslog level: notice message: authentication module successfully hooked into nnrpd
    -- syslog level: notice message: nnrpd authentication class instance created
    -- syslog level: notice message: n_a authenticate() invoked: hostname None, ipaddress None, interface None, user boss
    -- syslog level: notice message: total 104
    -rw-r--r-- 1 news news 859 Jun 4 10:38 INN.py
    -rw-r--r-- 1 news news 1351 Jun 4 10:38 INN.pyc
    -rw-r--r-- 1 news news 1351 Jun 4 10:38 INN.pyo
    -rw-r--r-- 1 news news 479 Jun 4 10:38 filter.tcl
    -rw-r--r-- 1 news news 8860 Jun 4 10:38 filter_innd.py
    -rw-r--r-- 1 news news 7381 Jun 4 10:38 filter_innd.pyc
    -rw-r--r-- 1 news news 7381 Jun 4 10:38 filter_innd.pyo
    -rw-r--r-- 1 news news 2259 Jun 4 10:38 filter_nnrpd.pl
    -rw-r--r-- 1 root root 512 Jun 4 10:37 nnrpd.py
    -rw-r--r-- 1 root root 603 Jun 5 11:34 nnrpd.pyc
    -rw-r--r-- 1 news news 4181 Jun 4 10:38 nnrpd_access.pl
    -rw-r--r-- 1 news news 2657 Jun 4 10:38 nnrpd_auth.pl
    -rw-r--r-- 1 root root 7998 Jun 7 13:06 nnrpd_auth.py
    -rw-r--r-- 1 root root 8200 Jun 5 12:18 nnrpd_auth.py.backup
    -rw-r--r-- 1 root root 3109 Jun 7 13:06 nnrpd_auth.pyc
    -rw-r--r-- 1 news news 469 Jun 4 10:38 startup.tcl
    -rw-r--r-- 1 news news 1324 Jun 4 10:38 startup_innd.pl
    -rw-r--r-- 1 root root 259 Jun 7 13:06 test.py
    None

Please note the syslog result ..
which is this part from nnrpd_auth.py :

    import commands
    result = commands.getoutput('ls -l')
    syslog('notice', result)

And now please note the result from INN where result is completely ignored :

    Jun 7 13:15:20 dev01 nnrpd[1400]: python: n_a authenticate() invoked: hostname david-nb.net.hlacik.eu, ipaddress 10.10.10.199, interface 10.10.10.183, user b
    Jun 7 13:15:20 dev01 nnrpd[1400]: python authenticate method returned wrong result
    Jun 7 13:15:20 dev01 nnrpd[1400]: david-nb.net.hlacik.eu times user 0.000 system 0.008 idle 0.000 elapsed 0.034

Thanks!

David

On Sat, Jun 7, 2008 at 11:35 AM, David Hláčik wrote:

> Hello , of course I am importing without .py . I have checked all paths
> with sys.path and also check if INN is using same python version with same
> environment as mine - and yes it is.
> What I have discovered is that nnrpd_auth.py has a really problem with
> importing anything except builtin sys module.
> Module ldap is not working, module commands is not working ... it will
> simple print no result ...
> When I test it through my test script it will does. When I test it directly
> with INN I see only "python auth returned wrong result".
> When I try to investigate that with try except Exception .. I simple see no
> error there but null result ... it will simple not call the result... even
> simple commands.getoutput("ls -l") does not work! :(
> Only one solution I have found is to import sys module and call popen to
> open external script .. also written in python .. which will simple to
> standard out return result (and which is using module ldap without problem)
> .. and then I read output in nnrpd_auth and work with that.
> Such ugly thing , I spent 3 days working with nnrpd_auth.py and nothing
> worked as I wanted (and I am programming in python for 3 years actually so I
> don't think I am lame ).
>
> Thanks!
> and if someone really will help me to investigate problem I will
> sent them a package of Czech Beers (Gambrinus,Plzen or Budvar) as I am live
> in czech republic!
>
>
> On Fri, Jun 6, 2008 at 8:27 PM, Julien ÉLIE
> wrote:
>
>> Hi David (thrice),
>>
>> I have created own try, except part to see error, but all i got is :
>>> python:
>>> Error: No module named py
>>> I want to know more , i want to know why? There is no other info in logs.
>>>
>>
>> Do you "import module.py" or "import module"? The last one is the right
>> thing to do
>> inside your scripts. Also check whether paths are correct.
>>
>> And in readers.conf, did you try without ".py" too in the python_auth:
>> parameter?
>> (I do not know whether it is required.)
>>
>> --
>> Julien ÉLIE
>>
>> "My father, that hero with such a gentle smile." (Victor Hugo)
>>
>>
>

From Ron at USMedRec.com Sun Jun 8 19:30:39 2008
From: Ron at USMedRec.com (Ron Teitelbaum)
Date: Sun, 8 Jun 2008 13:30:39 -0400
Subject: Problem on add
In-Reply-To: <484A33F0.2020009@unipex.it>
References: <484A33F0.2020009@unipex.it>
Message-ID:

Hi Michele,

Have a look at this http://www.grotan.com/ldap/python-ldap-samples.html

I thought it was pretty helpful. It's easier to build the ldif using the modlist.

Ron

> -----Original Message-----
> From: python-ldap-dev-bounces at lists.sourceforge.net [mailto:python-ldap-
> dev-bounces at lists.sourceforge.net] On Behalf Of Michele Petrazzo - Unipex
> srl
> Sent: Saturday, June 07, 2008 3:09 AM
> To: python-ldap-dev at lists.sourceforge.net
> Subject: Problem on add
>
> Hi list,
> I'm trying, for the first time, to use python-ldap and I find some
> problems on add.
> I have a code that are, more or less:
>
> LDAP_BASE_DN = "dc=unipex,dc=it"
>
> ldif = [('dn', 'cn=A name,ou=People,dc=unipex,dc=it'), ('cn', 'A name'),
> ('objectclass', ['top', 'person', 'inetOrgPerson',
> 'organizationalPerson', 'mozillaOrgPerson']), ('sn', 'A name'), ('mail',
> 'a_real at mail.it'), ('givenName', 'Michele')]
>
>
> l.add_s(LDAP_BASE_DN, ldif)
>
> And I receive:
>
> ldap.UNDEFINED_TYPE: {'info': 'dn: attribute type undefined', 'desc':
> 'Undefined attribute type'}
> d
>
>
> But if I save the same data into a ldif file and add it with:
> ldapadd -xv -D "cn=admin,dc=unipex,dc=it" -f test_entry.ldif -W
>
> it works!
>
> What can I try or where look for solve it?
>
> Thanks,
> Michele
>
> P.s. I trying to add an ldif data into ldap with mozilla scheme
>
>
>

From michele.petrazzo at unipex.it Mon Jun 9 08:53:58 2008
From: michele.petrazzo at unipex.it (Michele Petrazzo - Unipex srl)
Date: Mon, 09 Jun 2008 08:53:58 +0200
Subject: Problem on add
In-Reply-To: <484A33F0.2020009@unipex.it>
References: <484A33F0.2020009@unipex.it>
Message-ID: <484CD386.6070103@unipex.it>

Michele Petrazzo - Unipex srl wrote:

<-cut->

Hi, thanks to all for the quick reply.
It was that it's the first time that I try to use ldap ;) and that like Bj?rn says, "The DN is not a part of the ldif when using the API. "

Remove that, now it's all working!

Michele

From work at infomaniak.ch Wed Jun 11 08:17:07 2008
From: work at infomaniak.ch (cedric briner)
Date: Wed, 11 Jun 2008 08:17:07 +0200
Subject: unable to download
Message-ID: <484F6DE3.3040704@infomaniak.ch>

Hi,

I'm using ez_install to have a fresh python-ldap modules.
I do:

    python ez_setup.py -s ../bin -d ../lib python-ldap
    Searching for python-ldap
    Reading http://pypi.python.org/simple/python-ldap/
    Reading http://python-ldap.sourceforge.net/
    Reading http://python-ldap.sourceforge.net/download.shtml
    Best match: python-ldap cvsroot
    Downloading http://cvs.sourceforge.net/cvstarballs/python-ldap-cvsroot.tar.gz
    error: Can't download http://cvs.sourceforge.net/cvstarballs/python-ldap-cvsroot.tar.gz: 503 Service Unavailable

and yes, as you can see cvs.sourceforge.net is down !

Did you know about this ? Is this under your responsibilities ?

Because, I do need an egg for SunOS for Python 2.4.4 :|

Sed

--
Cedric BRINER
Geneva - Switzerland

From michael at stroeder.com Wed Jun 11 09:36:27 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 11 Jun 2008 09:36:27 +0200
Subject: unable to download
In-Reply-To: <484F6DE3.3040704@infomaniak.ch>
References: <484F6DE3.3040704@infomaniak.ch>
Message-ID: <484F807B.2080107@stroeder.com>

cedric briner wrote:
>
> I'm using ez_install to have a fresh python-ldap modules.

Frankly I'm not really familiar with ez_install.

> python ez_setup.py -s ../bin -d ../lib python-ldap
> Searching for python-ldap
> Reading http://pypi.python.org/simple/python-ldap/
> Reading http://python-ldap.sourceforge.net/
> Reading http://python-ldap.sourceforge.net/download.shtml
> Best match: python-ldap cvsroot
> Downloading
> http://cvs.sourceforge.net/cvstarballs/python-ldap-cvsroot.tar.gz
> error: Can't download
> http://cvs.sourceforge.net/cvstarballs/python-ldap-cvsroot.tar.gz: 503
> Service Unavailable

Well, that link is obsolete since years...removed it.

I also edited the package info for the recent release:
http://pypi.python.org/pypi?name=python-ldap&version=2.3.4&:action=display

Sigh! One more place to go when doing a release...

Ciao, Michael.
From jens at dataflake.org Wed Jun 11 15:20:19 2008
From: jens at dataflake.org (Jens Vagelpohl)
Date: Wed, 11 Jun 2008 08:20:19 -0500
Subject: unable to download
In-Reply-To: <484F807B.2080107@stroeder.com>
References: <484F6DE3.3040704@infomaniak.ch> <484F807B.2080107@stroeder.com>
Message-ID: <0627A3AD-5239-4249-9F13-A2D686D420AE@dataflake.org>

On Jun 11, 2008, at 02:36 , Michael Ströder wrote:
> Sigh! One more place to go when doing a release...

If I were you I'd put releases on PyPI only and just point people there. Using setuptools this is a one line command from within your checkout, you don't even need to create the tarball yourself anymore. If you want to chat about a good release strategy and/or help handling that let me know.

Personally, I can't stand that SF setup. Just a few days ago I had the hardest time to find a release older than the current release so I could look at its documentation.

jens

From michael at stroeder.com Wed Jun 11 16:25:08 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 11 Jun 2008 16:25:08 +0200
Subject: unable to download
In-Reply-To: <0627A3AD-5239-4249-9F13-A2D686D420AE@dataflake.org>
References: <484F6DE3.3040704@infomaniak.ch> <484F807B.2080107@stroeder.com> <0627A3AD-5239-4249-9F13-A2D686D420AE@dataflake.org>
Message-ID: <484FE044.3050900@stroeder.com>

Jens Vagelpohl wrote:
> On Jun 11, 2008, at 02:36 , Michael Ströder wrote:
>> Sigh! One more place to go when doing a release...
>
> If I were you I'd put releases on PyPI only and just point people
> there.

I'll consider this.

> Personally, I can't stand that SF setup.

Are you talking about python-ldap? I generally hide old releases. There are pros and cons for that.

> Just a few days ago I had the hardest time to find a release older
> than the current release so I could look at its documentation.

Note that the versioning of the python-ldap docs isn't that strictly tied to the implementation itself (like it is with Python).
This should be better in the future but still the current API isn't fully documented.

Ciao, Michael.

From jens at dataflake.org Wed Jun 11 16:45:14 2008
From: jens at dataflake.org (Jens Vagelpohl)
Date: Wed, 11 Jun 2008 09:45:14 -0500
Subject: unable to download
In-Reply-To: <484FE044.3050900@stroeder.com>
References: <484F6DE3.3040704@infomaniak.ch> <484F807B.2080107@stroeder.com> <0627A3AD-5239-4249-9F13-A2D686D420AE@dataflake.org> <484FE044.3050900@stroeder.com>
Message-ID:

On Jun 11, 2008, at 09:25 , Michael Ströder wrote:
> Jens Vagelpohl wrote:
>> Personally, I can't stand that SF setup.
>
> Are you talking about python-ldap? I generally hide old releases.
> There
> are pros and cons for that.

python-ldap and general. SF is a pile of steaming you know what. It's slow, ugly, annoying, and they make it near impossible to give people reliable download links that do not require jumping into a browser so they can push ads into your face.

And yes, I really don't like hiding older releases. ;-)

jens

From michael at stroeder.com Mon Jun 16 15:48:39 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 16 Jun 2008 15:48:39 +0200
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
Message-ID: <48566F37.4060306@stroeder.com>

HI!

I'd like to hear from the Python community whether support for Python version prior to 2.3 is still needed in python-ldap. Please tell me which Python version you're using and why it'd be important for you to have python-ldap updates still supporting it.

BTW: Actually older Python versions are not tested with recent python-ldap since at least two years. But I'd like to clearly decide on that.

Ciao, Michael.

From Ron at USMedRec.com Mon Jun 16 15:56:38 2008
From: Ron at USMedRec.com (Ron Teitelbaum)
Date: Mon, 16 Jun 2008 09:56:38 -0400
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <48566F37.4060306@stroeder.com>
References: <48566F37.4060306@stroeder.com>
Message-ID:

Hi Michael,

Thank you for all your hard work! We are using python2.4.4, but only because of other software that is tied to it and the lack of available time to upgrade.

Ron Teitelbaum

> -----Original Message-----
> From: python-ldap-dev-bounces at lists.sourceforge.net [mailto:python-ldap-
> dev-bounces at lists.sourceforge.net] On Behalf Of Michael Ströder
> Sent: Monday, June 16, 2008 9:49 AM
> To: python-ldap-dev at lists.sourceforge.net
> Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
>
> HI!
>
> I'd like to hear from the Python community whether support for Python
> version prior to 2.3 is still needed in python-ldap. Please tell me
> which Python version you're using and why it'd be important for you to
> have python-ldap updates still supporting it.
>
> BTW: Actually older Python versions are not tested with recent
> python-ldap since at least two years. But I'd like to clearly decide on
> that.
>
> Ciao, Michael.
>
>
>

From jens at dataflake.org Mon Jun 16 15:59:08 2008
From: jens at dataflake.org (Jens Vagelpohl)
Date: Mon, 16 Jun 2008 15:59:08 +0200
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <48566F37.4060306@stroeder.com>
References: <48566F37.4060306@stroeder.com>
Message-ID: <04823A59-DD2D-48F0-BF1A-B8905E314CE5@dataflake.org>

On Jun 16, 2008, at 15:48 , Michael Ströder wrote:

> HI!
>
> I'd like to hear from the Python community whether support for Python
> version prior to 2.3 is still needed in python-ldap. Please tell me
> which Python version you're using and why it'd be important for you to
> have python-ldap updates still supporting it.

Using Python 2.4 in 95% of all cases, 2.3 for rare cases when someone needs to run Zope older than 2.8. Not using anything older at all, but also not using 2.5.

So in essence, I'm not looking for any compatibility for Python versions < 2.3.
IMHO it's really not a big deal to tell people they must use older python-ldap releases if they insist on running Python versions that are no longer supported by anyone.

jens

From python-ldap at tk-webart.de Mon Jun 16 16:54:45 2008
From: python-ldap at tk-webart.de (Torsten Kurbad)
Date: Mon, 16 Jun 2008 16:54:45 +0200
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <04823A59-DD2D-48F0-BF1A-B8905E314CE5@dataflake.org>
References: <48566F37.4060306@stroeder.com> <04823A59-DD2D-48F0-BF1A-B8905E314CE5@dataflake.org>
Message-ID: <921875906.20080616165445@tk-webart.de>

Hi!

>> I'd like to hear from the Python community whether support for Python
>> version prior to 2.3 is still needed in python-ldap. Please tell me
>> which Python version you're using and why it'd be important for you to
>> have python-ldap updates still supporting it.

We are solely using 2.4.4 at the moment and will move to 2.5 as soon as the restricted Python in Zope3 fully supports it.

> IMHO it's really not a big deal to tell people they must use older
> python-ldap releases if they insist on running Python versions that
> are no longer supported by anyone.

Exactly my opinion!

Best regards,
Torsten

--
Never make anything simple and efficient when a way can be found to make it complex and wonderful. - Murphy's Law No. 13 -

From michael at stroeder.com Mon Jun 16 17:07:24 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 16 Jun 2008 17:07:24 +0200
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <921875906.20080616165445@tk-webart.de>
References: <48566F37.4060306@stroeder.com> <04823A59-DD2D-48F0-BF1A-B8905E314CE5@dataflake.org> <921875906.20080616165445@tk-webart.de>
Message-ID: <485681AC.2030909@stroeder.com>

Torsten Kurbad wrote:
> Jens Vagelpohl wrote:
>> IMHO it's really not a big deal to tell people they must use older
>> python-ldap releases if they insist on running Python versions that
>> are no longer supported by anyone.
>
> Exactly my opinion!

You both want to convince me to keep older versions visible. ;-)

Well, that's an admirable plan. But only worth the trouble if someone tracks which python-ldap release is guaranteed to work with which Python release. That's not done at the moment. Voluntary work in this field is appreciated. ;-}

Ciao, Michael.

From jens at dataflake.org Mon Jun 16 17:40:04 2008
From: jens at dataflake.org (Jens Vagelpohl)
Date: Mon, 16 Jun 2008 17:40:04 +0200
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <485681AC.2030909@stroeder.com>
References: <48566F37.4060306@stroeder.com> <04823A59-DD2D-48F0-BF1A-B8905E314CE5@dataflake.org> <921875906.20080616165445@tk-webart.de> <485681AC.2030909@stroeder.com>
Message-ID:

On Jun 16, 2008, at 17:07 , Michael Ströder wrote:

> Torsten Kurbad wrote:
>> Jens Vagelpohl wrote:
>>> IMHO it's really not a big deal to tell people they must use older
>>> python-ldap releases if they insist on running Python versions that
>>> are no longer supported by anyone.
>>
>> Exactly my opinion!
>
> You both want to convince me to keep older versions visible. ;-)
>
> Well, that's an admirable plan. But only worth the trouble if someone
> tracks which python-ldap release is guaranteed to work with which
> Python
> release. That's not done at the moment. Voluntary work in this field
> is
> appreciated. ;-}

I'm not sure what you mean by tracking this compatibility. I can see by looking at e.g.
python-ldap-2.2.1 the INSTALL document says "Python 2.0 or greater". IMHO that's enough information. I don't think there's any need to go back and specify the highest release the package is supposed to work with (I'm guessing that's what you mean), like saying "only works with the Python 2.0-2.4 releases". People should be intelligent enough to not expect compatibility with a major Python release that did not exist when a given python-ldap package version was released.

jens

From garlandkr at gmail.com Mon Jun 16 18:18:28 2008
From: garlandkr at gmail.com (Garland, Ken R)
Date: Mon, 16 Jun 2008 12:18:28 -0400
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <48566F37.4060306@stroeder.com>
References: <48566F37.4060306@stroeder.com>
Message-ID:

2.3 to 2.5 in all of my environments.

On Mon, Jun 16, 2008 at 9:48 AM, Michael Ströder wrote:

> HI!
>
> I'd like to hear from the Python community whether support for Python
> version prior to 2.3 is still needed in python-ldap. Please tell me
> which Python version you're using and why it'd be important for you to
> have python-ldap updates still supporting it.
>
> BTW: Actually older Python versions are not tested with recent
> python-ldap since at least two years. But I'd like to clearly decide on
> that.
>
> Ciao, Michael.
>
From ryan at stat.Berkeley.EDU Mon Jun 16 18:49:35 2008
From: ryan at stat.Berkeley.EDU (Ryan Lovett)
Date: Mon, 16 Jun 2008 09:49:35 -0700
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <48566F37.4060306@stroeder.com>
References: <48566F37.4060306@stroeder.com>
Message-ID: <20080616164935.GA41094@stat.berkeley.edu>

On Mon, Jun 16, 2008 at 03:48:39PM +0200, Michael Ströder wrote:
> I'd like to hear from the Python community whether support for Python
> version prior to 2.3 is still needed in python-ldap. Please tell me
> which Python version you're using and why it'd be important for you to
> have python-ldap updates still supporting it.

We're using the versions that ship with any Ubuntu LTS. From experience they sometimes don't backport crucial fixes, though python-ldap is in their main repository so I'm sure its higher priority for them.

Ryan

From michael at stroeder.com Mon Jun 16 19:48:33 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 16 Jun 2008 19:48:33 +0200
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <20080616164935.GA41094@stat.berkeley.edu>
References: <48566F37.4060306@stroeder.com> <20080616164935.GA41094@stat.berkeley.edu>
Message-ID: <4856A771.5030906@stroeder.com>

Ryan Lovett wrote:
> On Mon, Jun 16, 2008 at 03:48:39PM +0200, Michael Ströder wrote:
>> I'd like to hear from the Python community whether support for Python
>> version prior to 2.3 is still needed in python-ldap. Please tell me
>> which Python version you're using and why it'd be important for you to
>> have python-ldap updates still supporting it.
>
> We're using the versions that ship with any Ubuntu LTS.

Can you please explain what that means for the Python versions available in the Ubuntu repository?

Just a side note:
I vaguely remember that Ubuntu also uses Debian packages (please correct me if I'm wrong).
And since there were Debian packages heavily patched in May 2007 to still work with ancient OpenLDAP libs 2.1 and Debian links OpenLDAP to gnutls (which is insecure and sometimes crashes) I don't give any support for their python-ldap packages. Even the API might not be compatible...

Ciao, Michael.

From vela at debian.org Mon Jun 16 19:52:35 2008
From: vela at debian.org (Matej Vela)
Date: Mon, 16 Jun 2008 19:52:35 +0200
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <20080616164935.GA41094@stat.berkeley.edu> (Ryan Lovett's message of "Mon\, 16 Jun 2008 09\:49\:35 -0700")
References: <48566F37.4060306@stroeder.com> <20080616164935.GA41094@stat.berkeley.edu>
Message-ID: <8763s91d3w.fsf@zelendur.carpriv.carnet.hr>

Ryan Lovett writes:

> On Mon, Jun 16, 2008 at 03:48:39PM +0200, Michael Ströder wrote:
>> I'd like to hear from the Python community whether support for Python
>> version prior to 2.3 is still needed in python-ldap. Please tell me
>> which Python version you're using and why it'd be important for you to
>> have python-ldap updates still supporting it.
>
> We're using the versions that ship with any Ubuntu LTS. From experience
> they sometimes don't backport crucial fixes, though python-ldap is in their
> main repository so I'm sure its higher priority for them.

In this case it shouldn't be a problem, all currently supported versions of Ubuntu use Python 2.4 or higher. Debian currently ships with 2.3 and 2.4.

Cheers,

Matej

From michael at stroeder.com Mon Jun 16 20:17:51 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 16 Jun 2008 20:17:51 +0200
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <8763s91d3w.fsf@zelendur.carpriv.carnet.hr>
References: <48566F37.4060306@stroeder.com> <20080616164935.GA41094@stat.berkeley.edu> <8763s91d3w.fsf@zelendur.carpriv.carnet.hr>
Message-ID: <4856AE4F.7030708@stroeder.com>

Matej Vela wrote:
> Ryan Lovett writes:
>
>> On Mon, Jun 16, 2008 at 03:48:39PM +0200, Michael Ströder wrote:
>>> I'd like to hear from the Python community whether support for Python
>>> version prior to 2.3 is still needed in python-ldap. Please tell me
>>> which Python version you're using and why it'd be important for you to
>>> have python-ldap updates still supporting it.
>> We're using the versions that ship with any Ubuntu LTS. From experience
>> they sometimes don't backport crucial fixes, though python-ldap is in their
>> main repository so I'm sure its higher priority for them.
>
> In this case it shouldn't be a problem, all currently supported versions of
> Ubuntu use Python 2.4 or higher. Debian currently ships with 2.3 and 2.4.

And how about OpenLDAP libs and gnutls? Yes, I'm nagging here, but because of very good reasons.

Ciao, Michael.

From ryan at stat.Berkeley.EDU Mon Jun 16 20:39:24 2008
From: ryan at stat.Berkeley.EDU (Ryan Lovett)
Date: Mon, 16 Jun 2008 11:39:24 -0700
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <4856A771.5030906@stroeder.com>
References: <48566F37.4060306@stroeder.com> <20080616164935.GA41094@stat.berkeley.edu> <4856A771.5030906@stroeder.com>
Message-ID: <20080616183923.GE41094@stat.berkeley.edu>

On Mon, Jun 16, 2008 at 07:48:33PM +0200, Michael Ströder wrote:
> Ryan Lovett wrote:
> > We're using the versions that ship with any Ubuntu LTS.
>
> Can you please explain what that means for the Python versions available
> in the Ubuntu repository?

http://packages.ubuntu.com/python-ldap gives a good overview. LTS means "long term support" where Ubuntu pledges to support the release for 5 years.
(https://wiki.ubuntu.com/LTS) There have been two LTS releases, dapper (6.06) and hardy (8.04) where
    http://packages.ubuntu.com/dapper/python-ldap which is 2.0.4.
    http://packages.ubuntu.com/hardy/python-ldap which is 2.3.1.

> I vaguely remember that Ubuntu also uses Debian packages (please correct
> me if I'm wrong).

That is correct, Ubuntu is a Debian-based distro:
    http://www.ubuntu.com/community/ubuntustory/Debian

> And since there were Debian packages heavily patched in May 2007 to still
> work with ancient OpenLDAP libs 2.1 and Debian links OpenLDAP to gnutls
> (which is insecure and sometimes crashes) I don't give any support for
> their python-ldap packages. Even the API might not be compatible...

On an amd64 hardy machine:

    $ ldd /usr/lib/python2.5/site-packages/_ldap.so
        linux-vdso.so.1 => (0x00007ffff1dfe000)
        libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00007f4ee97f2000)
        liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00007f4ee95e4000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f4ee93ca000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007f4ee91ae000)
        libc.so.6 => /lib/libc.so.6 (0x00007f4ee8e4c000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00007f4ee8c35000)
        libgnutls.so.13 => /usr/lib/libgnutls.so.13 (0x00007f4ee89b1000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007f4ee87ad000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f4ee9c63000)
        libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x00007f4ee859c000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00007f4ee8385000)
        libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00007f4ee8137000)
        libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00007f4ee7f33000)

I'm sure the gnutls folks would welcome your bug reports about its security and stability. All in your abundant spare time of course.
:)
    https://savannah.gnu.org/support/?group=gnutls
    http://www.gnu.org/software/gnutls/bugs.html

Ryan

From vela at debian.org Mon Jun 16 22:36:40 2008
From: vela at debian.org (Matej Vela)
Date: Mon, 16 Jun 2008 22:36:40 +0200
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <4856AE4F.7030708@stroeder.com> ("Michael Ströder"'s message of "Mon\, 16 Jun 2008 20\:17\:51 +0200")
References: <48566F37.4060306@stroeder.com> <20080616164935.GA41094@stat.berkeley.edu> <8763s91d3w.fsf@zelendur.carpriv.carnet.hr> <4856AE4F.7030708@stroeder.com>
Message-ID: <87abhlazhj.fsf@zelendur.carpriv.carnet.hr>

Michael Ströder writes:

> And how about OpenLDAP libs and gnutls? Yes, I'm nagging here, but
> because of very good reasons.

I don't see it as nagging at all, you're perfectly right not to support modifications you're not comfortable with. I hope we provide a reasonable level of support ourselves, both on this list and through bugs.debian.org.

To provide some context, OpenLDAP 2.1 client libraries were not quite as ancient at the time the current Debian release was frozen in late 2006. A newer version didn't make it in time due to problems with symbol versioning -- because of the large number of libraries and plugins linked with libldap, a binary could end up simultaneously using code compiled with different LDAP ABIs, and promptly crash. The next Debian release (due out later this year) will use libldap 2.4 with versioned symbols.

I'm not sure which python-ldap package you were looking at, but the one we released with, 2.2.0-3, has a 19-line patch for OpenLDAP 2.1. Later development versions used a 130-line patch, but none of these were released for production use. The patch is a currently a no-op, and I intend to fully remove it before we release.

As for GnuTLS, the main reason it's used is the unfortunate incompatibility between the OpenSSL license and the GPL [1].
I'm not aware of stability or security issues in current versions.

[1]

Cheers,

Matej

From michael at stroeder.com Tue Jun 17 00:09:50 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 17 Jun 2008 00:09:50 +0200
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <20080616183923.GE41094@stat.berkeley.edu>
References: <48566F37.4060306@stroeder.com> <20080616164935.GA41094@stat.berkeley.edu> <4856A771.5030906@stroeder.com> <20080616183923.GE41094@stat.berkeley.edu>
Message-ID: <4856E4AE.7070804@stroeder.com>

Ryan Lovett wrote:
> I'm sure the gnutls folks would welcome your bug reports about its security
> and stability.

Howard Chu did an analysis and discussed that with gnutls developers since OpenLDAP users reported crashes when using LDAP with SSL. I'm not feeling comfortable with what he found out:

http://www.openldap.org/lists/openldap-devel/200802/msg00072.html

More related postings:

http://www.openldap.org/lists/openldap-devel/200802/msg00100.html

Well, assuming a single-valued subjectAltName extension is simply naive.

I'm aware of Debian's licensing paranoia regarding OpenSSL. But deploying a X.509 lib which is not capable of handling widely used X.509v3 extensions safely is not a solution either.

I'm not a C programmer. But I wrote a X.509 cert parser in Python myself running it through a collection of several hundred weird formatted certs when testing. So I know what you have to expect when doing this.

Ciao, Michael.

From michael at stroeder.com Tue Jun 17 00:21:14 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 17 Jun 2008 00:21:14 +0200
Subject: Who is using python-ldap with Python 1.5.x and 2.0-2.2?
In-Reply-To: <87abhlazhj.fsf@zelendur.carpriv.carnet.hr>
References: <48566F37.4060306@stroeder.com> <20080616164935.GA41094@stat.berkeley.edu> <8763s91d3w.fsf@zelendur.carpriv.carnet.hr> <4856AE4F.7030708@stroeder.com> <87abhlazhj.fsf@zelendur.carpriv.carnet.hr>
Message-ID: <4856E75A.90502@stroeder.com>

Matej Vela wrote:
> Michael Ströder writes:
>
>> And how about OpenLDAP libs and gnutls? Yes, I'm nagging here, but
>> because of very good reasons.
>
> I don't see it as nagging at all, you're perfectly right not to support
> modifications you're not comfortable with. I hope we provide a
> reasonable level of support ourselves, both on this list and through
> bugs.debian.org.

Matej, sure I appreciate your contributions to python-ldap's code. Your patches in the past helped a lot.

> To provide some context, OpenLDAP 2.1 client libraries were not quite as
> ancient at the time the current Debian release was frozen in late 2006.

Late 2006 the OpenLDAP 2.3.x branch really matured. Since the OpenLDAP developers never maintain more than two branches at the same time they surely had set at least the status of OpenLDAP 2.1 to historic. Which means: Don't use it. I believe work on OpenLDAP 2.4.x code branch might have already started so 2.2.x was maybe already historic at that time either.

The files' timestamp here seem plausible to me (I even remember Kurt releasing OpenLDAP 1.0 back in '98):

ftp://ftp.openldap.org/pub/openldap/openldap-release

> A newer version didn't make it in time due to problems with symbol
> versioning -- because of the large number of libraries and plugins
> linked with libldap, a binary could end up simultaneously using code
> compiled with different LDAP ABIs, and promptly crash.

Well, even the API of python-ldap is different when linked to such old OpenLDAP libs. My aim is to really stream-line that.

> The next Debian
> release (due out later this year) will use libldap 2.4 with versioned
> symbols.

I appreciate it.
Maybe it would be worth to talk more with upstream developers which version of their code to use in a frozen distribution release.

Ciao, Michael.

From michael at stroeder.com Wed Jun 18 10:18:13 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 18 Jun 2008 10:18:13 +0200
Subject: python-ldap question
In-Reply-To: <6520687b0806180055i4ab7df77m261effb46916b6cc@mail.gmail.com>
References: <6520687b0806180055i4ab7df77m261effb46916b6cc@mail.gmail.com>
Message-ID: <4858C4C5.1060108@stroeder.com>

Melita,

I'd kindly ask you to come over to the python-ldap-dev mailing list (See To:, Bcc: to you to protect your e-mail address) to further discuss things like this because others are surely interested in this too.

http://lists.sourceforge.net/lists/listinfo/python-ldap-dev

Melita Mihaljevic wrote:
>
> I'm developing extending MoinMoin groups to LDAP, and I need to read all
> groups from LDAP dir and map them with users that are members of certain
> group.

Hmm, you probably should not read all groups since group entries can be very large. One of my customers has entries 'groupOfNames' containing over 100.000 DNs in the attribute 'member'! Rather after the user's login you should determine the groups the user is a direct member of.

> I looked at your web2ldap application and thought maybe you have
> some ideas.

Did you have a look at the filters sent by web2ldap? The [groupadm] feature sends two search requests (not requesting the member attribute!):
- search (different types of) groups the user is a member of
- search all groups

> I tried to search with ou=Groups but this is only one case. Do you know/
> have idea how to do it generally.

Hmm, I'm not sure I fully understand what you're after.

Ciao, Michael.

From melita.mihaljevic at gmail.com Wed Jun 18 09:23:57 2008
From: melita.mihaljevic at gmail.com (Melita Mihaljevic)
Date: Wed, 18 Jun 2008 09:23:57 +0200
Subject: Reading groups from LDAP
Message-ID: <6520687b0806180023l1ff7ec55ta994a888fe2e4e4@mail.gmail.com>

Hi,
I'm wondering which is the generic way to search for groups in LDAP.
I used:

    search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, '(ou=Group)')

Is there a better way?
Also I need to get the groups that a certain user is a member of. Any ideas how to read it?

Thank you very much for all ideas

--
Melita MIhaljevic|melita.mihaljevic at gmail.com| melita.mihaljevic at fer.hr
ICQ: 201278527 | Gtalk: melita.mihaljevic | http://mihaljevicmelita.blogspot.com/
PGP: 0xDB17A80C | http://fly.srk.fer.hr/~gizmo
http://www.last.fm/user/maligizmo/ | http://www.linkedin.com/in/mmihaljevic

From michael at stroeder.com Wed Jun 18 11:15:12 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 18 Jun 2008 11:15:12 +0200
Subject: Reading groups from LDAP
In-Reply-To: <6520687b0806180023l1ff7ec55ta994a888fe2e4e4@mail.gmail.com>
References: <6520687b0806180023l1ff7ec55ta994a888fe2e4e4@mail.gmail.com>
Message-ID: <4858D220.4020507@stroeder.com>

Melita Mihaljevic wrote:
> Hi,
> I'm wondering which is the generic way to search for groups in LDAP.
> I used: search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE,
> '(ou=Group)')

The filter (ou=Group) does not make sense to me. You're probably mixing this with the search root.

1. Bear in mind that there are many different types of group entries out in the wild. LDAP entries are typed by object class. So your filter has to specifically search for group entries by object class.

2. Additionally for determining whether a certain user is member of a group you have to compare a certain member attribute within the group entry with an attribute within the user's entry or the DN of the entry.

3. You should never ever (accidentally) request the member attribute within the group entry to be returned in the search results since some groups can be big leading to a large amount of data to be returned.

The user entry:

    dn: cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de
    uid: michael
    mail: michael at stroeder.com

Example of a filter generated by web2ldap (normally everything in one line, broke up here for readability):

    (|
    (&(objectClass=organizationalRole)(roleOccupant=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
    (&(objectClass=rfc822MailGroup)(mail=michael at stroeder.com))
    (&(objectClass=groupOfUniqueNames)(uniqueMember=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
    (&(objectClass=mailGroup)(mgrpRFC822MailMember=michael at stroeder.com))
    (&(objectClass=posixGroup)(memberUid=michael))
    (&(objectClass=nisMailAlias)(rfc822MailMember=michael at stroeder.com))
    (&(objectClass=groupOfNames)(member=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
    ))

Ciao, Michael.

From melita.mihaljevic at gmail.com Wed Jun 18 17:39:42 2008
From: melita.mihaljevic at gmail.com (Melita Mihaljevic)
Date: Wed, 18 Jun 2008 17:39:42 +0200
Subject: Reading groups from LDAP
In-Reply-To: <4858D220.4020507@stroeder.com>
References: <6520687b0806180023l1ff7ec55ta994a888fe2e4e4@mail.gmail.com> <4858D220.4020507@stroeder.com>
Message-ID: <6520687b0806180839s17ca8815u9358096151dbda7c@mail.gmail.com>

On Wed, Jun 18, 2008 at 11:15 AM, Michael Ströder wrote:
>
> Example of a filter generated by web2ldap (normally everything in one line,
> broke up here for readability):
>
> (|
> (&(objectClass=organizationalRole)(roleOccupant=cn=michael
> str\C3\B6der,ou=private,dc=stroeder,dc=de))
> (&(objectClass=rfc822MailGroup)(mail=michael at stroeder.com))
> (&(objectClass=groupOfUniqueNames)(uniqueMember=cn=michael
> str\C3\B6der,ou=private,dc=stroeder,dc=de))
> (&(objectClass=mailGroup)(mgrpRFC822MailMember=michael at stroeder.com))
> (&(objectClass=posixGroup)(memberUid=michael))
> (&(objectClass=nisMailAlias)(rfc822MailMember=michael at stroeder.com))
> (&(objectClass=groupOfNames)(member=cn=michael
> str\C3\B6der,ou=private,dc=stroeder,dc=de))
> ))
>
> Ciao, Michael.

Thank you all for everything, but I have some more problems:
My current LDAP situation is:

    dn: cn=Group A,ou=Groups,ou=testing,dc=example,dc=org
    cn: Group A
    member: cn=dummy
    member: uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org
    objectClass: groupOfNames

    dn: cn=Group B,ou=Groups,ou=testing,dc=example,dc=org
    cn: Group B
    objectClass: groupOfUniqueNames
    uniqueMember: cn=dummy
    uniqueMember: uid=userb,ou=Unit B,ou=Users,ou=testing,dc=example,dc=org

And I tried to do a generic search for all groups usera is a member of. (I searched for all objectClass that could be groupOfUniqueNames, groupOfNames or posixGroup at the moment).
My search filter is (it's all in one line):

    search_filter =
    '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
    (&(objectClass=groupOfNames)(member=uid=usera*))
    (&(objectClass=posixGroup)(memberUid=usera*)))'

and when I do a search:

    search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, search_filter)

I got an empty list.
Could someone explain to me why that is so and how to fix it. I only want to search for uid.

Also the other thing I want to do is to search (objectClass=*)&(*member*=uid=usera*). Is that possible ?

Thank you a lot.
Mel

From michael at stroeder.com Wed Jun 18 17:52:26 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 18 Jun 2008 17:52:26 +0200
Subject: Reading groups from LDAP
In-Reply-To: <6520687b0806180839s17ca8815u9358096151dbda7c@mail.gmail.com>
References: <6520687b0806180023l1ff7ec55ta994a888fe2e4e4@mail.gmail.com> <4858D220.4020507@stroeder.com> <6520687b0806180839s17ca8815u9358096151dbda7c@mail.gmail.com>
Message-ID: <48592F3A.5020203@stroeder.com>

Melita Mihaljevic wrote:
>
> My search filter is (it's all in one line):
> search_filter =
> '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
> (&(objectClass=groupOfNames)(member=uid=usera*))
> (&(objectClass=posixGroup)(memberUid=usera*)))'

Why do you want to do wildcard searches? This is not guaranteed to work since some of the member attributes might not even have a SUBSTR matching rule assigned.

> Also the other thing I want to do is to search
> (objectClass=*)&(*member*=uid=usera*). Is that possible ?

No it's not.
And for security reasons you should really stay away from wildcard searches when doing group evaluation! That's a security mechanism and therefore your code MUST be as exact as possible!

Ciao, Michael.

From michael at stroeder.com Wed Jun 18 17:58:30 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 18 Jun 2008 17:58:30 +0200
Subject: Reading groups from LDAP
In-Reply-To: <48592F3A.5020203@stroeder.com>
References: <6520687b0806180023l1ff7ec55ta994a888fe2e4e4@mail.gmail.com> <4858D220.4020507@stroeder.com> <6520687b0806180839s17ca8815u9358096151dbda7c@mail.gmail.com> <48592F3A.5020203@stroeder.com>
Message-ID: <485930A6.4080504@stroeder.com>

Michael Ströder wrote:
> Melita Mihaljevic wrote:
>>
>> My search filter is (it's all in one line):
>> search_filter =
>> '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
>> (&(objectClass=groupOfNames)(member=uid=usera*))
>> (&(objectClass=posixGroup)(memberUid=usera*)))'
>
> Why do you want to do wildcard searches? This is not guaranteed to work
> since some of the member attributes might not even have a SUBSTR
> matching rule assigned.

And note that user-IDs might not always be in the attribute 'uid'. It's perfectly valid that a user enters his e-mail address into the login form and you first have to search for the user's entry which might not have attribute 'uid' set at all.

Ciao, Michael.

From melita.mihaljevic at gmail.com Wed Jun 18 18:06:12 2008
From: melita.mihaljevic at gmail.com (Melita Mihaljevic)
Date: Wed, 18 Jun 2008 18:06:12 +0200
Subject: Reading groups from LDAP
In-Reply-To: <485930A6.4080504@stroeder.com>
References: <6520687b0806180023l1ff7ec55ta994a888fe2e4e4@mail.gmail.com> <4858D220.4020507@stroeder.com> <6520687b0806180839s17ca8815u9358096151dbda7c@mail.gmail.com> <48592F3A.5020203@stroeder.com> <485930A6.4080504@stroeder.com>
Message-ID: <6520687b0806180906p629aeb78t6f364c446a552f39@mail.gmail.com>

On Wed, Jun 18, 2008 at 5:58 PM, Michael Ströder wrote:
> Michael Ströder wrote:
>
>> Melita Mihaljevic wrote:
>>
>>> My search filter is (it's all in one line):
>>> search_filter =
>>> '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
>>> (&(objectClass=groupOfNames)(member=uid=usera*))
>>> (&(objectClass=posixGroup)(memberUid=usera*)))'
>>
>> Why do you want to do wildcard searches? This is not guaranteed to work
>> since some of the member attributes might not even have a SUBSTR matching
>> rule assigned.

Because I know only uid and don't know the other user information

> And note that user-IDs might not always be in the attribute 'uid'. It's
> perfectly valid that a user enters his e-mail address into the login form
> and you first have to search for the user's entry which might not have
> attribute 'uid' set at all.

Because in the MoinMoin I search only groups with uid in it, only those are important for me.

Mel

From michael at stroeder.com Wed Jun 18 18:46:54 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 18 Jun 2008 18:46:54 +0200
Subject: Reading groups from LDAP
In-Reply-To: <6520687b0806180906p629aeb78t6f364c446a552f39@mail.gmail.com>
References: <6520687b0806180023l1ff7ec55ta994a888fe2e4e4@mail.gmail.com> <4858D220.4020507@stroeder.com> <6520687b0806180839s17ca8815u9358096151dbda7c@mail.gmail.com> <48592F3A.5020203@stroeder.com> <485930A6.4080504@stroeder.com> <6520687b0806180906p629aeb78t6f364c446a552f39@mail.gmail.com>
Message-ID: <48593BFE.5000602@stroeder.com>

Melita Mihaljevic wrote:
> On Wed, Jun 18, 2008 at 5:58 PM, Michael Ströder
> wrote:
> Michael Ströder wrote:
> Melita Mihaljevic wrote:
> My search filter is (it's all in one line):
> search_filter =
> '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
> (&(objectClass=groupOfNames)(member=uid=usera*))
> (&(objectClass=posixGroup)(memberUid=usera*)))'
>
> Why do you want to do wildcard searches? This is not guaranteed
> to work since some of the member attributes might not even have
> a SUBSTR matching rule assigned.
>
> Because I know only uid and don't know the other user information

The user enters some user name. During login you have to use a configurable search filter for searching the user's entry.

Something like:

    user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'

And then replace %s with what the user entered as user name.

Then you have the DN and some more eventually needed attributes for conducting an exact search for the group entries a user is member of like I described in my former posting.

> Because in the MoinMoin I search only groups with uid in it, only those
> are important for me.

LDAP directories can have user entries which do not have attribute 'uid' at all!

Ciao, Michael.

From michael at stroeder.com Wed Jun 18 19:17:06 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 18 Jun 2008 19:17:06 +0200
Subject: Reading groups from LDAP
In-Reply-To: <48593BFE.5000602@stroeder.com>
References: <6520687b0806180023l1ff7ec55ta994a888fe2e4e4@mail.gmail.com> <4858D220.4020507@stroeder.com> <6520687b0806180839s17ca8815u9358096151dbda7c@mail.gmail.com> <48592F3A.5020203@stroeder.com> <485930A6.4080504@stroeder.com> <6520687b0806180906p629aeb78t6f364c446a552f39@mail.gmail.com> <48593BFE.5000602@stroeder.com>
Message-ID: <48594312.6080701@stroeder.com>

Michael Ströder wrote:
> The user enters some user name. During login you have to use a
> configurable search filter for searching the user's entry.
>
> Something like:
> user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'
>
> And then replace %s with what the user entered as user name.

Furthermore:

1. You have to check whether exactly *one* entry is returned in the search results. search_ext_s(..,sizelimit=2)

2. You MUST only accept non-empty passwords when checking the user's password with a bind request. If you send a simple bind request with an empty password the bind is ok because it's only treated as anonymous bind by most LDAP servers.

Ciao, Michael.

From melita.mihaljevic at gmail.com Thu Jun 19 14:24:36 2008
From: melita.mihaljevic at gmail.com (Melita Mihaljevic)
Date: Thu, 19 Jun 2008 14:24:36 +0200
Subject: Reading groups from LDAP
In-Reply-To: <48594312.6080701@stroeder.com>
References: <6520687b0806180023l1ff7ec55ta994a888fe2e4e4@mail.gmail.com> <4858D220.4020507@stroeder.com> <6520687b0806180839s17ca8815u9358096151dbda7c@mail.gmail.com> <48592F3A.5020203@stroeder.com> <485930A6.4080504@stroeder.com> <6520687b0806180906p629aeb78t6f364c446a552f39@mail.gmail.com> <48593BFE.5000602@stroeder.com> <48594312.6080701@stroeder.com>
Message-ID: <6520687b0806190524m2697cb35v1cf58625930fbbe4@mail.gmail.com>

On Wed, Jun 18, 2008 at 7:17 PM, Michael Ströder wrote:
> Michael Ströder wrote:
>
>> The user enters some user name. During login you have to use a
>> configurable search filter for searching the user's entry.
>>
>> Something like:
>> user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'
>>
>> And then replace %s with what the user entered as user name.
>>
>
> Furthermore:
>
> 1. You have to check whether exactly *one* entry is returned in the search
> results. search_ext_s(..,sizelimit=2)
> 2. You MUST only accept non-empty passwords when checking the user's
> password with a bind request. If you send a simple bind request with an
> empty password the bind is ok because it's only treated as anonymous bind by
> most LDAP servers.
>
> Ciao, Michael.

Ok,
Probably we didn't understand. I will use uid=userid_name ( %s = userid_name).
I have a test that I want to succeed:

    def testMemberOfGroup(self):
        """Authenticate to LDAP and read all groups that user with uid usera is a member of.

        """
        server_uri = self.ldap_env.slapd.url
        base_dn = self.ldap_env.basedn
        lo = ldap.initialize(server_uri)
        ldap.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
        lo.simple_bind_s('', '')
        search_filter='(|(&(objectClass=*)(member=uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org)))' # this one was just for checking if this works
        search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, search_filter)

(yes this works but I don't want to need to know all those stuff after the uid=usera)

I know you said it's a bad thing to search for substring but this is the only way how I can say something is a group -> for me in my definition, something is a group if has a member (or a type containing word member- there is where it will be great to use substrings) and in the member part of the record it has uid, the rest of the groups I don't want to know about them.

And I have a part of the record:

    'member': ['cn=dummy', 'uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org']

And I only want to search for uid=usera, not the rest of the record.

This is only for test and for the real search I will use it more configurable.

From michael at stroeder.com Thu Jun 19 16:22:48 2008
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 19 Jun 2008 16:22:48 +0200
Subject: Reading groups from LDAP
In-Reply-To: <6520687b0806190524m2697cb35v1cf58625930fbbe4@mail.gmail.com>
References: <6520687b0806180023l1ff7ec55ta994a888fe2e4e4@mail.gmail.com> <4858D220.4020507@stroeder.com> <6520687b0806180839s17ca8815u9358096151dbda7c@mail.gmail.com> <48592F3A.5020203@stroeder.com> <485930A6.4080504@stroeder.com> <6520687b0806180906p629aeb78t6f364c446a552f39@mail.gmail.com> <48593BFE.5000602@stroeder.com> <48594312.6080701@stroeder.com> <6520687b0806190524m2697cb35v1cf58625930fbbe4@mail.gmail.com>
Message-ID: <485A6BB8.3010109@stroeder.com>

Melita Mihaljevic wrote:
>
>
> On Wed, Jun 18, 2008 at 7:17 PM, Michael Ströder
> wrote:
>
> Michael Ströder wrote:
>
> The user enters some user name. During login you have to use a
> configurable search filter for searching the user's entry.
>
> Something like:
> user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'
>
> And then replace %s with what the user entered as user name.
>
>
> Furthermore:
>
> 1. You have to check whether exactly *one* entry is returned in the
> search results. search_ext_s(..,sizelimit=2)
> 2. You MUST only accept non-empty passwords when checking the user's
> password with a bind request. If you send a simple bind request with
> an empty password the bind is ok because it's only treated as
> anonymous bind by most LDAP servers.
>
> Ok,
> Probably we didn't understand. I will use uid=userid_name ( %s =
> userid_name).

Did you actually read what I wrote before?

> I have a test that I want to succeed:
> [..]
> search_filter='(|(&(objectClass=*)(member=uid=usera,ou=Unit
> A,ou=Users,ou=testing,dc=example,dc=org)))' # this one was just for
> checking if this works
> search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE,
> search_filter)
>
> (yes this works but I don't want to need to know all those stuff after
> the uid=usera)

You have to deal with all those "stuff after the uid=usera". Hint: In MS AD the DN of the user's entry does not even start with uid=!

If you don't follow the concepts I described you will fail finishing this project correctly. Period.

> I know you said it's a bad thing to search for substring but this is the
> only way how I can say something is a group -> for me in my definition,

Nope. Rethink! Period.

> something is a group if has a member (or a type containing word member-
> there is where it will be great to use substrings) and in the member part
> of the record it has uid, the rest of the groups I don't want to know
> about them.

Again: There may be user entries which do not have attribute 'uid' at all! Believe me, you're oversimplifying things.

> And I have a part of the record:
> 'member': ['cn=dummy', 'uid=usera,ou=Unit
> A,ou=Users,ou=testing,dc=example,dc=org']

Don't request attribute 'member' during group lookup. Your application just has to know in which groups a user is member of. It should not retrieve all members since that can be many!

> And I only want to search for uid=usera, not the rest of the record.

Explicitly set the requested attributes with argument attrlist.

See also:
http://python-ldap.sourceforge.net/doc/html/ldap.html#ldap.LDAPObject.search

Ciao, Michael.
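
The lookup sequence described across the replies above (one user entry per login, no empty passwords, exact group matching, no 'member' attribute requested), as an added example that is not code from the thread or from python-ldap. The RFC 4515 escaping of the login, the GROUP_TYPES table, the function names and the bytes handling are assumptions of this sketch; conn is assumed to be a python-ldap LDAPObject.

```python
# Added example, standard library only so it runs offline; `conn` is assumed to
# be a python-ldap LDAPObject (or a test double offering the same two methods).
SCOPE_SUBTREE = 2  # numeric value of ldap.SCOPE_SUBTREE
USER_FILTER_TEMPLATE = '(|(uid=%s)(sAMAccountName=%s))'  # template from the thread
# (objectClass, member attribute, user value compared with it): assumed subset
GROUP_TYPES = [
    ('groupOfNames', 'member', 'dn'),
    ('groupOfUniqueNames', 'uniqueMember', 'dn'),
    ('posixGroup', 'memberUid', 'uid'),
]


def escape_filter_value(value):
    """RFC 4515 escaping, so user input cannot add wildcards or filter clauses.
    python-ldap provides the same as ldap.filter.escape_filter_chars()."""
    if isinstance(value, bytes):  # python-ldap 3.x returns attribute values as bytes
        value = value.decode('utf-8')
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def user_filter(login):
    """Fill the configurable template with the escaped login name."""
    esc = escape_filter_value(login)
    return USER_FILTER_TEMPLATE % (esc, esc)


def single_entry(results):
    """Return the one (dn, attrs) pair; search references (dn None) are skipped."""
    entries = [(dn, attrs) for dn, attrs in results if dn is not None]
    if len(entries) != 1:
        raise LookupError('expected exactly one user entry, got %d' % len(entries))
    return entries[0]


def group_filter(user_dn, user_attrs):
    """Exact-match filter over the known group types, no substring matching."""
    clauses = []
    for object_class, member_attr, source in GROUP_TYPES:
        values = [user_dn] if source == 'dn' else user_attrs.get('uid', [])
        for value in values:
            clauses.append('(&(objectClass=%s)(%s=%s))' % (
                object_class, member_attr, escape_filter_value(value)))
    return '(|%s)' % ''.join(clauses)


def groups_for_login(conn, base_dn, login, password):
    """Resolve the login to one entry, check the password, return group DNs."""
    if not password:
        # With an empty password most servers treat a simple bind as anonymous.
        raise ValueError('empty password refused')
    # sizelimit=2 is enough to tell "exactly one" from "more than one".
    found = conn.search_ext_s(base_dn, SCOPE_SUBTREE, user_filter(login),
                              ['uid'], sizelimit=2)
    user_dn, user_attrs = single_entry(found)
    conn.simple_bind_s(user_dn, password)  # raises on wrong credentials
    # attrlist=['cn'] keeps the possibly huge member attribute out of the result.
    groups = conn.search_ext_s(base_dn, SCOPE_SUBTREE,
                               group_filter(user_dn, user_attrs), ['cn'])
    return [dn for dn, _attrs in groups if dn is not None]
```

A login such as usera* reaches the server as usera\2a, so it can only match an entry whose uid literally contains an asterisk.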