From rahul at synovel.com Thu Jul 3 12:17:08 2008
From: rahul at synovel.com (Rahul Amaram)
Date: Thu, 03 Jul 2008 15:47:08 +0530
Subject: support for wildcard certificates
Message-ID: <486CA724.10605@synovel.com>

Hi,

I have set up an LDAP server with a wildcard certificate. Upon trying to establish a TLS connection using python-ldap, I get the error "TLS: hostname does not match CN in peer certificate". This works fine if I use a certificate with the exact domain name. Is this a bug? Are there any known solutions to this? Looking forward to a response.

Thanks,
Rahul.

P.S: "ldapwhoami" command establishes a TLS connection properly even when using a wild-card certificate. So I am assuming it might be a problem with the python-ldap library.

From michael at stroeder.com Thu Jul 3 12:28:02 2008
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 03 Jul 2008 12:28:02 +0200
Subject: support for wildcard certificates
In-Reply-To: <486CA724.10605@synovel.com>
References: <486CA724.10605@synovel.com>
Message-ID: <486CA9B2.6030701@stroeder.com>

Rahul Amaram wrote:
> I have set up an LDAP server with a wildcard certificate. Upon trying to
> establish a TLS connection using python-ldap, I get the error "TLS:
> hostname does not match CN in peer certificate". This works fine if I
> use a certificate with the exact domain name. Is this a bug? Are there
> any known solutions to this? Looking forward to a response.

Well, personally I'd recommend not to use wildcard certs at all => I never tested anything like this.

python-ldap simply relies on the OpenLDAP libs which in turn rely on OpenSSL. Hmm, so this should probably be raised on the openldap-software mailing list.

> P.S: "ldapwhoami" command establishes a TLS connection properly even
> when using a wild-card certificate. So I am assuming it might be a
> problem with the python-ldap library.

You might wanna dive into the source of ldapwhoami and look up which options they set.
BTW: Are you sure that your local python-ldap installation uses the same OpenLDAP client libs as the ldapwhoami command-line tool?

Ciao, Michael.

From rahul at synovel.com Thu Jul 3 14:23:21 2008
From: rahul at synovel.com (Rahul Amaram)
Date: Thu, 03 Jul 2008 17:53:21 +0530
Subject: support for wildcard certificates
In-Reply-To: <486CA9B2.6030701@stroeder.com>
References: <486CA724.10605@synovel.com> <486CA9B2.6030701@stroeder.com>
Message-ID: <486CC4B9.4050500@synovel.com>

Hi Michael,

Thanks for the response. I think you have pointed to the correct problem. ldapwhoami seems to be using ldap library version 2.3.30 whereas python-ldap is probably using 2.1.30. And from this post http://www.openldap.org/lists/openldap-software/200504/msg00304.html it is evident that support for wildcard certificates has been incorporated in a version in between these two.

Thanks a ton for the immediate response.

Regards,
Rahul.

Michael Ströder wrote:
> Rahul Amaram wrote:
>> I have set up an LDAP server with a wildcard certificate. Upon trying
>> to establish a TLS connection using python-ldap, I get the error
>> "TLS: hostname does not match CN in peer certificate". This works
>> fine if I use a certificate with the exact domain name. Is this a
>> bug? Are there any known solutions to this? Looking forward to a
>> response.
>
> Well, personally I'd recommend not to use wildcard certs at all
> => I never tested anything like this.
>
> python-ldap simply relies on the OpenLDAP libs which in turn rely on
> OpenSSL. Hmm, so this should probably be raised on the
> openldap-software mailing list.
>
>> P.S: "ldapwhoami" command establishes a TLS connection properly even
>> when using a wild-card certificate. So I am assuming it might be a
>> problem with the python-ldap library.
>
> You might wanna dive into the source of ldapwhoami and look up which
> options they set.
> BTW: Are you sure that your local python-ldap
> installation uses the same OpenLDAP client libs as the ldapwhoami
> command-line tool?
>
> Ciao, Michael.

From michael at stroeder.com Sun Jul 6 20:03:58 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sun, 06 Jul 2008 20:03:58 +0200
Subject: ANN: python-ldap-2.3.5
Message-ID: <4871090E.8080604@stroeder.com>

Find a new release of python-ldap:

  http://python-ldap.sourceforge.net/

python-ldap provides an object-oriented API to access LDAP directory servers from Python programs. It mainly wraps the OpenLDAP 2.x libs for that purpose. Additionally it contains modules for other LDAP-related stuff (e.g. processing LDIF, LDAPURLs and LDAPv3 schema).

From sommerfeld at hs-heilbronn.de Wed Jul 23 10:38:27 2008
From: sommerfeld at hs-heilbronn.de (sommerfeld at hs-heilbronn.de)
Date: Wed, 23 Jul 2008 10:38:27 +0200
Subject: Python-LDAP doesn't like crypt-passwords with 41bit?
Message-ID: <001701c8ec9f$7d60a4e0$0604078d@mit.hsheilbronn.de>

Hi altogether,

I have a little problem with python-ldap, version 2.2.0 (shipped with Debian etch). I'm using python-ldap with Plone 3.1 (with PloneLDAP module), Slapd 2.3.3 and LibLDAP 2.1.3.

Our passwords in the LDAP server are encrypted with "crypt" and stored as 41bit binary values. The problem is that python-ldap doesn't seem to like 41bit passwords but only 20bit. When I try to authenticate by Plone-LDAP / python-LDAP, it doesn't work, cause the password doesn't match. (Our LDAP server stores the LDAP passwords as 41bit values by standard)

If I re-set the password then from Plone-LDAP / python-LDAP, the new password is stored as 20bit binary and authentication works.

Is there any way to get python-LDAP 2.2.0 to "eat" 41bit binary crypt passwords? Or do I have to upgrade python-ldap in order to get this working?

Thanks in advance,
B.
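Returning to the wildcard certificate thread above: the "hostname does not match CN in peer certificate" error is the client's name check refusing the presented name. The following is an added example, not code from python-ldap or OpenLDAP; it models the matching rule a TLS client applies (RFC 6125 section 6.4.3, a single `*` that must be the whole left-most label) so you can see exactly which hostnames a wildcard certificate does and does not cover before blaming the library.

```python
"""Certificate name matching as a TLS client performs it (added illustration,
not the OpenLDAP implementation). Useful for predicting whether a given
wildcard certificate will pass a client's hostname check at all."""


def _labels(name):
    """Case-fold and split a DNS name; a trailing dot is not significant."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(pattern, hostname):
    """Return True if certificate name `pattern` covers `hostname`.

    RFC 6125 rules: a wildcard is only honoured when it is the entire
    left-most label, it covers exactly one label, and at least two labels
    must follow it ("*.com" is never accepted).
    """
    p_labels = _labels(pattern)
    h_labels = _labels(hostname)
    if "*" not in pattern:
        return p_labels == h_labels
    if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # "*.example.com" matches "ldap.example.com" but neither "example.com"
    # (too few labels) nor "a.b.example.com" (wildcard spans one label only).
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def peer_name_ok(hostname, san_dns_names=(), subject_cn=None):
    """Model of the client-side decision: if the certificate carries any
    dNSName subjectAltName entries they are authoritative; the subject CN
    is consulted only when no dNSName SAN is present."""
    if san_dns_names:
        return any(hostname_matches(n, hostname) for n in san_dns_names)
    return subject_cn is not None and hostname_matches(subject_cn, hostname)
```

Note that a libldap build without wildcard support (the older version identified later in the thread) rejects every `*` name regardless of these rules, so the first check is which client library python-ldap is actually linked against; in python-ldap, `ldap.get_option(ldap.OPT_API_INFO)` reports the linked library's vendor name and version.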
From michael at stroeder.com Wed Jul 23 13:24:15 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 23 Jul 2008 13:24:15 +0200
Subject: Python-LDAP doesn't like crypt-passwords with 41bit?
In-Reply-To: <001701c8ec9f$7d60a4e0$0604078d@mit.hsheilbronn.de>
References: <001701c8ec9f$7d60a4e0$0604078d@mit.hsheilbronn.de>
Message-ID: <488714DF.5000103@stroeder.com>

sommerfeld at hs-heilbronn.de wrote:
>
> Our passwords in the LDAP server are encrypted with "crypt" and stored
> as 41bit binary values. The problem is that python-ldap doesn't seem to
> like 41bit passwords but only 20bit. When I try to authenticate by
> Plone-LDAP / python-LDAP, it doesn't work, cause the password doesn't
> match. (Our LDAP server stores the LDAP passwords as 41bit values by
> standard)

1. I think you're saying bits but probably mean bytes.

2. If you're talking about using simple_bind_s() to bind to the server then you simply have to use the clear-text password and not the hashed one.

3. Actually there's no length limit in the API for any parameter.

> If I re-set the password then from Plone-LDAP / python-LDAP, the new
> password is stored as 20bit binary and authentication works.

How do you set the password? You probably should get familiar with hashed passwords and how they are generated, stored and validated.

See: http://www.openldap.org/faq/data/cache/419.html

Ciao, Michael.

From sommerfeld at hs-heilbronn.de Wed Jul 23 14:34:52 2008
From: sommerfeld at hs-heilbronn.de (sommerfeld at hs-heilbronn.de)
Date: Wed, 23 Jul 2008 14:34:52 +0200
Subject: AW: Python-LDAP doesn't like crypt-passwords with 41bit?
In-Reply-To: <488714DF.5000103@stroeder.com>
References: <001701c8ec9f$7d60a4e0$0604078d@mit.hsheilbronn.de> <488714DF.5000103@stroeder.com>
Message-ID: <003301c8ecc0$8459c210$0604078d@mit.hsheilbronn.de>

Hi Michael,

I just compiled the latest stable python-ldap version by hand and now authentication works - seems to have been a bug in that old version shipped with Debian Etch.

Thanks,
B.

> -----Original Message-----
> From: Michael Ströder [mailto:michael at stroeder.com]
> Sent: Wednesday, 23 July 2008 13:24
> To: sommerfeld at hs-heilbronn.de
> Cc: python-ldap-dev at lists.sourceforge.net
> Subject: Re: Python-LDAP doesn't like crypt-passwords with 41bit?
>
> sommerfeld at hs-heilbronn.de wrote:
> >
> > Our passwords in the LDAP server are encrypted with "crypt" and stored
> > as 41bit binary values. The problem is that python-ldap doesn't seem to
> > like 41bit passwords but only 20bit. When I try to authenticate by
> > Plone-LDAP / python-LDAP, it doesn't work, cause the password doesn't
> > match. (Our LDAP server stores the LDAP passwords as 41bit values by
> > standard)
>
> 1. I think you're saying bits but probably mean bytes.
>
> 2. If you're talking about using simple_bind_s() to bind to the server
> then you simply have to use the clear-text password and not the hashed
> one.
>
> 3. Actually there's no length limit in the API for any parameter.
>
> > If I re-set the password then from Plone-LDAP / python-LDAP, the new
> > password is stored as 20bit binary and authentication works.
>
> How do you set the password? You probably should get familiar with
> hashed passwords and how they are generated, stored and validated.
>
> See: http://www.openldap.org/faq/data/cache/419.html
>
> Ciao, Michael.
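The "generated, stored and validated" point in Michael's reply above, as an added, stdlib-only example that is not python-ldap or OpenLDAP code. It builds and checks userPassword values in the `{SCHEME}` formats described by the linked OpenLDAP FAQ entry, and recognises the shape of `{CRYPT}` values without computing them (the Python stdlib no longer guarantees crypt(3)). The byte counts in `describe_crypt` are my reading of the 41 and 20 in the thread, an assumption the list never confirmed: "{CRYPT}" plus a 34-character MD5-crypt hash is 41 bytes, "{CRYPT}" plus a 13-character traditional DES hash is 20. On a bind, the client sends the clear-text password and the server does the comparison; this code is what that comparison looks like.

```python
"""userPassword hashing and validation in OpenLDAP's {SCHEME} formats.
Added example (stdlib only), not python-ldap or OpenLDAP code."""
import base64
import hashlib
import hmac
import os


def make_ssha(password, salt=None):
    """Return a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if isinstance(password, str):
        password = password.encode("utf-8")
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte salt by default
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(stored):
    """Split '{SCHEME}payload' into (SCHEME, payload); a value with no
    scheme prefix is treated as clear-text, as slapd does."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return "CLEARTEXT", stored


def check_password(password, stored):
    """Validate a clear-text password against a stored userPassword value.
    Returns True/False. {CRYPT} raises NotImplementedError so a caller can
    never mistake 'cannot evaluate' for 'wrong password'."""
    if isinstance(password, str):
        password = password.encode("utf-8")
    scheme, payload = split_scheme(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(password, payload.encode("utf-8"))
    if scheme == "CRYPT":
        raise NotImplementedError("{CRYPT} needs the platform crypt(3)")
    raw = base64.b64decode(payload)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest, then the salt
        return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(password).digest(), raw)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(password).digest(), raw)
    raise ValueError("unsupported userPassword scheme %s" % scheme)


def describe_crypt(stored):
    """Name the crypt(3) variant of a {CRYPT} value by its shape.
    The lengths noted here are an assumption about the thread's 41/20."""
    scheme, payload = split_scheme(stored)
    if scheme != "CRYPT":
        return None
    if payload.startswith("$1$"):
        return "md5-crypt"   # "$1$" + 8-char salt + "$" + 22 chars = 34; 41 with "{CRYPT}"
    if payload.startswith("$"):
        return "modular-crypt"
    if len(payload) == 13:
        return "des-crypt"   # 2-char salt + 11 chars = 13; 20 with "{CRYPT}"
    return "unknown"
```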
From djawalkar at gmail.com Sat Jul 26 20:26:33 2008
From: djawalkar at gmail.com (deepti jawalkar)
Date: Sat, 26 Jul 2008 19:26:33 +0100
Subject: REG:python-ldap able to handle unicode characters
Message-ID: <1df70bc60807261126u40c915bvdaa7622a34ea6f90@mail.gmail.com>

Hi,

I have been working with python-ldap and ADSI modules to get my tasks done in AD and I have noticed that python-ldap is able to handle unicode characters when we try to add/remove a particular user from a group who has unicode characters in his DN, but the same is not possible in ADSI. Can you give me an insight as to how python-ldap is able to handle this?

--
Cheers,
Deepti Jawalkar.

--
Cheers,
DJ.

From michael at stroeder.com Sun Jul 27 17:37:29 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sun, 27 Jul 2008 17:37:29 +0200
Subject: REG:python-ldap able to handle unicode characters
In-Reply-To: <1df70bc60807261126u40c915bvdaa7622a34ea6f90@mail.gmail.com>
References: <1df70bc60807261126u40c915bvdaa7622a34ea6f90@mail.gmail.com>
Message-ID: <488C9639.1070501@stroeder.com>

deepti jawalkar wrote:
>
> I have been working with python-ldap and ADSI modules to get my tasks
> done in AD and I have noticed that python-ldap is able to handle unicode
> characters when we try to add/remove a particular user from a group who
> has unicode characters in his DN, but the same is not possible in ADSI.
> Can you give me an insight as to how python-ldap is able to handle this?

I'm not sure I fully understand your question.

Up to now python-ldap does not have any Unicode handling. That's because the root of the API is still in pre-Unicode-Python-times. So the code using python-ldap is responsible for doing anything related to Unicode encoding/decoding and for passing valid strings to python-ldap's functions and object methods.
It would help if you show a concrete case, maybe with data and Python code, where python-ldap works and ADSI does not.

(Anyway I'd recommend to use python-ldap since you can then even tweak your AD from a Linux box. ;-)

Ciao, Michael.

From jhansen at 23andme.com Sat Aug 2 00:19:54 2008
From: jhansen at 23andme.com (Jonathan Hansen)
Date: Fri, 1 Aug 2008 15:19:54 -0700
Subject: Really strange error
Message-ID: <0C3AF542-9317-47A3-AA69-E57213B5810F@23andme.com>

Ok, I am only mediocre at python so maybe this is a stupid mistake on my part, but I have exhausted my options from Google searches. When I run the script below it binds successfully, but then when I try and run the search it says it cannot contact the server. I have verified the service is running, ports are open, it binds without error, so I am quite confused. If someone could point at what I am doing wrong I would greatly appreciate it. This may seem overly complicated but I am trying to build a framework with which I can run queries against the active directory domain.
Thanks in advance,
-Jonathan

Here is the output:

  In [18]: run ldap-ad.py
  ldap://my.company.example.com:389
  Bind result: (97, [])       <-- obviously a successful connection
  Running search: (objectClass=user)(mail=*)
  Can't contact LDAP server   <-- now it can't connect

And here is the script:

  #!/usr/bin/env python
  import ldap, ldapurl, sys

  # AD Hack
  ldap.set_option(ldap.OPT_REFERRALS, 0)
  ldap.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)

  def handle_ldap_exception(e):
      # LDAPError carries a dict with 'desc' and, sometimes, 'info'
      if type(e.message) == dict:
          if e.message.get('info', '') != '':
              print e.message['info']
          if e.message.get('desc', '') != '':
              print e.message['desc']
      else:
          print e

  def get_ldap_url(dns_name, proto='ldap', port=0):
      if proto == 'ldap' and port == 0:
          port = 389
      elif proto == 'ldaps' and port == 0:
          port = 636
      server = ldapurl.LDAPUrl(urlscheme=proto,
                               hostport="%s:%s" % (dns_name, str(port))).initializeUrl()
      return server

  base_dn = "cn=Users,dc=my,dc=company,dc=example,dc=com"
  dn = 'User@Domain'
  pw = "itsasecret"

  ad_conn = ldap.initialize(get_ldap_url("ad-dc.my.company.example.com", proto='ldap'))
  try:
      ad_conn.protocol_version = ldap.VERSION3
      bind = ad_conn.simple_bind_s(dn, pw)
      print "Bind result: " + str(bind)
  except ldap.LDAPError, e:
      handle_ldap_exception(e)
      ad_conn.unbind_s()
      sys.exit()

  # two filter items must be combined with an AND; '(objectClass=user)(mail=*)'
  # on its own is not a valid LDAP filter
  search_email = '(&(objectClass=user)(mail=*))'
  res_attrs = ['*']
  print "Running search: %s" % search_email
  try:
      # the asynchronous search() returns a message id which result() polls
      # below; search_s() would already return the finished entry list
      msgid = ad_conn.search(base_dn, ldap.SCOPE_SUBTREE, search_email, res_attrs)
      result_set = []
      while True:
          result_type, result_data = ad_conn.result(msgid, 0)
          if result_data == []:
              break
          elif result_type == ldap.RES_SEARCH_ENTRY:
              result_set.append(result_data)
      print result_set
  except ldap.LDAPError, e:
      handle_ldap_exception(e)
      ad_conn.unbind_s()
      sys.exit()
  ad_conn.unbind_s()

From michael at stroeder.com Sat Aug 2 00:49:13 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 02 Aug 2008 00:49:13 +0200
Subject: Really strange error
In-Reply-To: <0C3AF542-9317-47A3-AA69-E57213B5810F@23andme.com>
References: <0C3AF542-9317-47A3-AA69-E57213B5810F@23andme.com>
Message-ID: <489392E9.3040209@stroeder.com>

Jonathan Hansen wrote:
> When I run the script below it binds successfully, but then when I try
> and run the search it says it cannot contact the server. I have verified
> the service is running, ports are open, it binds without error, so I am
> quite confused.

You could use tracelevel=2 when calling ldap.initialize() to track things down. This generates debug output of the parameters passed to the LDAPObject methods and the results returned.

> This may seem overly complicated but I am trying to build a framework
> with which I can run queries against the active directory domain.

Something like this?

  http://www.boskant.nl/trac/python-ad/

Ciao, Michael.

From michael at stroeder.com Sat Aug 2 01:03:08 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 02 Aug 2008 01:03:08 +0200
Subject: Really strange error
In-Reply-To: <489392E9.3040209@stroeder.com>
References: <0C3AF542-9317-47A3-AA69-E57213B5810F@23andme.com> <489392E9.3040209@stroeder.com>
Message-ID: <4893962C.3060607@stroeder.com>

Michael Ströder wrote:
> Jonathan Hansen wrote:
>> When I run the script below it binds successfully, but then when I
>> try and run the search it says it cannot contact the server. I have
>> verified the service is running, ports are open, it binds without
>> error, so I am quite confused.
>
> You could use tracelevel=2 when calling ldap.initialize()

Sorry, it's argument trace_level like documented here:

  http://python-ldap.sourceforge.net/doc/html/ldap.html#ldap.initialize

Ciao, Michael.
From michael at stroeder.com Sat Aug 2 10:12:22 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 02 Aug 2008 10:12:22 +0200
Subject: Really strange error
In-Reply-To: <1AFAA274-6C61-482E-BE54-32B89B64A82D@23andme.com>
References: <0C3AF542-9317-47A3-AA69-E57213B5810F@23andme.com> <489392E9.3040209@stroeder.com> <1AFAA274-6C61-482E-BE54-32B89B64A82D@23andme.com>
Message-ID: <489416E6.8060906@stroeder.com>

Jonathan, please stay on the mailing list.

Jonathan Hansen wrote:
> Turned that on and it's a little more confusing because I can SEE
> results returned...

The output '=> LDAPError' in the trace log shows that an exception was raised, derived from an error code returned by the underlying OpenLDAP client libs.

> PS: Here is the befuddling output in case it tells you more than it does
> me.

Note that the LDAP URL behind *** shows for which connection the operation was invoked. So let's see...

> *** ldap://dc1.mv.corp.23andme.com:389 - SimpleLDAPObject.simple_bind
> (('user@Domain', 'password', None, None),{})
> [..]
> *** ldap://ad-dc.my.company.example.com:389 -
> SimpleLDAPObject.search_ext

Obviously the servers differ. Check your code.

Ciao, Michael.

From djawalkar at gmail.com Sun Aug 3 22:00:30 2008
From: djawalkar at gmail.com (deepti jawalkar)
Date: Mon, 4 Aug 2008 01:30:30 +0530
Subject: REG:python-ldap able to handle unicode characters
In-Reply-To: <488C9639.1070501@stroeder.com>
References: <1df70bc60807261126u40c915bvdaa7622a34ea6f90@mail.gmail.com> <488C9639.1070501@stroeder.com>
Message-ID: <1df70bc60808031300x504cdd3awcdaae685191a2581@mail.gmail.com>

Well, these are my 2 cases:

*with python-ldap*: so in this case it works even though the object I am passing has unicode characters in its distinguished name, e.g.:

  CN=Sen-po ?????(R)??? (senpo),OU=Users,OU=TPE,OU=Offices,DC=corp,DC=google,DC=com

I can print the distinguished name without encoding it in utf-8 format and also remove or add this user to a group.
  import ldap

  ldap.set_option(ldap.OPT_REFERRALS, 0)
  group_dn = "CN=sysops,OU=LDAPGroups,DC=corp,DC=google,DC=com"
  user = 'CN=goadmin sgadekal,OU=Users,OU=Administration,DC=corp,DC=google,DC=com'

  l = ldap.open("192.168.100.1")
  l.protocol_version = ldap.VERSION3
  l.simple_bind_s(who=user, cred=r'*****')

  baseDN = 'dc=corp,dc=google,dc=com'
  searchScope = ldap.SCOPE_SUBTREE
  retrieveAttributes = ['cn', 'samaccountname', 'distinguishedname']
  searchFilter = "(&(objectclass=*)(samaccountname=senpo))"

  # asynchronous search; result() below fetches the first entry
  ldap_result_id = l.search_ext(baseDN, searchScope, searchFilter,
                                retrieveAttributes, sizelimit=1000)
  result_type, result_data = l.result(ldap_result_id, 0)
  if result_type == ldap.RES_SEARCH_ENTRY:
      # the DN comes back as the UTF-8 byte string the server sent
      user_dn = result_data[0][1]['distinguishedName'][0]
      modlist = [(ldap.MOD_ADD, "member", user_dn)]
      try:
          l.modify_s(group_dn, modlist)
      except ldap.LDAPError, e:
          print "user not added:", e

*with Win32com.client:* The same thing, when I try to do it with the "win32com.client" module using "adsi": I cannot print the distinguished name of the user without first encoding it in utf-8 format, and even if I do this I cannot add or remove the user from a group; it throws an error.
  import win32com.client

  conn = win32com.client.Dispatch('ADODB.Connection')
  conn.Open("Provider=ADSDSOObject")
  # ADO search string: <base>;<filter>;<attributes>;<scope>
  search = ";(&(ObjectClass=*)(sAMAccountName=senpo));cn,distinguishedname;subtree"
  record_set = conn.Execute(search)[0]
  dn = record_set.Fields("distinguishedName").value
  dn = dn.encode('utf-8')

  adsi = win32com.client.Dispatch('AdsNameSpaces')
  ldap = adsi.getobject("", "LDAP:")
  logon_ex = "CN=goadmin sgadekal,OU=Users,OU=Administration,DC=corp,DC=google,DC=com"
  passwd = "*******"
  ex_path = "LDAP://192.168.100.1/CN=sysops,OU=LDAPGroups,DC=corp,DC=google,DC=com"
  myDSObject = ldap.OpenDSObject(ex_path, logon_ex, passwd, 0)
  myDSObject.Getinfo()

  list_member = dn
  print dn
  append_list = [list_member]
  myDSObject.putEx(3, 'Member', append_list)   # 3 = ADS_PROPERTY_APPEND
  myDSObject.Setinfo()

Can you let me know how exactly this is happening in python-ldap and how it is able to add and remove accounts with unicode characters? It will be really helpful for me to know it.

From michael at stroeder.com Sun Aug 3 22:08:38 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sun, 03 Aug 2008 22:08:38 +0200
Subject: REG:python-ldap able to handle unicode characters
In-Reply-To: <1df70bc60808031300x504cdd3awcdaae685191a2581@mail.gmail.com>
References: <1df70bc60807261126u40c915bvdaa7622a34ea6f90@mail.gmail.com> <488C9639.1070501@stroeder.com> <1df70bc60808031300x504cdd3awcdaae685191a2581@mail.gmail.com>
Message-ID: <48961046.1070409@stroeder.com>

deepti jawalkar wrote:
> Well, these are my 2 cases:
>
> *with python-ldap*: so in this case it works even though the object I
> am passing has unicode characters in its distinguished name
> e.g.: CN=Sen-po ?????????
> (senpo),OU=Users,OU=TPE,OU=Offices,DC=corp,DC=google,DC=com

Well, *I* can't read this distinguished name. I don't have the necessary fonts installed and I don't understand them anyway. ;-)

> I can print the distinguished name without encoding it in utf-8 format
> and also remove or add this user to a group.

Of course you can pass around UTF-8-encoded Unicode strings. But you have to invoke .decode() and .encode() in your application code (e.g. like my web2ldap does). python-ldap does *never* invoke these methods internally.

> Can you let me know how exactly this is happening in python-ldap and how
> it is able to add and remove accounts with unicode characters.

You can always just treat the DNs as opaque. ;-)

Ciao, Michael.

From sig at akasig.org Wed Aug 6 23:10:42 2008
From: sig at akasig.org (Sig)
Date: Wed, 06 Aug 2008 23:10:42 +0200
Subject: Error while building
Message-ID: <489A1352.8020609@akasig.org>

I can't build python-ldap-2.3.5. What should I do?

My steps:
- downloaded the 2.3.5 tarball from sourceforge
- tar xvzf ...
- python setup.py build
- The error and output messages are attached to this email.

My setup:
- Python 2.5.2
- libldap-2.4-2 (ubuntu package version = 2.4.9-0ubuntu0.8.04.1, same for slapd)
- Ubuntu hardy

Tell me if you need any other piece of info.

By the way, I first met this problem when trying to refresh a Plone buildout (PloneUserFolder has a python-ldap dependency). Which led me to this post on a blog: http://boz.tumblr.com/post/43534569/error-couldnt-install-python-ldap-2-3-5 But I am not happy enough with the workaround suggested there.

By the way #2: there is no web archive of this list?

Thanks.

--
Sig
From vela at debian.org Wed Aug 6 23:21:51 2008
From: vela at debian.org (Matej Vela)
Date: Wed, 06 Aug 2008 23:21:51 +0200
Subject: Error while building
In-Reply-To: <489A1352.8020609@akasig.org> (sig@akasig.org's message of "Wed\, 06 Aug 2008 23\:10\:42 +0200")
References: <489A1352.8020609@akasig.org>
Message-ID: <87ljz9ltzk.fsf@zelendur.carpriv.carnet.hr>

Sig writes:
> I can't build python-ldap-2.3.5. What should I do?
>
> My steps:
> - downloaded the 2.3.5 tarball from sourceforge
> - tar xvzf ...
> - python setup.py build
> - The error and output messages are attached to this email.
>
> My setup:
> - Python 2.5.2
> - libldap-2.4-2 (ubuntu package version = 2.4.9-0ubuntu0.8.04.1, same
> for slapd)
> - Ubuntu hardy
>
> Tell me if you need any other piece of info.

Looks like you're missing libldap2-dev. Please run

  # apt-get install build-essential libldap2-dev libsasl2-dev python-dev

[...]

> By the way #2: there is no web archive of this list?

See .

Cheers,
Matej

From sig at akasig.org Thu Aug 7 00:03:29 2008
From: sig at akasig.org (Sig)
Date: Thu, 07 Aug 2008 00:03:29 +0200
Subject: Error while building
In-Reply-To: <87ljz9ltzk.fsf@zelendur.carpriv.carnet.hr>
References: <489A1352.8020609@akasig.org> <87ljz9ltzk.fsf@zelendur.carpriv.carnet.hr>
Message-ID: <489A1FB1.3050603@akasig.org>

Matej Vela wrote:
> Sig writes:
>> I can't build python-ldap-2.3.5. What should I do?
> Looks like you're missing libldap2-dev. Please run
>
> # apt-get install build-essential libldap2-dev libsasl2-dev python-dev

It helped, thanks! I also had to add libssl-dev (before that I was getting another message saying that lssl could not be found).

Now it works OK.

Too bad all these dev libs are required for installing python-ldap from the cheeseshop. Or maybe these requirements should be clearly indicated on the python-ldap package page?

Anyway, thanks for your help and reactivity!
--
Sig

From ryan at stat.berkeley.edu Thu Aug 7 00:06:55 2008
From: ryan at stat.berkeley.edu (Ryan Lovett)
Date: Wed, 6 Aug 2008 15:06:55 -0700
Subject: Error while building
In-Reply-To: <489A1FB1.3050603@akasig.org>
References: <489A1352.8020609@akasig.org> <87ljz9ltzk.fsf@zelendur.carpriv.carnet.hr> <489A1FB1.3050603@akasig.org>
Message-ID: <20080806220655.GT7923@stat.berkeley.edu>

On Thu, Aug 07, 2008 at 12:03:29AM +0200, Sig wrote:
> Matej Vela wrote:
> > Sig writes:
> >> I can't build python-ldap-2.3.5. What should I do?
> > Looks like you're missing libldap2-dev. Please run
> >
> > # apt-get install build-essential libldap2-dev libsasl2-dev python-dev
>
> It helped, thanks! I also had to add libssl-dev (before that I was
> getting another message saying that lssl could not be found).
>
> Now it works OK.
>
> Too bad all these dev libs are required for installing python-ldap from
> the cheeseshop. Or maybe these requirements should be clearly indicated
> on the python-ldap package page?
>
> Anyway, thanks for your help and reactivity!

In the future you can try

  # apt-get build-dep python-ldap

apt-get.8: "build-dep causes apt-get to install/remove packages in an attempt to satisfy the build dependencies for a source package."

Ryan

From michael at stroeder.com Thu Aug 7 10:26:43 2008
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 07 Aug 2008 10:26:43 +0200
Subject: Error while building
In-Reply-To: <489A1FB1.3050603@akasig.org>
References: <489A1352.8020609@akasig.org> <87ljz9ltzk.fsf@zelendur.carpriv.carnet.hr> <489A1FB1.3050603@akasig.org>
Message-ID: <489AB1C3.1070001@stroeder.com>

Sig wrote:
> Matej Vela wrote:
>> Sig writes:
>>> I can't build python-ldap-2.3.5. What should I do?
>> Looks like you're missing libldap2-dev. Please run
>>
>> # apt-get install build-essential libldap2-dev libsasl2-dev python-dev
> [..]
> Too bad all these dev libs are required for installing python-ldap from
> the cheeseshop.
> Or maybe these requirements should be clearly indicated
> on the python-ldap package page?

The build prerequisites are mentioned in the python-ldap docs:

  http://python-ldap.sourceforge.net/doc/html/installing.html#prerequisites

Note that apt-get is specific to Debian-based Linux distributions. The python-ldap docs have to be generic. I'd accept distribution-specific sections for the installation docs though.

Ciao, Michael.

From lars.erik.kolden at gmail.com Wed Aug 13 15:10:52 2008
From: lars.erik.kolden at gmail.com (Lars Erik Kolden)
Date: Wed, 13 Aug 2008 15:10:52 +0200
Subject: Problems importing from LDIF file generated with python-ldap
Message-ID: <2735333d0808130610v4024a7d5xc3a016295cb0ffe9@mail.gmail.com>

Hi.

I am sorry if this is a stupid question. I have pretty basic knowledge of both LDAP and python, and am having trouble with some scripts for creating LDAP records, written by my predecessor.

This script worked fine from an Ubuntu 7.10 client environment before the summer, but now, after actually upgrading to Ubuntu 8.04, the script yields an error message when adding the user to groups, using the modify changetype operator.

The offending statement looks like this:

  #########
  dn: cn=audio,ou=Group,dc=ourdc,dc=no
  changetype: modify
  memberUid: newuser
  #########

The error message from ldapmodify:

  #########
  larsekol@skarphedin:~$ /usr/bin/ldapmodify -ZZ -h ldap.server -D "cn=Manager,dc=ourdc,dc=no" -w passwrrd -x -a -f ./newaccounts.ldif
  adding new entry "uid=newuser,ou=people,dc=ourdc,dc=no"

  adding new entry "cn=newuser,ou=Group,dc=ourdc,dc=no"

  ldapmodify: modify operation type is missing at line 26, entry "cn=audio,ou=Group,dc=ourdc,dc=no"
  larsekol@skarphedin:~$
  #########

When I look in the LDAP docs, this looks reasonable, as it states that you need an "add: memberUid" statement with the changetype: modify. But how come it worked before? And when I try to incorporate this into the LDIF generator script, which uses python-ldap, it just won't work.
The relevant code looked like this:

  #########
  # add the new user to a set of default groups:
  # audio, cdrom, floppy, plugdev, video

  entry={ 'changetype' : ['modify'],
          'memberUid': [username],
        }
  dn='cn=audio,ou=Group,dc=ourdc,dc=no'
  ldif_writer=ldif.LDIFWriter(newusers)
  ldif_writer.unparse(dn,entry)
  #########

I thought I could add another element to the dict, "'add': ['memberUid']", but that's probably a naive assumption, and wishful thinking. When I add it between the changetype and memberUid elements, it will appear at the top of the LDIF statement, which won't work:

My "improvement":

  #########
  # add the new user to a set of default groups:
  # audio, cdrom, floppy, plugdev, video

  entry={ 'changetype' : ['modify'],
          'add': ['memberUid'],
          'memberUid': [username],
        }
  dn='cn=audio,ou=Group,dc=ourdc,dc=no'
  ldif_writer=ldif.LDIFWriter(newusers)
  ldif_writer.unparse(dn,entry)
  #########

Result:

  ########
  dn: cn=audio,ou=Group,dc=ourdc,dc=no
  add: memberUid
  changetype: modify
  memberUid: newuser
  ########

Here the add and changetype statements should be the other way round (changetype first, add afterwards), if I understand the docs right. If I do that manually in the LDIF file, ldapmodify will add the user to the audio group with no complaints. But I haven't been able to do that through the python-ldap libraries.

Could someone please point me to where I've totally misunderstood here, or how I could make this right with python-ldap (adding the user to the audio group)?

Thanks from a noob.
Lars Erik

From michael at stroeder.com Wed Aug 13 15:28:05 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 13 Aug 2008 15:28:05 +0200
Subject: Problems importing from LDIF file generated with python-ldap
In-Reply-To: <2735333d0808130610v4024a7d5xc3a016295cb0ffe9@mail.gmail.com>
References: <2735333d0808130610v4024a7d5xc3a016295cb0ffe9@mail.gmail.com>
Message-ID: <48A2E165.5080806@stroeder.com>

Lars Erik Kolden wrote:
> ldapmodify: modify operation type is missing at line 26, entry
> "cn=audio,ou=Group,dc=ourdc,dc=no"
> [..]
> When I look in the LDAP docs, this looks reasonable, as it states that
> you need an "add: memberUid" statement with the changetype: modify. But
> how come it worked before? And when I try to incorporate this into the
> LDIF generator script, which uses python-ldap, it just won't work.

I don't know why it worked in the past. The LDIF generator script is wrong since it uses module ldif for generating entry records (provided by a dict) instead of providing a modification list (list type), which would make LDIFWriter.unparse() generate a change record.

See __doc__ string in ldif.py:

  class LDIFWriter:
    [..]
    def unparse(self,dn,record):
      """
      dn
            string-representation of distinguished name
      record
            Either a dictionary holding the LDAP entry {attrtype:record}
            or a list with a modify list like for LDAPObject.modify().
      """

> The relevant code looked like this:
>
> #########
> # add the new user to a set of default groups:
> # audio, cdrom, floppy, plugdev, video
>
> entry={ 'changetype' : ['modify'],
>         'memberUid': [username],
>       }
> dn='cn=audio,ou=Group,dc=ourdc,dc=no'
> ldif_writer=ldif.LDIFWriter(newusers)
> ldif_writer.unparse(dn,entry)

Should be:

  modlist=[(ldap.MOD_ADD,'memberUid',[username])]
  ldif_writer.unparse(dn,modlist)

BTW: Anyway I'd recommend to directly use an LDAP connection for this task, rather than generating LDIF and then using command-line tools.
This would give you much better control in case of LDAP errors.

Ciao, Michael.

From lars.erik.kolden at gmail.com Wed Aug 13 16:01:52 2008
From: lars.erik.kolden at gmail.com (Lars Erik Kolden)
Date: Wed, 13 Aug 2008 16:01:52 +0200
Subject: Problems importing from LDIF file generated with python-ldap
In-Reply-To: <48A2E165.5080806@stroeder.com>
References: <2735333d0808130610v4024a7d5xc3a016295cb0ffe9@mail.gmail.com> <48A2E165.5080806@stroeder.com>
Message-ID: <2735333d0808130701u39d1cedl244fd89ea3a2278a@mail.gmail.com>

Thanks a lot, this worked perfectly! You really saved my day (or week, for that matter). I will rewrite the script when I have the time and maybe a better understanding of LDAP and python-ldap.

Best regards,
Lars Erik

On Wed, Aug 13, 2008 at 3:28 PM, Michael Ströder wrote:
> Lars Erik Kolden wrote:
>>
>> ldapmodify: modify operation type is missing at line 26, entry
>> "cn=audio,ou=Group,dc=ourdc,dc=no"
>> [..]
>> When I look in the LDAP docs, this looks reasonable, as it states that
>> you need an "add: memberUid" statement with the changetype: modify. But
>> how come it worked before? And when I try to incorporate this into the
>> LDIF generator script, which uses python-ldap, it just won't work.
>
> I don't know why it worked in the past. The LDIF generator script is wrong
> since it uses module ldif for generating entry records (provided by a dict)
> instead of providing a modification list (list type), which would make
> LDIFWriter.unparse() generate a change record.
>
> See __doc__ string in ldif.py:
>
> class LDIFWriter:
>   [..]
>   def unparse(self,dn,record):
>     """
>     dn
>           string-representation of distinguished name
>     record
>           Either a dictionary holding the LDAP entry {attrtype:record}
>           or a list with a modify list like for LDAPObject.modify().
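Two points from the threads above in one added example (not python-ldap's ldif module): how a modification list of (op, attribute, values) tuples becomes an LDIF change record with "changetype: modify" and an explicit "add:" line, which is what Lars Erik's generator was missing, and how the application, not the library, takes care of the UTF-8 encoding that Michael describes in the Unicode thread: a DN or value that is not a safe ASCII string is emitted base64-encoded with the "::" separator, as RFC 2849 requires. The MOD_* constants are local stand-ins that carry python-ldap's numeric values.

```python
"""Minimal LDIF modify-record writer with RFC 2849 safe-string handling.
Added example; not python-ldap's ldif.LDIFWriter."""
import base64

# Local stand-ins with the same numeric values as ldap.MOD_ADD etc.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2
_OP_NAMES = {MOD_ADD: "add", MOD_DELETE: "delete", MOD_REPLACE: "replace"}


def _safe(value):
    """RFC 2849 SAFE-STRING check on bytes: ASCII only, no NUL/CR/LF,
    no leading space, colon or '<', no trailing space."""
    if not value:
        return True
    if value[:1] in (b" ", b":", b"<") or value[-1:] == b" ":
        return False
    return all(0 < b < 128 and b not in (10, 13) for b in value)


def _attr_line(attr, value):
    """One 'attr: value' line; unsafe values become 'attr:: base64'."""
    if isinstance(value, str):
        value = value.encode("utf-8")  # the application encodes, the library does not
    if _safe(value):
        return "%s: %s" % (attr, value.decode("ascii"))
    return "%s:: %s" % (attr, base64.b64encode(value).decode("ascii"))


def parse_attr_line(line):
    """Inverse of _attr_line: returns (attr, raw bytes)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.strip().encode("ascii")


def _fold(line, width=76):
    """Fold a long line into LDIF continuation lines (leading space)."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def unparse_change(dn, modlist):
    """Render a 'changetype: modify' record for (op, attr, values) tuples,
    each modification terminated by the '-' line LDIF requires."""
    lines = [_attr_line("dn", dn), "changetype: modify"]
    for op, attr, values in modlist:
        if isinstance(values, (str, bytes)):
            values = [values]
        lines.append("%s: %s" % (_OP_NAMES[op], attr))
        for value in values or ():
            lines.append(_attr_line(attr, value))
        lines.append("-")
    return "\n".join(_fold(line) for line in lines) + "\n\n"
```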
>     """
>
>> relevant code looked like this:
>>
>> #########
>> # add the new user to a set of default groups:
>> # audio, cdrom, floppy, plugdev, video
>>
>> entry={ 'changetype' : ['modify'],
>>         'memberUid': [username],
>>       }
>> dn='cn=audio,ou=Group,dc=ourdc,dc=no'
>> ldif_writer=ldif.LDIFWriter(newusers)
>> ldif_writer.unparse(dn,entry)
>
> Should be:
>
> modlist=[(ldap.MOD_ADD,'memberUid',[username])]
> ldif_writer.unparse(dn,modlist)
>
> BTW: Anyway I'd recommend to directly use a LDAP connection for this task,
> not generate LDIF and then using command-line tools. This would give you
> much better control in case of LDAP errors.
>
> Ciao, Michael.
>

From anilj at entic.net Fri Aug 22 16:56:57 2008
From: anilj at entic.net (Anil)
Date: Fri, 22 Aug 2008 07:56:57 -0700
Subject: SunStudio compile
Message-ID: <48AED3B9.9020503@entic.net>

I am trying to compile python ldap with SunStudio, I get this error. Any idea?

...
/opt/SUNWspro/bin/CC -I/opt/coolstack/include -DNDEBUG -fast -xipo -xtarget=generic -xcode=pic32 -DHAVE_LIBLDAP_R -DHAVE_TLS -DLDAPMODULE_VERSION=2.3.5 -IModules -I/opt/coolstack/include -I/opt/coolstack/include/sasl -I/opt/coolstack/include/python2.5 -c Modules/message.c -o build/temp.solaris-2.10-sun4u-2.5/Modules/message.o
"Modules/message.c", line 39: Warning: String literal converted to char* in formal argument msg in call to LDAPerror(ldap*, char*).
"Modules/message.c", line 134: Warning: String literal converted to char* in formal argument msg in call to LDAPerror(ldap*, char*).
2 Warning(s) detected.
/opt/SUNWspro/bin/CC -I/opt/coolstack/include -DNDEBUG -fast -xipo -xtarget=generic -xcode=pic32 -DHAVE_LIBLDAP_R -DHAVE_TLS -DLDAPMODULE_VERSION=2.3.5 -IModules -I/opt/coolstack/include -I/opt/coolstack/include/sasl -I/opt/coolstack/include/python2.5 -c Modules/version.c -o build/temp.solaris-2.10-sun4u-2.5/Modules/version.o
/opt/SUNWspro/bin/CC -I/opt/coolstack/include -DNDEBUG -fast -xipo -xtarget=generic -xcode=pic32 -DHAVE_LIBLDAP_R -DHAVE_TLS -DLDAPMODULE_VERSION=2.3.5 -IModules -I/opt/coolstack/include -I/opt/coolstack/include/sasl -I/opt/coolstack/include/python2.5 -c Modules/options.c -o build/temp.solaris-2.10-sun4u-2.5/Modules/options.o
"Modules/options.c", line 108: Error: Formal argument 1 of type ldapcontrol** in call to LDAPControl_List_DEL(ldapcontrol**) is being passed void*.
1 Error(s) detected.
error: command '/opt/SUNWspro/bin/CC' failed with exit status 1

From vela at debian.org Fri Aug 22 17:09:02 2008
From: vela at debian.org (Matej Vela)
Date: Fri, 22 Aug 2008 17:09:02 +0200
Subject: SunStudio compile
In-Reply-To: <48AED3B9.9020503@entic.net> (Anil's message of "Fri, 22 Aug 2008 07:56:57 -0700")
References: <48AED3B9.9020503@entic.net>
Message-ID: <87abf56q9d.fsf@zelendur.carpriv.carnet.hr>

Anil writes:

> I am trying to compile python ldap with SunStudio, I get this error. Any
> idea?
[...]
> "Modules/options.c", line 108: Error: Formal argument 1 of type
> ldapcontrol** in call to LDAPControl_List_DEL(ldapcontrol**) is being
> passed void*.

The type checking seems to be a bit overzealous.
Try changing line 108 of Modules/options.c from

    LDAPControl_List_DEL(ptr);

to

    LDAPControl_List_DEL((LDAPControl**) ptr);

Cheers,

Matej

From michael at stroeder.com Fri Aug 22 17:11:12 2008
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 22 Aug 2008 17:11:12 +0200
Subject: SunStudio compile
In-Reply-To: <87abf56q9d.fsf@zelendur.carpriv.carnet.hr>
References: <48AED3B9.9020503@entic.net>
	<87abf56q9d.fsf@zelendur.carpriv.carnet.hr>
Message-ID: <48AED710.2060104@stroeder.com>

Matej Vela wrote:
> Anil writes:
>
>> I am trying to compile python ldap with SunStudio, I get this error. Any
>> idea?
> [...]
>> "Modules/options.c", line 108: Error: Formal argument 1 of type
>> ldapcontrol** in call to LDAPControl_List_DEL(ldapcontrol**) is being
>> passed void*.
>
> The type checking seems to be a bit overzealous. Try changing line 108
> of Modules/options.c from
>
> LDAPControl_List_DEL(ptr);
>
> to
>
> LDAPControl_List_DEL((LDAPControl**) ptr);

Matej, do you think we should change this in general?

Ciao, Michael.

From anilj at entic.net Fri Aug 22 17:17:32 2008
From: anilj at entic.net (Anil)
Date: Fri, 22 Aug 2008 08:17:32 -0700
Subject: SunStudio compile
In-Reply-To: <87abf56q9d.fsf@zelendur.carpriv.carnet.hr>
References: <48AED3B9.9020503@entic.net>
	<87abf56q9d.fsf@zelendur.carpriv.carnet.hr>
Message-ID: <48AED88C.7070903@entic.net>

Thanks, that worked! I am able to compile it now, but if I enable sasl, it also fails:

"Modules/LDAPObject.c", line 568: Warning: String literal converted to char* in formal argument format in call to _PyObject_CallMethod_SizeT(_object*, char*, char*, ...).
"Modules/LDAPObject.c", line 614: Error: Cannot use void* to initialize sasl_interact*.
"Modules/LDAPObject.c", line 615: Error: Cannot use void* to initialize _object*.
"Modules/LDAPObject.c", line 689: Warning (Anachronism): Formal argument proc of type extern "C" int(*)(ldap*,unsigned,void*,void*) in call to ldap_sasl_interactive_bind_s(ldap*, const char*, const char*, ldapcontrol**, ldapcontrol**, unsigned, extern "C" int(*)(ldap*,unsigned,void*,void*), void*) is being passed int(*)(ldap*,unsigned,void*,void*).

Sounds like the same thing.

Matej Vela wrote:
> Anil writes:
>
>
>> I am trying to compile python ldap with SunStudio, I get this error. Any
>> idea?
>>
> [...]
>
>> "Modules/options.c", line 108: Error: Formal argument 1 of type
>> ldapcontrol** in call to LDAPControl_List_DEL(ldapcontrol**) is being
>> passed void*.
>>
>
> The type checking seems to be a bit overzealous. Try changing line 108
> of Modules/options.c from
>
> LDAPControl_List_DEL(ptr);
>
> to
>
> LDAPControl_List_DEL((LDAPControl**) ptr);
>
> Cheers,
>
> Matej
>
>

From michael at stroeder.com Fri Aug 22 17:27:10 2008
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 22 Aug 2008 17:27:10 +0200
Subject: SunStudio compile
In-Reply-To: <48AED88C.7070903@entic.net>
References: <48AED3B9.9020503@entic.net>
	<87abf56q9d.fsf@zelendur.carpriv.carnet.hr>
	<48AED88C.7070903@entic.net>
Message-ID: <48AEDACE.7080806@stroeder.com>

Anil wrote:
> Thanks, that worked! I am able to compile it now, but if I enable sasl,
> it also fails:
>
> "Modules/LDAPObject.c", line 568: Warning: String literal converted to
> char* in formal argument format in call to
> _PyObject_CallMethod_SizeT(_object*, char*, char*, ...).
> "Modules/LDAPObject.c", line 614: Error: Cannot use void* to initialize
> sasl_interact*.
> "Modules/LDAPObject.c", line 615: Error: Cannot use void* to initialize
> _object*.
> "Modules/LDAPObject.c", line 689: Warning (Anachronism): Formal argument
> proc of type extern "C" int(*)(ldap*,unsigned,void*,void*) in call to
> ldap_sasl_interactive_bind_s(ldap*, const char*, const char*,
> ldapcontrol**, ldapcontrol**, unsigned, extern "C"
> int(*)(ldap*,unsigned,void*,void*), void*) is being passed
> int(*)(ldap*,unsigned,void*,void*).
>
> Sounds like the same thing.

And could you fix it with the same approach Matej suggested?

Ciao, Michael.

From vela at debian.org Mon Aug 25 13:06:31 2008
From: vela at debian.org (Matej Vela)
Date: Mon, 25 Aug 2008 13:06:31 +0200
Subject: SunStudio compile
In-Reply-To: <48AED710.2060104@stroeder.com> (Michael Ströder's message of "Fri, 22 Aug 2008 17:11:12 +0200")
References: <48AED3B9.9020503@entic.net>
	<87abf56q9d.fsf@zelendur.carpriv.carnet.hr>
	<48AED710.2060104@stroeder.com>
Message-ID: <87prnxqrpk.fsf@zelendur.carpriv.carnet.hr>

Michael Ströder writes:

> Matej Vela wrote:
>> The type checking seems to be a bit overzealous. Try changing line 108
>> of Modules/options.c from
>>
>> LDAPControl_List_DEL(ptr);
>>
>> to
>>
>> LDAPControl_List_DEL((LDAPControl**) ptr);
>
> Matej, do you think we should change this in general?

Yes, can't hurt (though most compilers are fine with both).

Cheers,

Matej

From vela at debian.org Mon Aug 25 13:09:44 2008
From: vela at debian.org (Matej Vela)
Date: Mon, 25 Aug 2008 13:09:44 +0200
Subject: SunStudio compile
In-Reply-To: <48AED88C.7070903@entic.net> (Anil's message of "Fri, 22 Aug 2008 08:17:32 -0700")
References: <48AED3B9.9020503@entic.net>
	<87abf56q9d.fsf@zelendur.carpriv.carnet.hr>
	<48AED88C.7070903@entic.net>
Message-ID: <87bpzhqrk7.fsf@zelendur.carpriv.carnet.hr>

Anil writes:

> Thanks, that worked!
> I am able to compile it now, but if I enable sasl,
> it also fails:
>
> "Modules/LDAPObject.c", line 568: Warning: String literal converted to
> char* in formal argument format in call to
> _PyObject_CallMethod_SizeT(_object*, char*, char*, ...).
> "Modules/LDAPObject.c", line 614: Error: Cannot use void* to initialize
> sasl_interact*.
> "Modules/LDAPObject.c", line 615: Error: Cannot use void* to initialize
> _object*.
> "Modules/LDAPObject.c", line 689: Warning (Anachronism): Formal argument
> proc of type extern "C" int(*)(ldap*,unsigned,void*,void*) in call to
> ldap_sasl_interactive_bind_s(ldap*, const char*, const char*,
> ldapcontrol**, ldapcontrol**, unsigned, extern "C"
> int(*)(ldap*,unsigned,void*,void*), void*) is being passed
> int(*)(ldap*,unsigned,void*,void*).
>
> Sounds like the same thing.

Yup. If you haven't already, try replacing lines 614 and 615

    sasl_interact_t *interact = in;
    PyObject *SASLObject = defaults;

with

    sasl_interact_t *interact = (sasl_interact_t *) in;
    PyObject *SASLObject = (PyObject *) defaults;

(Sorry for the late reply.)

Cheers,

Matej

From vela at debian.org Mon Aug 25 13:26:13 2008
From: vela at debian.org (Matej Vela)
Date: Mon, 25 Aug 2008 13:26:13 +0200
Subject: SunStudio compile
In-Reply-To: <48B29606.8060700@stroeder.com> (Michael Ströder's message of "Mon, 25 Aug 2008 13:22:46 +0200")
References: <48AED3B9.9020503@entic.net>
	<87abf56q9d.fsf@zelendur.carpriv.carnet.hr>
	<48AED88C.7070903@entic.net>
	<87bpzhqrk7.fsf@zelendur.carpriv.carnet.hr>
	<48B29606.8060700@stroeder.com>
Message-ID: <871w0dpc8a.fsf@zelendur.carpriv.carnet.hr>

Michael Ströder writes:

> I will commit this change.

Thanks.

> Please also examine
>
> http://python-ldap.cvs.sourceforge.net/python-ldap/python-ldap/Modules/LDAPObject.c?r1=1.79&r2=1.80
>
> http://python-ldap.cvs.sourceforge.net/python-ldap/python-ldap/Modules/options.c?r1=1.19&r2=1.20

Both look good.
Cheers,

Matej

From michael at stroeder.com Mon Aug 25 13:22:46 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 25 Aug 2008 13:22:46 +0200
Subject: SunStudio compile
In-Reply-To: <87bpzhqrk7.fsf@zelendur.carpriv.carnet.hr>
References: <48AED3B9.9020503@entic.net>
	<87abf56q9d.fsf@zelendur.carpriv.carnet.hr>
	<48AED88C.7070903@entic.net>
	<87bpzhqrk7.fsf@zelendur.carpriv.carnet.hr>
Message-ID: <48B29606.8060700@stroeder.com>

Matej Vela wrote:
> Yup. If you haven't already, try replacing lines 614 and 615
>
> sasl_interact_t *interact = in;
> PyObject *SASLObject = defaults;
>
> with
>
> sasl_interact_t *interact = (sasl_interact_t *) in;
> PyObject *SASLObject = (PyObject *) defaults;

I will commit this change.

Please also examine

http://python-ldap.cvs.sourceforge.net/python-ldap/python-ldap/Modules/LDAPObject.c?r1=1.79&r2=1.80

http://python-ldap.cvs.sourceforge.net/python-ldap/python-ldap/Modules/options.c?r1=1.19&r2=1.20

Ciao, Michael.

From mattxbart at gmail.com Tue Aug 26 02:12:13 2008
From: mattxbart at gmail.com (Matt Bartolome)
Date: Mon, 25 Aug 2008 17:12:13 -0700
Subject: problem using python-ldap under fcgi
Message-ID: <633d34560808251712h2487d074jca14e2943bbfd6c3@mail.gmail.com>

Hi,
I've got a little problem and I'm not sure how to track down the error
I'm getting. My web server is spitting back a 504 gateway timeout
which isn't helpful at all so I'm hoping someone here can point me in
the right direction.

When I attempt to:

    l = ldap.initialize(settings.AD_LDAP_URL)
    l.simple_bind_s(binddn,password)
    l.unbind_s()

I get the gateway timeout but this works perfectly fine in the python
interpreter. I'm running django as an fcgi preforked socket and
pointing my nginx fcgi server to it. All web requests work fine until
I hit the l.simple_bind_s() function so I'm having a heck of a time
finding out what the actual error is.
The only other output I've been
able to produce is:

    *** glibc detected *** python: free(): invalid pointer: 0x08e9b1ec ***

this is when I don't background the fcgi process.

I'm fully aware that this may have nothing to do with python-ldap but
just hoping someone here may have a clue for me.

python 2.5.2
python-ldap 2.3.5
ubuntu 7.10

my fcgi socket is spawned like so (if it helps):

    python /var/django/gis/manage.py runfcgi --settings=intranet_settings method=prefork \
        pidfile=/tmp/fcgi.pid \
        socket=/tmp/fcgi.sock

Thanks,
Matt

From michael at stroeder.com Tue Aug 26 09:39:06 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 26 Aug 2008 09:39:06 +0200
Subject: problem using python-ldap under fcgi
In-Reply-To: <633d34560808251712h2487d074jca14e2943bbfd6c3@mail.gmail.com>
References: <633d34560808251712h2487d074jca14e2943bbfd6c3@mail.gmail.com>
Message-ID: <48B3B31A.6000600@stroeder.com>

Matt Bartolome wrote:
> I've got a little problem and I'm not sure how to track down the error
> I'm getting. My web server is spitting back a 504 gateway timeout
> which isn't helpful at all so I'm hoping someone here can point me in
> the right direction.
>
> When I attempt to:
>
> l = ldap.initialize(settings.AD_LDAP_URL)
> l.simple_bind_s(binddn,password)
> l.unbind_s()
>
> I get the gateway timeout but this works perfectly fine in the python
> interpreter. I'm running django as an fcgi preforked socket and
> pointing my nginx fcgi server to it.

As my web2ldap - based on python-ldap - runs as a FastCGI server this
seems to work. But web2ldap is multi-threaded and does not fork when
running as FastCGI process because of keeping the LDAP connections
persistent.

> All web requests work fine until
> I hit the l.simple_bind_s() function so I'm having a heck of a time
> finding out what the actual error is.
> The only other output I've been
> able to produce is:
>
> *** glibc detected *** python: free(): invalid pointer: 0x08e9b1ec ***
>
> this is when I don't background the fcgi process.

No clue especially since I don't know the Django stuff.

Ciao, Michael.

From mattxbart at gmail.com Wed Aug 27 06:32:47 2008
From: mattxbart at gmail.com (Matt Bartolome)
Date: Tue, 26 Aug 2008 21:32:47 -0700
Subject: problem using python-ldap under fcgi
In-Reply-To: <48B3B31A.6000600@stroeder.com>
References: <633d34560808251712h2487d074jca14e2943bbfd6c3@mail.gmail.com>
	<48B3B31A.6000600@stroeder.com>
Message-ID: <633d34560808262132j7aa51694pf438d1b4b62b2120@mail.gmail.com>

Hey Michael. Thank you for your response. I modified LDAPObject.c and
ldapcontrol.c to use the solution described here:

https://bugs.launchpad.net/ubuntu/+source/python-cdb/+bug/157251

Looks like it is something specific to glibc in ubuntu and the
"recommended" use of PyObject_Del instead of PyMem_DEL. I've attached
a patch showing the modifications for anyone else ripping their hair
out. The glibc python free() error is now gone.

Now I can focus on my actual problem which I think has to do with my
python-ldap calls being blocked under fcgi. I tried compiling openldap
--without-threads thinking that it might magically work but no dice.

regards,
-Matt

On Tue, Aug 26, 2008 at 12:39 AM, Michael Ströder wrote:
> Matt Bartolome wrote:
>> I've got a little problem and I'm not sure how to track down the error
>> I'm getting. My web server is spitting back a 504 gateway timeout
>> which isn't helpful at all so I'm hoping someone here can point me in
>> the right direction.
>>
>> When I attempt to:
>>
>> l = ldap.initialize(settings.AD_LDAP_URL)
>> l.simple_bind_s(binddn,password)
>> l.unbind_s()
>>
>> I get the gateway timeout but this works perfectly fine in the python
>> interpreter. I'm running django as an fcgi preforked socket and
>> pointing my nginx fcgi server to it.
>
> As my web2ldap - based on python-ldap - runs as a FastCGI server this
> seems to work. But web2ldap is multi-threaded and does not fork when
> running as FastCGI process because of keeping the LDAP connections
> persistent.
>
>> All web requests work fine until
>> I hit the l.simple_bind_s() function so I'm having a heck of a time
>> finding out what the actual error is. The only other output I've been
>> able to produce is:
>>
>> *** glibc detected *** python: free(): invalid pointer: 0x08e9b1ec ***
>>
>> this is when I don't background the fcgi process.
>
> No clue especially since I don't know the Django stuff.
>
> Ciao, Michael.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: modules.patch
Type: application/octet-stream
Size: 7741 bytes
Desc: not available
URL:

From michael at stroeder.com Wed Aug 27 09:26:24 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 27 Aug 2008 09:26:24 +0200
Subject: problem using python-ldap under fcgi
In-Reply-To: <633d34560808262132j7aa51694pf438d1b4b62b2120@mail.gmail.com>
References: <633d34560808251712h2487d074jca14e2943bbfd6c3@mail.gmail.com>
	<48B3B31A.6000600@stroeder.com>
	<633d34560808262132j7aa51694pf438d1b4b62b2120@mail.gmail.com>
Message-ID: <48B501A0.5060004@stroeder.com>

Matt Bartolome wrote:
> Hey Michael. Thank you for your response.
> I modified LDAPObject.c and
> ldapcontrol.c to use the solution described here:
>
> https://bugs.launchpad.net/ubuntu/+source/python-cdb/+bug/157251
>
> Looks like it is something specific to glibc in ubuntu and the
> "recommended" use of PyObject_Del instead of PyMem_DEL. I've attached
> a patch showing the modifications for anyone else ripping their hair
> out. The glibc python free() error is now gone.

If this is really a more general issue I'd like to see this fixed. So I
tried your patch. But it seg faults on my openSUSE 11.0 system. I
noticed some warnings during build (see below).

Ciao, Michael.

--------------------------- snip ---------------------------
[..]
Modules/LDAPObject.c: In function ‘Tuple_to_LDAPMod’:
Modules/LDAPObject.c:126: warning: passing argument 1 of ‘_PyObject_New’ makes pointer from integer without a cast
Modules/LDAPObject.c:134: warning: passing argument 1 of ‘_PyObject_New’ makes pointer from integer without a cast
Modules/LDAPObject.c:143: warning: passing argument 1 of ‘_PyObject_New’ makes pointer from integer without a cast
Modules/LDAPObject.c:146: warning: passing argument 1 of ‘_PyObject_New’ makes pointer from integer without a cast
Modules/LDAPObject.c:154: warning: passing argument 1 of ‘_PyObject_New’ makes pointer from integer without a cast
Modules/LDAPObject.c:158: warning: passing argument 1 of ‘_PyObject_New’ makes pointer from integer without a cast
Modules/LDAPObject.c: In function ‘List_to_LDAPMods’:
Modules/LDAPObject.c:226: warning: passing argument 1 of ‘_PyObject_New’ makes pointer from integer without a cast
Modules/LDAPObject.c: In function ‘attrs_from_List’:
Modules/LDAPObject.c:273: warning: passing argument 1 of ‘_PyObject_New’
makes pointer from integer without a cast
gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -fPIC -DHAVE_LIBLDAP_R -DHAVE_SASL -DHAVE_TLS -DLDAPMODULE_VERSION=2.3.6 -IModules -I/opt/openldap-HEAD/include -I/opt/sasl/include/sasl -I/usr/include/sasl -I/usr/include/python2.6 -c Modules/ldapcontrol.c -o build/temp.linux-i686-2.6/Modules/ldapcontrol.o -g
Modules/ldapcontrol.c: In function ‘Tuple_to_LDAPControl’:
Modules/ldapcontrol.c:83: warning: passing argument 1 of ‘_PyObject_New’ makes pointer from integer without a cast
Modules/ldapcontrol.c:92: warning: passing argument 1 of ‘_PyObject_New’ makes pointer from integer without a cast
Modules/ldapcontrol.c: In function ‘List_to_LDAPControls’:
Modules/ldapcontrol.c:139: warning: passing argument 1 of ‘_PyObject_New’ makes pointer from integer without a cast
[..]

From mattxbart at gmail.com Wed Aug 27 22:12:23 2008
From: mattxbart at gmail.com (Matt Bartolome)
Date: Wed, 27 Aug 2008 13:12:23 -0700
Subject: problem using python-ldap under fcgi
In-Reply-To: <48B501A0.5060004@stroeder.com>
References: <633d34560808251712h2487d074jca14e2943bbfd6c3@mail.gmail.com>
	<48B3B31A.6000600@stroeder.com>
	<633d34560808262132j7aa51694pf438d1b4b62b2120@mail.gmail.com>
	<48B501A0.5060004@stroeder.com>
Message-ID: <633d34560808271312h6d19d818pb91631f8c3dea949@mail.gmail.com>

My apologies on the wild goose chase but after using valgrind on my
fcgi process it is python cx_Oracle (would have never guessed that!)
which triggers the segmentation fault when ldap.initialize() is
called. Why it does this is beyond me but a simple alteration of my
code makes the problem go away completely. I was creating a global
oracle db cursor which I'm now creating inside the functions that use
it.

I'm not sure about the glibc error and patch now. Using the original
release without modification works so I will leave it at that.
Thanks,
Matt

On Wed, Aug 27, 2008 at 12:26 AM, Michael Ströder wrote:
> Matt Bartolome wrote:
>>
>> Hey Michael. Thank you for your response. I modified LDAPObject.c and
>> ldapcontrol.c to use the solution described here:
>>
>> https://bugs.launchpad.net/ubuntu/+source/python-cdb/+bug/157251
>>
>> Looks like it is something specific to glibc in ubuntu and the
>> "recommended" use of PyObject_Del instead of PyMem_DEL. I've attached
>> a patch showing the modifications for anyone else ripping their hair
>> out. The glibc python free() error is now gone.
>
> If this is really a more general issue I'd like to see this fixed. So I
> tried your patch. But it seg faults on my openSUSE 11.0 system. I noticed
> some warnings during build (see below).
>
> Ciao, Michael.
>
> --------------------------- snip ---------------------------
> [..]
> Modules/LDAPObject.c: In function 'Tuple_to_LDAPMod':
> Modules/LDAPObject.c:126: warning: passing argument 1 of '_PyObject_New'
> makes pointer from integer without a cast
> Modules/LDAPObject.c:134: warning: passing argument 1 of '_PyObject_New'
> makes pointer from integer without a cast
> Modules/LDAPObject.c:143: warning: passing argument 1 of '_PyObject_New'
> makes pointer from integer without a cast
> Modules/LDAPObject.c:146: warning: passing argument 1 of '_PyObject_New'
> makes pointer from integer without a cast
> Modules/LDAPObject.c:154: warning: passing argument 1 of '_PyObject_New'
> makes pointer from integer without a cast
> Modules/LDAPObject.c:158: warning: passing argument 1 of '_PyObject_New'
> makes pointer from integer without a cast
> Modules/LDAPObject.c: In function 'List_to_LDAPMods':
> Modules/LDAPObject.c:226: warning: passing argument 1 of '_PyObject_New'
> makes pointer from integer without a cast
> Modules/LDAPObject.c: In function 'attrs_from_List':
> Modules/LDAPObject.c:273: warning: passing argument 1 of '_PyObject_New'
> makes pointer from integer without a cast
> gcc -pthread -fno-strict-aliasing
> -DNDEBUG -g -fwrapv -O3 -Wall
> -Wstrict-prototypes -fPIC -DHAVE_LIBLDAP_R -DHAVE_SASL -DHAVE_TLS
> -DLDAPMODULE_VERSION=2.3.6 -IModules -I/opt/openldap-HEAD/include
> -I/opt/sasl/include/sasl -I/usr/include/sasl -I/usr/include/python2.6 -c
> Modules/ldapcontrol.c -o build/temp.linux-i686-2.6/Modules/ldapcontrol.o -g
> Modules/ldapcontrol.c: In function 'Tuple_to_LDAPControl':
> Modules/ldapcontrol.c:83: warning: passing argument 1 of '_PyObject_New'
> makes pointer from integer without a cast
> Modules/ldapcontrol.c:92: warning: passing argument 1 of '_PyObject_New'
> makes pointer from integer without a cast
> Modules/ldapcontrol.c: In function 'List_to_LDAPControls':
> Modules/ldapcontrol.c:139: warning: passing argument 1 of '_PyObject_New'
> makes pointer from integer without a cast
> [..]
>

From michael at stroeder.com Wed Aug 27 22:30:23 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 27 Aug 2008 22:30:23 +0200
Subject: problem using python-ldap under fcgi
In-Reply-To: <633d34560808271312h6d19d818pb91631f8c3dea949@mail.gmail.com>
References: <633d34560808251712h2487d074jca14e2943bbfd6c3@mail.gmail.com>
	<48B3B31A.6000600@stroeder.com>
	<633d34560808262132j7aa51694pf438d1b4b62b2120@mail.gmail.com>
	<48B501A0.5060004@stroeder.com>
	<633d34560808271312h6d19d818pb91631f8c3dea949@mail.gmail.com>
Message-ID: <48B5B95F.9080202@stroeder.com>

Matt Bartolome wrote:
> My apologies on the wild goose chase but after using valgrind on my
> fcgi process it is python cx_Oracle (would have never guessed that!)
> which triggers the segmentation fault when ldap.initialize() is
> called. Why it does this is beyond me but a simple alteration of my
> code makes the problem go away completely. I was creating a global
> oracle db cursor which I'm now creating inside the functions that use
> it.
>
> I'm not sure about the glibc error and patch now. Using the original
> release without modification works so I will leave it at that.
Glad you figured out what the issue was. It's good if you don't run a
patched version of python-ldap. In general and thanks to the
contributors who provided patches in the past python-ldap seems fairly
stable.

But let's look at the blog entry which convinced you to try patching
python-ldap (see
http://www.notes.xythian.net/2007/10/24/python-cdb-032-52ubuntu2-with-python-25-causes-double-free-corruption-crash-on-dealloc/):

"Some other searching suggests that python-cdb's use of PyMem_DEL is no
longer recommended."

That's pretty imprecise, not even a single URL.

But if somebody can add more detailed information to this it could be
helpful to dive into this. IMO an admirable goal of python-ldap is not
to fall back behind what's considered current best practice when writing
extension modules for CPython.

Ciao, Michael.

From vela at debian.org Wed Aug 27 23:01:55 2008
From: vela at debian.org (Matej Vela)
Date: Wed, 27 Aug 2008 23:01:55 +0200
Subject: problem using python-ldap under fcgi
In-Reply-To: <48B5B95F.9080202@stroeder.com> (Michael Ströder's message of "Wed, 27 Aug 2008 22:30:23 +0200")
References: <633d34560808251712h2487d074jca14e2943bbfd6c3@mail.gmail.com>
	<48B3B31A.6000600@stroeder.com>
	<633d34560808262132j7aa51694pf438d1b4b62b2120@mail.gmail.com>
	<48B501A0.5060004@stroeder.com>
	<633d34560808271312h6d19d818pb91631f8c3dea949@mail.gmail.com>
	<48B5B95F.9080202@stroeder.com>
Message-ID: <87ej4a9np8.fsf@zelendur.carpriv.carnet.hr>

Michael Ströder writes:

> But let's look at the blog entry which convinced you to try patching
> python-ldap (see
> http://www.notes.xythian.net/2007/10/24/python-cdb-032-52ubuntu2-with-python-25-causes-double-free-corruption-crash-on-dealloc/):
>
> "Some other searching suggests that python-cdb's use of PyMem_DEL is no
> longer recommended."
>
> That's pretty imprecise, not even a single URL.
>
> But if somebody can add more detailed information to this it could be
> helpful to dive into this. IMO an admirable goal of python-ldap is not
> to fall back behind what's considered current best practice when writing
> extension modules for CPython.

I think the blog writer was bitten by . In Python 2.5, PyMem_DEL and
PyObject_Del are no longer interchangeable; memory allocated by
PyMem_NEW needs to be deallocated by PyMem_DEL, and likewise for
PyObject_New and PyObject_Del.

A similar (automated) report was filed for python-ldap, and I've
verified that it doesn't apply -- .

Cheers,

Matej

From mattxbart at gmail.com Wed Aug 27 23:14:46 2008
From: mattxbart at gmail.com (Matt Bartolome)
Date: Wed, 27 Aug 2008 14:14:46 -0700
Subject: problem using python-ldap under fcgi
In-Reply-To: <48B5B95F.9080202@stroeder.com>
References: <633d34560808251712h2487d074jca14e2943bbfd6c3@mail.gmail.com>
	<48B3B31A.6000600@stroeder.com>
	<633d34560808262132j7aa51694pf438d1b4b62b2120@mail.gmail.com>
	<48B501A0.5060004@stroeder.com>
	<633d34560808271312h6d19d818pb91631f8c3dea949@mail.gmail.com>
	<48B5B95F.9080202@stroeder.com>
Message-ID: <633d34560808271414k5ade7936rae13837a04a09722@mail.gmail.com>

On Wed, Aug 27, 2008 at 1:30 PM, Michael Ströder wrote:
> Matt Bartolome wrote:
>> My apologies on the wild goose chase but after using valgrind on my
>> fcgi process it is python cx_Oracle (would have never guessed that!)
>> which triggers the segmentation fault when ldap.initialize() is
>> called. Why it does this is beyond me but a simple alteration of my
>> code makes the problem go away completely. I was creating a global
>> oracle db cursor which I'm now creating inside the functions that use
>> it.
>>
>> I'm not sure about the glibc error and patch now. Using the original
>> release without modification works so I will leave it at that.
>
> Glad you figured out what the issue was. It's good if you don't run a
> patched version of python-ldap.
> In general and thanks to the
> contributors who provided patches in the past python-ldap seems fairly
> stable.

I'll take a stab at this. I'll give you fair warning though that I
don't know much about C. It looks like the modifications would be
fairly straightforward though given I can find the recommended usage
and documentation. I left off at the type cast build warnings so I
just need to figure that in plus make sure it is backwards compatible
(I saw an example showing how to do that).

>
> But let's look at the blog entry which convinced you to try patching
> python-ldap (see
> http://www.notes.xythian.net/2007/10/24/python-cdb-032-52ubuntu2-with-python-25-causes-double-free-corruption-crash-on-dealloc/):
>
> "Some other searching suggests that python-cdb's use of PyMem_DEL is no
> longer recommended."
>
> That's pretty imprecise, not even a single URL.
>
> But if somebody can add more detailed information to this it could be
> helpful to dive into this. IMO an admirable goal of python-ldap is not
> to fall back behind what's considered current best practice when writing
> extension modules for CPython.
>
> Ciao, Michael.
>
>

From michael at stroeder.com Wed Aug 27 23:22:27 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 27 Aug 2008 23:22:27 +0200
Subject: problem using python-ldap under fcgi
In-Reply-To: <633d34560808271414k5ade7936rae13837a04a09722@mail.gmail.com>
References: <633d34560808251712h2487d074jca14e2943bbfd6c3@mail.gmail.com>
	<48B3B31A.6000600@stroeder.com>
	<633d34560808262132j7aa51694pf438d1b4b62b2120@mail.gmail.com>
	<48B501A0.5060004@stroeder.com>
	<633d34560808271312h6d19d818pb91631f8c3dea949@mail.gmail.com>
	<48B5B95F.9080202@stroeder.com>
	<633d34560808271414k5ade7936rae13837a04a09722@mail.gmail.com>
Message-ID: <48B5C593.3000606@stroeder.com>

Matt Bartolome wrote:
> I'll take a stab at this. I'll give you fair warning though that I
> don't know much about C.
> It looks like the modifications would be
> fairly straightforward though given I can find the recommended usage
> and documentation. I left off at the type cast build warnings so I
> just need to figure that in plus make sure it is backwards compatible
> (I saw an example showing how to do that).

Given Matej's answer and the fact that your problem is fixed it seems
to me nothing has to be done.

Ciao, Michael.

From wiser0+python-ldap at gmail.com Sat Aug 30 00:53:30 2008
From: wiser0+python-ldap at gmail.com (Randy)
Date: Fri, 29 Aug 2008 15:53:30 -0700
Subject: Creating Active Directory Objects
Message-ID: <5753b1130808291553r3ba71593pa2d26f7bdccc77b6@mail.gmail.com>

Mike (or anyone else who has successfully changed an Active Directory
password using python-ldap over SSL),

I have not found an update in the archives to your last message on
this subject (below). Can you perhaps share some Python code showing
how to add or change the password for an Active Directory user via
LDAP over SSL?

Thanks!
- Randy Wiser

> From: Mike Matz - 2007-11-09 13:36
> Thank you to all who responded to my queries. I have been able to
> successfully create an account and set the password for an AD user on
> my test server. For those who are interested here is the breakdown of
> what I did. As I continue to debug and test I will post updates to
> this topic.
> Connected via SSL to the server. There is no need to manage
> certificates on the client since I am not binding, only establishing
> an LDAP connection. Certificate Services do need to be installed on
> the server. In the future I plan to try to implement the sasl_bind
> code that Michael mentioned. To create the account I performed an
> ldap add and to set the password I performed a modify on the
> unicodePwd attribute. This has appeared to work successfully. I am
> able to authenticate as the newly created user, map a home directory,
> etc.
> I will need to do further testing to ensure that this is a valid
> method for creating an account.
> Once again, thanks to all who provided input!
> Regards,
> Mike

From michael at stroeder.com Sat Aug 30 10:45:12 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 30 Aug 2008 10:45:12 +0200
Subject: Creating Active Directory Objects
In-Reply-To: <5753b1130808291553r3ba71593pa2d26f7bdccc77b6@mail.gmail.com>
References: <5753b1130808291553r3ba71593pa2d26f7bdccc77b6@mail.gmail.com>
Message-ID: <48B90898.5080603@stroeder.com>

Randy wrote:
> Mike (or anyone else who has successfully changed an Active Directory
> password using python-ldap over SSL),
>
> I have not found an update in the archives to your last message on
> this subject (below). Can you perhaps share some Python code showing
> how to add or change the password for an Active Directory user via
> LDAP over SSL?

Recent web2ldap changes unicodePwd in AD. You could set trace_level=2 in etc/web2ldap/web2ldapcnf/misc.py to see what's passed to python-ldap.

For the SSL part see Demo/initialize.py in python-ldap's source distribution. Of course you have to check back with your admin whether SSL is enabled in your AD DCs and which CA cert to install on the client side.

Ciao, Michael.

From wiser0+python-ldap at gmail.com Wed Sep 3 00:27:47 2008
From: wiser0+python-ldap at gmail.com (wiser0+python-ldap at gmail.com)
Date: Tue, 2 Sep 2008 15:27:47 -0700
Subject: Creating Active Directory Objects
In-Reply-To: <48B90898.5080603@stroeder.com>
References: <5753b1130808291553r3ba71593pa2d26f7bdccc77b6@mail.gmail.com> <48B90898.5080603@stroeder.com>
Message-ID: <5753b1130809021527k339fa013x1b0961d866264b6b@mail.gmail.com>

On 8/30/08, Michael Ströder wrote:
> Randy wrote:
>> Mike (or anyone else who has successfully changed an Active Directory
>> password using python-ldap over SSL),
>>
>> I have not found an update in the archives to your last message on
>> this subject (below).
>> Can you perhaps share some Python code showing
>> how to add or change the password for an Active Directory user via
>> LDAP over SSL?
>
> Recent web2ldap changes unicodePwd in AD. You could set trace_level=2 in
> etc/web2ldap/web2ldapcnf/misc.py to see what's passed to python-ldap.
>
> For the SSL part see Demo/initialize.py in python-ldap's source
> distribution. Of course you have to check back with your admin whether
> SSL is enabled in your AD DCs and which CA cert to install on the client
> side.
>
> Ciao, Michael.
>

Thanks for the quick reply Michael.

I installed web2ldap 0.16.41, but have not been able to connect via SSL and bind to my Active Directory test machine (running Microsoft's ADAM server on WinXP, which I have successfully connected/authenticated with over SSL using MS's ldp.exe utility). I am not completely sure I need to do a simple bind in order to change a user password in Active Directory when I have both the old and new passwords, given the other comments by Mike in this thread.

Does web2ldap have a public SVN or CVS repository where I might view the changes that allow web2ldap to change the unicodePwd in AD, and hence get some hint as to where in the code this magic is happening?

This task may be easy for someone with LDAP experience, but I have virtually no experience with LDAP (or AD either).

Thanks again,

- Randy

From mmatz at wyoarea.org Wed Sep 3 15:45:19 2008
From: mmatz at wyoarea.org (Mike Matz)
Date: Wed, 3 Sep 2008 09:45:19 -0400
Subject: Creating Active Directory Objects
In-Reply-To: <5753b1130809021527k339fa013x1b0961d866264b6b@mail.gmail.com>
References: <5753b1130808291553r3ba71593pa2d26f7bdccc77b6@mail.gmail.com> <48B90898.5080603@stroeder.com> <5753b1130809021527k339fa013x1b0961d866264b6b@mail.gmail.com>
Message-ID: <3F389953-2963-4292-B7AC-D0B07928B1C8@wyoarea.org>

Hi Randy,

My apologies for not getting back to you sooner. Here is a crude example of the code I used to create/modify a password using Python LDAP.
The trick to modifying the password is encoding in unicode. I am still trying to find my bookmark to a discussion board that explains how this works. Once I find it I will post it here as well. Unfortunately I have not had any time over the past few months to work on my code so I do not have a whole lot more that I can give you at the moment. I plan to begin work again this fall and any changes or advancements I make I will be sure to post. If you find a better way to achieve AD account manipulation please let me know.

Thanks,
Mike

import ldap
import ldap.modlist as modlist

server = "ldaps://jebediah.springfield.org:636"
who = "administrator@springfield.org"
cred = "password"
path = "ou=Students,ou=Accounts,dc=springfield,dc=org"
keyword = "simpson"

dn = 'cn=jjones,ou=Accounts,dc=springfield,dc=org'
attrs = {}
attrs['objectclass'] = ['top', 'person', 'organizationalPerson', 'user']
attrs['cn'] = 'jjones'
attrs['userPassword'] = 'jimbo'
attrs['userPrincipalName'] = 'jjones'
attrs['sAMAccountName'] = 'jjones'
attrs['givenName'] = 'Jimbo'
attrs['sn'] = 'Jones'
attrs['DisplayName'] = 'Jimbo Jones'
attrs['description'] = 'A brief description'
attrs['userAccountControl'] = '512'

# AD only accepts unicodePwd as the password wrapped in double quotes and
# encoded as UTF-16-LE.
password = "jimbo"
password_attr = "unicodePwd"
unicode1 = unicode("\"" + password + "\"", "iso-8859-1")
unicode2 = unicode1.encode("utf-16-le")
password_value = unicode2
mods = [(ldap.MOD_REPLACE, password_attr, [password_value])]

ldif = modlist.addModlist(attrs)

l = ldap.initialize(server)
l.simple_bind_s(who, cred)
l.add_s(dn, ldif)
# Synchronous modify_s() so the password change has completed (and any
# error is raised) before the connection is closed; an asynchronous
# modify() followed directly by unbind_s() can be cut off.
l.modify_s(dn, mods)
l.unbind_s()

On Sep 2, 2008, at 6:27 PM, wrote:
> On 8/30/08, Michael Ströder wrote:
>> Randy wrote:
>>> Mike (or anyone else who has successfully changed an Active Directory
>>> password using python-ldap over SSL),
>>>
>>> I have not found an update in the archives to your last message on
>>> this subject (below).
>>> Can you perhaps share some Python code showing
>>> how to add or change the password for an Active Directory user via
>>> LDAP over SSL?
>>
>> Recent web2ldap changes unicodePwd in AD. You could set trace_level=2 in
>> etc/web2ldap/web2ldapcnf/misc.py to see what's passed to python-ldap.
>>
>> For the SSL part see Demo/initialize.py in python-ldap's source
>> distribution. Of course you have to check back with your admin whether
>> SSL is enabled in your AD DCs and which CA cert to install on the
>> client side.
>>
>> Ciao, Michael.
>>
>
> Thanks for the quick reply Michael.
>
> I installed web2ldap 0.16.41, but have not been able to connect via
> SSL and bind to my Active Directory test machine (running Microsoft's
> ADAM server on WinXP, which I have successfully
> connected/authenticated with over SSL using MS's ldp.exe utility). I
> am not completely sure I need to do a simple bind in order to change
> a user password in Active Directory when I have both the old and new
> passwords, given the other comments by Mike in this thread.
>
> Does web2ldap have a public SVN or CVS repository where I might view
> the changes that allow web2ldap to change the unicodePwd in AD, and
> hence get some hint as to where in the code this magic is happening?
>
> This task may be easy for someone with LDAP experience, but I have
> virtually no experience with LDAP (or AD either).
>
> Thanks again,
>
> - Randy
>

From alex at davz.net Thu Sep 4 17:33:02 2008
From: alex at davz.net (Alex Davies)
Date: Thu, 4 Sep 2008 17:33:02 +0200
Subject: Query on finding the members inside a nested group inside Active Directory
Message-ID: <5fb622120809040833q156ec878k47e9ad6138f47665@mail.gmail.com>

Hi Everyone,

I am trying to query an AD Domain Controller for some information, and I'd like to do this without having to install the win32 and AD libraries for Python.

I am using the following code to obtain a list of users inside a group (test).
This works well, but I'd like to be able to add groups that contain users into the "test" group, and return them too. If I do this, the code below returns nothing at all - not even the names of the groups in the test group.

Can anyone advise me how to do this?

--
import ldap

ldap.set_option(ldap.OPT_REFERRALS, 0)
l = ldap.initialize("ldap://10.3.x.x")
l.simple_bind_s('alexd@XXX.LOCAL', 'xxx')

baseDN = "OU=Location, DC=xxx, DC=local"
searchScope = ldap.SCOPE_SUBTREE
retrieveAttributes = ['sn']  # Surname
searchFilter = "(memberOf=CN=test,OU=Machines,OU=Linux Auth,DC=xxx,DC=local)"

try:
    ldap_result_id = l.search(baseDN, searchScope, searchFilter, retrieveAttributes)
    result_set = []
    while 1:
        # Poll for one result at a time (all=0); an empty result_data
        # signals the end of the search.
        result_type, result_data = l.result(ldap_result_id, 0)
        if (result_data == []):
            break
        else:
            if result_type == ldap.RES_SEARCH_ENTRY:
                result_set.append(result_data)
    print result_set
except ldap.LDAPError, e:
    print e
--

Any help gratefully received. Many thanks for your time!

Alex

From michael at stroeder.com Fri Sep 5 11:22:31 2008
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 05 Sep 2008 11:22:31 +0200
Subject: Query on finding the members inside a nested group inside Active Directory
In-Reply-To: <5fb622120809040833q156ec878k47e9ad6138f47665@mail.gmail.com>
References: <5fb622120809040833q156ec878k47e9ad6138f47665@mail.gmail.com>
Message-ID: <48C0FA57.4090407@stroeder.com>

Alex Davies wrote:
>
> I am trying to query an AD Domain Controller for some information, and
> I'd like to do this without having to install the win32 and AD libraries
> for Python.

So you want to use python-ldap on Win32. Ok.

> I am using the following code to obtain a list of users inside a group
> (test). This works well, but I'd like to be able to add groups that
> contain users into the "test" group, and return them too.

In general with LDAP you have to deal with nested groups at the client side.
Especially with AD, explicitly requesting the attribute tokenGroups on a user's entry could be an option since AD then computes all the groups a user is member of, including nested groups. Note that the attribute values are not DNs. See description here:

http://msdn.microsoft.com/en-us/library/ms680275(VS.85).aspx

> searchFilter = "(memberOf=CN=test,OU=Machines,OU=Linux
> Auth,DC=xxx,DC=local)"

I'm not sure whether memberOf only indicates the directory group membership.

> ldap_result_id = l.search(baseDN, searchScope, searchFilter,
> retrieveAttributes)

I'd recommend to use the synchronous method l.search_s() first to avoid programming errors. This is handy when you don't expect large result sets. If you want to do stream processing of large result sets ldap.resiter is more handy.

Ciao, Michael.

From me at gustavonarea.net Sat Sep 6 18:16:21 2008
From: me at gustavonarea.net (Gustavo Narea)
Date: Sat, 6 Sep 2008 18:16:21 +0200
Subject: Can you please add repoze.who.plugins.ldap?
Message-ID: <200809061816.22036.me@gustavonarea.net>

Hello,

I'm going to release the first stable version of repoze.who.plugins.ldap very soon, which is a plugin for repoze.who that enables LDAP authentication via python-ldap. So I wonder if you could add it to this listing http://python-ldap.sourceforge.net/apps.shtml ?

Its URL is http://code.gustavonarea.net/repoze.who.plugins.ldap/

Thanks in advance.

--
Gustavo Narea.
http://gustavonarea.net/

Get rid of unethical constraints! Switch to Freedomware: http://softwareliberty.com/
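Michael's point in the nested-group thread above is that LDAP itself gives you flat membership lists, so a client that wants the users of "test" including those reached through member groups has to walk the member attribute itself (unless it can use AD's tokenGroups). The following is an added example, not code from the list or from python-ldap: it walks a constructed in-memory stand-in for the directory (the SAMPLE_ENTRIES dict and the lookup_entry helper are invented for the example, standing in for a base-scope search_s() of each DN for objectClass and member), visits every group at most once so that membership cycles terminate, and bounds the depth so a hostile or broken tree cannot make the walk run away.

```python
from collections import deque

# Constructed stand-in for what a domain controller would return for a
# base-scope search of each DN with attrs ['objectClass', 'member'].
# These entries are invented for the example, not real directory data.
SAMPLE_ENTRIES = {
    "CN=test,OU=Machines,OU=Linux Auth,DC=xxx,DC=local": {
        "objectClass": ["top", "group"],
        "member": ["CN=alice,OU=Location,DC=xxx,DC=local",
                   "CN=admins,OU=Groups,DC=xxx,DC=local"],
    },
    "CN=admins,OU=Groups,DC=xxx,DC=local": {
        "objectClass": ["top", "group"],
        "member": ["CN=bob,OU=Location,DC=xxx,DC=local",
                   "CN=ops,OU=Groups,DC=xxx,DC=local"],
    },
    "CN=ops,OU=Groups,DC=xxx,DC=local": {
        "objectClass": ["top", "group"],
        # ops contains admins, which contains ops: a membership cycle
        "member": ["CN=carol,OU=Location,DC=xxx,DC=local",
                   "CN=admins,OU=Groups,DC=xxx,DC=local"],
    },
    "CN=alice,OU=Location,DC=xxx,DC=local": {"objectClass": ["top", "person", "user"], "sn": ["Smith"]},
    "CN=bob,OU=Location,DC=xxx,DC=local": {"objectClass": ["top", "person", "user"], "sn": ["Jones"]},
    "CN=carol,OU=Location,DC=xxx,DC=local": {"objectClass": ["top", "person", "user"], "sn": ["Wu"]},
}


def lookup_entry(dn, directory=SAMPLE_ENTRIES):
    """Hypothetical helper standing in for
    l.search_s(dn, ldap.SCOPE_BASE, '(objectClass=*)', ['objectClass', 'member']).
    Returns the entry's attribute dict, or None if the DN does not exist."""
    return directory.get(dn)


def is_group(entry):
    # objectClass values are case-insensitive in LDAP
    return any(oc.lower() == "group" for oc in entry.get("objectClass", []))


def expand_group(group_dn, directory=SAMPLE_ENTRIES, max_depth=32):
    """Resolve nested membership on the client side.

    Breadth-first walk over the 'member' attribute of group_dn.  Each group is
    visited at most once, so cycles (A contains B contains A) terminate, and
    max_depth bounds the walk against pathological trees.  Returns the ordered
    list of non-group member DNs and the sorted list of nested groups traversed.
    """
    users, visited = [], set()
    queue = deque([(group_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        if dn in visited or depth > max_depth:
            continue
        visited.add(dn)
        entry = lookup_entry(dn, directory)
        if entry is None:
            continue  # dangling group reference: skip rather than fail
        for member_dn in entry.get("member", []):
            member = lookup_entry(member_dn, directory)
            if member is not None and is_group(member):
                queue.append((member_dn, depth + 1))
            elif member_dn not in users:
                users.append(member_dn)  # leaf: user, computer or unreadable entry
    visited.discard(group_dn)
    return users, sorted(visited)


if __name__ == "__main__":
    members, nested = expand_group("CN=test,OU=Machines,OU=Linux Auth,DC=xxx,DC=local")
    print("users:", members)
    print("nested groups:", nested)
```

Against a real DC, lookup_entry would be a search_s() call on the bound connection; everything else stays the same. The visited set is the important part: without it the admins/ops cycle in the sample data would loop forever, and AD does allow such cycles.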
From me at gustavonarea.net Mon Sep 8 20:03:03 2008
From: me at gustavonarea.net (Gustavo Narea)
Date: Mon, 8 Sep 2008 20:03:03 +0200
Subject: How to get a user's OUs
Message-ID: <200809082003.03707.me@gustavonarea.net>

Hello,

How can I retrieve the Organizational Units a user belongs to via python-ldap? I couldn't find this information in the docs, and search_s() doesn't seem to work for this.

Thanks in advance.

--
Gustavo Narea.
http://gustavonarea.net/

Get rid of unethical constraints! Switch to Freedomware: http://softwareliberty.com/

From michael at stroeder.com Mon Sep 8 23:47:19 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 08 Sep 2008 23:47:19 +0200
Subject: How to get a user's OUs
In-Reply-To: <200809082003.03707.me@gustavonarea.net>
References: <200809082003.03707.me@gustavonarea.net>
Message-ID: <48C59D67.5000508@stroeder.com>

Gustavo Narea wrote:
>
> How can I retrieve the Organizational Units a user belongs to via python-ldap?

This question is not very clear. Do you mean the attribute 'ou' of the user's entry or the ou-container the user's entry is in? If you're working with AD it's probably the latter. Then it's the DN of the user entry's parent entry.

Ciao, Michael.

From me at gustavonarea.net Tue Sep 9 13:25:35 2008
From: me at gustavonarea.net (Gustavo Narea)
Date: Tue, 9 Sep 2008 13:25:35 +0200
Subject: How to get a user's OUs
In-Reply-To: <48C59D67.5000508@stroeder.com>
References: <200809082003.03707.me@gustavonarea.net> <48C59D67.5000508@stroeder.com>
Message-ID: <200809091325.35901.me@gustavonarea.net>

Hello,

On Monday September 8, 2008 23:47:19 you wrote:
> This question is not very clear. Do you mean the attribute 'ou' of the
> user's entry or the ou-container the user's entry is in? If you're
> working with AD it's probably the latter. Then it's the DN of the user
> entry's parent entry.

Thanks for your answer, and sorry for not being clear.
Say I (dn: uid=gnarea,ou=directors,dc=example,dc=org) also belong to ou=sysadmins,dc=example,dc=org and ou=betatesters,dc=example,dc=org. How can I get the set of all the Organizational Units I belong to?

I'm looking for something that if I give the "uid=gnarea,ou=directors,dc=example,dc=org" DN, it returns a tuple/list made up of the items: 'directors', 'sysadmins' and 'betatesters'.

I need this because I'm using group-based authentication in my application.

Thanks in advance.

--
Gustavo Narea.
http://gustavonarea.net/

Get rid of unethical constraints! Switch to Freedomware: http://softwareliberty.com/

From michael at stroeder.com Wed Sep 10 09:21:24 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 10 Sep 2008 09:21:24 +0200
Subject: How to get a user's OUs
In-Reply-To: <200809091325.35901.me@gustavonarea.net>
References: <200809082003.03707.me@gustavonarea.net> <48C59D67.5000508@stroeder.com> <200809091325.35901.me@gustavonarea.net>
Message-ID: <48C77574.9010008@stroeder.com>

Gustavo Narea wrote:
>
> On Monday September 8, 2008 23:47:19 you wrote:
>> This question is not very clear. Do you mean the attribute 'ou' of the
>> user's entry or the ou-container the user's entry is in? If you're
>> working with AD it's probably the latter. Then it's the DN of the user
>> entry's parent entry.
>
> Thanks for your answer, and sorry for not being clear.
>
> Say I (dn: uid=gnarea,ou=directors,dc=example,dc=org)

So this is on AD?

> also belong to
> ou=sysadmins,dc=example,dc=org and ou=betatesters,dc=example,dc=org. How can I
> get the set of all the Organizational Units I belong to?

What does "also belong to" mean? The user entry uid=gnarea,ou=directors,dc=example,dc=org being a member of a group entry? Note that groups are independent from AD's ou-structure. Regarding the ou-structure gnarea is simply in ou=directors,dc=example,dc=org.
> I'm looking for something that if I give the
> "uid=gnarea,ou=directors,dc=example,dc=org" DN, it returns a tuple/list made
> up of the items: 'directors', 'sysadmins' and 'betatesters'.

I don't know what your entries ou=sysadmins,dc=example,dc=org and ou=betatesters,dc=example,dc=org look like.

> I need this because I'm using group-based authentication in my application.
                                              ^^^^^^^^^^^^^^
Authorization I guess.

Please make yourself familiar with group entries and how they differ from ou entries (which are probably not what you want).

Ciao, Michael.

From me at gustavonarea.net Wed Sep 10 12:35:03 2008
From: me at gustavonarea.net (Gustavo Narea)
Date: Wed, 10 Sep 2008 12:35:03 +0200
Subject: How to get a user's OUs
In-Reply-To: <48C77574.9010008@stroeder.com>
References: <200809082003.03707.me@gustavonarea.net> <200809091325.35901.me@gustavonarea.net> <48C77574.9010008@stroeder.com>
Message-ID: <200809101235.03466.me@gustavonarea.net>

Hello,

On Wednesday September 10, 2008 09:21:24 Michael Ströder wrote:
> > I need this because I'm using group-based authentication in my
> > application.
>                                               ^^^^^^^^^^^^^^
> Authorization I guess.

Right, sorry.

> Please make yourself familiar with group entries and how they differ
> from ou entries (which are probably not what you want).

Thanks, I will.

Cheers!

--
Gustavo Narea.
http://gustavonarea.net/

Get rid of unethical constraints!
Switch to Freedomware: http://softwareliberty.com/

From rich.megginson at gmail.com Wed Sep 10 22:59:08 2008
From: rich.megginson at gmail.com (Rich Megginson)
Date: Wed, 10 Sep 2008 14:59:08 -0600
Subject: Problem using ldaps with two different CA cert files
Message-ID: <48C8351C.7050009@gmail.com>

The following code does not work in a couple of different places:

import sys
import ldap, ldap.ldapobject

ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca1.pem')
conn1 = ldap.ldapobject.LDAPObject('ldaps://server1.domain:636')
#conn1.set_option(ldap.OPT_DEBUG_LEVEL, 255)
# NOTE: 1 - setting conn specific cacertfile doesn't work - only the
# module level setting seems to work
#conn1.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca1.pem')
conn1.simple_bind('mybinddn', 'password')
print "conn1 set up correctly"
conn1.unbind_s()

# NOTE: 2 - although this appears to work i.e. get_option returns the new
# one, the code never attempts to open /path/to/ca2.pem - I've validated
# this via strace
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca2.pem')
print "cacert file =", ldap.get_option(ldap.OPT_X_TLS_CACERTFILE)
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 0)  # this works
conn2 = ldap.initialize('ldaps://server2.domain:636')
#conn2.set_option(ldap.OPT_DEBUG_LEVEL, 255)
# again, conn specific setting does not work
conn2.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca2.pem')
print "conn2 cacertfile=", conn2.get_option(ldap.OPT_X_TLS_CACERTFILE)
conn2.simple_bind("binddn2", "password2")  # errors here - cannot verify peer server ssl cert
print "conn2 set up correctly"

Is it possible to use two different CA certs in a single python-ldap app?
I've tried using both version 2.2.0 on rhel5 and version 2.3.1 on fedora 9.

From michael at stroeder.com Thu Sep 11 10:09:02 2008
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 11 Sep 2008 10:09:02 +0200
Subject: Problem using ldaps with two different CA cert files
In-Reply-To: <48C8351C.7050009@gmail.com>
References: <48C8351C.7050009@gmail.com>
Message-ID: <48C8D21E.8010205@stroeder.com>

Rich Megginson wrote:
> Is it possible to use two different CA certs in a single python-ldap
> app?

There are two options:

1. Stuff all trusted CA certs into one "PEM" file and use
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/allcacerts.pem')

2. Copy all CA certs in a directory and use
ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/path/to/cacerts')

For faster lookup with option 2 you should generate symbolic links like described here:
http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl

ln -s my_ca.crt `openssl x509 -hash -noout -in my_ca.crt`.0

I think you can find pretty much docs about how OpenSSL handles multiple CA certs.

BTW: With OpenLDAP 2.4 client libs you can also set ldap.OPT_X_TLS_CACERTDIR connection-specific.

Ciao, Michael.

From rich.megginson at gmail.com Thu Sep 11 16:22:25 2008
From: rich.megginson at gmail.com (Rich Megginson)
Date: Thu, 11 Sep 2008 08:22:25 -0600
Subject: Problem using ldaps with two different CA cert files
In-Reply-To: <48C8D21E.8010205@stroeder.com>
References: <48C8351C.7050009@gmail.com> <48C8D21E.8010205@stroeder.com>
Message-ID: <48C929A1.9050107@gmail.com>

Michael Ströder wrote:
> Rich Megginson wrote:
>
>> Is it possible to use two different CA certs in a single python-ldap
>> app?
>>
>
> There are two options:
>
> 1. Stuff all trusted CA certs into one "PEM" file and use
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/allcacerts.pem')
>
> 2.
> Copy all CA certs in a directory and use
> ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/path/to/cacerts')
>
> For faster lookup with option 2 you should generate symbolic links like
> described here:
> http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl
>
> ln -s my_ca.crt `openssl x509 -hash -noout -in my_ca.crt`.0
>
> I think you can find pretty much docs about how OpenSSL handles multiple
> CA certs.
>

Ok. Thanks Michael. I'll look into it.

> BTW: With OpenLDAP 2.4 client libs you can also set
> ldap.OPT_X_TLS_CACERTDIR connection-specific.
>
> Ciao, Michael.
>
>

From jonathan at 23andme.com Tue Sep 16 02:39:41 2008
From: jonathan at 23andme.com (Jonathan Hansen)
Date: Mon, 15 Sep 2008 17:39:41 -0700
Subject: Change password
Message-ID: <5DF8C4A5-B374-4F56-A9ED-B9D4B749367B@23andme.com>

Does anyone have a working password change script for Active Directory server that will run on Linux? We try and run as little as possible on Windows. I have found several but none actually run. I know I am committing a list faux pas by asking this, but I am an IT guy, not a programmer, so although I am working on it I do not yet have the skill to sort out stuff like this.

My attempt at a script authenticated fine but then, when I tried to do a search or anything else, claimed it was not able to talk to the server it had just authenticated against. *sighs* I hate Microsoft.
Thanks,
Jonathan

PS: my error in case anyone wants to help with that instead:

=> result: (97, [], 1, [])
Bind result: (97, [])
Running search: (objectClass=user)(mail=*)
*** ldap://my.ldap.server:389 - SimpleLDAPObject.search_ext
(('cn=Users,my.dc', 2, '(objectClass=user)(mail=*)', ['*'], 0, None, None, -1, 0),{})
=> result: 2
*** ldap://my.ldap.server:389 - SimpleLDAPObject.result3 ((2, 1, -1),{})
=> LDAPError - SERVER_DOWN: {'info': '', 'desc': "Can't contact LDAP server"}
Can't contact LDAP server

From michael at stroeder.com Tue Sep 16 08:14:17 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 16 Sep 2008 08:14:17 +0200
Subject: Change password
In-Reply-To: <5DF8C4A5-B374-4F56-A9ED-B9D4B749367B@23andme.com>
References: <5DF8C4A5-B374-4F56-A9ED-B9D4B749367B@23andme.com>
Message-ID: <48CF4EB9.5060003@stroeder.com>

Jonathan Hansen wrote:
> Does anyone have a working password change script for Active Directory
> server that will run on Linux?

My web2ldap implements it. But it's not a small script. Depending on your use-case you might consider deploying web2ldap though. At least for learning what the data looks like it would be useful.

I see three issues here:

> *** ldap://my.ldap.server:389 - SimpleLDAPObject.search_ext
> (('cn=Users,my.dc', 2, '(objectClass=user)(mail=*)', ['*'], 0, None,
     ^^^^^

1. This is not a valid DN. With AD it should rather look like cn=Users,dc=my,dc=domain

> *** ldap://my.ldap.server:389 - SimpleLDAPObject.result3 ((2, 1, -1),{})
> => LDAPError - SERVER_DOWN: {'info': '', 'desc': "Can't contact LDAP
> server"}

2. This error code means the LDAP server wasn't reachable at all.

3. Also note that for changing the AD password (attribute unicodePwd) you have to use SSL. So your connection URI has to look like this: ldaps://my.ldap.server:636

See Demo/initialize.py how to set the SSL/TLS-related options.

Ciao, Michael.
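Two things from this thread and from Mike's snippet earlier are worth pinning down in code: the exact unicodePwd encoding (the quoted password as UTF-16-LE), the difference between an administrative reset (MOD_REPLACE, what Mike's code does) and a self-service change with both the old and new password (MOD_DELETE of the old value plus MOD_ADD of the new one in a single modify, which is the case Randy asked about), and Michael's point that the DC only accepts either over ldaps://. The block below is an added example for Python 3 and python-ldap 3.x, not code from the list or from web2ldap. The modlist helpers run without python-ldap installed (the MOD_* values fall back to the numbers python-ldap takes from OpenLDAP); change_ad_password() is the only part that needs the library, and its URI, DNs and CA path are placeholders.

```python
try:
    import ldap  # python-ldap: needed only for the network part and the MOD_* constants
    MOD_ADD, MOD_DELETE, MOD_REPLACE = ldap.MOD_ADD, ldap.MOD_DELETE, ldap.MOD_REPLACE
except ImportError:
    # Same numeric values python-ldap takes from OpenLDAP's
    # LDAP_MOD_ADD/LDAP_MOD_DELETE/LDAP_MOD_REPLACE, so the modlist helpers
    # below work without the library installed.
    ldap = None
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

PASSWORD_ATTR = "unicodePwd"


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts unicodePwd only as the password wrapped in double quotes and
    encoded as UTF-16-LE without a BOM; this is the transformation Mike's
    snippet performs with unicode(...).encode('utf-16-le')."""
    return ('"%s"' % password).encode("utf-16-le")


def reset_password_modlist(new_password: str):
    """Administrative reset by a privileged bind DN: replace the whole
    attribute.  The old password is not needed (and not checked)."""
    return [(MOD_REPLACE, PASSWORD_ATTR, [encode_unicode_pwd(new_password)])]


def change_password_modlist(old_password: str, new_password: str):
    """Self-service change: delete the old value and add the new one in the
    same modify operation, so the DC verifies the old password and applies
    the password policy (history, complexity) instead of a bare reset."""
    return [
        (MOD_DELETE, PASSWORD_ATTR, [encode_unicode_pwd(old_password)]),
        (MOD_ADD, PASSWORD_ATTR, [encode_unicode_pwd(new_password)]),
    ]


def uses_ldaps(uri: str) -> bool:
    """The DC refuses unicodePwd modifications on a cleartext connection, so
    refuse to even try unless the URI is ldaps://."""
    return uri.lower().startswith("ldaps://")


def change_ad_password(uri, bind_dn, bind_pw, user_dn, old_password, new_password,
                       cacertfile="/path/to/ca.pem"):
    """Send a self-service change over ldaps:// with the server certificate
    verified against cacertfile (a placeholder path)."""
    if ldap is None:
        raise RuntimeError("python-ldap is required for the network part")
    if not uses_ldaps(uri):
        raise ValueError("unicodePwd can only be modified over TLS, got %s" % uri)
    # TLS settings are process-wide in the OpenLDAP client library and must be
    # set before the first connection is opened.
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        conn.modify_s(user_dn, change_password_modlist(old_password, new_password))
    finally:
        conn.unbind_s()
```

For the self-service form the bind DN can be the user's own account; for reset_password_modlist() it has to be an account with reset-password rights on the target. Either way the DC enforces the check itself, so there is nothing to gain from skipping the old-value delete on the client.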
From junyer at gmail.com Fri Sep 19 08:21:00 2008
From: junyer at gmail.com (Paul Wankadia)
Date: Fri, 19 Sep 2008 16:21:00 +1000
Subject: ldap.modlist.modifyModlist()
Message-ID: <510ca9b40809182321v7d5193e1i4ef143e0d9ea152b@mail.gmail.com>

Hi, Michael.

The current implementation of modifyModlist() clashed with some ACLs because it touches too many values. :/

Here's a replacement that I hacked together:

import ldap

def ModifyList(old_attrs, new_attrs):
    modify = []
    old_keys = set(old_attrs)
    new_keys = set(new_attrs)
    # attributes that disappeared: delete the whole attribute
    for attr in old_keys - new_keys:
        modify.append((ldap.MOD_DELETE, attr, None))
    # attributes that are new: add all their values
    for attr in new_keys - old_keys:
        modify.append((ldap.MOD_ADD, attr, new_attrs[attr]))
    # attributes present on both sides: touch only the values that changed
    for attr in old_keys & new_keys:
        old_values = set(old_attrs[attr])
        new_values = set(new_attrs[attr])
        if len(old_values) == 1 and len(new_values) == 1:
            if old_values != new_values:
                modify.append((ldap.MOD_REPLACE, attr, list(new_values)))
        else:
            delta = old_values - new_values
            if delta:
                modify.append((ldap.MOD_DELETE, attr, list(delta)))
            delta = new_values - old_values
            if delta:
                modify.append((ldap.MOD_ADD, attr, list(delta)))
    return modify

Would you be averse to reimplementing modifyModlist() in a similar way?

Thanks for your consideration.

From michael at stroeder.com Fri Sep 19 10:12:31 2008
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 19 Sep 2008 10:12:31 +0200
Subject: ldap.modlist.modifyModlist()
In-Reply-To: <510ca9b40809182321v7d5193e1i4ef143e0d9ea152b@mail.gmail.com>
References: <510ca9b40809182321v7d5193e1i4ef143e0d9ea152b@mail.gmail.com>
Message-ID: <48D35EEF.3070901@stroeder.com>

Paul Wankadia wrote:
> The current implementation of modifyModlist() clashed with some ACLs
> because it touches too many values. :/

I don't fully understand. Do you have ACLs based on certain attribute values? It would probably be a good idea to mention these issues in the docs.
> Here's a replacement that I hacked together:
>
>             if old_values != new_values:
>                 modify.append((ldap.MOD_REPLACE, attr, list(new_values)))

The problem with MOD_REPLACE or with only deleting/adding certain attribute values is that it needs EQUALITY matching rules to be implemented at the server-side for all syntaxes of attributes to be modified. That's not the case for e.g. jpegPhoto (or even attribute postalAddress on some servers).

In web2ldap I have a modified function modifyModlist() which examines the subschema for determining whether the attribute type has an EQUALITY matching rule assigned and whether this particular matching rule is really listed in the subschema.

=> So for general use I won't accept your version since it will choke in many more cases.

Ciao, Michael.

From junyer at gmail.com Fri Sep 19 16:31:31 2008
From: junyer at gmail.com (Paul Wankadia)
Date: Sat, 20 Sep 2008 00:31:31 +1000
Subject: ldap.modlist.modifyModlist()
In-Reply-To: <48D35EEF.3070901@stroeder.com>
References: <510ca9b40809182321v7d5193e1i4ef143e0d9ea152b@mail.gmail.com> <48D35EEF.3070901@stroeder.com>
Message-ID: <510ca9b40809190731m733bc9eeibf0a1ccb89680034@mail.gmail.com>

On Fri, Sep 19, 2008 at 6:12 PM, Michael Ströder wrote:
>> The current implementation of modifyModlist() clashed with some ACLs
>> because it touches too many values. :/
>
> I don't fully understand. Do you have ACLs based on certain attribute
> values? It would probably be a good idea to mention these issues in the
> docs.

Access to objectClass is restricted, for example, so it's necessary to be surgical.

>>             if old_values != new_values:
>>                 modify.append((ldap.MOD_REPLACE, attr, list(new_values)))
>
> The problem with MOD_REPLACE or with only deleting/adding certain
> attribute values is that it needs EQUALITY matching rules to be
> implemented at the server-side for all syntaxes of attributes to be
> modified. That's not the case for e.g. jpegPhoto (or even attribute
> postalAddress on some servers).
Do you happen to know whether OpenLDAP has any problems in this regard?

> In web2ldap I have a modified function modifyModlist() which examines
> the subschema for determining whether the attribute type has an EQUALITY
> matching rule assigned and whether this particular matching rule is
> really listed in the subschema.

What does it do then?

> => So for general use I won't accept your version since it will choke in
> many more cases.

I understand.

From michael at stroeder.com Fri Sep 19 17:00:25 2008
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 19 Sep 2008 17:00:25 +0200
Subject: ldap.modlist.modifyModlist()
In-Reply-To: <510ca9b40809190731m733bc9eeibf0a1ccb89680034@mail.gmail.com>
References: <510ca9b40809182321v7d5193e1i4ef143e0d9ea152b@mail.gmail.com> <48D35EEF.3070901@stroeder.com> <510ca9b40809190731m733bc9eeibf0a1ccb89680034@mail.gmail.com>
Message-ID: <48D3BE89.4070306@stroeder.com>

Paul Wankadia wrote:
> On Fri, Sep 19, 2008 at 6:12 PM, Michael Ströder wrote:
>
>>> The current implementation of modifyModlist() clashed with some ACLs
>>> because it touches too many values. :/
>> I don't fully understand. Do you have ACLs based on certain attribute
>> values? It would probably be a good idea to mention these issues in the
>> docs.
>
> Access to objectClass is restricted, for example, so it's necessary to
> be surgical.

Is access to attribute 'objectClass' restricted as a whole? Or do you have ACLs based on certain attribute values (object class names in this case)? Only the latter case seems to be a problem to me.

>>>             if old_values != new_values:
>>>                 modify.append((ldap.MOD_REPLACE, attr, list(new_values)))
>> The problem with MOD_REPLACE or with only deleting/adding certain
>> attribute values is that it needs EQUALITY matching rules to be
>> implemented at the server-side for all syntaxes of attributes to be
>> modified. That's not the case for e.g. jpegPhoto (or even attribute
>> postalAddress on some servers).
>
> Do you happen to know whether OpenLDAP has any problems in this regard?

Actually I started with an implementation of modifyModlist() in web2ldap which did almost exactly what you propose. But in general it turned out not to be usable. It always depends on the attributes you're dealing with. Check the subschema on your server.

>> In web2ldap I have a modified function modifyModlist() which examines
>> the subschema for determining whether the attribute type has an EQUALITY
>> matching rule assigned and whether this particular matching rule is
>> really listed in the subschema.
>
> What does it do then?

It falls back to applying MOD_DELETE/MOD_ADD to the whole attribute.

Ciao, Michael.

From junyer at gmail.com Sun Sep 21 08:25:37 2008
From: junyer at gmail.com (Paul Wankadia)
Date: Sun, 21 Sep 2008 16:25:37 +1000
Subject: ldap.modlist.modifyModlist()
In-Reply-To: <48D3BE89.4070306@stroeder.com>
References: <510ca9b40809182321v7d5193e1i4ef143e0d9ea152b@mail.gmail.com> <48D35EEF.3070901@stroeder.com> <510ca9b40809190731m733bc9eeibf0a1ccb89680034@mail.gmail.com> <48D3BE89.4070306@stroeder.com>
Message-ID: <510ca9b40809202325v333e6e7bh25000671eade103e@mail.gmail.com>

On Sat, Sep 20, 2008 at 1:00 AM, Michael Ströder wrote:
>> Access to objectClass is restricted, for example, so it's necessary to
>> be surgical.
>
> Is access to attribute 'objectClass' restricted as a whole? Or do you
> have ACLs based on certain attribute values (object class names in this
> case)? Only the latter case seems to be a problem to me.

It is indeed the latter.

>> Do you happen to know whether OpenLDAP has any problems in this regard?
>
> Actually I started with an implementation of modifyModlist() in web2ldap
> which did almost exactly what you propose. But in general it turned out
> not to be usable. It always depends on the attributes you're dealing
> with. Check the subschema on your server.

I will do so. Thanks for your time.
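The thread above ends with the two halves of a workable design: Paul's value-level diff (so that a modify touching objectClass only sends the one value that changed and stays inside value-based ACLs) and Michael's caveat that value-level MOD_DELETE/MOD_ADD only works for attribute types whose EQUALITY matching rule the server actually implements, with web2ldap falling back to deleting and re-adding the whole attribute otherwise. The block below is an added example for Python 3 and the bytes-valued modlists of python-ldap 3.x, not code from python-ldap or web2ldap; SAMPLE_EQUALITY and has_equality() are an invented stand-in for what you would derive from the server's subschema (ldap.schema.SubSchema), and the MOD_* fallbacks are the numeric values python-ldap takes from OpenLDAP.

```python
try:
    import ldap
    MOD_ADD, MOD_DELETE, MOD_REPLACE = ldap.MOD_ADD, ldap.MOD_DELETE, ldap.MOD_REPLACE
except ImportError:
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2  # python-ldap's values, from OpenLDAP

# Constructed stand-in for the answer you would get from the server's
# subschema: True when the attribute type has an EQUALITY matching rule the
# server implements, False when it has none (or an unimplemented one).
SAMPLE_EQUALITY = {
    "objectclass": True,     # objectIdentifierMatch
    "cn": True,              # caseIgnoreMatch
    "mail": True,            # caseIgnoreIA5Match
    "description": True,
    "jpegphoto": False,      # no EQUALITY rule for the JPEG syntax
    "postaladdress": False,  # caseIgnoreListMatch is not implemented everywhere
}


def has_equality(attr, schema=SAMPLE_EQUALITY):
    """Hypothetical lookup; attribute types not in the table are treated
    conservatively as having no usable EQUALITY rule."""
    return schema.get(attr.lower(), False)


def modify_modlist(old_entry, new_entry, schema=SAMPLE_EQUALITY):
    """Build a python-ldap modlist turning old_entry into new_entry.

    Attributes with a usable EQUALITY matching rule get value-level
    MOD_DELETE/MOD_ADD of only the changed values.  Attributes without one
    cannot have individual values matched server-side, so the whole attribute
    is deleted and re-added instead.  Attribute names are compared
    case-insensitively, as LDAP does; values are bytes.
    """
    old = {k.lower(): (k, list(v)) for k, v in old_entry.items()}
    new = {k.lower(): (k, list(v)) for k, v in new_entry.items()}
    modlist = []
    for key in sorted(set(old) | set(new)):
        if key not in new:
            modlist.append((MOD_DELETE, old[key][0], None))
            continue
        attr, new_values = new[key]
        if key not in old:
            modlist.append((MOD_ADD, attr, new_values))
            continue
        old_values = old[key][1]
        if sorted(old_values) == sorted(new_values):
            continue  # byte-identical on the client: nothing to send
        if has_equality(attr, schema):
            removed = [v for v in old_values if v not in new_values]
            added = [v for v in new_values if v not in old_values]
            if removed:
                modlist.append((MOD_DELETE, attr, removed))
            if added:
                modlist.append((MOD_ADD, attr, added))
        else:
            # no EQUALITY rule: replace the attribute wholesale
            modlist.append((MOD_DELETE, attr, None))
            modlist.append((MOD_ADD, attr, new_values))
    return modlist


if __name__ == "__main__":
    # constructed before/after entries for a demo run
    before = {"objectClass": [b"top", b"person"], "jpegPhoto": [b"\xff\xd8old"]}
    after = {"objectClass": [b"top", b"person", b"inetOrgPerson"], "jpegPhoto": [b"\xff\xd8new"]}
    for op in modify_modlist(before, after):
        print(op)
```

The per-attribute decision is the whole point: with a real subschema the table is replaced by a check of AttributeType.equality, and a value that only changed order or case is still sent as a delete/add pair because the client cannot know how the server's matching rule would compare it.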
From michael at stroeder.com Tue Sep 23 15:35:05 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 23 Sep 2008 15:35:05 +0200
Subject: ldap.modlist.modifyModlist() (resent to list)
In-Reply-To: <510ca9b40809190731m733bc9eeibf0a1ccb89680034@mail.gmail.com>
References: <510ca9b40809182321v7d5193e1i4ef143e0d9ea152b@mail.gmail.com> <48D35EEF.3070901@stroeder.com> <510ca9b40809190731m733bc9eeibf0a1ccb89680034@mail.gmail.com>
Message-ID: <48D8F089.9000606@stroeder.com>

Paul Wankadia wrote:
> On Fri, Sep 19, 2008 at 6:12 PM, Michael Ströder wrote:
>
>>> The current implementation of modifyModlist() clashed with some ACLs
>>> because it touches too many values. :/
>> I don't fully understand. Do you have ACLs based on certain attribute
>> values? It would probably be a good idea to mention these issues in the
>> docs.
>
> Access to objectClass is restricted, for example, so it's necessary to
> be surgical.

Is access to attribute 'objectClass' restricted as a whole? Or do you have ACLs based on certain attribute values (object class names in this case)? Only the latter case seems to be a problem to me.

>>>             if old_values != new_values:
>>>                 modify.append((ldap.MOD_REPLACE, attr, list(new_values)))
>> The problem with MOD_REPLACE or with only deleting/adding certain
>> attribute values is that it needs EQUALITY matching rules to be
>> implemented at the server-side for all syntaxes of attributes to be
>> modified. That's not the case for e.g. jpegPhoto (or even attribute
>> postalAddress on some servers).
>
> Do you happen to know whether OpenLDAP has any problems in this regard?

Actually I started with an implementation of modifyModlist() in web2ldap which did almost exactly what you propose. But in general it turned out not to be usable. It always depends on the attributes you're dealing with. Check the subschema on your server.
>> In web2ldap I have a modified function modifyModlist() which examines
>> the subschema for determining whether the attribute type has an EQUALITY
>> matching rule assigned and whether this particular matching rule is
>> really listed in the subschema.
>
> What does it do then?

It falls back to applying MOD_DELETE/MOD_ADD to the whole attribute.

Ciao, Michael.

From metebilgin48 at gmail.com Fri Sep 26 12:47:18 2008
From: metebilgin48 at gmail.com (mete bilgin)
Date: Fri, 26 Sep 2008 13:47:18 +0300
Subject: python-ldap wrong auth. after server down
Message-ID:

Hi all,

I'm trying to connect to LDAP from Python. When I give it the correct username
and password, nothing goes wrong... But when I try a wrong password, the
server shuts down... How can I get past that?

ps:

    import ldap

    def check_bind(word, password):
        # ldap.open() is the older call; newer python-ldap prefers ldap.initialize('ldap://localhost')
        ldap_server = ldap.open('localhost')
        ldap_server.protocol_version = ldap.VERSION3
        try:
            ldap_server.simple_bind_s(word, password)
            ldap_server.unbind()   # must run before the return, or it is never reached
            return 'bind yapıldı'
        except ldap.LDAPError as e:
            return e

From michael at stroeder.com Fri Sep 26 12:53:39 2008
From: michael at stroeder.com (=?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?=)
Date: Fri, 26 Sep 2008 12:53:39 +0200
Subject: python-ldap wrong auth. after server down
In-Reply-To:
References:
Message-ID: <48DCBF33.3010503@stroeder.com>

mete bilgin wrote:
> I'm trying to connect to LDAP from Python. When I give it the correct username
> and password, nothing goes wrong... But when I try a wrong password, the
> server shuts down... How can I get past that?

What does "the server shuts down" mean exactly? Is it stopped?

> ps:
>
>     import ldap
>
>     def check_bind(word, password):
>         # ldap.open() is the older call; newer python-ldap prefers ldap.initialize('ldap://localhost')
>         ldap_server = ldap.open('localhost')
>         ldap_server.protocol_version = ldap.VERSION3
>         try:
>             ldap_server.simple_bind_s(word, password)
>             ldap_server.unbind()   # must run before the return, or it is never reached
>             return 'bind yapıldı'
>         except ldap.LDAPError as e:
>             return e

Frankly you did not provide enough information. I'd set client-side
logging options in python-ldap (see Demo/initialize.py) and examine the
server logs.
Which server vendor and version is that?

Ciao, Michael.

From michael at stroeder.com Fri Sep 26 14:15:08 2008
From: michael at stroeder.com (=?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?=)
Date: Fri, 26 Sep 2008 14:15:08 +0200
Subject: python-ldap wrong auth. after server down
In-Reply-To:
References: <48DCBF33.3010503@stroeder.com>
Message-ID: <48DCD24C.1090007@stroeder.com>

Please don't e-mail me personally. Stay on the mailing list!

mete bilgin wrote:
> 2008/9/26 Michael Ströder
>
>> mete bilgin wrote:
>>> I'm trying to connect to LDAP from Python. When I give it the correct
>>> username and password, nothing goes wrong... But when I try a wrong
>>> password, the server shuts down... How can I get past that?
>>
>> What does "the server shuts down" mean exactly? Is it stopped?
>
> yes it's stopped
> [..]
> Sep 26 14:12:27 localhost klogd: slapd[24032]: segfault at 1f ip
> b7c61790 sp b6cf9a40 error 4 in libdb-4.6.so
> [b7bcc000+13a000]

This looks like a bug in OpenLDAP. It has nothing to do with python-ldap. I
already saw this myself yesterday when doing SASL/EXTERNAL bind. It's on
my to-do list to track this down and report to OpenLDAP's ITS if I find
some spare time. You could help if you clarify this on the openldap-software
mailing list and file an ITS.

Ciao, Michael.
