From andre.basel at gmail.com Sun Oct 5 22:36:01 2008
From: andre.basel at gmail.com (Andre Basel)
Date: Mon, 6 Oct 2008 09:36:01 +1300
Subject: configure: error: BDB/HDB: BerkeleyDB not available
Message-ID: <3aeacc480810051336q4b5b7412v8ad62d6c7c37bb6a@mail.gmail.com>

When trying to install OpenLDAP, I get the above error.

How do I install BerkeleyDB, or make it available?

--
André
(h) +64 9 444 3228
(w) +64 9 488 3755
(c) +64 27 335 0955
www.baselmania.com

From michael at stroeder.com Mon Oct 6 00:04:47 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 06 Oct 2008 00:04:47 +0200
Subject: configure: error: BDB/HDB: BerkeleyDB not available
In-Reply-To: <3aeacc480810051336q4b5b7412v8ad62d6c7c37bb6a@mail.gmail.com>
References: <3aeacc480810051336q4b5b7412v8ad62d6c7c37bb6a@mail.gmail.com>
Message-ID: <48E939FF.5090300@stroeder.com>

Andre Basel wrote:
> When trying to install OpenLDAP , I get the above error.
>
> How do I install BerkeleyDB, or make it available?

It's more appropriate to ask questions about how to install OpenLDAP on
the openldap-software mailing list:

http://www.openldap.org/lists/

FWIW: If you just need the OpenLDAP client libs as a prerequisite for
building python-ldap you might wanna build with

configure --disable-slapd
make

Ciao, Michael.

From michael at stroeder.com Fri Nov 7 15:24:57 2008
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 07 Nov 2008 15:24:57 +0100
Subject: Thoughts on python-ldap 3.0
Message-ID: <49144FB9.5080505@stroeder.com>

HI!

Given that Python 3.0 makes good progress it's worth to think about how
to provide a LDAP module for Python 3.0.
Glancing over PEP 3000 it's pretty obvious that python-ldap could be
changed more than just adding a few compatibility patches needed for 2.5
or 2.6 since Python 3.0 seems to be a pretty different thing and
applications also won't run without significant changes.

So I'm currently thinking about whether it's worth to take 3.0 as a
trigger to completely rewrite python-ldap probably leading to an
incompatible module API.

Some ideas:
- move away from SourceForge
- new SVN-based repository
- wrap libldap (and liblber?) with built-in ctypes
- compatibility layers for mozldap, OpenLDAP and winldap?
- partial rewrite of ldap.schema with some API changes
- class library for LDAP syntaxes and matching rules
- Unicode support maybe with schema-aware LDAP operations

Definitely volunteers are needed for the ctypes parts!

Let me know what *you* like to see in python-ldap 3.0.

Ciao, Michael.

From michael at stroeder.com Fri Nov 7 18:27:18 2008
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 07 Nov 2008 18:27:18 +0100
Subject: Thoughts on python-ldap 3.0
In-Reply-To: <49144FB9.5080505@stroeder.com>
References: <49144FB9.5080505@stroeder.com>
Message-ID: <49147A76.6000809@stroeder.com>

Michael Ströder wrote:
> Some ideas:

Forgot one point:

I'd prefer python-ldap to be part of the Python standard lib in the long
run. New code would make it possible to meet the licensing prerequisites
of the PSF for this from the very beginning.

Ciao, Michael.

From geert at boskant.nl Sat Nov 22 00:18:54 2008
From: geert at boskant.nl (Geert Jansen)
Date: Fri, 21 Nov 2008 18:18:54 -0500
Subject: [PATCH] support for LDAP_OPT_X_NOCANON
Message-ID: <648242720811211518k726c54b9y1c8357255477ae5a@mail.gmail.com>

[re-send in plain text. apologies for posting in html]

Hi,

OpenLDAP CVS has just added support for a new LDAP option
LDAP_OPT_X_NOCANON. This option turns off host canonicalization based on
reverse DNS in OpenLDAP.
The attached patch makes this option available in python-ldap.

One use case for this option is environments where you don't need
reverse DNS for canonicalization, or where you have server-side
canonicalization. This works great in Windows environments, especially
so because there reverse DNS is often wrong. If you combine this LDAP
option with the setting "rdns = no" in your /etc/krb5.conf, you are now
able to use SASL/GSSAPI to authenticate to an LDAP server that has no or
no proper reverse DNS.

Regards,
Geert

-------------- next part --------------
A non-text attachment was scrubbed...
Name: python-ldap-2.3.5-canon.patch
Type: application/octet-stream
Size: 850 bytes
Desc: not available

From plone at alopes.com Tue Dec 9 12:29:38 2008
From: plone at alopes.com (Alberto Lopes)
Date: Tue, 9 Dec 2008 08:29:38 -0300
Subject: Certificate checking on LDAP over SSL connection
Message-ID:

Dear friends,

I am using python-ldap indirectly, as a dependency for the
LDAPUserFolder product for Zope.

From what I understood from the LDAPUserFolder code, it delegates the
SSL negotiation to the python-ldap library.

The problem is that when I try to make an LDAP connection over SSL (to a
MS-AD server), I get an "invalid certificate" message. How can I pass the
CAcertificate to the python-ldap layer in order to have it accepting the
server certificate?

I am using python-ldap in Windows, using the OpenSSL and OpenLDAP DLLs
that I got from http://python-ldap.sourceforge.net/download.shtml.

Please help me.

Best regards,

Alberto
From michael at stroeder.com Tue Dec 9 12:54:32 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 09 Dec 2008 12:54:32 +0100
Subject: Certificate checking on LDAP over SSL connection
In-Reply-To:
References:
Message-ID: <493E5C78.4020807@stroeder.com>

Alberto Lopes wrote:
>
> From what I understood from the LDAPUserFolder code, it delegates the
> SSL negotiation to the python-ldap library.

And further down the delegation path:
python-ldap -> OpenLDAP lib -> OpenSSL lib

> How can I pass the
> CAcertificate to the python-ldap layer in order to have it accepting the
> server certificate?

See Demo/initialize.py in python-ldap's source distribution.

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')

or

ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,'/etc/httpd/ssl.crt')

In older versions of the OpenLDAP libs you can only set these options
globally. Not sure about 2.4.8.

I have no clue whether LDAPUserFolder makes it possible to set these
options though.

Ciao, Michael.

From plone at alopes.com Tue Dec 9 19:29:20 2008
From: plone at alopes.com (Alberto Lopes)
Date: Tue, 9 Dec 2008 16:29:20 -0200
Subject: Certificate checking on LDAP over SSL connection
In-Reply-To: <493E5C78.4020807@stroeder.com>
References: <493E5C78.4020807@stroeder.com>
Message-ID:

Dear Michael,

Thank you for your answer.

Now, I'm working on making the zope python interpreter to be able to
connect to the LDAP server (over SSL), using the example in
Demo/initialize.py.

However I got stuck in a different problem.
When trying to connect, I followed this sequence of commands (changing
the /path/to/my/CAcert and : sequences):

import sys,ldap
ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
ldapmodule_trace_level = 1
ldapmodule_trace_file = sys.stderr
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/path/to/my/CAcert')
l = ldap.initialize('ldaps://:',trace_level=ldapmodule_trace_level,trace_file=ldapmodule_trace_file)
l.protocol_version=ldap.VERSION3
l.bind_s('','',ldap.AUTH_SIMPLE)

Here, I got the following message:

ldap.SERVER_DOWN: {'info': 'TLS: unable to get CN from peer certificate', 'desc' : "Can't contact LDAP server"}

Point is, the LDAP server certificate doesn't have the "Subject" field;
instead, it uses the "Subject Alternate Name" field in the V3 Extensions.

Can anyone help me?

Best regards,

Alberto

On Tue, Dec 9, 2008 at 9:54 AM, Michael Ströder wrote:

> Alberto Lopes wrote:
> >
> > From what I understood from the LDAPUserFolder code, it delegates the
> > SSL negotiation to the python-ldap library.
>
> And further down the delegation path:
> python-ldap -> OpenLDAP lib -> OpenSSL lib
>
> > How can I pass the
> > CAcertificate to the python-ldap layer in order to have it accepting the
> > server certificate?
>
> See Demo/initialize.py in python-ldap's source distribution.
>
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
>
> or
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,'/etc/httpd/ssl.crt')
>
> In older versions of the OpenLDAP libs you can only set these options
> globally. Not sure about 2.4.8.
>
> I have no clue whether LDAPUserFolder makes it possible to set these
> options though.
>
> Ciao, Michael.
>
From plone at alopes.com Tue Dec 9 20:44:49 2008
From: plone at alopes.com (Alberto Lopes)
Date: Tue, 9 Dec 2008 17:44:49 -0200
Subject: Certificate checking on LDAP over SSL connection
In-Reply-To: <493EC3BE.80607@stroeder.com>
References: <493E5C78.4020807@stroeder.com> <493EC3BE.80607@stroeder.com>
Message-ID:

Michael,

Here is what I got after the

openssl s_client -connect : -CAfile /path/to/my/CAcert

command:

CONNECTED(00000784)
---
Certificate chain
 0 s:
   i:/DC=srf/CN=AC DN
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFjjCCBHagAwIBAgIKb11m+wAAAAACNzANBgkqhkiG9w0BAQUFADAzMRMwEQYK
CZImiZPyLGQBGRYDc3JmMRwwGgYDVQQDExNSRkIgRW50ZXJwcmlzZSBDQTAyMB4X
DTA4MTIwODEzNTUzOVoXDTA5MTIwODEzNTUzOVowADCBnzANBgkqhkiG9w0BAQEF
CERTIFICATE VOIDED FOR SECURITY REASONS
4cT9LQqwIZImw43pkJOBb4SpAWgtRFp593ydbecZ3Kp8bGq7nLm5fhTazF0tuH7j
mXj1Y2rkoucgDBDPTDRfIodpbmwiv85KdxVLjYbMwC6UZkJAnbyyZsJMnEV7gvIU
aB8SRTjVy3I2L9qs+PE6VmFEj77s9GJ/uK6sQKe5r9wMhfumB9hhvINdiAZHjDrL
BonD2E6tujKEZFK/Rpy2bB4xACM/Bo2Y9/w8ubsfaREvcA==
-----END CERTIFICATE-----
subject=
issuer=/DC=srf/CN=AC DN
---
Acceptable client certificate CA names
... LIST OF DNs deleted from screen capture for security reasons ...
---
SSL handshake has read 5964 bytes and written 318 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 180E00000D77AF6764CDEA8AD607E28BB8EF02028EBFB4F2C2C2CBEA354788FD
    Session-ID-ctx:
    Master-Key: 51434AA335DE806D5AC923D057A0A2C865B1D4FDCEB0CF6B3C7B148EA3187E0565B7559B10817BF81A93F79B1E34101E
    Key-Arg   : None
    Start Time: 1228851254
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

From the "subject=" line, one could see that the server certificate is
subjectless.

Do you think that's the reason why I couldn't connect via python-ldap?

Thanks,

Alberto
From michael at stroeder.com Tue Dec 9 20:15:10 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 09 Dec 2008 20:15:10 +0100
Subject: Certificate checking on LDAP over SSL connection
In-Reply-To:
References: <493E5C78.4020807@stroeder.com>
Message-ID: <493EC3BE.80607@stroeder.com>

Alberto Lopes wrote:
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/path/to/my/CAcert')
> l = ldap.initialize('ldaps://:',trace_level=ldapmodule_trace_level,trace_file=ldapmodule_trace_file)
>
> l.protocol_version=ldap.VERSION3
> l.bind_s('','',ldap.AUTH_SIMPLE)
>
> Here, I got the following message:
> ldap.SERVER_DOWN: {'info': 'TLS: unable to get CN from peer
> certificate', 'desc' : "Can't contact LDAP server"}

This is rather an OpenSSL issue maybe depending on the OpenSSL version
used to build OpenLDAP libs. I'd test that with openssl s_client first:

openssl s_client -connect : -CAfile /path/to/my/CAcert

> Point is, the LDAP server certificate doesn't have the "Subject" field;
> instead, it uses the "Subject Alternate Name" field in the V3 Extensions.

Well, a cert MUST have a subject DN. It might be the case that it does
not have a CN attribute. IMHO it should.

Ciao, Michael.

From michael at stroeder.com Wed Dec 10 09:03:24 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 10 Dec 2008 09:03:24 +0100
Subject: Certificate checking on LDAP over SSL connection
In-Reply-To:
References: <493E5C78.4020807@stroeder.com> <493EC3BE.80607@stroeder.com>
Message-ID: <493F77CC.60103@stroeder.com>

Alberto Lopes wrote:
> subject=
> issuer=/DC=srf/CN=AC DN
> [..]
> From the "subject=" line, one could see that the server certificate is
> subjectless.

Why do you use such an invalid cert? Fix this.

> Do you think that's the reason why I couldn't connect via python-ldap?

Yes.

Ciao, Michael.
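
The case discussed in this thread, a server certificate with a blank subject and the host name only in subjectAltName, as an added Python example that is not code from python-ldap, OpenLDAP or any poster: a check that reads only the CN fails with the kind of error quoted above, while a check that uses SAN dNSName entries first and the CN as fallback accepts the certificate. The dicts follow the layout returned by ssl.SSLSocket.getpeercert(); all function names and host names are constructed for illustration.

```python
class CertificateNameError(Exception):
    """The certificate does not identify the host we connected to."""


def san_dns_names(cert):
    """dNSName entries of the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """commonName values of the subject DN (empty list for a blank subject)."""
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def _first_match(names, hostname, source):
    for name in names:
        if name_matches(name, hostname):
            return source, name
    raise CertificateNameError("%s %r does not match %r" % (source, names, hostname))


def verify_cn_only(cert, hostname):
    """Legacy check: the identity is taken from the subject CN and nothing else."""
    names = common_names(cert)
    if not names:
        raise CertificateNameError("unable to get CN from peer certificate")
    return _first_match(names, hostname, "commonName")


def verify_san_first(cert, hostname):
    """dNSName entries decide when present; the CN is used only without them."""
    names = san_dns_names(cert)
    if names:
        return _first_match(names, hostname, "subjectAltName")
    names = common_names(cert)
    if not names:
        raise CertificateNameError("certificate carries neither dNSName nor CN")
    return _first_match(names, hostname, "commonName")


def outcome(verify, cert, hostname):
    """Run a check and describe the result instead of raising."""
    try:
        return verify(cert, hostname)
    except CertificateNameError as exc:
        return "rejected: %s" % exc


# Constructed samples: a blank subject with the name only in SAN, and a
# certificate carrying the host name in both the CN and the SAN extension.
SUBJECTLESS_CERT = {"subject": (), "subjectAltName": (("DNS", "dc01.example.test"),)}
CN_AND_SAN_CERT = {
    "subject": ((("commonName", "dc01.example.test"),),),
    "subjectAltName": (("DNS", "dc01.example.test"), ("DNS", "*.ad.example.test")),
}

if __name__ == "__main__":
    for cert in (SUBJECTLESS_CERT, CN_AND_SAN_CERT):
        for check in (verify_cn_only, verify_san_first):
            print(check.__name__, outcome(check, cert, "dc01.example.test"))
```
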
From michael at stroeder.com Tue Dec 16 17:26:56 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 16 Dec 2008 17:26:56 +0100
Subject: Certificate checking on LDAP over SSL connection
In-Reply-To:
References: <493E5C78.4020807@stroeder.com> <493EC3BE.80607@stroeder.com> <493F77CC.60103@stroeder.com>
Message-ID: <4947D6D0.1050803@stroeder.com>

Alberto Lopes wrote:
>
> I dunno if this message was best sent directly to you or posted on the
> list; if so, please feel free to forward it.

Please post to python-ldap-dev at lists.sourceforge.net (Cc:-ed).

> Apparently the "SSL server certificate with blank subject field"
> problem doesn't end in reissuing the certificate, with a filled subject
> field.

Hmm...without seeing the certs and/or error messages I can't tell.

> In the blog post
> http://blogs.technet.com/askds/archive/2008/09/16/third-party-application-fails-using-ldap-over-ssl.aspx,
> the author quotes the RFC 3280 (Internet X.509 PKI spec), in which it is
> stated that when the SAN field is marked as critical and is used to
> express the only identity to the subject, the subject field must be empty.

Frankly, there are lots of interop issues regarding PKIX. You don't want
to know all of them. So I wouldn't mark SAN extension critical and add
the hostname in the CN attribute of subject name.

> So, strictly speaking, a certificate with blank subject field can be
> conformant to the RFC. In that sense, I think that openssl is already
> conformant, since the "openssl -c" command doesn't give me an error
> message. But maybe openLDAP or python-ldap is not conformant, for giving
> me the error message I talked about in my first message.

Does it work with the OpenLDAP command-line tools?

If openssl s_client just works fine and the OpenLDAP command-line tool
ldapsearch does not it would be good to raise this on the
openldap-software mailing list.

python-ldap itself does not do anything special.
It just passes all parameters to the OpenLDAP lib.

Ciao, Michael.

From yves at zioup.com Wed Dec 17 07:06:28 2008
From: yves at zioup.com (Yves Dorfsman)
Date: Tue, 16 Dec 2008 23:06:28 -0700
Subject: minor errors in the docstring of dsml.py
Message-ID: <494896E4.3050403@zioup.com>

There are minor errors in the doc string of dsml.py, such as:

 | input_file
 |     File-object to read the LDIF input from

Which obviously has been copied from the ldif.py.

What's the best way to correct it? Can somebody with the right
permissions change it, or submitting a patch file?

--
Yves.
http://www.sollers.ca/blog

From yves at zioup.com Wed Dec 17 07:10:24 2008
From: yves at zioup.com (Yves Dorfsman)
Date: Tue, 16 Dec 2008 23:10:24 -0700
Subject: DSMLParser example
Message-ID: <494897D0.80802@zioup.com>

Is there a simple example for dsml.DSMLParser() somewhere?

I am trying to use it, but getting errors. The documentation does not
explain what "ContentHandlerClass" is supposed to be.

I have tried:
x = dsml.DSMLParser(input_file, dsml.DSMLv1Handler)

But eventually it fails with an HTTP 404 error...

Thanks.

--
Yves.
http://www.sollers.ca/blog/2008/swappiness
http://www.sollers.ca/blog/2008/swappiness/.fr

From michael at stroeder.com Wed Dec 17 11:12:43 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 17 Dec 2008 11:12:43 +0100
Subject: minor errors in the docstring of dsml.py
In-Reply-To: <494896E4.3050403@zioup.com>
References: <494896E4.3050403@zioup.com>
Message-ID: <4948D09B.9030109@stroeder.com>

Yves Dorfsman wrote:
> There are minor errors in the doc string of dsml.py, such as:
>
>  | input_file
>  |     File-object to read the LDIF input from
>
> Which obviously has been copied from the ldif.py.

Uuumh, thanks. Checked in corrected version in CVS HEAD.

Ciao, Michael.

From michael at stroeder.com Wed Dec 17 11:16:14 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 17 Dec 2008 11:16:14 +0100
Subject: DSMLParser example
In-Reply-To: <494897D0.80802@zioup.com>
References: <494897D0.80802@zioup.com>
Message-ID: <4948D16E.7070401@stroeder.com>

Yves Dorfsman wrote:
> Is there a simple example for dsml.DSMLParser() somewhere ?

No, this module is rather unmaintained.

IIRC it mainly works like module ldif: You should sub-class
dsml.DSMLParser implementing a custom method .handle(). Note that it
only supports DSMLv1 which is not what you want today.

> I have tried:
> x = dsml.DSMLParser(input_file, dsml.DSMLv1Handler)
>
> But eventually it fails with an HTTP 404 error...

???

Ciao, Michael.

From yves at zioup.com Wed Dec 17 15:36:19 2008
From: yves at zioup.com (Yves Dorfsman)
Date: Wed, 17 Dec 2008 07:36:19 -0700
Subject: DSMLParser example
In-Reply-To: <4948D16E.7070401@stroeder.com>
References: <494897D0.80802@zioup.com> <4948D16E.7070401@stroeder.com>
Message-ID: <49490E63.40905@zioup.com>

Michael Ströder wrote:
> Yves Dorfsman wrote:
>> Is there a simple example for dsml.DSMLParser() somewhere ?
>
> No, this module is rather unmaintained.
>
> IIRC it mainly works like module ldif: You should sub-class
> dsml.DSMLParser implementing a custom method .handle(). Note that it
> only supports DSMLv1 which is not what you want today.

I did subclass it, the Writer works (I manage to convert from ldif to
dsml), but I never get to use the handler method, because it fails when
I try to parse().

>
>> I have tried:
>> x = dsml.DSMLParser(input_file, dsml.DSMLv1Handler)
>>
>> But eventually it fails with an HTTP 404 error...
>
> ???

Yes I was confused too. The documentation does not indicate what the
ContentHandler should be... is dsml.DSMLv1Handler the right thing to put
there?
  File "./ieLDAP.py", line 106, in main
    parser.parse()
  File "/usr/lib/python2.5/site-packages/dsml.py", line 300, in parse
    self._parser.parse(self._input_file)
  File "/usr/lib/python2.5/site-packages/_xmlplus/sax/expatreader.py", line 109, in parse
    xmlreader.IncrementalParser.parse(self, source)
  File "/usr/lib/python2.5/site-packages/_xmlplus/sax/xmlreader.py", line 123, in parse
    self.feed(buffer)
  File "/usr/lib/python2.5/site-packages/_xmlplus/sax/expatreader.py", line 216, in feed
    self._parser.Parse(data, isFinal)
  File "/usr/lib/python2.5/site-packages/_xmlplus/sax/expatreader.py", line 395, in external_entity_ref
    "")
  File "/usr/lib/python2.5/site-packages/_xmlplus/sax/saxutils.py", line 524, in prepare_input_source
    f = urllib2.urlopen(source.getSystemId())
  File "/usr/lib/python2.5/urllib2.py", line 124, in urlopen
    return _opener.open(url, data)
  File "/usr/lib/python2.5/urllib2.py", line 387, in open
    response = meth(req, response)
  File "/usr/lib/python2.5/urllib2.py", line 498, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.5/urllib2.py", line 425, in error
    return self._call_chain(*args)
  File "/usr/lib/python2.5/urllib2.py", line 360, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.5/urllib2.py", line 506, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
urllib2.HTTPError: HTTP Error 404: Not Found

--
Yves.
http://www.sollers.ca/blog

From michael at stroeder.com Wed Dec 17 15:55:59 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 17 Dec 2008 15:55:59 +0100
Subject: DSMLParser example
In-Reply-To: <49490E63.40905@zioup.com>
References: <494897D0.80802@zioup.com> <4948D16E.7070401@stroeder.com> <49490E63.40905@zioup.com>
Message-ID: <494912FF.7050208@stroeder.com>

Yves Dorfsman wrote:
> Michael Ströder wrote:
>> Yves Dorfsman wrote:
>>> But eventually it fails with an HTTP 404 error...
>> ???
>
> Yes I was confused too.
> [..]
>   File "/usr/lib/python2.5/urllib2.py", line 506, in http_error_default
>     raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
> urllib2.HTTPError: HTTP Error 404: Not Found

Maybe the underlying modules try to download a DTD via HTTP for DSMLv1
which is no longer available at the OASIS site?

Frankly I'd recommend not to bother with DSMLv1 since OASIS does not
support it anymore.

Ciao, Michael.

From yves at zioup.com Thu Dec 18 06:27:52 2008
From: yves at zioup.com (Yves Dorfsman)
Date: Wed, 17 Dec 2008 22:27:52 -0700
Subject: DSMLParser example
In-Reply-To: <4948D16E.7070401@stroeder.com>
References: <494897D0.80802@zioup.com> <4948D16E.7070401@stroeder.com>
Message-ID: <4949DF58.3070306@zioup.com>

Michael: Can you confirm this is the way it was supposed to be used, I
mean, is this class the sort of argument that should be used for
ContentHandler?

> Yves Dorfsman wrote:
>
>> I have tried:
>> x = dsml.DSMLParser(input_file, dsml.DSMLv1Handler)

I have noted your observation about dsml v1, and will look at the new
version, and see how far I get into implementing that.

--
Yves.

From yves at zioup.com Thu Dec 18 06:53:16 2008
From: yves at zioup.com (Yves Dorfsman)
Date: Wed, 17 Dec 2008 22:53:16 -0700
Subject: LDIF version
Message-ID: <4949E54C.9090307@zioup.com>

I'd like to propose:

1) adding the ldif.LDIFWriter.writeFooter(self) method which would
simply write:

version: x

with x the version number of the LDIF format (1 for now).

2) Add a variable 'version' to the ldif.LDIFParser, ldif.LDIFWriter
classes as well as an option in the constructor of the ldif.LDIFWriter:

__init__(self, output_file, base64_attrs=None, cols=76, line_sep='\n', version=1)

This should be a trivial change, but I can submit patches if needed.

--
Yves.

From michael at stroeder.com Thu Dec 18 10:30:14 2008
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 18 Dec 2008 10:30:14 +0100
Subject: DSMLParser example
In-Reply-To: <4949DF58.3070306@zioup.com>
References: <494897D0.80802@zioup.com> <4948D16E.7070401@stroeder.com> <4949DF58.3070306@zioup.com>
Message-ID: <494A1826.4070304@stroeder.com>

Yves Dorfsman wrote:
> Michael: Can you confirm this is the way it was supposed to be used, I mean,
> is this class the sort of argument that should be used for ContentHandler ?
>
>> Yves Dorfsman wrote:
>>
>>> I have tried:
>>> x = dsml.DSMLParser(input_file, dsml.DSMLv1Handler)
>
> I have noted your observation about dsml v1, and will look at the new
> version, and see how far I get into implementing that.

AFAIK DSMLv2 is not a simple data format anymore. The point is that you
have to implement hooks for the LDAP operations. Similar problem with
the yet unimplemented support for change records in LDIF. The concept
should be the same. There are patches by Roland pending to be examined
for the LDIF module.

Ciao, Michael.
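
The traceback earlier in this thread passes through external_entity_ref and urllib2.urlopen, which means the SAX parser itself issued the HTTP request while reading the document. As an added illustration (Python 3 standard-library xml.sax, not code from python-ldap's dsml module or from anyone in the thread), the sketch below parses a constructed DSMLv1-style document with external entity processing switched off, and uses a resolver that refuses instead of fetching to show which URL the parser asks for when it is switched on. The DTD URL, the sample entry and all class and function names are assumptions made for the example.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges

# Constructed sample: the DOCTYPE points at an external DTD. The URL is a
# placeholder, not the real location of any DSML DTD.
DTD_URL = "http://dtd.example.invalid/dsml.dtd"
SAMPLE = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE dsml:dsml SYSTEM "{DTD_URL}">
<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML">
 <dsml:directory-entries>
  <dsml:entry dn="uid=jdoe,dc=example,dc=test">
   <dsml:attr name="cn"><dsml:value>Jane Doe</dsml:value></dsml:attr>
   <dsml:attr name="mail"><dsml:value>jdoe@example.test</dsml:value></dsml:attr>
  </dsml:entry>
 </dsml:directory-entries>
</dsml:dsml>
""".encode("utf-8")


class ExternalReferenceBlocked(Exception):
    """Raised instead of letting the parser open an external resource."""


class RefusingResolver(EntityResolver):
    """Records every external reference the parser asks for, then refuses it."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        raise ExternalReferenceBlocked(systemId)


class EntryCollector(ContentHandler):
    """Collects (dn, {attribute: [values]}) pairs from dsml:entry elements."""

    def __init__(self):
        super().__init__()
        self.entries, self._attr, self._text = [], None, None

    def startElement(self, name, attrs):
        if name == "dsml:entry":
            self.entries.append((attrs["dn"], {}))
        elif name == "dsml:attr":
            self._attr = attrs["name"]
        elif name == "dsml:value":
            self._text = []

    def characters(self, content):
        if self._text is not None:
            self._text.append(content)

    def endElement(self, name):
        if name == "dsml:value":
            values = self.entries[-1][1].setdefault(self._attr, [])
            values.append("".join(self._text))
            self._text = None


def parse_dsml(data, external_entities):
    """Parse DSML bytes; return (entries, external references requested)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, external_entities)
    collector, resolver = EntryCollector(), RefusingResolver()
    parser.setContentHandler(collector)
    parser.setEntityResolver(resolver)
    try:
        parser.parse(io.BytesIO(data))
    except ExternalReferenceBlocked:
        pass  # the refused reference is recorded in resolver.requested
    return collector.entries, resolver.requested
```

With the feature off the entries are returned and nothing external is requested; with it on, the first thing the parser does after the DOCTYPE is ask for the DTD, before any entry is read.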