From melander at dfn-cert.de Thu Apr 2 12:52:34 2009
From: melander at dfn-cert.de (Fredrik Melander)
Date: Thu, 02 Apr 2009 12:52:34 +0200
Subject: Recursive ldap lookups
Message-ID: <49D498F2.2000900@dfn-cert.de>

Hi, list!

I was wondering if/how I can make recursive lookups in my ldap-tree
(corresponding to the -C option of ldapsearch), i.e. my ldap-server
doesn't have the information I'm asking for, but happens to know which
other ldap server that has it, and thus forwards my request to that
server.

Thanks in advance!

Regards,
Fredrik

From michael at stroeder.com Thu Apr 2 13:57:07 2009
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 02 Apr 2009 13:57:07 +0200
Subject: Recursive ldap lookups
In-Reply-To: <49D498F2.2000900@dfn-cert.de>
References: <49D498F2.2000900@dfn-cert.de>
Message-ID: <49D4A813.4040704@stroeder.com>

Fredrik Melander wrote:
> I was wondering if/how I can make recursive lookups in my ldap-tree
> (corresponding to the -C option of ldapsearch),

Which ldapsearch tool are you talking about? OpenLDAP's command-line
tool ldapsearch does not have an option -C. Do you have several
implementations of ldapsearch on your system?

> i.e. my ldap-server doesn't have the information I'm asking for, but
> happens to know which other ldap server that has it, and thus
> forwards my request to that server.

Are you talking about client-chasing of LDAPv3 referrals?

Yes, you can do it by processing the LDAP URLs returned in search
continuations yourself. You have to check the result type to be
ldap.RES_SEARCH_REFERENCE. You can then use module 'ldapurl' to parse
the referral URL in the result.

Note that the concept of client-chasing of referrals is seriously broken
since the LDAPv3 standard does not specify which credentials to use when
connecting to the server specified in the referral URL. My web2ldap
therefore raises a bind form to interactively ask the user what to do in
this case.

So I'd rather recommend to configure your LDAP server to chase the
referral with well-defined credentials if it supports chaining or
however it's called in your LDAP server (which one?).

Also note that there are some security implications if you allow your
users to maintain referral entries on your LDAP server (buzzword: user
self-service).

Ciao, Michael.

From roland.hedberg at adm.umu.se Mon Apr 6 08:34:21 2009
From: roland.hedberg at adm.umu.se (Roland Hedberg)
Date: Mon, 6 Apr 2009 08:34:21 +0200
Subject: Anyone packaged python-ldap as part of a bigger package ?
Message-ID:

Hi!

My goal: to 'bundle' python-ldap as part of a service distribution.

The necessary software for this distribution is, among others, a set of
Python packages like python-ldap, Twisted and rdflib and a couple of
packages I've developed in python myself, but to get the full service
functionality I will have to include a graph database written in Java
and possibly also an Apache server.

easy_install seems to me to be limited to handle distributions of python
packages and to handle their dependencies on other python packages, but
this is far from what I need.

So, I'm looking at buildout from Zope.

More specifically I'm contemplating writing a buildout recipe for
installing python-ldap. Running such a recipe would not only result in
fetching python-ldap by ftp or http from a site but could also include
doing configuration before installation as well as after.

Anyone done anything like this ?

One problem I've already found is that there doesn't seem to exist a
simple stable FTP/HTTP URL that points to the latest distribution.

--Roland

From michael at stroeder.com Mon Apr 6 09:37:57 2009
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 06 Apr 2009 09:37:57 +0200
Subject: Anyone packaged python-ldap as part of a bigger package ?
In-Reply-To:
References:
Message-ID: <49D9B155.3040002@stroeder.com>

Roland Hedberg wrote:
> One problem I've already found is that there doesn't seem to exist a
> simple stable FTP/HTTP URL that points to the latest distribution.

Do you need a URL which is always the same but points to the latest
tar.gz file?

Ciao, Michael.

From roland.hedberg at adm.umu.se Mon Apr 6 11:19:48 2009
From: roland.hedberg at adm.umu.se (Roland Hedberg)
Date: Mon, 6 Apr 2009 11:19:48 +0200
Subject: Anyone packaged python-ldap as part of a bigger package ?
In-Reply-To: <49D9B155.3040002@stroeder.com>
References: <49D9B155.3040002@stroeder.com>
Message-ID: <29141D83-791F-4748-B0ED-B44E877E494A@adm.umu.se>

On Apr 6, 2009, at 9:37, Michael Ströder wrote:

> Roland Hedberg wrote:
>> One problem I've already found is that there doesn't seem to exist a
>> simple stable FTP/HTTP URL that points to the latest distribution.
>
> Do you need a URL which is always the same but points to the latest
> tar.gz file?

I'd prefer to be able to pick the version I want.
It's not always wise to go with the latest.

--Roland

From michael at stroeder.com Mon Apr 6 14:10:19 2009
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 06 Apr 2009 14:10:19 +0200
Subject: Anyone packaged python-ldap as part of a bigger package ?
In-Reply-To: <29141D83-791F-4748-B0ED-B44E877E494A@adm.umu.se>
References: <49D9B155.3040002@stroeder.com> <29141D83-791F-4748-B0ED-B44E877E494A@adm.umu.se>
Message-ID: <49D9F12B.2080305@stroeder.com>

Roland Hedberg wrote:
>
> On Apr 6, 2009, at 9:37, Michael Ströder wrote:
>
>> Roland Hedberg wrote:
>>> One problem I've already found is that there doesn't seem to exist a
>>> simple stable FTP/HTTP URL that points to the latest distribution.
>>
>> Do you need a URL which is always the same but points to the latest
>> tar.gz file?
>
> I'd prefer to be able to pick the version I want.

Hmm, at the moment I hide older releases from the download area. Also
there is the idea to move away from Sourceforge anyway in the long run.

> It's not always wise to go with the latest.

At the moment it is (within the 2.3 series).

Still I'd recommend to stick with setuptools and integrate this with
your own installation procedure. I'm maintaining python-ldap's PyPI
record. It will always point to the right python-ldap distribution.

Ciao, Michael.

From jens at dataflake.org Mon Apr 6 14:22:34 2009
From: jens at dataflake.org (Jens Vagelpohl)
Date: Mon, 6 Apr 2009 14:22:34 +0200
Subject: Anyone packaged python-ldap as part of a bigger package ?
In-Reply-To: <49D9F12B.2080305@stroeder.com>
References: <49D9B155.3040002@stroeder.com> <29141D83-791F-4748-B0ED-B44E877E494A@adm.umu.se> <49D9F12B.2080305@stroeder.com>
Message-ID: <8814AA9E-CF0B-47B0-A8EF-C757B9E11BF0@dataflake.org>

On Apr 6, 2009, at 14:10 , Michael Ströder wrote:

>> It's not always wise to go with the latest.
>
> At the moment it is (within the 2.3 series).

Unfortunately that's not true. I've been in many situations where I
really needed older versions (like 2.0.8 or 2.1.x), but it was a real
drag to find them. It certainly was not possible to get them off PyPI,
which is (at least for me) the easiest way to integrate any Python
package.

jens

From michael at stroeder.com Mon Apr 6 14:55:10 2009
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 06 Apr 2009 14:55:10 +0200
Subject: Anyone packaged python-ldap as part of a bigger package ?
In-Reply-To: <8814AA9E-CF0B-47B0-A8EF-C757B9E11BF0@dataflake.org>
References: <49D9B155.3040002@stroeder.com> <29141D83-791F-4748-B0ED-B44E877E494A@adm.umu.se> <49D9F12B.2080305@stroeder.com> <8814AA9E-CF0B-47B0-A8EF-C757B9E11BF0@dataflake.org>
Message-ID: <49D9FBAE.5060101@stroeder.com>

Jens Vagelpohl wrote:
>
> On Apr 6, 2009, at 14:10 , Michael Ströder wrote:
>
>>> It's not always wise to go with the latest.
>> At the moment it is (within the 2.3 series).
>
> Unfortunately that's not true. I've been in many situations where I
> really needed older versions (like 2.0.8 or 2.1.x),

Can you please tell us why?

Ciao, Michael.

From jens at dataflake.org Mon Apr 6 15:06:54 2009
From: jens at dataflake.org (Jens Vagelpohl)
Date: Mon, 6 Apr 2009 15:06:54 +0200
Subject: Anyone packaged python-ldap as part of a bigger package ?
In-Reply-To: <49D9FBAE.5060101@stroeder.com>
References: <49D9B155.3040002@stroeder.com> <29141D83-791F-4748-B0ED-B44E877E494A@adm.umu.se> <49D9F12B.2080305@stroeder.com> <8814AA9E-CF0B-47B0-A8EF-C757B9E11BF0@dataflake.org> <49D9FBAE.5060101@stroeder.com>
Message-ID:

On Apr 6, 2009, at 14:55 , Michael Ströder wrote:

> Jens Vagelpohl wrote:
>>
>> On Apr 6, 2009, at 14:10 , Michael Ströder wrote:
>>
>>>> It's not always wise to go with the latest.
>>> At the moment it is (within the 2.3 series).
>>
>> Unfortunately that's not true. I've been in many situations where I
>> really needed older versions (like 2.0.8 or 2.1.x),
>
> Can you please tell us why?

Simple example: A server with an old version of OpenLDAP on it, like
2.2.x, which I don't control and cannot upgrade. For the customers'
needs it's perfectly fine to just go with an older version of
python-ldap. Sometimes I've had to resort to building OpenLDAP
separately, just to use python-ldap, and just because I wanted to use
the python-ldap egg and the only eggs available are 2.3.x. Seems a bit
silly, don't you think?

I'm not asking you to spend extra time and put old versions onto PyPI
now. What I would like to see is a policy of making sure once a release
is on PyPI it's not removed, ever. That way automated buildouts can rely
on finding the versions they have configured in.

And if you wanted to share PyPI admin duties I'd be happy to find older
versions and upload them to PyPI as well.

jens

From jens at dataflake.org Mon Apr 6 15:10:07 2009
From: jens at dataflake.org (Jens Vagelpohl)
Date: Mon, 6 Apr 2009 15:10:07 +0200
Subject: Anyone packaged python-ldap as part of a bigger package ?
In-Reply-To:
References: <49D9B155.3040002@stroeder.com> <29141D83-791F-4748-B0ED-B44E877E494A@adm.umu.se> <49D9F12B.2080305@stroeder.com> <8814AA9E-CF0B-47B0-A8EF-C757B9E11BF0@dataflake.org> <49D9FBAE.5060101@stroeder.com>
Message-ID: <9D3FA3B8-FA63-4877-8CD7-94CC6BAF147D@dataflake.org>

P.S.: To avoid any confusion, I'm not arguing for official support for
old versions. Just an easy way (like PyPI) to get hold of them.
SourceForge is, in my very personal opinion, garbage. You never know
which mirror holds what. You never know if a URL you had one moment will
work the next. On PyPI, URLs work unless someone takes the explicit step
of deleting a package.

jens

From michael at stroeder.com Mon Apr 6 16:21:07 2009
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 06 Apr 2009 16:21:07 +0200
Subject: Anyone packaged python-ldap as part of a bigger package ?
In-Reply-To:
References: <49D9B155.3040002@stroeder.com> <29141D83-791F-4748-B0ED-B44E877E494A@adm.umu.se> <49D9F12B.2080305@stroeder.com> <8814AA9E-CF0B-47B0-A8EF-C757B9E11BF0@dataflake.org> <49D9FBAE.5060101@stroeder.com>
Message-ID: <49DA0FD3.5060308@stroeder.com>

Jens Vagelpohl wrote:
> On Apr 6, 2009, at 14:55 , Michael Ströder wrote:
>> Jens Vagelpohl wrote:
>>> On Apr 6, 2009, at 14:10 , Michael Ströder wrote:
>>>
>>>>> It's not always wise to go with the latest.
>>>> At the moment it is (within the 2.3 series).
>>> Unfortunately that's not true. I've been in many situations where I
>>> really needed older versions (like 2.0.8 or 2.1.x),
>> Can you please tell us why?
>
> Simple example: A server with an old version of OpenLDAP on it, like
> 2.2.x, which I don't control and cannot upgrade.

I suspected something like this. ;-)

> For the customers' needs it's perfectly fine to just go with an older
> version of python-ldap.

As long as there aren't any security holes in older versions of
python-ldap and/or libldap. Nobody will fix them.

> Sometimes I've had to resort to building OpenLDAP separately, just to
> use python-ldap, and just because I wanted to use the python-ldap egg
> and the only eggs available are 2.3.x. Seems a bit silly, don't you
> think?

No, personally I don't think so. Given that even OpenLDAP 2.3 is almost
out-of-service it's wiser to go with a more recent version.

> I'm not asking you to spend extra time and put old versions onto PyPI
> now. What I would like to see is a policy of making sure once a
> release is on PyPI it's not removed, ever. That way automated
> buildouts can rely on finding the versions they have configured in.

Hmm, will think about it. If someone has an urgent need I could provide
older releases.

> And if you wanted to share PyPI admin duties I'd be happy to find
> older versions and upload them to PyPI as well.

Noted. Thanks.

Ciao, Michael.

From jens at dataflake.org Mon Apr 6 16:28:59 2009
From: jens at dataflake.org (Jens Vagelpohl)
Date: Mon, 6 Apr 2009 16:28:59 +0200
Subject: Anyone packaged python-ldap as part of a bigger package ?
In-Reply-To: <49DA0FD3.5060308@stroeder.com>
References: <49D9B155.3040002@stroeder.com> <29141D83-791F-4748-B0ED-B44E877E494A@adm.umu.se> <49D9F12B.2080305@stroeder.com> <8814AA9E-CF0B-47B0-A8EF-C757B9E11BF0@dataflake.org> <49D9FBAE.5060101@stroeder.com> <49DA0FD3.5060308@stroeder.com>
Message-ID:

On Apr 6, 2009, at 16:21 , Michael Ströder wrote:

> Jens Vagelpohl wrote:
>> For the customers' needs it's perfectly fine to just go with an older
>> version of python-ldap.
>
> As long as there aren't any security holes in older versions of
> python-ldap and/or libldap. Nobody will fix them.

I know all that. Think of a server that's on the LAN and not on the
internet. No security issues expected, and there is no expectation that
the old library will be secure. So really no worries whatsoever from
that side.

>> Sometimes I've had to resort to building OpenLDAP separately, just to
>> use python-ldap, and just because I wanted to use the python-ldap egg
>> and the only eggs available are 2.3.x. Seems a bit silly, don't you
>> think?
>
> No, personally I don't think so. Given that even OpenLDAP 2.3 is
> almost out-of-service it's wiser to go with a more recent version.

If you're maintaining older systems that have worked very well in the
past and that don't have any benefit from later security/functionality
enhancements (e.g. they don't need to be secured) then it becomes
counterproductive to ask the customer to upgrade. Especially when
there's no need to upgrade apart from "then I will have an easier time
installing python-ldap".

> Hmm, will think about it. If someone has an urgent need I could provide
> older releases.

That's not the issue, though :-) I know I can find them through Google,
or by asking you. I'm only asking for an *easy* way of getting them that
integrates well with automated buildouts - like eggs in a sane place
such as PyPI.

jens

From jens at dataflake.org Mon Apr 6 17:26:15 2009
From: jens at dataflake.org (Jens Vagelpohl)
Date: Mon, 6 Apr 2009 17:26:15 +0200
Subject: tarball vs. download URL
Message-ID:

While we're on the topic of packaging, I have one more request:

Please upload the software (the tarball) to PyPI instead of using the
Sourceforge URL as download URL.

While setuptools itself can (at least most of the time) interact with
SourceForge, software that replicates Egg servers is normally unable to
do so. So if people set up an egg server mirror all those Sourceforge
download URLs turn into pumpkins and those packages must be managed
manually. Huge pain.

So pretty please, don't use Sourceforge download URLs. Upload the
tarball into PyPI.

jens

From michael at stroeder.com Tue Apr 7 13:48:03 2009
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 07 Apr 2009 13:48:03 +0200
Subject: tarball vs. download URL
In-Reply-To:
References:
Message-ID: <49DB3D73.7030507@stroeder.com>

Jens Vagelpohl wrote:
> While we're on the topic of packaging, I have one more request:
>
> Please upload the software (the tarball) to PyPI instead of using the
> Sourceforge URL as download URL.

Does that look correct to you?

http://pypi.python.org/pypi/python-ldap/2.3.6

Ciao, Michael.

From jens at dataflake.org Tue Apr 7 14:02:56 2009
From: jens at dataflake.org (Jens Vagelpohl)
Date: Tue, 7 Apr 2009 14:02:56 +0200
Subject: tarball vs. download URL
In-Reply-To: <49DB3D73.7030507@stroeder.com>
References: <49DB3D73.7030507@stroeder.com>
Message-ID:

On Apr 7, 2009, at 13:48 , Michael Ströder wrote:

> Jens Vagelpohl wrote:
>> While we're on the topic of packaging, I have one more request:
>>
>> Please upload the software (the tarball) to PyPI instead of using the
>> Sourceforge URL as download URL.
>
> Does that look correct to you?
>
> http://pypi.python.org/pypi/python-ldap/2.3.6

Yes, that's great, thanks a lot! :-)

jens

From michael at stroeder.com Tue Apr 7 15:43:31 2009
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 07 Apr 2009 15:43:31 +0200
Subject: tarball vs. download URL
In-Reply-To:
References: <49DB3D73.7030507@stroeder.com>
Message-ID: <49DB5883.2070002@stroeder.com>

Jens Vagelpohl wrote:
>
> On Apr 7, 2009, at 13:48 , Michael Ströder wrote:
>
>> Jens Vagelpohl wrote:
>>> While we're on the topic of packaging, I have one more request:
>>>
>>> Please upload the software (the tarball) to PyPI instead of using the
>>> Sourceforge URL as download URL.
>> Does that look correct to you?
>
>> http://pypi.python.org/pypi/python-ldap/2.3.6
>
> Yes, that's great, thanks a lot! :-)

And please remind me to do it for newer releases if I forgot it... ;-)

Anyway in the long run python-ldap should move away from SF anyway. The
new web UI is even worse...

Ciao, Michael.

From jens at dataflake.org Tue Apr 7 18:28:32 2009
From: jens at dataflake.org (Jens Vagelpohl)
Date: Tue, 7 Apr 2009 18:28:32 +0200
Subject: tarball vs. download URL
In-Reply-To: <49DB5883.2070002@stroeder.com>
References: <49DB3D73.7030507@stroeder.com> <49DB5883.2070002@stroeder.com>
Message-ID:

On Apr 7, 2009, at 15:43 , Michael Ströder wrote:

> Jens Vagelpohl wrote:
>>
>> On Apr 7, 2009, at 13:48 , Michael Ströder wrote:
>>
>>> Does that look correct to you?
>>> http://pypi.python.org/pypi/python-ldap/2.3.6
>>
>> Yes, that's great, thanks a lot! :-)
>
> And please remind me to do it for newer releases if I forgot it... ;-)
>
> Anyway in the long run python-ldap should move away from SF anyway.
> The new web UI is even worse...

Yes, absolutely. I can't stand SF.

Personally, I haven't had the need to search for a service that offers
something like SF, including version control and bug tracking. I either
use my own systems, or those used by the Zope developer community.

One candidate you could look at, if you have a minute, is Launchpad.
They have all kinds of nice services, but there's one big drawback: They
force you onto their own VCS (bzr). I have not looked at any other sites
like Google Code.

jens

From michael at stroeder.com Tue Apr 7 18:52:00 2009
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 07 Apr 2009 18:52:00 +0200
Subject: Please test CVS HEAD on 64-bit platforms
Message-ID: <49DB84B0.6000206@stroeder.com>

Given another one of these famous Integer type errors [1] I'd like to
encourage everyone to test python-ldap HEAD on 64-bit platforms. I'd
also appreciate if people with more C knowledge could review the
patches:

http://python-ldap.cvs.sourceforge.net/viewvc/python-ldap/python-ldap/Modules/functions.c?r1=1.21&r2=1.22
http://python-ldap.cvs.sourceforge.net/viewvc/python-ldap/python-ldap/Modules/ldapcontrol.c?view=log

We don't have a test suite though... Hmm, maybe you could play with
web2ldap which at least makes use of a lot of functions within
python-ldap.

Ciao, Michael.

[1] https://sourceforge.net/tracker/?func=detail&aid=2725356&group_id=2072&atid=102072

From michael at stroeder.com Tue Apr 7 19:03:31 2009
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 07 Apr 2009 19:03:31 +0200
Subject: tarball vs. download URL
In-Reply-To:
References: <49DB3D73.7030507@stroeder.com> <49DB5883.2070002@stroeder.com>
Message-ID: <49DB8763.3040708@stroeder.com>

Jens Vagelpohl wrote:
>
> Personally, I haven't had the need to search for a service that offers
> something like SF, including version control and bug tracking. I
> either use my own systems, or those used by the Zope developer
> community.

I tend to either ask the folks at python.org what they could provide or
set up a separate thing. Another option I'd like would be to ask the
OpenLDAP project to host python-ldap. At the moment there are not many
contributions by other developers so I'd keep things simple anyway.

> One candidate you could look at, if you have a minute, is Launchpad.
> They have all kinds of nice services, but there's one big drawback:
> They force you onto their own VCS (bzr).

That's a show-stopper. I don't want a proprietary VCS.

> I have not looked at any other sites like Google Code.

I don't like to put things on Google either.

Ciao, Michael.

From jens at dataflake.org Tue Apr 7 19:06:34 2009
From: jens at dataflake.org (Jens Vagelpohl)
Date: Tue, 7 Apr 2009 19:06:34 +0200
Subject: tarball vs. download URL
In-Reply-To: <49DB8763.3040708@stroeder.com>
References: <49DB3D73.7030507@stroeder.com> <49DB5883.2070002@stroeder.com> <49DB8763.3040708@stroeder.com>
Message-ID:

On Apr 7, 2009, at 19:03 , Michael Ströder wrote:

> Jens Vagelpohl wrote:
>> One candidate you could look at, if you have a minute, is Launchpad.
>> They have all kinds of nice services, but there's one big drawback:
>> They force you onto their own VCS (bzr).
>
> That's a show-stopper. I don't want a proprietary VCS.
>
>> I have not looked at any other sites like Google Code.
>
> I don't like to put things on Google either.

I fully agree on both points, I was just trying to list alternatives ;-)

jens

From michael at stroeder.com Tue Apr 7 19:10:59 2009
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 07 Apr 2009 19:10:59 +0200
Subject: tarball vs. download URL
In-Reply-To:
References: <49DB3D73.7030507@stroeder.com> <49DB5883.2070002@stroeder.com> <49DB8763.3040708@stroeder.com>
Message-ID: <49DB8923.2030308@stroeder.com>

Jens Vagelpohl wrote:
>
> On Apr 7, 2009, at 19:03 , Michael Ströder wrote:
>
>> Jens Vagelpohl wrote:
>>> One candidate you could look at, if you have a minute, is Launchpad.
>>> They have all kinds of nice services, but there's one big drawback:
>>> They force you onto their own VCS (bzr).
>> That's a show-stopper. I don't want a proprietary VCS.
>
>>> I have not looked at any other sites like Google Code.
>> I don't like to put things on Google either.
>
> I fully agree on both points, I was just trying to list alternatives ;-)

Thanks for raising the alternatives so we can quickly preclude them
without further investigation.. ;-)

Ciao, Michael.

From sidnei at enfoldsystems.com Tue Apr 7 19:11:51 2009
From: sidnei at enfoldsystems.com (Sidnei da Silva)
Date: Tue, 7 Apr 2009 14:11:51 -0300
Subject: tarball vs. download URL
In-Reply-To: <49DB8763.3040708@stroeder.com>
References: <49DB3D73.7030507@stroeder.com> <49DB5883.2070002@stroeder.com> <49DB8763.3040708@stroeder.com>
Message-ID:

2009/4/7 Michael Ströder:
>> One candidate you could look at, if you have a minute, is Launchpad.
>> They have all kinds of nice services, but there's one big drawback:
>> They force you onto their own VCS (bzr).
>
> That's a show-stopper. I don't want a proprietary VCS.

bzr is not proprietary. It's a GNU project.

--
Sidnei da Silva

From jens at dataflake.org Tue Apr 7 19:11:41 2009
From: jens at dataflake.org (Jens Vagelpohl)
Date: Tue, 7 Apr 2009 19:11:41 +0200
Subject: tarball vs. download URL
In-Reply-To:
References: <49DB3D73.7030507@stroeder.com> <49DB5883.2070002@stroeder.com>
Message-ID: <008FE647-A91D-4E5D-8EB9-A61ED5ECFD6A@dataflake.org>

On Apr 7, 2009, at 18:38 , Sidnei da Silva wrote:

> On Tue, Apr 7, 2009 at 1:28 PM, Jens Vagelpohl wrote:
>> Personally, I haven't had the need to search for a service that
>> offers something like SF, including version control and bug
>> tracking. I either use my own systems, or those used by the Zope
>> developer community.
>>
>> One candidate you could look at, if you have a minute, is Launchpad.
>> They have all kinds of nice services, but there's one big drawback:
>> They force you onto their own VCS (bzr). I have not looked at any
>> other sites like Google Code.
>
> That's not true. You are not required to use bzr, you can easily host
> your code somewhere. When setting up a project you have the option to
> specify a CVS or Subversion repo URL. Regular code imports from CVS
> and SVN are supported too, and many Zope projects are being mirrored
> in Launchpad's Code Hosting. Soon git will be supported for code
> mirroring too.

Code mirroring != code repository. I was listing examples which offer
both code hosting and additional services. Separating it up doesn't seem
desirable unless there's no other solution.

jens

From waldemar.osuch at gmail.com Tue Apr 7 20:44:36 2009
From: waldemar.osuch at gmail.com (Waldemar Osuch)
Date: Tue, 7 Apr 2009 12:44:36 -0600
Subject: tarball vs. download URL
In-Reply-To: <49DB8763.3040708@stroeder.com>
References: <49DB3D73.7030507@stroeder.com> <49DB5883.2070002@stroeder.com> <49DB8763.3040708@stroeder.com>
Message-ID: <6fae95540904071144g362dd0eof9f01265dd8042ef@mail.gmail.com>

2009/4/7 Michael Ströder:
> Jens Vagelpohl wrote:
>>
>> Personally, I haven't had the need to search for a service that offers
>> something like SF, including version control and bug tracking. I
>> either use my own systems, or those used by the Zope developer
>> community.
>
> I tend to either ask the folks at python.org what they could provide or
> set up a separate thing. Another option I'd like would be to ask the
> OpenLDAP project to host python-ldap. At the moment there are not many
> contributions by other developers so I'd keep things simple anyway.
>
>> One candidate you could look at, if you have a minute, is Launchpad.
>> They have all kinds of nice services, but there's one big drawback:
>> They force you onto their own VCS (bzr).
>
> That's a show-stopper. I don't want a proprietary VCS.

FYI. Bazaar [http://bazaar-vcs.org/] is not proprietary.
It is licensed under GPL-2 and coded in Python, same as Mercurial.
Its usage is dictated by the service, similar to others:

Launchpad -> bzr
Google -> svn
BitBucket -> hg
GitHub -> git

Waldemar

From michael at stroeder.com Thu Apr 9 15:12:19 2009
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 09 Apr 2009 15:12:19 +0200
Subject: ANN: python-ldap-2.3.7
Message-ID: <49DDF433.1050705@stroeder.com>

Find a new release of python-ldap:

http://python-ldap.sourceforge.net/

python-ldap provides an object-oriented API to access LDAP directory
servers from Python programs. It mainly wraps the OpenLDAP 2.x libs for
that purpose. Additionally it contains modules for other LDAP-related
stuff (e.g. processing LDIF, LDAPURLs and LDAPv3 schema).

Note that the download page has changed recently. You can now find the
source distribution at PyPI:

http://pypi.python.org/pypi/python-ldap/

Ciao, Michael.

--
Michael Ströder
E-Mail: michael at stroeder.com
http://www.stroeder.com

From michael at stroeder.com Thu Apr 9 20:29:32 2009
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 09 Apr 2009 20:29:32 +0200
Subject: Limited the usage of SF services for python-ldap
Message-ID: <49DE3E8C.6020509@stroeder.com>

HI!

Please note that from now on python-ldap releases and docs will not be
made available through SF's file release area anymore. SF's new web
interface is even worse than the old one. The download pages are much
too complicated for implementing automatic installation.

The web page
http://python-ldap.sourceforge.net/download.shtml
already points to:
http://pypi.python.org/pypi/python-ldap/

I think this is the appropriate place for providing python-ldap
distribution files.
I'd encourage others to upload their Win32 builds or whatever there. Let
me know if you need access to python-ldap's PyPI entry.

Also the docs are stored directly in the web space:
http://python-ldap.sourceforge.net/docs.shtml

I also disabled SF services for python-ldap's SF project entry which
were not used anyway and only spammed ("News" and "Documentation").

More news on that to come.

Ciao, Michael.

From oliviersessink at gmail.com Thu Apr 9 22:39:53 2009
From: oliviersessink at gmail.com (Olivier Sessink)
Date: Thu, 09 Apr 2009 22:39:53 +0200
Subject: using Kerberos to authenticate to Active Directory from python ldap
Message-ID: <49DE5D19.3070602@gmail.com>

Hi all,

I'm trying to script a function that can retrieve if a user is member of
a group in active directory. The previous script was a shell script with
a ldapsearch call for every user. You can imagine that took long on a
thousand users.

So I'm rewriting the script for python. However, I cannot get the
kerberos authentication right.

ld = ldap.initialize('activedirectory-dns')
ld.sasl_interactive_bind_s('', ldap.sasl.gssapi('user at REALM'))
ld.search_s(self.base, ldap.SCOPE_SUBTREE, '(CN=groupname)', ['Member'])

I get an error that I don't have the right credentials.

However it works with ldapsearch, so the Kerberos ticket is valid and
correct for this query..

Anybody a tip how to continue? Or an example script that uses Kerberos?

thanks,
Olivier

From michael at stroeder.com Thu Apr 9 23:30:33 2009
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 09 Apr 2009 23:30:33 +0200
Subject: using Kerberos to authenticate to Active Directory from python ldap
In-Reply-To: <49DE5D19.3070602@gmail.com>
References: <49DE5D19.3070602@gmail.com>
Message-ID: <49DE68F9.9000505@stroeder.com>

Olivier Sessink wrote:
>
> So I'm rewriting the script for python. However, I cannot get the
> kerberos authentication right.
> > ld = ldap.initialize('activedirectory-dns') > ld.sasl_interactive_bind_s('', ldap.sasl.gssapi('user at REALM')) > ld.search_s(self.base, ldap.SCOPE_SUBTREE, '(CN=groupname)', ['Member']) > > I get an error that I don't have the right credentials. > > However it works with ldapsearch, so the Kerberos ticket is valid and > correct for this query.. I cannot see how your parameters are. Note that SASL-Bind with GSSAPI is quite picky about using the right DNS names. Especially it should be something like ld = ldap.initialize('ldap://dc1.dom2.adtest.domain') with dc1.dom2.adtest.domain being one of the names listed with service prefix ldap/ in servicePrincipalName on the domain controller. > Or an example script that uses Kerberos? Demo/sasl_bind.py Ciao, Michael. From zhbmaillistonly at gmail.com Fri Apr 10 04:44:18 2009 From: zhbmaillistonly at gmail.com (Zhang Huangbin) Date: Fri, 10 Apr 2009 10:44:18 +0800 Subject: Limited the usage of SF services for python-ldap In-Reply-To: <49DE3E8C.6020509@stroeder.com> References: <49DE3E8C.6020509@stroeder.com> Message-ID: <49DEB282.2070504@gmail.com> Michael Str?der wrote: > HI! > > Please note that from now on python-ldap releases and docs will not be > made available trough SF's file release area anymore. SF's new web > interface is even worse than the old one. The download pages are much > too complicated for implementing automatic installation. > > The web page > http://python-ldap.sourceforge.net/download.shtml > already points to: > http://pypi.python.org/pypi/python-ldap/ > > I think this is the appropriate place for providing python-ldap > distribution files. I'd encourage others to upload their Win32 builds or > whatever there. Let me know if you need access to python-ldap's PyPI entry. 
> > Also the docs are stored directly in the web space: > http://python-ldap.sourceforge.net/docs.shtml > > I also disabled SF services for python-ldap's SF project entry which > were not used anyway and only spammed ("News" and "Documentation"). > > More news on that to come. > > Ciao, Michael. Try google code project hosting? http://code.google.com/ -- Best regards. Zhang Huangbin - Open Source Mail Server Solution for RHEL/CentOS 5.x: http://code.google.com/p/iredmail/ From oliviersessink at gmail.com Fri Apr 10 11:24:49 2009 From: oliviersessink at gmail.com (Olivier Sessink) Date: Fri, 10 Apr 2009 11:24:49 +0200 Subject: using Kerberos to authenticate to Active Directory from python ldap In-Reply-To: <648242720904092350g475ceedcv52819259583d3413@mail.gmail.com> References: <49DE5D19.3070602@gmail.com> <648242720904092350g475ceedcv52819259583d3413@mail.gmail.com> Message-ID: <61722e190904100224udd77b0avd55dfb7f58834587@mail.gmail.com> 2009/4/10 Geert Jansen : > As a related solution, you could have a look at python-ad [1]. > Python-AD is built on top of python-ldap and provides lots of > functionality that you normally need to connect to AD built in. For > example, service discovery, credential management and multi-domain > functionality. There's a few examples on the site, including how to > use Kerberos credentials with AD. I noticed that there is some C code related to Kerberos in python-ad. Is this code required to initialize a kerberos authentication, or is this just to change passwords and things like that? 
thanks, Olivier From michael at stroeder.com Fri Apr 10 11:45:38 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Fri, 10 Apr 2009 11:45:38 +0200 Subject: using Kerberos to authenticate to Active Directory from python ldap In-Reply-To: <61722e190904100224udd77b0avd55dfb7f58834587@mail.gmail.com> References: <49DE5D19.3070602@gmail.com> <648242720904092350g475ceedcv52819259583d3413@mail.gmail.com> <61722e190904100224udd77b0avd55dfb7f58834587@mail.gmail.com> Message-ID: <49DF1542.6050502@stroeder.com> Olivier Sessink wrote: > 2009/4/10 Geert Jansen : >> As a related solution, you could have a look at python-ad [1]. >> Python-AD is built on top of python-ldap and provides lots of >> functionality that you normally need to connect to AD built in. For >> example, service discovery, credential management and multi-domain >> functionality. There's a few examples on the site, including how to >> use Kerberos credentials with AD. > > I noticed that there is some C code related to Kerberos in python-ad. > Is this code required to initialize a kerberos authentication, or is > this just to change passwords and things like that? You can bind with SASL/GSSAPI to AD with plain python-ldap provided you obtained a valid TGT with kinit before (just like with command-line tool ldapsearch). Ciao, Michael. From michael at stroeder.com Fri Apr 10 11:55:56 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Fri, 10 Apr 2009 11:55:56 +0200 Subject: New python-ldap home page Message-ID: <49DF17AC.8030205@stroeder.com> HI! The web pages of python-ldap were moved to http://www.python-ldap.org/ Ciao, Michael. 
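Added example (not part of the original messages and not python-ldap's own code): Michael's reply in the "Recursive ldap lookups" thread recommends handling search references yourself and warns that LDAPv3 does not say which credentials to use for them. The sketch below makes that decision explicit per host. It assumes search references arrive as `(None, [url, ...])` tuples in the result list; the host names, bind DN and the helper names `parse_ldap_url` and `plan_chase` are constructed for illustration, and the standard library is used for URL parsing so it runs without python-ldap installed.

```python
from urllib.parse import urlsplit, unquote

# Constructed policy: referral targets that may be contacted, and the
# identity to bind with on each. Hosts and DNs are placeholders.
BIND_POLICY = {
    "ldap2.example.org": "cn=referral-reader,dc=example,dc=org",
}
MAX_HOPS = 3  # stop following chains of referrals after this many hops


def parse_ldap_url(url):
    """Split an LDAP URL into (scheme, host, port, base_dn); ValueError if unusable."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL")
    if not parts.hostname:
        raise ValueError("no host in referral")
    port = parts.port or (636 if scheme == "ldaps" else 389)
    return scheme, parts.hostname, port, unquote(parts.path.lstrip("/"))


def split_results(results):
    """Separate real entries from search references (assumed shape: dn is None)."""
    entries = [(dn, attrs) for dn, attrs in results if dn is not None]
    references = [urls for dn, urls in results if dn is None]
    return entries, references


def plan_chase(results, policy=BIND_POLICY, hops=0):
    """Return (entries, follow, skipped) for one search result set.

    follow  : list of (url, bind_dn) the caller may connect to
    skipped : list of (url, reason) that must not be chased
    """
    entries, references = split_results(results)
    follow, skipped = [], []
    for urls in references:
        chosen = None
        for url in urls:  # one reference may list alternative URLs
            if hops >= MAX_HOPS:
                skipped.append((url, "hop limit reached"))
                continue
            try:
                _scheme, host, _port, _base = parse_ldap_url(url)
            except ValueError as exc:
                skipped.append((url, str(exc)))
                continue
            bind_dn = policy.get(host)
            if bind_dn is None:
                # Never send any credentials to a host nobody vetted.
                skipped.append((url, "host not in bind policy"))
            elif chosen is None:
                chosen = (url, bind_dn)
        if chosen:
            follow.append(chosen)
    return entries, follow, skipped


# Constructed result list: one entry and three search references.
SAMPLE_RESULTS = [
    ("uid=alice,ou=people,dc=example,dc=org", {"uid": [b"alice"]}),
    (None, ["ldap://ldap2.example.org/ou=branch,dc=example,dc=org??sub"]),
    (None, ["ldap://unknown.example.net/dc=example,dc=net"]),
    (None, ["http://ldap2.example.org/"]),
]

if __name__ == "__main__":
    entries, follow, skipped = plan_chase(SAMPLE_RESULTS)
    print("entries:", [dn for dn, _ in entries])
    print("follow :", follow)
    print("skipped:", skipped)
```

The caller opens a new connection only for the URLs in `follow` and binds with the listed identity; everything in `skipped` is logged and left alone.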
From michael at stroeder.com Fri Apr 10 12:00:53 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Fri, 10 Apr 2009 12:00:53 +0200 Subject: Limited the usage of SF services for python-ldap In-Reply-To: <49DEB282.2070504@gmail.com> References: <49DE3E8C.6020509@stroeder.com> <49DEB282.2070504@gmail.com> Message-ID: <49DF18D5.1070002@stroeder.com> Zhang Huangbin wrote: > Try google code project hosting? > http://code.google.com/ Nope! I strongly prefer to cooperate with people who are not a big company and are personally committed to either directly support Python or OpenLDAP. I won't go for an infrastructure like SF anymore where download and admin pages are getting more and more complicated with mandantory Javascript, banner ads and all this crap. Even if such a service looks ok for now, the experience in the past showed that it's getting worse after some time. I will inform here about the decision taken. Ciao, Michael. From james at cs.mcgill.ca Mon Apr 6 22:48:58 2009 From: james at cs.mcgill.ca (James) Date: Mon, 06 Apr 2009 16:48:58 -0400 Subject: ldapsearch vs. python-ldap Message-ID: <1239050938.22619.5.camel@dazzle.CS.McGill.CA> Hey, I'm trying to use python-ldap to do something that works with the ldapsearch command line tool. I've posted code samples, can someone point out why the python-ldap fails? What is different about what python-ldap is doing. It seems that it forgets that it just _did_ bind successfully... 
thanks in advance,
_James
james at cs.mcgill.ca


# from a command line you can successfully run:
# $
# ldapsearch -x -b "" -D "place\" -h -p 389 -W "(&(objectcategory=person)(objectclass=user)(samaccountname=))"
#
#
# however this doesn't work:

import ldap
import sys
import getpass

l = ldap.initialize('ldap://:389')
try:
    #l.simple_bind_s('first.last at example.com', getpass.getpass())
    l.simple_bind_s('\', getpass.getpass()) # Works

except Exception, e:
    print e
    print 'Bind Failed'
    sys.exit(1)

try:
    r = l.search_s('dc=', ldap.SCOPE_SUBTREE, '(&(objectcategory=person)(objectclass=user)(samaccountname=))', ['*'])
except Exception, e:
    print e
    # this prints:
    # {'info': '00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece', 'desc': 'Operations error'}
    print 'Search Died'
    sys.exit(1)

for x in r:
    print x

From sidnei.da.silva at gmail.com Tue Apr 7 18:38:14 2009
From: sidnei.da.silva at gmail.com (Sidnei da Silva)
Date: Tue, 7 Apr 2009 13:38:14 -0300
Subject: tarball vs. download URL
In-Reply-To:
References: <49DB3D73.7030507@stroeder.com> <49DB5883.2070002@stroeder.com>
Message-ID:

On Tue, Apr 7, 2009 at 1:28 PM, Jens Vagelpohl wrote:
> Personally, I haven't had the need to search for a service that offers
> something like SF, including version control and bug tracking. I
> either use my own systems, or those used by the Zope developer
> community.
>
> One candidate you could look at, if you have a minute, is Launchpad.
> They have all kinds of nice services, but there's one big drawback:
> They force you onto their own VCS (bzr). I have not looked at any
> other sites like Google Code.

That's not true. You are not required to use bzr, you can easily host
your code somewhere. When setting up a project you have the option to
specify a CVS or Subversion repo URL.
Regular code imports from CVS and SVN are supported too, and many Zope projects are being mirrored in Launchpad's Code Hosting. Soon git will be supported for code mirroring too. -- Sidnei da Silva Canonical Ltd. ?Landscape ? Changing the way you manage your systems http://landscape.canonical.com From oliviersessink at gmail.com Fri Apr 10 14:00:30 2009 From: oliviersessink at gmail.com (Olivier Sessink) Date: Fri, 10 Apr 2009 14:00:30 +0200 Subject: using Kerberos to authenticate to Active Directory from python ldap In-Reply-To: <49DF1542.6050502@stroeder.com> References: <49DE5D19.3070602@gmail.com> <648242720904092350g475ceedcv52819259583d3413@mail.gmail.com> <61722e190904100224udd77b0avd55dfb7f58834587@mail.gmail.com> <49DF1542.6050502@stroeder.com> Message-ID: <61722e190904100500k19c0400atca31c4dde408b3ef@mail.gmail.com> 2009/4/10 Michael Str?der : > You can bind with SASL/GSSAPI to AD with plain python-ldap provided you > obtained a valid TGT with kinit before (just like with command-line tool > ldapsearch). thanks, that's what I need to know. I can't get it to work though.. ld = ldap.initialize('ldap://foobar') sasl = ldap.sasl.gssapi() ld.sasl_interactive_bind_s('', sasl) ld.search_s('DC=foo,DC=foo', ldap.SCOPE_SUBTREE, '(CN=blabla)', ['Member']) ldap.OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece', 'desc': 'Operations error'} this shell command works: ldapsearch -YGSSAPI -H ldap://foobar -bDC=foo,DC=foo '(CN=blabla)' Member I've tried different ldap URL's, but from an ldapsearch strace I'm pretty sure I use the right ldap server. However, this is on a suse linux enterprise box, which has python-ldap 2.0.11. Could it be that this is too old? 
thanks,
Olivier

From michael at stroeder.com Fri Apr 10 14:24:50 2009
From: michael at stroeder.com (=?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?=)
Date: Fri, 10 Apr 2009 14:24:50 +0200
Subject: using Kerberos to authenticate to Active Directory from python ldap
In-Reply-To: <61722e190904100500k19c0400atca31c4dde408b3ef@mail.gmail.com>
References: <49DE5D19.3070602@gmail.com> <648242720904092350g475ceedcv52819259583d3413@mail.gmail.com> <61722e190904100224udd77b0avd55dfb7f58834587@mail.gmail.com> <49DF1542.6050502@stroeder.com> <61722e190904100500k19c0400atca31c4dde408b3ef@mail.gmail.com>
Message-ID: <49DF3A92.3000205@stroeder.com>

Olivier Sessink wrote:
> 2009/4/10 Michael Ströder :
>> You can bind with SASL/GSSAPI to AD with plain python-ldap provided you
>> obtained a valid TGT with kinit before (just like with command-line tool
>> ldapsearch).
>
> thanks, that's what I need to know.
>
> I can't get it to work though..
>
> ld = ldap.initialize('ldap://foobar')
> sasl = ldap.sasl.gssapi()
> ld.sasl_interactive_bind_s('', sasl)
> ld.search_s('DC=foo,DC=foo', ldap.SCOPE_SUBTREE, '(CN=blabla)', ['Member'])
>
> ldap.OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C090627,
> comment: In order to perform this operation a successful bind must be
> completed on the connection., data 0, vece', 'desc': 'Operations
> error'}
>
> this shell command works:
>
> ldapsearch -YGSSAPI -H ldap://foobar -bDC=foo,DC=foo '(CN=blabla)' Member
>
> I've tried different ldap URL's, but from an ldapsearch strace I'm
> pretty sure I use the right ldap server.

Hmm, this should simply work just like the ldapsearch usage. Since
you're searching from domain level it would be worth to try to
explicitly switch off referral chasing within libldap:

ld = ldap.initialize('ldap://foobar')
ld.set_option(ldap.OPT_REFERRALS,0)

Note that automatic referral chasing within libldap was always using
anonymous bind.

> However, this is on a suse linux enterprise box, which has python-ldap
> 2.0.11.
Could it be that this is too old? Glancing over CHANGES there were no related fixes to SASL but maybe the default for ldap.OPT_REFERRALS was changed. But you should upgrade anyway for various reasons... Ciao, Michael. From michael at stroeder.com Fri Apr 10 14:28:13 2009 From: michael at stroeder.com (=?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?=) Date: Fri, 10 Apr 2009 14:28:13 +0200 Subject: using Kerberos to authenticate to Active Directory from python ldap In-Reply-To: <49DF3A92.3000205@stroeder.com> References: <49DE5D19.3070602@gmail.com> <648242720904092350g475ceedcv52819259583d3413@mail.gmail.com> <61722e190904100224udd77b0avd55dfb7f58834587@mail.gmail.com> <49DF1542.6050502@stroeder.com> <61722e190904100500k19c0400atca31c4dde408b3ef@mail.gmail.com> <49DF3A92.3000205@stroeder.com> Message-ID: <49DF3B5D.6000603@stroeder.com> Michael Str?der wrote: > Hmm, this should simply work just like the ldapsearch usage. BTW: If you're using MS AD of W2K8 (not W2K3) you can check whether your bound with ld.whoami_s() which on W2K8 returns 'u:DOMAIN\SAMACCOUNTNAME'. Ciao, Michael. From cderr at simons-rock.edu Fri Apr 10 14:02:38 2009 From: cderr at simons-rock.edu (charlie derr) Date: Fri, 10 Apr 2009 08:02:38 -0400 Subject: Limited the usage of SF services for python-ldap In-Reply-To: <49DF18D5.1070002@stroeder.com> References: <49DE3E8C.6020509@stroeder.com> <49DEB282.2070504@gmail.com> <49DF18D5.1070002@stroeder.com> Message-ID: <49DF355E.6000603@simons-rock.edu> Michael Str?der wrote: > Zhang Huangbin wrote: >> Try google code project hosting? >> http://code.google.com/ > > Nope! > > I strongly prefer to cooperate with people who are not a big company and > are personally committed to either directly support Python or OpenLDAP. > I won't go for an infrastructure like SF anymore where download and > admin pages are getting more and more complicated with mandantory > Javascript, banner ads and all this crap. 
Even if such a service looks > ok for now, the experience in the past showed that it's getting worse > after some time. > > I will inform here about the decision taken. > > Ciao, Michael. > Kudos for your clear thinking on this. In my estimation, you're absolutely choosing the correct path by proceeding this way. ~c > From oliviersessink at gmail.com Fri Apr 10 14:45:22 2009 From: oliviersessink at gmail.com (Olivier Sessink) Date: Fri, 10 Apr 2009 14:45:22 +0200 Subject: using Kerberos to authenticate to Active Directory from python ldap In-Reply-To: <49DF3A92.3000205@stroeder.com> References: <49DE5D19.3070602@gmail.com> <648242720904092350g475ceedcv52819259583d3413@mail.gmail.com> <61722e190904100224udd77b0avd55dfb7f58834587@mail.gmail.com> <49DF1542.6050502@stroeder.com> <61722e190904100500k19c0400atca31c4dde408b3ef@mail.gmail.com> <49DF3A92.3000205@stroeder.com> Message-ID: <61722e190904100545g40ed9ee1hb652dbf962650f60@mail.gmail.com> 2009/4/10 Michael Str?der : > Olivier Sessink wrote: >> 2009/4/10 Michael Str?der : >>> You can bind with SASL/GSSAPI to AD with plain python-ldap provided you >>> obtained a valid TGT with kinit before (just like with command-line tool >>> ldapsearch). >> >> thanks, that's what I need to know. >> >> I can't get it to work though.. >> >> ld = ldap.initialize('ldap://foobar') >> sasl = ldap.sasl.gssapi() >> ld.sasl_interactive_bind_s('', sasl) >> ld.search_s('DC=foo,DC=foo', ldap.SCOPE_SUBTREE, '(CN=blabla)', ['Member']) >> >> ldap.OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C090627, >> comment: In order to perform this operation a successful bind must be >> completed on the connection., data 0, vece', 'desc': 'Operations >> error'} >> >> this shell command works: >> >> ldapsearch -YGSSAPI ?-H ldap://foobar -bDC=foo,DC=foo '(CN=blabla)' Member >> >> I've tried different ldap URL's, but from an ldapsearch strace I'm >> pretty sure I use the right ldap server. > > Hmm, this should simply work just like the ldapsearch usage. 
Since
> you're searching from domain level it would be worth to try to
> explicitly switch off referral chasing within libldap:
>
> ld = ldap.initialize('ldap://foobar')
> ld.set_option(ldap.OPT_REFERRALS,0)

you saved my day!

it works.

sorry for my limited knowledge, but what does "referrals should be
automatically chased" mean?

many thanks
Olivier

From michael at stroeder.com Fri Apr 10 15:05:43 2009
From: michael at stroeder.com (=?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?=)
Date: Fri, 10 Apr 2009 15:05:43 +0200
Subject: using Kerberos to authenticate to Active Directory from python ldap
In-Reply-To: <61722e190904100545g40ed9ee1hb652dbf962650f60@mail.gmail.com>
References: <49DE5D19.3070602@gmail.com> <648242720904092350g475ceedcv52819259583d3413@mail.gmail.com> <61722e190904100224udd77b0avd55dfb7f58834587@mail.gmail.com> <49DF1542.6050502@stroeder.com> <61722e190904100500k19c0400atca31c4dde408b3ef@mail.gmail.com> <49DF3A92.3000205@stroeder.com> <61722e190904100545g40ed9ee1hb652dbf962650f60@mail.gmail.com>
Message-ID: <49DF4427.6070309@stroeder.com>

Olivier Sessink wrote:
>> ld = ldap.initialize('ldap://foobar')
>> ld.set_option(ldap.OPT_REFERRALS,0)
>
> you saved my day!
>
> it works.

Glad that worked.

> sorry for my limited knowledge, but what does "referrals should be
> automatically chased" mean?

Referrals are basically LDAP URLs returned potentially pointing to other
LDAP servers where to look for. The client has to chase the referrals.
This is a broken concept since the LDAPv3 standard says nothing about
which credentials to use when chasing the referral. libldap by default
chased referrals anonymously.

Ciao, Michael.

From michael at stroeder.com Sat Apr 11 14:31:02 2009
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Sat, 11 Apr 2009 14:31:02 +0200
Subject: ldapsearch vs.
python-ldap
In-Reply-To: <1239050938.22619.5.camel@dazzle.CS.McGill.CA>
References: <1239050938.22619.5.camel@dazzle.CS.McGill.CA>
Message-ID: <49E08D86.8040309@stroeder.com>

You might also have hit the problem with automatic referral chasing
within libldap as anonymous. Try this to switch that off:

l = ldap.initialize('ldap://:389')
l.set_option(ldap.OPT_REFERRALS,0)

> try:
>     #l.simple_bind_s('first.last at example.com', getpass.getpass())
>     l.simple_bind_s('\', getpass.getpass()) # Works
>
> except Exception, e:

You should rather catch ldap.LDAPError here.

Ciao, Michael.

From geert at boskant.nl Sat Apr 11 17:36:56 2009
From: geert at boskant.nl (Geert Jansen)
Date: Sat, 11 Apr 2009 17:36:56 +0200
Subject: using Kerberos to authenticate to Active Directory from python ldap
In-Reply-To: <61722e190904100224udd77b0avd55dfb7f58834587@mail.gmail.com>
References: <49DE5D19.3070602@gmail.com> <648242720904092350g475ceedcv52819259583d3413@mail.gmail.com> <61722e190904100224udd77b0avd55dfb7f58834587@mail.gmail.com>
Message-ID: <648242720904110836g4c83ad3cp7f9119b34a199988@mail.gmail.com>

On Fri, Apr 10, 2009 at 11:24 AM, Olivier Sessink wrote:
> I noticed that there is some C code related to Kerberos in python-ad.
> Is this code required to initialize a kerberos authentication, or is
> this just to change passwords and things like that?

Actually, both. The C code exposes a small subset of the Kerberos API
to Python. I use it for credential management so things like acquire a
ticket using a password or a keytab, and to set or change a password.

Regards,
Geert

From melander at dfn-cert.de Mon Apr 27 18:02:06 2009
From: melander at dfn-cert.de (Fredrik Melander)
Date: Mon, 27 Apr 2009 18:02:06 +0200
Subject: Recursive ldap lookups
In-Reply-To: <49D4A813.4040704@stroeder.com>
References: <49D498F2.2000900@dfn-cert.de> <49D4A813.4040704@stroeder.com>
Message-ID: <49F5D6FE.4030604@dfn-cert.de>

Hi,

first of all thanks for the answer, and sorry that I haven't replied earlier.
Lots of reasons not really interesting for anybody and a bit of good ol' laziness, of course ;) >> Which ldapsearch tool are you talking about? OpenLDAP's command-line >> tool ldapsearch does not have an option -C. Do you have several >> implementations of ldapsearch on your system? That's true, if you consider the latest version(s?) of ldapsearch. There used to be a -C option for client-chasing referals. I'm not sure exactly when or why this was taken out, but even after it was removed from the documentation it lingered as an "undocumented feature" for while, meaning you could use it if you happened to know about it. The guys here at work also tells me that before it got removed completely it remained in some broken kind of way, that is, you could still use the option, but it wouldn't quite work. I've never seen this myself though. By the way (looking now), where I sit, "man ldapsearch" gives me, among other things: -C Chase referrals (anonymously) This is OpenLDAP 2.3.37. >>Are you talking about client-chasing of LDAPv3 referrals? Yes, you can >>do it by processing the LDAP URLs returned in search continuations >>yourself. You have to check the result type to be >>ldap.RES_SEARCH_REFERENCE. You can then use module 'ldapurl' to parse >>the referral URL in the result. Yes, that's what I'm talking about. Since my question we've also decided to do things this way, and parse the replies manually instead of trying to make the server do anything for us. >>Note that the concept of client-chasing referral chasing is seriously >>broken since the LDAPv3 standard does not specify which credentials to >>use when connecting to the server specified in the referral URL. My >>web2ldap therefore raises a bind form to interactively ask the user >>what >>to do in this case. So I'd rather recommend to configure your LDAP >>server to chase the referral with well-defined credentials if it >>supports chaining or however it's called in your LDAP server (which >>one?). 
That's some useful information. Our server is OpenLDAP. Not sure which
version right now, though.

Think I've got the hang of it now. I will simply check the type of the
reply manually and keep requesting around 'til I don't get another
reference.

Thanks again!

Greetings,
Fredrik

From metebilgin48 at gmail.com Tue Apr 28 12:48:57 2009
From: metebilgin48 at gmail.com (mete bilgin)
Date: Tue, 28 Apr 2009 13:48:57 +0300
Subject: how can LDAP injection blocked?
Message-ID:

Hi all,

I'm developing a web-based ldap gui with python ( with python-ldap ).
And I miss something about security. How can I block ldap injection?

thanks all. Good days.

ps: http://freshmeat.net/projects/pyldapadmin - pyldapadmin

From michael at stroeder.com Tue Apr 28 13:30:26 2009
From: michael at stroeder.com (=?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?=)
Date: Tue, 28 Apr 2009 13:30:26 +0200
Subject: how can LDAP injection blocked?
In-Reply-To:
References:
Message-ID: <49F6E8D2.9020707@stroeder.com>

mete bilgin wrote:
> I'm developing a web-based ldap gui with python ( with python-ldap ).
> And I miss something about security. How can I block ldap injection?

Could you please elaborate on what you mean with "ldap injection"?

Most security issues with attacking the connection can be cured with
SSL/TLS. So your client should support LDAPS and StartTLS ext.op. and
defining the trusted root CA certs.

Ciao, Michael.

From burak at arskom.com.tr Tue Apr 28 15:10:43 2009
From: burak at arskom.com.tr (Burak Arslan)
Date: Tue, 28 Apr 2009 16:10:43 +0300
Subject: how can LDAP injection blocked?
In-Reply-To: <49F6E8D2.9020707@stroeder.com>
References: <49F6E8D2.9020707@stroeder.com>
Message-ID: <49F70053.4020209@arskom.com.tr>

Michael Ströder wrote:
> mete bilgin wrote:
>
>> I'm developing a web-based ldap gui with python ( with python-ldap ).
>> And I miss something about security. How can I block ldap injection?
>>
>
> Could you please elaborate on what you mean with "ldap injection"?
>
>

i guess what he means is something like this: imagine the following filter:

(&(objectClass=inetOrgPerson)(uid=$input))

where $input comes from a web form, or similar. if $input==')' you get

(&(objectClass=inetOrgPerson)(uid=)))

which is invalid.

so some form of input validation must be used.

please correct me if i'm wrong

best regards
burak

From metebilgin48 at gmail.com Tue Apr 28 17:08:04 2009
From: metebilgin48 at gmail.com (mete)
Date: Tue, 28 Apr 2009 18:08:04 +0300
Subject: how can LDAP injection blocked?
In-Reply-To: <49F70053.4020209@arskom.com.tr>
References: <49F6E8D2.9020707@stroeder.com> <49F70053.4020209@arskom.com.tr>
Message-ID: <200904281808.04575.metebilgin48@gmail.com>

>
> i guess what he means is something like this: imagine the following filter:
>
> (&(objectClass=inetOrgPerson)(uid=$input))
>
> where $input comes from a web form, or similar. if $input==')' you get
>
> (&(objectClass=inetOrgPerson)(uid=)))
>
> which is invalid.
>
> so some form of input validation must be used.
>
> please correct me if i'm wrong
>
> best regards
> burak

It's have a login window. You can write your dn and password, after login you
can search, list etc. But it's not to be too security. How can I stop them?

Sorry for my English. It's not good at all. good day.

From yancey at unt.edu Tue Apr 28 17:32:49 2009
From: yancey at unt.edu (Yancey Yeargan)
Date: Tue, 28 Apr 2009 10:32:49 -0500
Subject: how can LDAP injection blocked?
In-Reply-To: <200904281808.04575.metebilgin48@gmail.com>
References: <49F6E8D2.9020707@stroeder.com> <49F70053.4020209@arskom.com.tr> <200904281808.04575.metebilgin48@gmail.com>
Message-ID:

I believe he is asking how to defend against potential web-based LDAP
filter injection attacks (similar to SQL injection attacks), or
generally how to validate user input. I think there are better forums
elsewhere (OpenLDAP perhaps) for asking this question.

There is a potential for abuse with some filters, but I do not see any
way to abuse the "(&(objectClass=inetOrgPerson)(uid=$input))" filter.
As mete wrote, it's easy to enter something that makes the filter
invalid. I just can't think of anything extra a person could type that
would be a valid filter and return unwanted data. Unlike SQL, the
returned attributes are not specified in the LDAP filter string, so
there is limited potential for abuse.

Yancey

On Apr 28, 2009, at 10:08 AM, mete wrote:

>
>>
>> i guess what he means is something like this: imagine the following
>> filter:
>>
>> (&(objectClass=inetOrgPerson)(uid=$input))
>>
>> where $input comes from a web form, or similar. if $input==')' you
>> get
>>
>> (&(objectClass=inetOrgPerson)(uid=)))
>>
>> which is invalid.
>>
>> so some form of input validation must be used.
>>
>> please correct me if i'm wrong
>>
>> best regards
>> burak
> It's have a login window. You can write your dn and password, after
> login you
> can search, list etc. But it's not to be too security. How can I
> stop them?
>
> Sorry for my English. It's not good at all. good day.

From michael at stroeder.com Tue Apr 28 23:23:38 2009
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Tue, 28 Apr 2009 23:23:38 +0200
Subject: how can LDAP injection blocked?
In-Reply-To:
References: <49F6E8D2.9020707@stroeder.com> <49F70053.4020209@arskom.com.tr> <200904281808.04575.metebilgin48@gmail.com>
Message-ID: <49F773DA.5020804@stroeder.com>

Yancey Yeargan wrote:
>
> I believe he is asking how to defend against potential web-based LDAP
> filter injection attacks (similar to SQL injection attacks),

Ah ok. To prevent someone to pass in special filter chars these have to
be escaped before the user's input is used as (partial) value in the
LDAP filter string representation.

One should use the functions in module ldap.filter for that:

http://www.python-ldap.org/doc/html/ldap-filter.html

> or generally how to validate user input.

This depends on the application's context and could be handled in the
web app library.

Ciao, Michael.

From zhbmaillistonly at gmail.com Fri May 1 06:11:22 2009
From: zhbmaillistonly at gmail.com (Zhang Huangbin)
Date: Fri, 01 May 2009 12:11:22 +0800
Subject: ANN: python-ldap-2.3.8
In-Reply-To: <49F9A3A6.7010007@stroeder.com>
References: <49F9A3A6.7010007@stroeder.com>
Message-ID: <49FA766A.3080309@gmail.com>

Michael Ströder wrote:
> Find a new release of python-ldap:
>
> http://www.python-ldap.org/
>

Thanks for your great work, Michael. ^_^

--
Best regards.
Zhang Huangbin - Open Source Mail Server Solution for RHEL/CentOS 5.x: http://code.google.com/p/iredmail/ From geert at boskant.nl Sun May 3 17:19:09 2009 From: geert at boskant.nl (Geert Jansen) Date: Sun, 3 May 2009 17:19:09 +0200 Subject: ANN: python-ldap-2.3.8 In-Reply-To: <49F9A3A6.7010007@stroeder.com> References: <49F9A3A6.7010007@stroeder.com> Message-ID: <648242720905030819t3052eeacnd86a6e1b72ce8c61@mail.gmail.com> Hi Michael, could you have a look at the patch that i submitted a while ago to expose LDAP_OPT_X_SASL_NOCANON? This option is a new LDAP option that disables SASL host name canonicalization. It is very useful in Windows AD environments. Patch attached. References: - http://sourceforge.net/mailarchive/message.php?msg_name=648242720811211518k726c54b9y1c8357255477ae5a%40mail.gmail.com - http://www.openldap.org/lists/openldap-bugs/200811/msg00116.html Regards, Geert -------------- next part -------------- A non-text attachment was scrubbed... Name: python-ldap-2.3.8-canon.patch Type: application/octet-stream Size: 1026 bytes Desc: not available URL: From michael at stroeder.com Sun May 3 20:37:11 2009 From: michael at stroeder.com (=?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?=) Date: Sun, 03 May 2009 20:37:11 +0200 Subject: ANN: python-ldap-2.3.8 In-Reply-To: <648242720905030819t3052eeacnd86a6e1b72ce8c61@mail.gmail.com> References: <49F9A3A6.7010007@stroeder.com> <648242720905030819t3052eeacnd86a6e1b72ce8c61@mail.gmail.com> Message-ID: <49FDE457.7080701@stroeder.com> Geert Jansen wrote: > > could you have a look at the patch that i submitted a while ago to > expose LDAP_OPT_X_SASL_NOCANON? This option is a new LDAP option that > disables SASL host name canonicalization. It is very useful in Windows > AD environments. Sorry, this was still in the pipe. Questions: Why didn't you patch LDAP_get_option()? If I also extend LDAP_get_option() l.get_option(ldap.OPT_X_SASL_NOCANON) will always return -1 if set to any value instead of 0. Is that correct? 
Ciao, Michael. From geert at boskant.nl Mon May 4 09:05:25 2009 From: geert at boskant.nl (Geert Jansen) Date: Mon, 4 May 2009 09:05:25 +0200 Subject: ANN: python-ldap-2.3.8 In-Reply-To: <49FDE457.7080701@stroeder.com> References: <49F9A3A6.7010007@stroeder.com> <648242720905030819t3052eeacnd86a6e1b72ce8c61@mail.gmail.com> <49FDE457.7080701@stroeder.com> Message-ID: <648242720905040005uf236c84yc054635992cc60a2@mail.gmail.com> 2009/5/3 Michael Str?der : > > Why didn't you patch LDAP_get_option()? That is an oversight. It should be updated as well. New patch attached. > If I also extend LDAP_get_option() l.get_option(ldap.OPT_X_SASL_NOCANON) > will always return -1 if set to any value instead of 0. Is that correct? Yes, that should be fine. Thanks, Geert -------------- next part -------------- A non-text attachment was scrubbed... Name: python-ldap-2.3.8-canon.patch Type: application/octet-stream Size: 1332 bytes Desc: not available URL: From michael at stroeder.com Mon May 4 12:10:51 2009 From: michael at stroeder.com (=?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?=) Date: Mon, 04 May 2009 12:10:51 +0200 Subject: ldap.OPT_X_SASL_NOCANON (was: ANN: python-ldap-2.3.8) In-Reply-To: <648242720905040005uf236c84yc054635992cc60a2@mail.gmail.com> References: <49F9A3A6.7010007@stroeder.com> <648242720905030819t3052eeacnd86a6e1b72ce8c61@mail.gmail.com> <49FDE457.7080701@stroeder.com> <648242720905040005uf236c84yc054635992cc60a2@mail.gmail.com> Message-ID: <49FEBF2B.5060204@stroeder.com> Geert Jansen wrote: > 2009/5/3 Michael Str?der : >> Why didn't you patch LDAP_get_option()? > > That is an oversight. It should be updated as well. New patch attached. > >> If I also extend LDAP_get_option() l.get_option(ldap.OPT_X_SASL_NOCANON) >> will always return -1 if set to any value instead of 0. Is that correct? > > Yes, that should be fine. Ok, committed in HEAD. Please test. Is it urgent to have that in a generally available release? Ciao, Michael. 
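Added example (not part of the original messages and not python-ldap's own code): the escaping Michael describes in the "how can LDAP injection blocked?" thread, applied to the filter `(&(objectClass=inetOrgPerson)(uid=$input))` from that thread. It escapes the RFC 4515 special characters by hand and uses a small parser for a subset of the filter grammar to show how the uid assertion is read with and without escaping. The function names are constructed for illustration; with python-ldap installed, `ldap.filter.escape_filter_chars()` and `ldap.filter.filter_format()` do the escaping.

```python
import re

# RFC 4515: these characters must be written as \XX inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9;.-]*)=(.*)", re.S)


def escape_filter_value(value):
    """Escape user input so it can only ever be a literal assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(user_input, escape=True):
    """Build the filter from the thread; escape=False is the unsafe variant."""
    value = escape_filter_value(user_input) if escape else user_input
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % value


def _unescape(raw):
    if re.search(r"\\(?![0-9A-Fa-f]{2})", raw):
        raise ValueError("bad escape in %r" % raw)
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _parse_item(item):
    m = _ITEM.fullmatch(item)
    if not m:
        raise ValueError("bad filter item %r" % item)
    attr, raw = m.groups()
    if raw == "*":
        return ("present", attr, None)       # matches every entry that has attr
    parts = [_unescape(p) for p in raw.split("*")]
    if len(parts) > 1:
        return ("substring", attr, parts)
    return ("equal", attr, parts[0])


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("bad operand count for %r" % op)
        node = (op, children)
    else:
        end = pos
        while end < len(text) and text[end] not in "()":
            end += 1
        node, pos = _parse_item(text[pos:end]), end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return node, pos + 1


def parse_filter(text):
    """Parse and/or/not with equality, presence and substring items."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return node


def uid_assertion(user_input, escape=True):
    """Return how the uid part of the thread's filter is interpreted."""
    return parse_filter(build_uid_filter(user_input, escape))[1][1]


if __name__ == "__main__":
    for text in [")", "*", "Smith (ext)"]:   # constructed sample inputs
        for escape in (False, True):
            try:
                print(repr(text), escape, uid_assertion(text, escape))
            except ValueError as exc:
                print(repr(text), escape, "invalid filter:", exc)
```

Without escaping, `)` yields the invalid filter Burak shows and `*` turns the equality test into a presence test; with escaping, every input stays an equality match on the literal string.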
From geert at boskant.nl Sat May 9 18:27:03 2009 From: geert at boskant.nl (Geert Jansen) Date: Sat, 9 May 2009 18:27:03 +0200 Subject: ldap.OPT_X_SASL_NOCANON (was: ANN: python-ldap-2.3.8) In-Reply-To: <49FEBF2B.5060204@stroeder.com> References: <49F9A3A6.7010007@stroeder.com> <648242720905030819t3052eeacnd86a6e1b72ce8c61@mail.gmail.com> <49FDE457.7080701@stroeder.com> <648242720905040005uf236c84yc054635992cc60a2@mail.gmail.com> <49FEBF2B.5060204@stroeder.com> Message-ID: <648242720905090927i1eb0a36av31e0247535a89fb7@mail.gmail.com> 2009/5/4 Michael Str?der : > Ok, committed in HEAD. Please test. I've tested current HEAD and it works for me. > Is it urgent to have that in a generally available release? Not really urgent but it would be good if a new release was made in the next 2-3 months or so. This would ensure that the next wave of distribution releases (Fedora 12, Ubuntu 9.10) pick this up. Regards, Geert From michael at stroeder.com Thu May 14 11:46:28 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Thu, 14 May 2009 11:46:28 +0200 Subject: Any example of Server/Client Side Sorting? In-Reply-To: <4A0BE59B.1080209@gmail.com> References: <4A0BE59B.1080209@gmail.com> Message-ID: <4A0BE874.6030604@stroeder.com> Zhang Huangbin wrote: > > Does anyone has working code snippet of server/client side sorting? > > I use serverctrls in search_ext_s() like this: > > search_ext_s(xxxx, serverctrls = [ > ldap.controls.LDAPControl('1.2.840.113556.1.4.473',1,None) ],) > > got error msg: > > UNAVAILABLE_CRITICAL_EXTENSION: {'info': 'critical extension is not > recognized', 'desc': 'Critical extension is unavailable'} > > * Use clientctrls: > > search_ext_s(xxxx, clientctrls = [ > ldap.controls.LDAPControl('1.2.840.113556.1.4.473',1,None) ],) > > got error msg: > > NOT_SUPPORTED: {'info': '', 'desc': 'Not Supported'} > > My os is Ubuntu 9.04, OpenLDAP-2.4.15-1ubuntu3. 
The error message is pretty clear: This particular LDAP server does not support server-side sorting. Besides that you should read RFC 2891 to learn how to generate the controlValue which specifies which attribute and matching rule (optional) is used for sorting and whether you want reverse order (optional). You could try to generate the controlValue with module pyasn1. Ciao, Michael. From zhbmaillistonly at gmail.com Thu May 14 11:34:19 2009 From: zhbmaillistonly at gmail.com (Zhang Huangbin) Date: Thu, 14 May 2009 17:34:19 +0800 Subject: Any example of Server/Client Side Sorting? Message-ID: <4A0BE59B.1080209@gmail.com> Hi, all. Does anyone has working code snippet of server/client side sorting? I use serverctrls in search_ext_s() like this: search_ext_s(xxxx, serverctrls = [ ldap.controls.LDAPControl('1.2.840.113556.1.4.473',1,None) ],) got error msg: UNAVAILABLE_CRITICAL_EXTENSION: {'info': 'critical extension is not recognized', 'desc': 'Critical extension is unavailable'} * Use clientctrls: search_ext_s(xxxx, clientctrls = [ ldap.controls.LDAPControl('1.2.840.113556.1.4.473',1,None) ],) got error msg: NOT_SUPPORTED: {'info': '', 'desc': 'Not Supported'} My os is Ubuntu 9.04, OpenLDAP-2.4.15-1ubuntu3. -- Best regards. Zhang Huangbin - Open Source Mail Server Solution for RHEL, CentOS, Debian: http://code.google.com/p/iredmail/ From zhbmaillistonly at gmail.com Thu May 14 14:37:50 2009 From: zhbmaillistonly at gmail.com (Zhang Huangbin) Date: Thu, 14 May 2009 20:37:50 +0800 Subject: Any example of Server/Client Side Sorting? In-Reply-To: <4A0BE874.6030604@stroeder.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> Message-ID: <4A0C109E.20109@gmail.com> Michael Str?der wrote: > > The error message is pretty clear: This particular LDAP server does not > support server-side sorting. 
> I checked the rootdse, neither server side sort nor client side sort is supported: ---- supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 supportedExtension: 1.3.6.1.4.1.1466.20037 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 supportedExtension: 1.3.6.1.1.8 ---- > Besides that you should read RFC 2891 to learn how to generate the > controlValue which specifies which attribute and matching rule > (optional) is used for sorting and whether you want reverse order > (optional). You could try to generate the controlValue with module pyasn1. Got it. Thanks Michael :) -- Best regards. Zhang Huangbin - Open Source Mail Server Solution for RHEL, CentOS, Debian: http://code.google.com/p/iredmail/ From michael at stroeder.com Thu May 14 14:54:14 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Thu, 14 May 2009 14:54:14 +0200 Subject: Any example of Server/Client Side Sorting? In-Reply-To: <4A0C109E.20109@gmail.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> <4A0C109E.20109@gmail.com> Message-ID: <4A0C1476.7070105@stroeder.com> Zhang Huangbin wrote: > Michael Str?der wrote: >> The error message is pretty clear: This particular LDAP server does not >> support server-side sorting. > > I checked the rootdse, neither server side sort nor client side sort is > supported: 1. Client-side sorting is done within the client libs if supported. So it wouldn't be listed in the attribute 'supportedControl' of the DSA's rootDSE anyway. Not sure whether client controls are used in OpenLDAP's libldap at all. 2. One should always try out whether a DSA supports a particular control within a certain naming context. E.g. 
former versions of OpenLDAP supported the Tree Deletion Control only for naming contexts served by back-sql. Feature detection is not that easy. > supportedControl: 2.16.840.1.113730.3.4.18 > supportedControl: 2.16.840.1.113730.3.4.2 > supportedControl: 1.3.6.1.4.1.4203.1.10.1 > supportedControl: 1.2.840.113556.1.4.319 > supportedControl: 1.2.826.0.1.3344810.2.3 > supportedControl: 1.3.6.1.1.13.2 > supportedControl: 1.3.6.1.1.13.1 > supportedControl: 1.3.6.1.1.12 > supportedExtension: 1.3.6.1.4.1.1466.20037 > supportedExtension: 1.3.6.1.4.1.4203.1.11.1 > supportedExtension: 1.3.6.1.4.1.4203.1.11.3 > supportedExtension: 1.3.6.1.1.8 Everyone tired of looking up the OIDs should use my http://web2ldap.de since it contains a registry of OIDs with descriptions of the meaning which are displayed when displaying the rootDSE. Ciao, Michael. From zhbmaillistonly at gmail.com Thu May 14 15:09:59 2009 From: zhbmaillistonly at gmail.com (Zhang Huangbin) Date: Thu, 14 May 2009 21:09:59 +0800 Subject: Any example of Server/Client Side Sorting? In-Reply-To: <4A0C1476.7070105@stroeder.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> <4A0C109E.20109@gmail.com> <4A0C1476.7070105@stroeder.com> Message-ID: <4A0C1827.2090102@gmail.com> Michael Str?der wrote: > > 1. Client-side sorting is done within the client libs if supported. So > it wouldn't be listed in the attribute 'supportedControl' of the DSA's > rootDSE anyway. Not sure whether client controls are used in OpenLDAP's > libldap at all. > Any exist python module/function to sort ldap search results? > 2. One should always try out whether a DSA supports a particular control > within a certain naming context. E.g. former versions of OpenLDAP > supported the Tree Deletion Control only for naming contexts served by > back-sql. > > Feature detection is not that easy. > I also need function to delete ldap tree too, and reading your web2ldap/pylib/ldapsession.py now. 
> Everyone tired of looking up the OIDs should use my http://web2ldap.de > since it contains a registry of OIDs with descriptions of the meaning > which are displayed when displaying the rootDSE. I found it moment ago. :) Tring to learn ldap programing from web2ldap now. Thanks for your great program. :) -- Best regards. Zhang Huangbin - Open Source Mail Server Solution for RHEL, CentOS, Debian: http://code.google.com/p/iredmail/ From michael at stroeder.com Thu May 14 15:18:42 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Thu, 14 May 2009 15:18:42 +0200 Subject: Any example of Server/Client Side Sorting? In-Reply-To: <4A0C1827.2090102@gmail.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> <4A0C109E.20109@gmail.com> <4A0C1476.7070105@stroeder.com> <4A0C1827.2090102@gmail.com> Message-ID: <4A0C1A32.7090607@stroeder.com> Zhang Huangbin wrote: > Michael Str?der wrote: >> 1. Client-side sorting is done within the client libs if supported. So >> it wouldn't be listed in the attribute 'supportedControl' of the DSA's >> rootDSE anyway. Not sure whether client controls are used in OpenLDAP's >> libldap at all. > > Any exist python module/function to sort ldap search results? Well, why do you really need that? I don't have client-side sorting in web2ldap because it won't scale with large search results. Some of my customers have more than 100k person/user entries in their directories. >> 2. One should always try out whether a DSA supports a particular control >> within a certain naming context. E.g. former versions of OpenLDAP >> supported the Tree Deletion Control only for naming contexts served by >> back-sql. >> >> Feature detection is not that easy. > > I also need function to delete ldap tree too, and reading your > web2ldap/pylib/ldapsession.py now. The function DelTree() is in pylib/w2lapp/delete.py. 
If the tree deletion control cannot or shall not be used it also makes use of some operational attributes (e.g. hasSubordinates etc.) to determine whether a found entry is a leaf-entry. > Tring to learn ldap programing from web2ldap now. Thanks for your great > program. :) Bear in mind that I started learning Python when the first code was written almost 11 years ago. So I have to admit that many parts are really ugly code and not really good programming examples. Ciao, Michael. From michael at stroeder.com Thu May 14 16:10:31 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Thu, 14 May 2009 16:10:31 +0200 Subject: Any example of Server/Client Side Sorting? In-Reply-To: <4A0C24B2.9080603@gmail.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> <4A0C109E.20109@gmail.com> <4A0C1476.7070105@stroeder.com> <4A0C1827.2090102@gmail.com> <4A0C1A32.7090607@stroeder.com> <4A0C24B2.9080603@gmail.com> Message-ID: <4A0C2657.6020602@stroeder.com> Zhang Huangbin wrote: > Michael Str?der wrote: >> Zhang Huangbin wrote: >> >>> Any exist python module/function to sort ldap search results? >> Well, why do you really need that? I don't have client-side sorting in >> web2ldap because it won't scale with large search results. Some of my >> customers have more than 100k person/user entries in their directories. >> > > I have 100+ accounts in LDAP, but they are not listed orderly. 100+ entries are not so many. So you could try sorting the list of search results retrieved with LDAPObject.ldap_search_ext_s() by invoking list method .sort(). Make sure you understand how to control the comparisons. See item 8. here: http://docs.python.org/library/stdtypes.html#index-591 Ciao, Michael. From zhbmaillistonly at gmail.com Thu May 14 16:03:30 2009 From: zhbmaillistonly at gmail.com (Zhang Huangbin) Date: Thu, 14 May 2009 22:03:30 +0800 Subject: Any example of Server/Client Side Sorting? 
In-Reply-To: <4A0C1A32.7090607@stroeder.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> <4A0C109E.20109@gmail.com> <4A0C1476.7070105@stroeder.com> <4A0C1827.2090102@gmail.com> <4A0C1A32.7090607@stroeder.com> Message-ID: <4A0C24B2.9080603@gmail.com> Michael Str?der wrote: > Zhang Huangbin wrote: > >> Any exist python module/function to sort ldap search results? > > Well, why do you really need that? I don't have client-side sorting in > web2ldap because it won't scale with large search results. Some of my > customers have more than 100k person/user entries in their directories. > I have 100+ accounts in LDAP, but they are not listed orderly. like this: dn: mail=www2 at xxx,---- dn: mail=www5 at xxx,---- dn: mail=www3 at xxx,---- dn: mail=www at xxx,---- I just want to make them listed orderly like this: dn: mail=www at xxx,---- dn: mail=www2 at xxx,---- dn: mail=www3 at xxx,---- dn: mail=www5 at xxx,---- Do you make them listed in the original order? >> Tring to learn ldap programing from web2ldap now. Thanks for your great >> program. :) >> > > Bear in mind that I started learning Python when the first code was > written almost 11 years ago. So I have to admit that many parts are > really ugly code and not really good programming examples. Got it. thanks for your remind :) -- Best regards. Zhang Huangbin - Open Source Mail Server Solution for RHEL, CentOS, Debian: http://code.google.com/p/iredmail/ From zhbmaillistonly at gmail.com Thu May 14 17:25:23 2009 From: zhbmaillistonly at gmail.com (Zhang Huangbin) Date: Thu, 14 May 2009 23:25:23 +0800 Subject: Any example of Server/Client Side Sorting? 
In-Reply-To: <4A0C2657.6020602@stroeder.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> <4A0C109E.20109@gmail.com> <4A0C1476.7070105@stroeder.com> <4A0C1827.2090102@gmail.com> <4A0C1A32.7090607@stroeder.com> <4A0C24B2.9080603@gmail.com> <4A0C2657.6020602@stroeder.com> Message-ID: <4A0C37E3.4070601@gmail.com> Michael Str?der wrote: > > 100+ entries are not so many. So you could try sorting the list of > search results retrieved with LDAPObject.ldap_search_ext_s() by invoking > list method .sort(). Make sure you understand how to control the > comparisons. > > See item 8. here: > http://docs.python.org/library/stdtypes.html#index-591 > No idea yet. Any example? Thanks :) -- Best regards. Zhang Huangbin - Open Source Mail Server Solution for RHEL, CentOS, Debian: http://code.google.com/p/iredmail/ From michael at stroeder.com Thu May 14 19:04:25 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Thu, 14 May 2009 19:04:25 +0200 Subject: Any example of Server/Client Side Sorting? In-Reply-To: <4A0C37E3.4070601@gmail.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> <4A0C109E.20109@gmail.com> <4A0C1476.7070105@stroeder.com> <4A0C1827.2090102@gmail.com> <4A0C1A32.7090607@stroeder.com> <4A0C24B2.9080603@gmail.com> <4A0C2657.6020602@stroeder.com> <4A0C37E3.4070601@gmail.com> Message-ID: <4A0C4F19.9060903@stroeder.com> Zhang Huangbin wrote: > Michael Str?der wrote: >> 100+ entries are not so many. So you could try sorting the list of >> search results retrieved with LDAPObject.ldap_search_ext_s() by invoking >> list method .sort(). Make sure you understand how to control the >> comparisons. >> >> See item 8. here: >> http://docs.python.org/library/stdtypes.html#index-591 >> > > No idea yet. Any example? 
Bear in mind search results returned by synchronous search methods are in a list of 2-tuples each consisting of the DN string and the entry dictionary like this:
[(dn,entry)]
Without testing just as food for thought: Compare function for case-insensitive comparison of the DN:
cmp=lambda x,y: cmp(x[0].lower(), y[0}.lower())
Compare function for case-insensitive comparison of the first attribute value of 'cn' (this would choke with KeyError exception if there's no attribute 'cn' in the entry):
cmp=lambda x,y: cmp(x[1]['cn'][0].lower(), y[1]['cn'][0].lower())
And then results.sort(cmp). I don't know how fast this is though. The rest of the homework is up to you. For various list sorting aspects you should ask in news:comp.lang.python Ciao, Michael. From raj at csub.edu Thu May 14 20:38:19 2009 From: raj at csub.edu (Russell Jackson) Date: Thu, 14 May 2009 11:38:19 -0700 Subject: Any example of Server/Client Side Sorting? In-Reply-To: <4A0C1A32.7090607@stroeder.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> <4A0C109E.20109@gmail.com> <4A0C1476.7070105@stroeder.com> <4A0C1827.2090102@gmail.com> <4A0C1A32.7090607@stroeder.com> Message-ID: <4A0C651B.8070205@csub.edu> Michael Ströder wrote: > Zhang Huangbin wrote: >> Michael Ströder wrote: >> Trying to learn ldap programming from web2ldap now. Thanks for your great >> program. :) > > Bear in mind that I started learning Python when the first code was > written almost 11 years ago. So I have to admit that many parts are > really ugly code and not really good programming examples. Every programmer I've ever talked to always thinks their own code sucks. -- Russell A. Jackson Network Analyst California State University, Bakersfield With a gentleman I try to be a gentleman and a half, and with a fraud I try to be a fraud and a half. -- Otto von Bismarck -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 259 bytes Desc: OpenPGP digital signature URL: From zhbmaillistonly at gmail.com Fri May 15 05:05:38 2009 From: zhbmaillistonly at gmail.com (Zhang Huangbin) Date: Fri, 15 May 2009 11:05:38 +0800 Subject: Any example of Server/Client Side Sorting? In-Reply-To: <4A0C4F19.9060903@stroeder.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> <4A0C109E.20109@gmail.com> <4A0C1476.7070105@stroeder.com> <4A0C1827.2090102@gmail.com> <4A0C1A32.7090607@stroeder.com> <4A0C24B2.9080603@gmail.com> <4A0C2657.6020602@stroeder.com> <4A0C37E3.4070601@gmail.com> <4A0C4F19.9060903@stroeder.com> Message-ID: <4A0CDC02.6000800@gmail.com> Michael Str?der wrote: > > Compare function for case-insensitive comparison of the DN: > > cmp=lambda x,y: cmp(x[0].lower(), y[0}.lower()) > > Thanks Michael. :) I tried this compare function, but got this err msg: ---- RuntimeError: maximum recursion depth exceeded ---- The result contains less than 10 records. -- Best regards. Zhang Huangbin - Open Source Mail Server Solution for RHEL, CentOS, Debian: http://code.google.com/p/iredmail/ From michael at stroeder.com Fri May 15 10:56:47 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Fri, 15 May 2009 10:56:47 +0200 Subject: Any example of Server/Client Side Sorting? 
In-Reply-To: <4A0CDC02.6000800@gmail.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> <4A0C109E.20109@gmail.com> <4A0C1476.7070105@stroeder.com> <4A0C1827.2090102@gmail.com> <4A0C1A32.7090607@stroeder.com> <4A0C24B2.9080603@gmail.com> <4A0C2657.6020602@stroeder.com> <4A0C37E3.4070601@gmail.com> <4A0C4F19.9060903@stroeder.com> <4A0CDC02.6000800@gmail.com> Message-ID: <4A0D2E4F.7080604@stroeder.com> Zhang Huangbin wrote: > Michael Str?der wrote: >> Compare function for case-insensitive comparison of the DN: >> >> cmp=lambda x,y: cmp(x[0].lower(), y[0}.lower()) > > I tried this compare function, but got this err msg: Sorry, there's a typo in there: cmp=lambda x,y: cmp(x[0].lower(), y[0}.lower()) ^ Should be ] Ciao, Michael. From zhbmaillistonly at gmail.com Fri May 15 14:46:14 2009 From: zhbmaillistonly at gmail.com (Zhang Huangbin) Date: Fri, 15 May 2009 20:46:14 +0800 Subject: Any example of Server/Client Side Sorting? In-Reply-To: <4A0D2E4F.7080604@stroeder.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> <4A0C109E.20109@gmail.com> <4A0C1476.7070105@stroeder.com> <4A0C1827.2090102@gmail.com> <4A0C1A32.7090607@stroeder.com> <4A0C24B2.9080603@gmail.com> <4A0C2657.6020602@stroeder.com> <4A0C37E3.4070601@gmail.com> <4A0C4F19.9060903@stroeder.com> <4A0CDC02.6000800@gmail.com> <4A0D2E4F.7080604@stroeder.com> Message-ID: <4A0D6416.3030306@gmail.com> Michael Str?der wrote: > > Sorry, there's a typo in there: > > cmp=lambda x,y: cmp(x[0].lower(), y[0}.lower()) > ^ > Should be ] I found that before, but got the same error: >>> alist [('mail=postmaster at a.cn,o=domainAdmins,dc=iredmail,dc=org', {'mail': ['postmaster at a.cn'], 'accountStatus': ['active'], 'enabledService': ['awstats'], 'domainGlobalAdmin': ['yes']}), ('mail=www at a.cn,o=domainAdmins,dc=iredmail,dc=org', {'mail': ['www at a.cn'], 'accountStatus': ['active'], 'domainGlobalAdmin': ['yes']}), ('mail=www5 at a.cn,o=domainAdmins,dc=iredmail,dc=org', 
{'mail': ['www5 at a.cn'], 'accountStatus': ['active'], 'domainGlobalAdmin': ['no']}), ('mail=www3 at a.cn,o=domainAdmins,dc=iredmail,dc=org', {'mail': ['www3 at a.cn'], 'accountStatus': ['active'], 'domainGlobalAdmin': ['no']})] >>> cmp=lambda x,y: cmp(x[0].lower(), y[0].lower()) >>> alist.sort(cmp) Traceback (most recent call last): File "", line 1, in ? File "", line 1, in File "", line 1, in File "", line 1, in File "", line 1, in File "", line 1, in File "", line 1, in File "", line 1, in File "", line 1, in ...... SKIP MANY LINES HERE ...... File "", line 1, in File "", line 1, in File "", line 1, in File "", line 1, in RuntimeError: maximum recursion depth exceeded -- Best regards. Zhang Huangbin - Open Source Mail Server Solution for RHEL, CentOS, Debian: http://code.google.com/p/iredmail/ From michael at stroeder.com Fri May 15 15:02:45 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Fri, 15 May 2009 15:02:45 +0200 Subject: Any example of Server/Client Side Sorting? In-Reply-To: <4A0D6416.3030306@gmail.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> <4A0C109E.20109@gmail.com> <4A0C1476.7070105@stroeder.com> <4A0C1827.2090102@gmail.com> <4A0C1A32.7090607@stroeder.com> <4A0C24B2.9080603@gmail.com> <4A0C2657.6020602@stroeder.com> <4A0C37E3.4070601@gmail.com> <4A0C4F19.9060903@stroeder.com> <4A0CDC02.6000800@gmail.com> <4A0D2E4F.7080604@stroeder.com> <4A0D6416.3030306@gmail.com> Message-ID: <4A0D67F5.3020204@stroeder.com> Zhang Huangbin wrote: > >>> cmp=lambda x,y: cmp(x[0].lower(), y[0].lower()) > > >>> alist.sort(cmp) Ouch! One should probably not mask the standard function name cmp. So try this: mycmp=lambda x,y: cmp(x[0].lower(), y[0].lower()) alist.sort(mycmp) Ciao, Michael. From zhbmaillistonly at gmail.com Fri May 15 16:09:12 2009 From: zhbmaillistonly at gmail.com (Zhang Huangbin) Date: Fri, 15 May 2009 22:09:12 +0800 Subject: Any example of Server/Client Side Sorting? 
In-Reply-To: <4A0D67F5.3020204@stroeder.com> References: <4A0BE59B.1080209@gmail.com> <4A0BE874.6030604@stroeder.com> <4A0C109E.20109@gmail.com> <4A0C1476.7070105@stroeder.com> <4A0C1827.2090102@gmail.com> <4A0C1A32.7090607@stroeder.com> <4A0C24B2.9080603@gmail.com> <4A0C2657.6020602@stroeder.com> <4A0C37E3.4070601@gmail.com> <4A0C4F19.9060903@stroeder.com> <4A0CDC02.6000800@gmail.com> <4A0D2E4F.7080604@stroeder.com> <4A0D6416.3030306@gmail.com> <4A0D67F5.3020204@stroeder.com> Message-ID: <4A0D7788.3070509@gmail.com> Michael Str?der wrote: > mycmp=lambda x,y: cmp(x[0].lower(), y[0].lower()) > alist.sort(mycmp) I found this and solved too. Big thanks :) -- Best regards. Zhang Huangbin - Open Source Mail Server Solution for RHEL, CentOS, Debian: http://code.google.com/p/iredmail/ From lgp171188 at gmail.com Sat May 16 14:29:39 2009 From: lgp171188 at gmail.com (Guruprasad) Date: Sat, 16 May 2009 17:59:39 +0530 Subject: LDIF Generation using Python-LDAP Message-ID: <7c956f0c0905160529p3686d12bsa0a64d888caddf2c@mail.gmail.com> Hi, I tried generating a LDIF file from a dictionary using 'ldif' module as illustrated in http://www.python-ldap.org/doc/html/ldif.html. But at the end of the LDIF data, I get a newline and a 'None', whereas there is no such thing in the result shown in that example. How to get rid of those unwanted characters. I am using Python-LDAP 2.3.5-1 on Debian Lenny. Thank you. Regards, Guruprasad. 
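Going back to the server-side sorting thread above: the RFC 2891 controlValue that Michael refers to, as an added example that is not python-ldap's or any poster's code. It encodes the SortKeyList by hand in BER instead of with pyasn1, and checks the supportedControl values posted in the thread before attaching the control; all function names are assumptions of this example.

```python
# Added example: RFC 2891 sort request control, BER-encoded without pyasn1.
SORT_REQUEST_OID = "1.2.840.113556.1.4.473"  # the OID used in the thread

# supportedControl values from the rootDSE posted in the thread.
ROOT_DSE = """\
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
"""


def ber_length(n):
    """Definite-length octets: short form below 128, long form from 128 up."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One BER tag-length-value triple."""
    return bytes([tag]) + ber_length(len(value)) + value


def sort_key(attr, ordering_rule=None, reverse=False):
    """SEQUENCE { attributeType, orderingRule [0] OPTIONAL,
    reverseOrder [1] BOOLEAN DEFAULT FALSE } with LDAP's implicit tags."""
    body = tlv(0x04, attr.encode("utf-8"))                # OCTET STRING
    if ordering_rule is not None:
        body += tlv(0x80, ordering_rule.encode("utf-8"))  # [0] matching rule
    if reverse:                                           # FALSE is the default
        body += tlv(0x81, b"\xff")                        # [1] BOOLEAN TRUE
    return tlv(0x30, body)


def sort_control_value(keys):
    """keys: list of (attr, ordering_rule_or_None, reverse) tuples."""
    if not keys:
        raise ValueError("at least one sort key is needed")
    return tlv(0x30, b"".join(sort_key(*k) for k in keys))


def supported_controls(root_dse_text):
    """Collect the supportedControl OIDs from rootDSE text in LDIF form."""
    oids = set()
    for line in root_dse_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "supportedcontrol":
            oids.add(value.strip())
    return oids


def plan_sort_control(root_dse_text, keys, critical=False):
    """Return (oid, criticality, controlValue), the three arguments the thread
    passes to ldap.controls.LDAPControl, or None when the server does not
    advertise the control and the caller has to sort on the client.
    An advertised OID can still be refused for one naming context, so the
    caller keeps handling UNAVAILABLE_CRITICAL_EXTENSION."""
    if SORT_REQUEST_OID not in supported_controls(root_dse_text):
        return None
    return (SORT_REQUEST_OID, critical, sort_control_value(keys))


if __name__ == "__main__":
    print(sort_control_value([("mail", None, False)]).hex())
    print(plan_sort_control(ROOT_DSE, [("mail", None, False)]))
```

Passing None as the controlValue, as in the original question, leaves out the SortKeyList entirely, so the request would be malformed even on a server that supports the control.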
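The client-side fallback from the same sorting thread, as an added example that is not code from any poster. It is written for Python 3, where list.sort() no longer accepts a comparison function, so it uses key functions, which also avoids the shadowed-cmp recursion seen above; the sample entries and the example.com names are constructed.

```python
import re

# Constructed sample in the shape python-ldap's synchronous searches return:
# a list of (dn, entry) tuples. Names and the example.com domain are made up.
BASE = "o=domainAdmins,dc=example,dc=com"
RESULTS = [
    ("mail=www2@example.com," + BASE, {"mail": [b"www2@example.com"]}),
    ("mail=www5@example.com," + BASE, {"mail": [b"www5@example.com"]}),
    ("mail=WWW3@example.com," + BASE, {"mail": [b"WWW3@example.com"]}),
    ("mail=www@example.com," + BASE, {"mail": [b"www@example.com"]}),
    ("mail=www10@example.com," + BASE, {"mail": [b"www10@example.com"]}),
    ("cn=helpdesk," + BASE, {"cn": [b"helpdesk"]}),          # no 'mail' value
    (None, ["ldap://ldap2.example.com/dc=example,dc=com"]),  # search reference
]


def text(value):
    """Attribute values are bytes with python-ldap on Python 3, str on Python 2."""
    return value.decode("utf-8") if isinstance(value, bytes) else value


def natural(s):
    """Case-insensitive key that compares digit runs as numbers (www5 < www10)."""
    return [(0, int(p), "") if p.isdecimal() else (1, 0, p)
            for p in re.split(r"(\d+)", s.lower()) if p]


def entries_only(results):
    """Drop search references, which arrive with the DN set to None."""
    return [r for r in results if r[0] is not None]


def sort_by_dn(results):
    """The ordering the thread's comparator produces: lower-cased DN string."""
    return sorted(entries_only(results), key=lambda r: r[0].lower())


def sort_by_attr(results, attr="mail"):
    """Order by the first value of attr, local part before domain.
    Entries without the attribute go last instead of raising KeyError."""
    def key(result):
        dn, entry = result
        values = entry.get(attr) or []
        if not values:
            return (1, [], "", dn.lower())
        local, _, domain = text(values[0]).partition("@")
        return (0, natural(local), domain.lower(), dn.lower())
    return sorted(entries_only(results), key=key)


def rdns(results):
    """First RDN of each result, for compact display."""
    return [dn.split(",")[0] for dn, _ in results]


if __name__ == "__main__":
    print(rdns(sort_by_dn(RESULTS)))
    print(rdns(sort_by_attr(RESULTS)))
```

Sorting on the DN string places www2 before www because "2" sorts before "@"; the attribute-based key gives the www, www2, www3, www5 order asked for in the thread.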
From lgp171188 at gmail.com Sat May 16 14:47:27 2009 From: lgp171188 at gmail.com (Guruprasad) Date: Sat, 16 May 2009 18:17:27 +0530 Subject: LDIF Generation using Python-LDAP In-Reply-To: <4A0EB487.1030808@stroeder.com> References: <7c956f0c0905160529p3686d12bsa0a64d888caddf2c@mail.gmail.com> <4A0EB487.1030808@stroeder.com> Message-ID: <7c956f0c0905160547m63c9df5ak860263e35d55dcbb@mail.gmail.com> Hi, 2009/5/16 Michael Ströder : > Guruprasad wrote: >> Hi, >> I tried generating a LDIF file from a dictionary using 'ldif' module >> as illustrated in http://www.python-ldap.org/doc/html/ldif.html. But >> at the end of the LDIF data, I get a newline and a 'None', whereas >> there is no such thing in the result shown in that example. How to get >> rid of those unwanted characters. I am using Python-LDAP 2.3.5-1 on >> Debian Lenny. > > Could you please post your code (in a short form) demonstrating the > issue? Note that there is a new-line after each entry record. But what > 'None' is in your case is not clear to me. > Basically what I am trying to do with this code is that, I manipulate the result returned by ldapsearch to remove some attributes and generate a LDIF output for the modified entry.

        res_type, result_data=l.result(res_id,0)
        if (result_data==[]):
            break
        dn=result_data[0][0]
        resd=result_data[0][1]
        resd["objectClass"].remove("inetLocalMailRecipient")
            resd["objectClass"].remove("organizationalPerson")
            resd["objectClass"].remove("inetOrgPerson")
        resd["objectClass"].remove("posixAccount")
        lw=ldif.LDIFWriter(sys.stdout)
        guru=lw.unparse(dn,resd)
        print guru

Is it some issue or am I making some mistakes with general usage of Python? Thank you.
Regards, L.Guruprasad From lgp171188 at gmail.com Sat May 16 14:51:38 2009 From: lgp171188 at gmail.com (Guruprasad) Date: Sat, 16 May 2009 18:21:38 +0530 Subject: LDIF Generation using Python-LDAP In-Reply-To: <7c956f0c0905160547m63c9df5ak860263e35d55dcbb@mail.gmail.com> References: <7c956f0c0905160529p3686d12bsa0a64d888caddf2c@mail.gmail.com> <4A0EB487.1030808@stroeder.com> <7c956f0c0905160547m63c9df5ak860263e35d55dcbb@mail.gmail.com> Message-ID: <7c956f0c0905160551w2096bfe7ma5affa095c5e69f6@mail.gmail.com> 2009/5/16 Guruprasad : > Hi, > > 2009/5/16 Michael Ströder : >
>         res_type, result_data=l.result(res_id,0)
>         if (result_data==[]):
>             break
>         dn=result_data[0][0]
>         resd=result_data[0][1]
>         resd["objectClass"].remove("inetLocalMailRecipient")
>             resd["objectClass"].remove("organizationalPerson")
>             resd["objectClass"].remove("inetOrgPerson")
>         resd["objectClass"].remove("posixAccount")
>         lw=ldif.LDIFWriter(sys.stdout)
>         guru=lw.unparse(dn,resd)
>         print guru
> > > Is it some issue or am I making some mistakes with general usage of Python? > > Thank you. > > Regards, > L.Guruprasad > My ldapsearch query returns only one record. I have written such a filter. Regards, Guruprasad From michael at stroeder.com Sat May 16 14:41:44 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Sat, 16 May 2009 14:41:44 +0200 Subject: LDIF Generation using Python-LDAP In-Reply-To: <7c956f0c0905160529p3686d12bsa0a64d888caddf2c@mail.gmail.com> References: <7c956f0c0905160529p3686d12bsa0a64d888caddf2c@mail.gmail.com> Message-ID: <4A0EB487.1030808@stroeder.com> Guruprasad wrote: > Hi, > I tried generating a LDIF file from a dictionary using 'ldif' module > as illustrated in http://www.python-ldap.org/doc/html/ldif.html. But > at the end of the LDIF data, I get a newline and a 'None', whereas > there is no such thing in the result shown in that example.
How to get > rid of those unwanted characters. I am using Python-LDAP 2.3.5-1 on > Debian Lenny. Could you please post your code (in a short form) demonstrating the issue? Note that there is a new-line after each entry record. But what 'None' is in your case is not clear to me. Ciao, Michael. From michael at stroeder.com Sat May 16 14:58:13 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Sat, 16 May 2009 14:58:13 +0200 Subject: LDIF Generation using Python-LDAP In-Reply-To: <7c956f0c0905160547m63c9df5ak860263e35d55dcbb@mail.gmail.com> References: <7c956f0c0905160529p3686d12bsa0a64d888caddf2c@mail.gmail.com> <4A0EB487.1030808@stroeder.com> <7c956f0c0905160547m63c9df5ak860263e35d55dcbb@mail.gmail.com> Message-ID: <4A0EB865.90007@stroeder.com> Guruprasad wrote: > 2009/5/16 Michael Ströder : >> Guruprasad wrote: >>> Hi, >>> I tried generating a LDIF file from a dictionary using 'ldif' module >>> as illustrated in http://www.python-ldap.org/doc/html/ldif.html. But >>> at the end of the LDIF data, I get a newline and a 'None', whereas >>> there is no such thing in the result shown in that example. How to get >>> rid of those unwanted characters. I am using Python-LDAP 2.3.5-1 on >>> Debian Lenny. >> Could you please post your code (in a short form) demonstrating the >> issue? Note that there is a new-line after each entry record. But what >> 'None' is in your case is not clear to me. >> > > Basically what I am trying to do with this code is that, I manipulate > the result returned by ldapsearch to remove some attributes and > generate a LDIF output for the modified entry.
>
>
>         res_type, result_data=l.result(res_id,0)
>         if (result_data==[]):
>             break
>         dn=result_data[0][0]
>         resd=result_data[0][1]
>         resd["objectClass"].remove("inetLocalMailRecipient")
>             resd["objectClass"].remove("organizationalPerson")
>             resd["objectClass"].remove("inetOrgPerson")
>         resd["objectClass"].remove("posixAccount")
>         lw=ldif.LDIFWriter(sys.stdout)
>         guru=lw.unparse(dn,resd)
>         print guru
>
Your code looks like processing of LDAP search results (because of the res_type). I'd recommend to look at the actual data in dictionary resd. Also note that the indentation seems wrong. This could be because of cut&paste to your MUA from the editor with different tab-interpretation. But make sure indentation is correct in the real code. Ciao, Michael. From michael at stroeder.com Sat May 16 14:59:18 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Sat, 16 May 2009 14:59:18 +0200 Subject: LDIF Generation using Python-LDAP In-Reply-To: <7c956f0c0905160551w2096bfe7ma5affa095c5e69f6@mail.gmail.com> References: <7c956f0c0905160529p3686d12bsa0a64d888caddf2c@mail.gmail.com> <4A0EB487.1030808@stroeder.com> <7c956f0c0905160547m63c9df5ak860263e35d55dcbb@mail.gmail.com> <7c956f0c0905160551w2096bfe7ma5affa095c5e69f6@mail.gmail.com> Message-ID: <4A0EB8A6.20003@stroeder.com> Guruprasad wrote: > My ldapsearch query returns only one record. I have written such a filter. Sorry, my crystal ball is a bit blurry. I can't help without really knowing what you're trying to achieve. Ciao, Michael.
From lgp171188 at gmail.com Sat May 16 15:13:54 2009 From: lgp171188 at gmail.com (Guruprasad) Date: Sat, 16 May 2009 18:43:54 +0530 Subject: LDIF Generation using Python-LDAP In-Reply-To: <4A0EB865.90007@stroeder.com> References: <7c956f0c0905160529p3686d12bsa0a64d888caddf2c@mail.gmail.com> <4A0EB487.1030808@stroeder.com> <7c956f0c0905160547m63c9df5ak860263e35d55dcbb@mail.gmail.com> <4A0EB865.90007@stroeder.com> Message-ID: <7c956f0c0905160613k291f2ff4k38df7140039c7a61@mail.gmail.com> Hi, 2009/5/16 Michael Ströder : > Guruprasad wrote: >> 2009/5/16 Michael Ströder : >>> Guruprasad wrote: >>>> Hi, >>>> I tried generating a LDIF file from a dictionary using 'ldif' module >>>> as illustrated in http://www.python-ldap.org/doc/html/ldif.html. But >>>> at the end of the LDIF data, I get a newline and a 'None', whereas >>>> there is no such thing in the result shown in that example. How to get >>>> rid of those unwanted characters. I am using Python-LDAP 2.3.5-1 on >>>> Debian Lenny. >>> Could you please post your code (in a short form) demonstrating the >>> issue? Note that there is a new-line after each entry record. But what >>> 'None' is in your case is not clear to me. >>> >> >> Basically what I am trying to do with this code is that, I manipulate >> the result returned by ldapsearch to remove some attributes and >> generate a LDIF output for the modified entry. >> >>
>>         res_type, result_data=l.result(res_id,0)
>>         if (result_data==[]):
>>             break
>>         dn=result_data[0][0]
>>       resd=result_data[0][1]
>>         resd["objectClass"].remove("inetLocalMailRecipient")
>>           resd["objectClass"].remove("organizationalPerson")
>>           resd["objectClass"].remove("inetOrgPerson")
>>         resd["objectClass"].remove("posixAccount")
>>         lw=ldif.LDIFWriter(sys.stdout)
>>       guru=lw.unparse(dn,resd)
>>       print guru
>> > > Your code looks like processing of LDAP search results (because of the > res_type).
> I'd recommend to look at the actual data in dictionary resd.
> Also note that the indentation seems wrong. This could be because of
> cut&paste to your MUA from the editor with different tab-interpretation.
> But make sure indentation is correct in the real code.
>
> Ciao, Michael.
>

The indentation is correct in the real code. The dictionary 'resd' has the values returned by the ldapsearch and there is no 'None' anywhere in it.

Thank you.

Regards,
Guruprasad.

From michael at stroeder.com Sat May 16 15:43:29 2009
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Sat, 16 May 2009 15:43:29 +0200
Subject: LDIF Generation using Python-LDAP
In-Reply-To: <7c956f0c0905160613k291f2ff4k38df7140039c7a61@mail.gmail.com>
References: <7c956f0c0905160529p3686d12bsa0a64d888caddf2c@mail.gmail.com> <4A0EB487.1030808@stroeder.com> <7c956f0c0905160547m63c9df5ak860263e35d55dcbb@mail.gmail.com> <4A0EB865.90007@stroeder.com> <7c956f0c0905160613k291f2ff4k38df7140039c7a61@mail.gmail.com>
Message-ID: <4A0EC301.2040203@stroeder.com>

Guruprasad wrote:
> Hi,
> 2009/5/16 Michael Ströder :
>> Guruprasad wrote:
>>> 2009/5/16 Michael Ströder :
>>>> Guruprasad wrote:
>>>>> Hi,
>>>>> I tried generating a LDIF file from a dictionary using 'ldif' module
>>>>> as illustrated in http://www.python-ldap.org/doc/html/ldif.html. But
>>>>> at the end of the LDIF data, I get a newline and a 'None', whereas
>>>>> there is no such thing in the result shown in that example. How to get
>>>>> rid of those unwanted characters. I am using Python-LDAP 2.3.5-1 on
>>>>> Debian Lenny.
>>>> Could you please post your code (in a short form) demonstrating the
>>>> issue? Note that there is a new-line after each entry record. But what
>>>> 'None' is in your case is not clear to me.
>>>>
>>> Basically what I am trying to do with this code is that, I manipulate
>>> the result returned by ldapsearch to remove some attributes and
>>> generate a LDIF output for the modified entry.
>>>
>>>
>>>         res_type, result_data=l.result(res_id,0)
>>>         if (result_data==[]):
>>>             break
>>>         dn=result_data[0][0]
>>>       resd=result_data[0][1]
>>>         resd["objectClass"].remove("inetLocalMailRecipient")
>>>           resd["objectClass"].remove("organizationalPerson")
>>>           resd["objectClass"].remove("inetOrgPerson")
>>>         resd["objectClass"].remove("posixAccount")
>>>         lw=ldif.LDIFWriter(sys.stdout)
>>>       guru=lw.unparse(dn,resd)
>>>       print guru
>>>
>> Your code looks like processing of LDAP search results (because of the
>> res_type). I'd recommend to look at the actual data in dictionary resd.
>> Also note that the indentation seems wrong. This could be because of
>> cut&paste to your MUA from the editor with different tab-interpretation.
>> But make sure indentation is correct in the real code.
>
> The indentation is correct in the real code. The dictionary 'resd' has
> the values returned by the ldapsearch and there is no 'None' anywhere
> in it.

I think your interpretation of the output is wrong. Method LDIFWriter.unparse() outputs the LDIF to the file object (in your case sys.stdout). If you print the result of method unparse() that's obviously None.

Ciao, Michael.

From mike at mozy.com Thu May 28 21:23:26 2009
From: mike at mozy.com (Mike Lovell)
Date: Thu, 28 May 2009 13:23:26 -0600
Subject: problem with set_option and tls
Message-ID: <4A1EE4AE.1080701@mozy.com>

First off, hello everyone.

I am working on some software that uses python-ldap that is trying to connect to an ldaps server. If I do this sequence

import ldap
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/cert')
conn = ldap.initialize('ldaps://server')
conn.simple_bind_s('uid', 'pass')

things work fine. But if I do it like this

import ldap
conn = ldap.initialize('ldaps://server')
conn.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/cert')
conn.simple_bind_s('uid', 'pass')

then I get an error saying that it can't contact the server.
I am guessing it just can't verify the server's ssl certificate and just saying it can't contact the server. But it appears that if I set the option on the ldap module it works but setting the option on the individual connection doesn't.

Is this expected behavior? Is this a restriction of the underlying openldap client libraries? Or a bug that could use some attention? I am wanting to get it so that the options are on the connections so that I could do multiple connections with different options.

Thanks for any help in advance.

mike

From michael at stroeder.com Thu May 28 22:03:54 2009
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Thu, 28 May 2009 22:03:54 +0200
Subject: problem with set_option and tls
In-Reply-To: <4A1EE4AE.1080701@mozy.com>
References: <4A1EE4AE.1080701@mozy.com>
Message-ID: <4A1EEE2A.3010304@stroeder.com>

Mike Lovell wrote:
> First off, hello everyone.
> I am working on some software that uses python-ldap that is trying to
> connect to an ldaps server. If I do this sequence
>
> import ldap
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/cert')
> conn = ldap.initialize('ldaps://server')
> conn.simple_bind_s('uid', 'pass')
>
> things work fine. But if I do it like this
>
> import ldap
> conn = ldap.initialize('ldaps://server')
> conn.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/cert')
> conn.simple_bind_s('uid', 'pass')
>
> then I get an error saying that it can't contact the server. I am
> guessing it just can't verify the server's ssl certificate and just
> saying it can't contact the server.

I guess you're using python-ldap built against OpenLDAP 2.3 client libs. With OpenLDAP 2.4 connection-specific TLS options should be supported.

> Is this expected behavior? Is this a restriction of the underlying
> openldap client libraries?

Yupp. Version-specific.

Ciao, Michael.

From mike at mozy.com Thu May 28 22:21:50 2009
From: mike at mozy.com (Mike Lovell)
Date: Thu, 28 May 2009 14:21:50 -0600
Subject: problem with set_option and tls
In-Reply-To: <4A1EEE2A.3010304@stroeder.com>
References: <4A1EE4AE.1080701@mozy.com> <4A1EEE2A.3010304@stroeder.com>
Message-ID: <4A1EF25E.40802@mozy.com>

Michael Ströder wrote:
> I guess you're using python-ldap built against OpenLDAP 2.3 client libs.
> With OpenLDAP 2.4 connection-specific TLS options should be supported.
>
>

I am using a machine with Ubuntu 9.04 which has the 2.4 OpenLDAP libraries. I double checked the package dependencies and did ldd on the _ldap.so file and both show it was compiled against the 2.4 libraries. I am using python-ldap 2.3.5. I don't know if a newer version is needed for this. But I am planning on several Debian Etch machines which were built against older OpenLDAP libraries so I should still plan for this behavior.

Thanks for the help.

mike

From michael at stroeder.com Fri May 29 00:03:45 2009
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Fri, 29 May 2009 00:03:45 +0200
Subject: problem with set_option and tls
In-Reply-To: <4A1EF25E.40802@mozy.com>
References: <4A1EE4AE.1080701@mozy.com> <4A1EEE2A.3010304@stroeder.com> <4A1EF25E.40802@mozy.com>
Message-ID: <4A1F0A41.8080603@stroeder.com>

Mike Lovell wrote:
> Michael Ströder wrote:
>> I guess you're using python-ldap built against OpenLDAP 2.3 client libs.
>> With OpenLDAP 2.4 connection-specific TLS options should be supported.
>>
>>
> I am using a machine with Ubuntu 9.04 which has the 2.4 OpenLDAP
> libraries.

Please post the exact OpenLDAP version.

Ciao, Michael.

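For the thread on names that include "," that follows in this archive, an added example (not code from any poster and not python-ldap's own code): a pure-Python version of the RFC 4514 rules the replies cite, which decodes the `\,`, `\2C` and RFC 1779 quoted forms of a value, re-escapes it for the DN, and stores the raw value in the naming attribute. The function names are hypothetical, the first RDN is assumed to be single-valued, and the mail address in the sample is constructed.

```python
import re

BASE_DN = "dc=Adressbuch,dc=christoph"  # base DN used in the thread
SPECIAL = '"+,;<>\\'                    # RFC 4514: always escaped inside a value


def escape_rdn_value(value):
    """Escape a raw attribute value for the string form of a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in SPECIAL:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(text):
    """Decode a value written as \\, or \\2C (RFC 4514) or "quoted" (RFC 1779)."""
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        text = text[1:-1]
    raw = bytearray()
    i = 0
    while i < len(text):
        if text[i] != "\\":
            raw += text[i].encode("utf-8")
            i += 1
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", text[i + 1:i + 3]):
            raw.append(int(text[i + 1:i + 3], 16))  # hex pair such as \2C
            i += 3
        elif i + 1 < len(text):
            raw += text[i + 1].encode("utf-8")      # escaped character such as \,
            i += 2
        else:
            raise ValueError("dangling backslash in %r" % text)
    return raw.decode("utf-8")


def split_dn(dn):
    """Split a DN into RDN strings on commas that are neither escaped nor quoted."""
    parts, cur, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).lstrip())
    return parts


def _decoded(value):
    """Best-effort decode of an attribute value that may carry DN escaping."""
    try:
        return unescape_rdn_value(value)
    except ValueError:
        return value


def rebase_entry(dn, attrs, base_dn=BASE_DN):
    """Return (new_dn, new_attrs): first RDN re-escaped and placed under base_dn.

    Assumes a single-valued first RDN. Escaping belongs in the DN only, so the
    naming attribute gets the raw value and loses any stray backslash or quotes.
    """
    attr, _, value = split_dn(dn)[0].partition("=")
    raw = unescape_rdn_value(value)
    fixed = {k: list(v) for k, v in attrs.items()}
    key = next((k for k in fixed if k.lower() == attr.lower()), attr)
    others = [v for v in fixed.get(key, []) if _decoded(v) != raw]
    fixed[key] = [raw] + others
    return "%s=%s,%s" % (attr, escape_rdn_value(raw), base_dn), fixed


# Constructed sample shaped like the Thunderbird export quoted in the thread.
SAMPLE_DN = 'cn="Lehmann, Veronika",mail=v.lehmann@example.org'
SAMPLE_ATTRS = {"cn": ['"Lehmann, Veronika"'], "sn": ["Veronika"]}

if __name__ == "__main__":
    new_dn, new_attrs = rebase_entry(SAMPLE_DN, SAMPLE_ATTRS)
    print("dn: " + new_dn)
    for name, values in new_attrs.items():
        for v in values:
            print("%s: %s" % (name, v))
```

Because the comma is escaped when the DN is rebuilt, a name that contains one stays inside a single RDN instead of being parsed as additional path components.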
From yves at zioup.com Mon Jun 1 16:17:32 2009
From: yves at zioup.com (Yves Dorfsman)
Date: Mon, 01 Jun 2009 08:17:32 -0600
Subject: Problem with names that include ","
In-Reply-To: <4A23CCA5.7040305@gmx.de>
References: <4A23CCA5.7040305@gmx.de>
Message-ID: <4A23E2FC.3030901@zioup.com>

Christoph Holtermann wrote:

> I am working on a filter that makes Thunderbirds LDIF-Output
> importable to OpenLDAP. It works quite fine except for names
> that include ",". OpenLDAP dislikes the output that is produced
> like :
>
> dn: cn=Lehmann\, Veronika,dc=Adressbuch,dc=christoph

Escaping characters is used by some LDAP servers, not all of them, but is not conform to LDIF.

--
Yves.
http://www.sollers.ca/

From c.holtermann at gmx.de Mon Jun 1 14:42:13 2009
From: c.holtermann at gmx.de (Christoph Holtermann)
Date: Mon, 01 Jun 2009 14:42:13 +0200
Subject: Problem with names that include ","
Message-ID: <4A23CCA5.7040305@gmx.de>

Hello !

I am working on a filter that makes Thunderbirds LDIF-Output importable to OpenLDAP. It works quite fine except for names that include ",".
OpenLDAP dislikes the output that is produced like :

dn: cn=Lehmann\, Veronika,dc=Adressbuch,dc=christoph
cn: Lehmann\, Veronika
givenName: Lehmann,
mail: infektiologie at uniklinik-ulm.de
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: mozillaAbPersonAlpha
sn: Veronika

I found out that an encoding like "\2C" is accepted, like :

dn: cn=Lehmann\2C Veronika,dc=Adressbuch,dc=christoph
cn: Lehmann, Veronika
givenName: Lehmann,
mail: infektiologie at uniklinik-ulm.de
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: mozillaAbPersonAlpha
sn: Veronika

Thunderbird exported the entry like this :

dn: cn="Lehmann, Veronika",mail=infektiologie at uniklinik-ulm.de
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mozillaAbPersonAlpha
givenName: Lehmann,
sn: Veronika
cn: "Lehmann, Veronika"
mail: infektiologie at uniklinik-ulm.de
modifytimestamp: 0Z

This is about one of the last things that I have to change by hand. Maybe someone can help me with this encoding problem.

The code that is about that problem looks like :

basedn='dc=Adressbuch,dc=christoph'

def fix_dn(self, dn):
    try:
        self.head=ldap.dn.explode_dn(dn)[0]
        for i in range(len(dn_warning)):
            if self.head.find(dn_warning[i])>-1:
                print "dn :",self.head, "contains '",dn_warning[i],"' - change manually !"
        return self.head + ',' + basedn
    except:
        if dn==None:
            print "No dn specified"
        return None

regards,

C. Holtermann

From c.holtermann at gmx.de Tue Jun 2 13:13:24 2009
From: c.holtermann at gmx.de (Christoph Holtermann)
Date: Tue, 02 Jun 2009 13:13:24 +0200
Subject: Problem with names that include ","
In-Reply-To: <4A23E2FC.3030901@zioup.com>
References: <4A23CCA5.7040305@gmx.de> <4A23E2FC.3030901@zioup.com>
Message-ID: <4A250954.7000705@gmx.de>

Hello !

Thanks for your reply and that of Marc Balmer. But I still wonder if it is allowed by LDAP or LDIF-Specification to have a comma in dn.
I also tried it with "" and Base64, some of which openldap accepted.

C. Holtermann

Yves Dorfsman wrote:
> Christoph Holtermann wrote:
>
>
>> I am working on a filter that makes Thunderbirds LDIF-Output
>> importable to OpenLDAP. It works quite fine except for names
>> that include ",". OpenLDAP dislikes the output that is produced
>> like :
>>
>> dn: cn=Lehmann\, Veronika,dc=Adressbuch,dc=christoph
>>
>
> Escaping characters is used by some LDAP servers, not all of them, but is
> not conform to LDIF.
>
>

From c.holtermann at gmx.de Tue Jun 2 13:43:50 2009
From: c.holtermann at gmx.de (Christoph Holtermann)
Date: Tue, 02 Jun 2009 13:43:50 +0200
Subject: Problem with names that include ","
In-Reply-To: <82677626-9E66-4834-A9EF-353A1A0C8833@msys.ch>
References: <4A23CCA5.7040305@gmx.de> <4A23E2FC.3030901@zioup.com> <4A250954.7000705@gmx.de> <82677626-9E66-4834-A9EF-353A1A0C8833@msys.ch>
Message-ID: <4A251076.9040000@gmx.de>

Hi !

>>
>> Thanks for your reply and that of Marc Balmer.
>> But I still wonder if it is allowed by LDAP or LDIF-Specification
>> to have a comma in dn. I also tried it
>> with "" and Base64, some of which
>> openldap accepted.
>
> take a look at RFC 1779. A semicolon could be used as an
> alternate delimiter and it should be possible to enclose strings
> in quotes, i.e. like this:
>
> dn="Balmer, Marc",ou=research,dc=msys,dc=ch
>
> But I did not test if OpenLDAP "eats" this... ;)
>
> - Marc Balmer
>

I just fed it with

dn: cn="Lehmann, Veronika",dc=Adressbuch,dc=christoph
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: mozillaAbPersonAlpha
sn: Lehmann
cn: Lehmann, Veronika

it works fine.
But the Output of OpenLDAP, when I ldapsearch it is :

> ldapsearch -x "(cn=*lehmann*)"
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (cn=*lehmann*)
# requesting: ALL
#

# Lehmann\2C Veronika, Adressbuch.christoph
dn: cn=Lehmann\2C Veronika,dc=Adressbuch,dc=christoph
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: mozillaAbPersonAlpha
sn: Lehmann
cn: Lehmann, Veronika

And what I saw was : escape-codes. And I just have been told, that it's not LDIF-conform ;-) probably they don't know ?

So my goal now is to make my filter put entries which contain commas in "". Does anyone know how to make Python-ldap do so ?

C. Holtermann

From marc at msys.ch Tue Jun 2 13:25:03 2009
From: marc at msys.ch (Marc Balmer)
Date: Tue, 2 Jun 2009 13:25:03 +0200
Subject: Problem with names that include ","
In-Reply-To: <4A250954.7000705@gmx.de>
References: <4A23CCA5.7040305@gmx.de> <4A23E2FC.3030901@zioup.com> <4A250954.7000705@gmx.de>
Message-ID: <82677626-9E66-4834-A9EF-353A1A0C8833@msys.ch>

On 02.06.2009 at 13:13, Christoph Holtermann wrote:

> Hello !
>
> Thanks for your reply and that of Marc Balmer.
> But I still wonder if it is allowed by LDAP or LDIF-Specification
> to have a comma in dn. I also tried it
> with "" and Base64, some of which
> openldap accepted.

take a look at RFC 1779. A semicolon could be used as an alternate delimiter and it should be possible to enclose strings in quotes, i.e. like this:

dn="Balmer, Marc",ou=research,dc=msys,dc=ch

But I did not test if OpenLDAP "eats" this... ;)

- Marc Balmer

>
> C. Holtermann
>
> Yves Dorfsman wrote:
>>
>> Christoph Holtermann wrote:
>>
>>
>>> I am working on a filter that makes Thunderbirds LDIF-Output
>>> importable to OpenLDAP. It works quite fine except for names
>>> that include ",".
>>> OpenLDAP dislikes the output that is produced
>>> like :
>>>
>>> dn: cn=Lehmann\, Veronika,dc=Adressbuch,dc=christoph
>>>
>>
>> Escaping characters is used by some LDAP servers, not all of them, but is
>> not conform to LDIF.
>>
>>
>
>

From michael at stroeder.com Tue Jun 2 14:12:11 2009
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Tue, 02 Jun 2009 14:12:11 +0200
Subject: Problem with names that include ","
In-Reply-To: <82677626-9E66-4834-A9EF-353A1A0C8833@msys.ch>
References: <4A23CCA5.7040305@gmx.de> <4A23E2FC.3030901@zioup.com> <4A250954.7000705@gmx.de> <82677626-9E66-4834-A9EF-353A1A0C8833@msys.ch>
Message-ID: <4A25171B.5030100@stroeder.com>

Marc Balmer wrote:
> take a look at RFC 1779. A semicolon could be used as an
> alternate delimiter and it should be possible to enclose strings
> in quotes, i.e. like this:

RFC 1779 was part of LDAPv2 standard which has been obsoleted for quite a while now. Today RFC 4514 is relevant for LDAPv3-based DSAs which does not allow semicolon as delimiter.

Ciao, Michael.

From michael at stroeder.com Tue Jun 2 14:23:55 2009
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Tue, 02 Jun 2009 14:23:55 +0200
Subject: Problem with names that include ","
In-Reply-To: <4A23CCA5.7040305@gmx.de>
References: <4A23CCA5.7040305@gmx.de>
Message-ID: <4A2519DB.4010701@stroeder.com>

Christoph Holtermann wrote:
> I am working on a filter that makes Thunderbirds LDIF-Output
> importable to OpenLDAP. It works quite fine except for names
> that include ",". OpenLDAP dislikes the output that is produced
> like :

Can you please elaborate on which exact problems you have with OpenLDAP?

> dn: cn=Lehmann\, Veronika,dc=Adressbuch,dc=christoph

This looks like a perfectly valid DN string representation to me.
> cn: Lehmann\, Veronika

This is wrong since the attribute value for cn is supposed to be 'Lehmann, Veronika' not 'Lehmann\\, Veronika' (strings here in Python string notation with single \ escaped to \\). OpenLDAP is pretty strict when checking the characteristic attribute used in the RDN of entry.

> I found out that an encoding like "\2C" is accepted, like :
>
> dn: cn=Lehmann\2C Veronika,dc=Adressbuch,dc=christoph

Yes, that's an alternate style also valid according to RFC 4514.

> The code that is about that problem looks like :
>
> basedn='dc=Adressbuch,dc=christoph'
>
> def fix_dn(self, dn):
>     try:
>         self.head=ldap.dn.explode_dn(dn)[0]
>         for i in range(len(dn_warning)):
>             if self.head.find(dn_warning[i])>-1:
>                 print "dn :",self.head, "contains '",dn_warning[i],"' - change
> manually !"
>         return self.head + ',' + basedn
>     except:
>         if dn==None:
>             print "No dn specified"
>         return None

Glancing over this I don't understand your code. What is this function supposed to do?

At least this looks correct to me:

Python 2.6 (r26:66714, Feb 3 2009, 20:52:03)
[GCC 4.3.2 [gcc-4_3-branch revision 141291]] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap
>>> ldap.explode_dn('cn=Lehmann\, Veronika,dc=Adressbuch,dc=christoph')
['cn=Lehmann\\, Veronika', 'dc=Adressbuch', 'dc=christoph']
>>>

Ciao, Michael.

From michael at stroeder.com Tue Jun 2 14:25:00 2009
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Tue, 02 Jun 2009 14:25:00 +0200
Subject: Problem with names that include ","
In-Reply-To: <4A23E2FC.3030901@zioup.com>
References: <4A23CCA5.7040305@gmx.de> <4A23E2FC.3030901@zioup.com>
Message-ID: <4A251A1C.8080903@stroeder.com>

Yves Dorfsman wrote:
> Christoph Holtermann wrote:
>
>> I am working on a filter that makes Thunderbirds LDIF-Output
>> importable to OpenLDAP. It works quite fine except for names
>> that include ",".
>> OpenLDAP dislikes the output that is produced
>> like :
>>
>> dn: cn=Lehmann\, Veronika,dc=Adressbuch,dc=christoph
>
> Escaping characters is used by some LDAP servers, not all of them, but is
> not conform to LDIF.

Yves, that sounds wrong to me.

According to RFC 4514 a comma within a RDN value has to either be escaped with \ or converted to hex-escaped value. That's what function ldap.dn.escape_dn_chars() is for. And you can directly use the result in LDIF.

Ciao, Michael.

From michael at stroeder.com Tue Jun 2 14:30:11 2009
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Tue, 02 Jun 2009 14:30:11 +0200
Subject: Problem with names that include ","
In-Reply-To: <4A251076.9040000@gmx.de>
References: <4A23CCA5.7040305@gmx.de> <4A23E2FC.3030901@zioup.com> <4A250954.7000705@gmx.de> <82677626-9E66-4834-A9EF-353A1A0C8833@msys.ch> <4A251076.9040000@gmx.de>
Message-ID: <4A251B53.1060604@stroeder.com>

Christoph Holtermann wrote:
> I just fed it with
>
> dn: cn="Lehmann, Veronika",dc=Adressbuch,dc=christoph
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> objectclass: mozillaAbPersonAlpha
> sn: Lehmann
> cn: Lehmann, Veronika

And that's the correct LDIF for the entry you want to add.

> it works fine. But the Output of OpenLDAP, when I ldapsearch it is :
>
>> ldapsearch -x "(cn=*lehmann*)"
> # extended LDIF
> #
> # LDAPv3
> # base (default) with scope subtree
> # filter: (cn=*lehmann*)
> # requesting: ALL
> #
>
> # Lehmann\2C Veronika, Adressbuch.christoph
> dn: cn=Lehmann\2C Veronika,dc=Adressbuch,dc=christoph
> objectClass: top
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: mozillaAbPersonAlpha
> sn: Lehmann
> cn: Lehmann, Veronika

And that's correct either.

> And what I saw was : escape-codes. And I just have been told, that
> it's not LDIF-conform ;-)

Yes, this was wrong information.

> So my goal now is to make my filter put entries which contain commas
> in "".
> Does anyone know how to make Python-ldap do so ?

I'm not sure what you want to achieve. I'd use module 'ldif' to read the Thunderbird export file and sanitize it. If Thunderbird put the \ in the value for attribute 'cn' then you have to strip this wrong escaping, but only for this particular attribute value. It seems you can use the DN as is.

Ciao, Michael.

From michael at stroeder.com Tue Jun 2 14:46:25 2009
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Tue, 02 Jun 2009 14:46:25 +0200
Subject: Problem with names that include ","
In-Reply-To: <4A251B53.1060604@stroeder.com>
References: <4A23CCA5.7040305@gmx.de> <4A23E2FC.3030901@zioup.com> <4A250954.7000705@gmx.de> <82677626-9E66-4834-A9EF-353A1A0C8833@msys.ch> <4A251076.9040000@gmx.de> <4A251B53.1060604@stroeder.com>
Message-ID: <4A251F21.9050406@stroeder.com>

Michael Ströder wrote:
> Christoph Holtermann wrote:
>> I just fed it with
>>
>> dn: cn="Lehmann, Veronika",dc=Adressbuch,dc=christoph
>> objectclass: top
>> objectclass: person
>> objectclass: inetOrgPerson
>> objectclass: mozillaAbPersonAlpha
>> sn: Lehmann
>> cn: Lehmann, Veronika
>
> And that's the correct LDIF for the entry you want to add.

And

dn: cn=Lehmann\, Veronika,dc=Adressbuch,dc=christoph

would have been correct either.

Ciao, Michael.

From michael at stroeder.com Tue Jun 2 15:02:52 2009
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Tue, 02 Jun 2009 15:02:52 +0200
Subject: Problem with names that include ","
In-Reply-To: <4A2518ED.5080500@gmx.de>
References: <4A23CCA5.7040305@gmx.de> <4A23E2FC.3030901@zioup.com> <4A250954.7000705@gmx.de> <82677626-9E66-4834-A9EF-353A1A0C8833@msys.ch> <4A251076.9040000@gmx.de> <4A2518ED.5080500@gmx.de>
Message-ID: <4A2522FC.8010306@stroeder.com>

Christoph Holtermann wrote:
>
> Still working on commas in dn.
> When I now look
> at the functions supplied in python ldap there is
> for example :
>
>>>> a='cn="lehmann, Andreas",dc=Adressbuch'
>>>> b=ldap.dn.str2dn(a)
>>>> b
> [[('cn', 'lehmann, Andreas', 1)], [('dc', 'Adressbuch', 1)]]
>>>> ldap.dn.dn2str(b)
> 'cn=lehmann\\, Andreas,dc=Adressbuch'
>>>> ldap.dn.explode_dn(a)
> ['cn=lehmann\\, Andreas', 'dc=Adressbuch']
>
> So Python-LDAP itself goes this nonconform way of
> using escape sequences if I get it right.

Why do you think that this is wrong? I'd recommend to read RFC 4514 to learn in detail instead of relying on false information given by others.

> I guess it's quite easy using dn2str and then converting it to a new
> string using "" instead of using str2dn or explode_dn that lead to
> ESC-Codes.

There's nothing wrong with correct escaping. Quoted RDN attribute values should be avoided.

> But wouldn't it make sense to change the functions ?

No.

Ciao, Michael.

From c.holtermann at gmx.de Tue Jun 2 14:19:57 2009
From: c.holtermann at gmx.de (Christoph Holtermann)
Date: Tue, 02 Jun 2009 14:19:57 +0200
Subject: Problem with names that include ","
In-Reply-To: <4A251076.9040000@gmx.de>
References: <4A23CCA5.7040305@gmx.de> <4A23E2FC.3030901@zioup.com> <4A250954.7000705@gmx.de> <82677626-9E66-4834-A9EF-353A1A0C8833@msys.ch> <4A251076.9040000@gmx.de>
Message-ID: <4A2518ED.5080500@gmx.de>

Hello !

Still working on commas in dn. When I now look at the functions supplied in python ldap there is for example :

>>> a='cn="lehmann, Andreas",dc=Adressbuch'
>>> b=ldap.dn.str2dn(a)
>>> b
[[('cn', 'lehmann, Andreas', 1)], [('dc', 'Adressbuch', 1)]]
>>> ldap.dn.dn2str(b)
'cn=lehmann\\, Andreas,dc=Adressbuch'
>>> ldap.dn.explode_dn(a)
['cn=lehmann\\, Andreas', 'dc=Adressbuch']

So Python-LDAP itself goes this nonconform way of using escape sequences if I get it right.

I guess it's quite easy using dn2str and then converting it to a new string using "" instead of using str2dn or explode_dn that lead to ESC-Codes.
But wouldn't it make sense to change the functions ?

regards,

C. Holtermann

From yves at zioup.com Tue Jun 2 15:26:43 2009
From: yves at zioup.com (Yves Dorfsman)
Date: Tue, 02 Jun 2009 07:26:43 -0600
Subject: Problem with names that include ","
In-Reply-To: <4A251A1C.8080903@stroeder.com>
References: <4A23CCA5.7040305@gmx.de> <4A23E2FC.3030901@zioup.com> <4A251A1C.8080903@stroeder.com>
Message-ID: <4A252893.9020105@zioup.com>

Michael Ströder wrote:
>>
>>> I am working on a filter that makes Thunderbirds LDIF-Output
>>> importable to OpenLDAP. It works quite fine except for names
>>> that include ",". OpenLDAP dislikes the output that is produced
>>> like :
>>>
>>> dn: cn=Lehmann\, Veronika,dc=Adressbuch,dc=christoph
>> Escaping characters is used by some LDAP servers, not all of them, but is
>> not conform to LDIF.
>
> Yves, that sounds wrong to me.
>
> According to RFC 4514 a comma within a RDN value has to either be
> escaped with \ or converted to hex-escaped value. That's what function
> ldap.dn.escape_dn_chars() is for. And you can directly use the result in
> LDIF.

Michael is right here, even though there is no escaping in LDIF itself, you can use a backslash in an LDIF file, and RFC 4514 defines the backslash syntax to escape some characters.

Sorry to mislead you Christoph.

--
Yves.
http://www.sollers.ca/

From marc at msys.ch Tue Jun 2 15:57:00 2009
From: marc at msys.ch (Marc Balmer)
Date: Tue, 2 Jun 2009 15:57:00 +0200
Subject: Problem with names that include ","
In-Reply-To: <4A25171B.5030100@stroeder.com>
References: <4A23CCA5.7040305@gmx.de> <4A23E2FC.3030901@zioup.com> <4A250954.7000705@gmx.de> <82677626-9E66-4834-A9EF-353A1A0C8833@msys.ch> <4A25171B.5030100@stroeder.com>
Message-ID: <34470B58-3060-4764-97AC-4A6D24DC243C@msys.ch>

On 02.06.2009 at 14:12, Michael Ströder wrote:

> Marc Balmer wrote:
>> take a look at RFC 1779. A semicolon could be used as an
>> alternate delimiter and it should be possible to enclose strings
>> in quotes, i.e.
>> like this:
>
> RFC 1779 was part of LDAPv2 standard which has been obsoleted for quite
> a while now. Today RFC 4514 is relevant for LDAPv3-based DSAs which does
> not allow semicolon as delimiter.

grmbll, that is what you get when you work with 40 years old systems....

Sorry for the wrong information, though.

Marc Balmer (long time BSD developer ;)

From guisim at gmail.com Tue Jun 2 20:35:25 2009
From: guisim at gmail.com (Guillaume Simard)
Date: Tue, 2 Jun 2009 14:35:25 -0400
Subject: Python-ldap and client-only OpenLDAP
Message-ID:

Hey everyone,

I want to build OpenLDAP and Python-LDAP from source. However, I can't install Berkeley DB so I installed Open-LDAP with

./configure --disable-slapd --disable-slurpd

I then built and installed Python-LDAP.

However, when I try to import, I get

  File "/usr/local/lib/python2.6/site-packages/ldap/__init__.py", line 22, in
    from _ldap import *
ImportError: /usr/local/lib/python2.6/site-packages/_ldap.so: undefined symbol: ber_pvt_opt_on

Does Python-LDAP have any dependencies toward the "server" part of OpenLDAP ?

Any help is most welcome, thanks.

From michael at stroeder.com Wed Jun 3 01:33:26 2009
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Wed, 03 Jun 2009 01:33:26 +0200
Subject: Python-ldap and client-only OpenLDAP
In-Reply-To:
References:
Message-ID: <4A25B6C6.5080509@stroeder.com>

Guillaume Simard wrote:
>
> I want to build OpenLDAP and Python-LDAP from source.
> However, I can't install Berkeley DB so I installed Open-LDAP with
>
> ./configure --disable-slapd --disable-slurpd

Yes, that should be sufficient for python-ldap.

> I then built and installed Python-LDAP.
>
> However, when I try to import, I get
>
>   File "/usr/local/lib/python2.6/site-packages/ldap/__init__.py", line
> 22, in
>     from _ldap import *
> ImportError: /usr/local/lib/python2.6/site-packages/_ldap.so: undefined
> symbol: ber_pvt_opt_on

Which platform is that on? Could you please check with

ldd /usr/local/lib/python2.6/site-packages/_ldap.so

or a similar tool whether libldap(_r) of your OpenLDAP build is dynamically linked?

Did you adjust the parameters 'library_dirs' and 'include_dirs' in file setup.cfg to point to your OpenLDAP client lib installation before running python setup.py build?

> Does Python-LDAP have any dependencies toward the "server" part of
> OpenLDAP ?

No.

Ciao, Michael.

From mike at mozy.com Mon Jun 1 18:01:29 2009
From: mike at mozy.com (Mike Lovell)
Date: Mon, 01 Jun 2009 10:01:29 -0600
Subject: problem with set_option and tls
In-Reply-To: <4A1F0A41.8080603@stroeder.com>
References: <4A1EE4AE.1080701@mozy.com> <4A1EEE2A.3010304@stroeder.com> <4A1EF25E.40802@mozy.com> <4A1F0A41.8080603@stroeder.com>
Message-ID: <4A23FB59.60105@mozy.com>

Michael Ströder wrote:
> Mike Lovell wrote:
>
>> Michael Ströder wrote:
>>
>>> I guess you're using python-ldap built against OpenLDAP 2.3 client libs.
>>> With OpenLDAP 2.4 connection-specific TLS options should be supported.
>>>
>>>
>>>
>> I am using a machine with Ubuntu 9.04 which has the 2.4 OpenLDAP
>> libraries.
>>
>
> Please post the exact OpenLDAP version.
>
> Ciao, Michael.
>

hopefully this is enough info for you.
mike at thor:~/Desktop$ dpkg -l python-ldap libldap*
ii  libldap-2.4-2  2.4.15-1ubuntu  OpenLDAP libraries
ii  python-ldap    2.3.5-1ubuntu1  An LDAP interface module for Python
mike at thor:~/Desktop$ ldd /usr/lib/python2.6/dist-packages/_ldap.so
    linux-vdso.so.1 => (0x00007fff5b1ff000)
    libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00007f8252b90000)
    liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00007f8252981000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f8252766000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x00007f825254a000)
    libc.so.6 => /lib/libc.so.6 (0x00007f82521d8000)
    libdl.so.2 => /lib/libdl.so.2 (0x00007f8251fd3000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x00007f8251dbb000)
    libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007f8251b0e000)
    libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x00007f82518fc000)
    libz.so.1 => /lib/libz.so.1 (0x00007f82516e4000)
    libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00007f825147d000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f8253005000)
    libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00007f8251279000)

From mike at mozy.com Tue Jun 2 18:53:50 2009
From: mike at mozy.com (Mike Lovell)
Date: Tue, 02 Jun 2009 10:53:50 -0600
Subject: problem with set_option and tls
In-Reply-To: <4A1F0A41.8080603@stroeder.com>
References: <4A1EE4AE.1080701@mozy.com> <4A1EEE2A.3010304@stroeder.com> <4A1EF25E.40802@mozy.com> <4A1F0A41.8080603@stroeder.com>
Message-ID: <4A25591E.3090601@mozy.com>

Michael Ströder wrote:
> Mike Lovell wrote:
>
>> Michael Ströder wrote:
>>
>>> I guess you're using python-ldap built against OpenLDAP 2.3 client libs.
>>> With OpenLDAP 2.4 connection-specific TLS options should be supported.
>>>
>>>
>>>
>> I am using a machine with Ubuntu 9.04 which has the 2.4 OpenLDAP
>> libraries.
>>
>
> Please post the exact OpenLDAP version.
>
> Ciao, Michael.
>

So, I was testing this on an Ubuntu 9.04 system that was upgraded from 8.10 and has various other quirks and it was showing this problem. I just tested on a Debian Lenny system which has libldap-2.4-2 with python-ldap 2.3.5-1 and it works fine. So I am guessing it is just another one of the quirks with the system I was using.

mike

From guisim at gmail.com Wed Jun 3 14:29:50 2009
From: guisim at gmail.com (Guillaume Simard)
Date: Wed, 3 Jun 2009 08:29:50 -0400
Subject: Python-ldap and client-only OpenLDAP
In-Reply-To: <4A25B6C6.5080509@stroeder.com>
References: <4A25B6C6.5080509@stroeder.com>
Message-ID:

Thanks a lot for the detailed response. I finally fixed this issue. I thought that library_dirs and include_dirs would search /usr/local/lib and /usr/local/include without having to specify these directories.

Have a good day !

2009/6/2 Michael Ströder
> Guillaume Simard wrote:
> >
> > I want to build OpenLDAP and Python-LDAP from source.
> > However, I can't install Berkeley DB so I installed Open-LDAP with
> >
> > ./configure --disable-slapd --disable-slurpd
>
> Yes, that should be sufficient for python-ldap.
>
> > I then built and installed Python-LDAP.
> >
> > However, when I try to import, I get
> >
> >   File "/usr/local/lib/python2.6/site-packages/ldap/__init__.py", line
> > 22, in
> >     from _ldap import *
> > ImportError: /usr/local/lib/python2.6/site-packages/_ldap.so: undefined
> > symbol: ber_pvt_opt_on
>
> Which platform is that on? Could you please check with
>
> ldd /usr/local/lib/python2.6/site-packages/_ldap.so
>
> or a similar tool whether libldap(_r) of your OpenLDAP build is
> dynamically linked?
>
> Did you adjust the parameters 'library_dirs' and 'include_dirs' in
> file setup.cfg to point to your OpenLDAP client lib installation before
> running python setup.py build?
>
> > Does Python-LDAP have any dependencies toward the "server" part of
> > OpenLDAP ?
>
> No.
>
> Ciao, Michael.
>

From zhbmaillistonly at gmail.com Fri Jun 5 16:48:23 2009
From: zhbmaillistonly at gmail.com (Zhang Huangbin)
Date: Fri, 05 Jun 2009 22:48:23 +0800
Subject: Any example to display jpegPhoto?
Message-ID: <4A293037.5040404@gmail.com>

Hi, list.

Is there any example to display jpegPhoto stored in LDAP as base64 format?

I only found example to add jpegPhoto in python-ldap-2.3.8/Demo/simple.py.

Thanks very much. :)

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL, CentOS, Debian, Ubuntu:
  + Homepage: http://code.google.com/p/iredmail/
  + Forum: http://www.iredmail.org/forum/

From michael at stroeder.com Fri Jun 5 21:25:56 2009
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 05 Jun 2009 21:25:56 +0200
Subject: Any example to display jpegPhoto?
In-Reply-To: <4A293037.5040404@gmail.com>
References: <4A293037.5040404@gmail.com>
Message-ID: <4A297144.6060409@stroeder.com>

Zhang Huangbin wrote:
>
> Is there any example to display jpegPhoto stored in LDAP as base64 format?

Not sure what you really want to display and where.

How about entry['jpegPhoto'][0].encode('base64') ?

Or are you talking about LDIF? Then use module ldif which automagically
base64-encodes NON-ASCII values.

Ciao, Michael.

From zhbmaillistonly at gmail.com Sat Jun 6 01:52:12 2009
From: zhbmaillistonly at gmail.com (Zhang Huangbin)
Date: Sat, 06 Jun 2009 07:52:12 +0800
Subject: Any example to display jpegPhoto?
In-Reply-To: <4A297144.6060409@stroeder.com>
References: <4A293037.5040404@gmail.com> <4A297144.6060409@stroeder.com>
Message-ID: <4A29AFAC.2070902@gmail.com>

Michael Ströder wrote:
> Zhang Huangbin wrote:
>
>> Is there any example to display jpegPhoto stored in LDAP as base64 format?
>>
>
> Not sure what you really want to display and where.
>
> How about entry['jpegPhoto'][0].encode('base64') ?
>
> Or are you talking about LDIF?
> Then use module ldif which automagically
> base64-encodes NON-ASCII values.
>
>
Thanks Michael :)

Just display the jpegPhoto on web page, not LDIF. :)

I got encoded string after 'entry['jpegPhoto'][0].encode('base64') ',
but how to convert it to an image file and use ' tag in HTML to
display it?

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL, CentOS, Debian, Ubuntu:
  + Homepage: http://code.google.com/p/iredmail/
  + Forum: http://www.iredmail.org/forum/

From michael at stroeder.com Sat Jun 6 12:35:18 2009
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 06 Jun 2009 12:35:18 +0200
Subject: Any example to display jpegPhoto?
In-Reply-To: <4A29AFAC.2070902@gmail.com>
References: <4A293037.5040404@gmail.com> <4A297144.6060409@stroeder.com> <4A29AFAC.2070902@gmail.com>
Message-ID: <4A2A4666.6030403@stroeder.com>

Zhang Huangbin wrote:
> Michael Ströder wrote:
>> Zhang Huangbin wrote:
>>
>>> Is there any example to display jpegPhoto stored in LDAP as base64 format?
>>>
>> Not sure what you really want to display and where.
>>
>> How about entry['jpegPhoto'][0].encode('base64') ?
>>
>> Or are you talking about LDIF? Then use module ldif which automagically
>> base64-encodes NON-ASCII values.
>
> Just display the jpegPhoto on web page, not LDIF. :)
>
> I got encoded string after 'entry['jpegPhoto'][0].encode('base64') ',
> but how to convert it to an image file and use ' tag in HTML to
> display it?

entry['jpegPhoto'][0] is the raw binary JPEG data. You can send this
directly to the browser in the body of a HTTP response with MIME-type
image/jpeg.

This is kind of off-topic here since it's rather related to web app
programming. So I'd recommend to ask in the forum related to the web app
framework you're using.

Ciao, Michael.

From ryan at stat.berkeley.edu Tue Jun 9 20:26:25 2009
From: ryan at stat.berkeley.edu (Ryan Lovett)
Date: Tue, 9 Jun 2009 11:26:25 -0700
Subject: Any example to display jpegPhoto?
In-Reply-To: <4A2E27F9.9050503@gmail.com>
References: <4A293037.5040404@gmail.com> <4A297144.6060409@stroeder.com> <4A29AFAC.2070902@gmail.com> <4A2E2702.7000005@gmail.com> <4A2E27F9.9050503@gmail.com>
Message-ID: <20090609182625.GA66536@stat.berkeley.edu>

On Tue, Jun 09, 2009 at 05:14:33PM +0800, Zhang Huangbin wrote:
> > How can I display it if I use 'content-type: image/jpeg' header?
>
> Forgot to say, it works in non-IE browsers like this:
> ----
>
> ----

You would have a tag such as where jpegphoto.cgi is a CGI script that
outputs "Content-type: image/jpeg" followed by the JPEG data.

But that is an HTTP topic so you should probably consult a Python/CGI
resource.

Ryan

From michael at stroeder.com Tue Jun 9 21:37:22 2009
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 09 Jun 2009 21:37:22 +0200
Subject: Any example to display jpegPhoto?
In-Reply-To: <4A2E2702.7000005@gmail.com>
References: <4A293037.5040404@gmail.com> <4A297144.6060409@stroeder.com> <4A29AFAC.2070902@gmail.com> <4A2E2702.7000005@gmail.com>
Message-ID: <4A2EB9F2.6080304@stroeder.com>

Zhang Huangbin wrote:
> Zhang Huangbin wrote:
>>> Not sure what you really want to display and where.
>>>
>>> How about entry['jpegPhoto'][0].encode('base64') ?
>
> Still confused what data type it stored in LDAP.
> Already base64 encoded?

Please read my e-mails more carefully. As said in
<4A2A4666.6030403 at stroeder.com> it's the raw binary JPEG image data.

> Display entry['jpegPhoto'][0] directly, got error msg:
> ----
> 'ascii' codec can't decode byte 0x89 in position 0: ordinal not in
> range(128)
> ----
>
> How can I display it if I use 'content-type: image/jpeg' header?

Send the binary data directly. Don't try to (implicitly) convert
entry['jpegPhoto'][0] to a Unicode object.

You might want to learn a bit more about normal strings vs. Unicode
objects, string coercion and how to interpret exceptions like the one
above before going any further.

Ciao, Michael.
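
Added example, not from any poster in this thread: a WSGI handler (Python 3) that sends the attribute value unchanged and picks the content type from its leading bytes. Byte 0x89 at position 0, as in the error quoted above, is how a PNG file starts, while JPEG data starts with FF D8 FF. make_photo_app, the lookup callable and the sample directory are hypothetical, and the sample bytes are constructed.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample values: only the leading signature bytes are real,
# the rest is filler, so these are not complete images.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

# Constructed stand-in for search results: python-ldap hands back each
# attribute as a list of byte strings, never as text.
DIRECTORY = {
    "alice": {"jpegPhoto": [SAMPLE_JPEG]},
    "bob": {"jpegPhoto": [SAMPLE_PNG]},  # a PNG stored under jpegPhoto
    "carol": {"jpegPhoto": [b"<html>not an image</html>"]},
}

SIGNATURES = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)


def sniff_image_type(data):
    """Return the MIME type whose signature starts `data`, else None."""
    for signature, mime in SIGNATURES:
        if data.startswith(signature):
            return mime
    return None


def make_photo_app(lookup):
    """WSGI app for ?uid=<name>; `lookup` returns an entry dict or None."""
    def app(environ, start_response):
        uid = parse_qs(environ.get("QUERY_STRING", "")).get("uid", [""])[0]
        values = (lookup(uid) or {}).get("jpegPhoto") or []
        mime = sniff_image_type(values[0]) if values else None
        if mime is None:
            # Directory attributes are user-supplied data: refuse anything
            # that is not a recognised image instead of echoing it back.
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"no usable photo\n"]
        body = values[0]  # raw bytes, sent as-is: no str(), decode() or base64
        start_response("200 OK", [
            ("Content-Type", mime),
            ("Content-Length", str(len(body))),
            ("X-Content-Type-Options", "nosniff"),
        ])
        return [body]
    return app


def as_data_uri(data):
    """Inline form for an HTML src attribute; here base64 is required."""
    mime = sniff_image_type(data)
    if mime is None:
        raise ValueError("not a recognised image")
    return "data:%s;base64,%s" % (mime, base64.b64encode(data).decode("ascii"))
```

The app can be tried locally with wsgiref.simple_server.make_server from the standard library, passing make_photo_app(DIRECTORY.get).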

From zhbmaillistonly at gmail.com Tue Jun 9 11:10:26 2009
From: zhbmaillistonly at gmail.com (Zhang Huangbin)
Date: Tue, 09 Jun 2009 17:10:26 +0800
Subject: Any example to display jpegPhoto?
In-Reply-To: <4A29AFAC.2070902@gmail.com>
References: <4A293037.5040404@gmail.com> <4A297144.6060409@stroeder.com> <4A29AFAC.2070902@gmail.com>
Message-ID: <4A2E2702.7000005@gmail.com>

Zhang Huangbin wrote:
>> Not sure what you really want to display and where.
>>
>> How about entry['jpegPhoto'][0].encode('base64') ?

Still confused what data type it stored in LDAP.
Already base64 encoded?

Display entry['jpegPhoto'][0] directly, got error msg:
----
'ascii' codec can't decode byte 0x89 in position 0: ordinal not in
range(128)
----

How can I display it if I use 'content-type: image/jpeg' header?

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL, CentOS, Debian, Ubuntu:
  + Homepage: http://code.google.com/p/iredmail/
  + Forum: http://www.iredmail.org/forum/

From zhbmaillistonly at gmail.com Tue Jun 9 11:14:33 2009
From: zhbmaillistonly at gmail.com (Zhang Huangbin)
Date: Tue, 09 Jun 2009 17:14:33 +0800
Subject: Any example to display jpegPhoto?
In-Reply-To: <4A2E2702.7000005@gmail.com>
References: <4A293037.5040404@gmail.com> <4A297144.6060409@stroeder.com> <4A29AFAC.2070902@gmail.com> <4A2E2702.7000005@gmail.com>
Message-ID: <4A2E27F9.9050503@gmail.com>

Zhang Huangbin wrote:
> Zhang Huangbin wrote:
>>> Not sure what you really want to display and where.
>>>
>>> How about entry['jpegPhoto'][0].encode('base64') ?
>
> Still confused what data type it stored in LDAP.
> Already base64 encoded?
>
> Display entry['jpegPhoto'][0] directly, got error msg:
> ----
> 'ascii' codec can't decode byte 0x89 in position 0: ordinal not in
> range(128)
> ----
>
> How can I display it if I use 'content-type: image/jpeg' header?
>

Forgot to say, it works in non-IE browsers like this:
----

----

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL, CentOS, Debian, Ubuntu:
  + Homepage: http://code.google.com/p/iredmail/
  + Forum: http://www.iredmail.org/forum/

From zhbmaillistonly at gmail.com Wed Jun 10 03:39:14 2009
From: zhbmaillistonly at gmail.com (Zhang Huangbin)
Date: Wed, 10 Jun 2009 09:39:14 +0800
Subject: Any example to display jpegPhoto?
In-Reply-To: <20090609182625.GA66536@stat.berkeley.edu>
References: <4A293037.5040404@gmail.com> <4A297144.6060409@stroeder.com> <4A29AFAC.2070902@gmail.com> <4A2E2702.7000005@gmail.com> <4A2E27F9.9050503@gmail.com> <20090609182625.GA66536@stat.berkeley.edu>
Message-ID: <4A2F0EC2.6070502@gmail.com>

Ryan Lovett wrote:
> You would have a tag such as where
> jpegphoto.cgi is a CGI script that outputs "Content-type: image/jpeg"
> followed by the JPEG data.
>
> But that is an HTTP topic so you should probably consult a Python/CGI
> resource.

Solved, thanks all :)

I use webpy framework, solved just like Ryan Lovett said.
Related thread: http://groups.google.com/group/webpy/t/9f7fdff1c75f7e93

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL, CentOS, Debian, Ubuntu:
  + Homepage: http://code.google.com/p/iredmail/
  + Forum: http://www.iredmail.org/forum/

From Todd.Hanson at mariner-qs.com Tue Jun 23 21:02:49 2009
From: Todd.Hanson at mariner-qs.com (Todd Hanson)
Date: Tue, 23 Jun 2009 14:02:49 -0500
Subject: python-ldap search_s hanging problem on Linux box
Message-ID: <9B4EF74838C52B489690C529898B681902C031@mwa-server03.mariner.local>

I have a query that was written in python (2.5) utilizing the python-ldap
package (newest stable version for both Windows and Linux) to query an
Active Directory server for a user's group membership. The code works
fine on my test machine (2-3 seconds for result) which is Windows based
but when I move the code over and run it on our production Linux (Ubuntu
8.10) server the query hangs for exactly 5 minutes and then displays the
results.
Does anyone have any ideas where this delay might be coming from and how
I can resolve the issue?

The code is (please note I replaced some real data i.e. login, password,
etc with "????" but in my code real names are there):

#!/usr/bin/env python
import ldap
import ldap.sasl
import sys

server = 'ldap://10.200.1.10'
user_id = ????
pw = ????

def main():
    try:
        con = ldap.initialize(server)
        con.simple_bind_s(user_id, pw)
        print 'Connection Made'
    except ldap.INVALID_CREDENTIALS:
        print "Your username or password is incorrect."
        sys.exit()
    except ldap.LDAPError, e:
        if type(e.message) == dict and e.message.has_key('desc'):
            print 'Error - ' + e.message['desc']
        else:
            print 'Error - ' + str(e)
        sys.exit()
    finally:
        print 'Connected'

    try:
        #con.timeout = 10
        #con.network_timeout = 10
        base_dn = 'dc=mariner,dc=local'
        filter = "(memberOf=CN=????,CN=Users,DC=????,DC=local)"
        attrs = ['sn','mail','cn','sAMAccountName','displayName','memberOf']
        timeout = 3
        results = con.search_s(base_dn, ldap.SCOPE_SUBTREE, filter, attrs)
        for dn,entry in results:
            if dn != None:
                print 'Processing',repr(dn)
                print entry['sAMAccountName']
                print entry['displayName']
                print entry['memberOf']
        con.unbind()
        print ""
        print "Connection Closed"
    except ldap.LDAPError, e:
        print 'Error - ' + str(e)
        sys.exit()

# End Of Code ## ### ####

if __name__=="__main__":
    main()

Thank You

Todd J. Hanson
todd.hanson at mariner-qs.com

From michael at stroeder.com Wed Jun 24 12:16:56 2009
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 24 Jun 2009 12:16:56 +0200
Subject: python-ldap search_s hanging problem on Linux box
In-Reply-To: <9B4EF74838C52B489690C529898B681902C031@mwa-server03.mariner.local>
References: <9B4EF74838C52B489690C529898B681902C031@mwa-server03.mariner.local>
Message-ID: <4A41FD18.4050805@stroeder.com>

Todd Hanson wrote:
>
> I have a query that was written in python (2.5) utilizing the
> python-ldap package (newest stable version for both Windows and Linux)
> to query an Active Directory server for a user's group membership. The
> code works fine on my test machine (2-3 seconds for result) which is
> Windows based but when I move the code over and run it on our production
> Linux (Ubuntu 8.10) server the query hangs for exactly 5 minutes and
> then displays the results. Does anyone have any ideas where this delay
> might be coming from and how I can resolve the issue?

I've also observed strange things like this with MS AD before. I don't
know a clear solution. It kind of sounds like a timeout.

One very important thing is to double-check the DNS A and PTR RRs for all
systems involved and avoid using DNS aliases (CNAME). This is especially
true e.g. for SASL bind requests where I experienced strange problems
when using IP address instead of FQDN when binding to AD.

Ciao, Michael.

From michael at stroeder.com Thu Jun 25 14:03:32 2009
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 25 Jun 2009 14:03:32 +0200
Subject: python-ldap search_s hanging problem on Linux box
In-Reply-To: <9B4EF74838C52B489690C529898B681902C051@mwa-server03.mariner.local>
References: <9B4EF74838C52B489690C529898B681902C031@mwa-server03.mariner.local> <4A41FD18.4050805@stroeder.com> <9B4EF74838C52B489690C529898B681902C051@mwa-server03.mariner.local>
Message-ID: <4A436794.3050509@stroeder.com>

Todd,

please stay on the python-ldap-dev list (Cc:-ed) so others can learn and
answer as well.

Todd Hanson wrote:
> Michael Ströder [mailto:michael at stroeder.com] wrote:
>> Todd Hanson wrote:
>>> I have a query that was written in python (2.5) utilizing the
>>> python-ldap package (newest stable version for both Windows and
>>> Linux) to query an Active Directory server for a user's group
>>> membership. The code works fine on my test machine (2-3 seconds for
>>> result) which is Windows based but when I move the code over and
>>> run it on our production Linux (Ubuntu 8.10) server the query hangs
>>> for exactly 5 minutes and then displays the results.
>>
>> I've also observed strange things like this with MS AD before. I
>> don't know a clear solution. It kind of sounds like a timeout.
>>
>> One very important thing is to double-check the DNS A and PTR RRs for
>> all systems involved and avoid using DNS aliases (CNAME). This is
>> especially true e.g. for SASL bind requests where I experienced
>> strange problems when using IP address instead of FQDN when binding
>> to AD.
>
> The strange thing is I would expect the delay to come when I'm doing
> the "con.simple_bind_s(user_id, pw)" but that appears to connect
> right away. The delay comes when I issue the "search_s" command. If
> it was a DNS or reverse DNS issue I would expect the delay to come on
> the connection or is that a wrong assumption?

Bear in mind that a Windows domain could be part of a forest with trust
relationships etc. So you never know what is resolved internally when
processing a search request. I do not claim to be an AD expert though.

Maybe you could try asking about this particular issue in a MS-AD-related
newsgroup: news:microsoft.public.windows.server.active_directory

Ciao, Michael.

From michael at stroeder.com Thu Jun 25 16:39:05 2009
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 25 Jun 2009 16:39:05 +0200
Subject: python-ldap search_s hanging problem on Linux box
In-Reply-To: <9B4EF74838C52B489690C529898B681902C06D@mwa-server03.mariner.local>
References: <9B4EF74838C52B489690C529898B681902C031@mwa-server03.mariner.local> <4A41FD18.4050805@stroeder.com> <9B4EF74838C52B489690C529898B681902C051@mwa-server03.mariner.local> <4A436794.3050509@stroeder.com> <9B4EF74838C52B489690C529898B681902C06D@mwa-server03.mariner.local>
Message-ID: <4A438C09.3010507@stroeder.com>

Todd Hanson wrote:
> I found the resolution!!! If I add the line of code
> "con.set_option(ldap.OPT_REFERRALS, 0)" after making the connection
> everything runs fine. Why?

Search the python-ldap-dev archive. This is a known issue with automatic
referral chasing within libldap. Switching it off does not do any harm.

Ciao, Michael.

From cybernytrix at yahoo.com Fri Apr 3 19:19:00 2009
From: cybernytrix at yahoo.com (Ashwin)
Date: Fri, 3 Apr 2009 10:19:00 -0700 (PDT)
Subject: SASL bind problem
Message-ID: <505240.15748.qm@web30702.mail.mud.yahoo.com>

Hello,

I am using python-ldap to bind using SASL with DIGEST-MD5 authentication.
My program:

#!/usr/bin/python
import ldap.sasl

username = 'user'
pw = 'pass'
url = "ldap://example.com/"
bind = "dc=www,dc=example,dc=com"

def doit():
    con = ldap.initialize(url)
    auth_tok = ldap.sasl.digest_md5(username, pw)
    ret = con.sasl_interactive_bind_s(bind, auth_tok)
    print "bind:", ret
    ret = con.unbind()
    return

doit()
doit()

The first bind is successful, the second one fails (with
INVALID_CREDENTIALS):

bind: 0
Traceback (most recent call last):
  File "./ldaptest.py", line 21, in
    doit()
  File "./ldaptest.py", line 12, in doit
    ret = con.sasl_interactive_bind_s(bind, auth_tok)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 219, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 97, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 57, vece', 'desc': 'Invalid credentials'}

It looks like the credentials (nonce) are being cached and the server
does not like this (it is a Windows server). Is there a way to ask the
library to not cache the credentials?

I ran wireshark and it confirms that on the first call to bind, only
"sasl:mechanism" is sent. However, on the second call to bind,
credentials are also being sent which confuses the server as it has not
yet sent the challenge (via saslBindInProgress).

Thanks!
Ashwin
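
For the "search_s hanging problem" thread above, resolved with con.set_option(ldap.OPT_REFERRALS, 0): an added example (Python 3, not from any poster and not python-ldap code) of what the client then handles itself, separating the (None, [url, ...]) continuation references from real entries and deciding which referral URLs may be followed with the bind credentials at all. The host names, the allowlist policy and every function name are assumptions, and urllib.parse stands in for python-ldap's ldapurl module so the block runs without an LDAP library.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sample in the shape search_s() results take with referral
# chasing switched off: entries are (dn, attrs), continuation references
# are (None, [ldap_url, ...]).
SAMPLE_RESULTS = [
    ("CN=Alice Example,CN=Users,DC=example,DC=test",
     {"sAMAccountName": [b"alice"]}),
    (None, ["ldap://ForestDnsZones.example.test/DC=ForestDnsZones,DC=example,DC=test"]),
    (None, ["ldaps://dc2.example.test:636/DC=child,DC=example,DC=test"]),
    (None, ["ldap://directory.elsewhere.invalid/DC=example,DC=test"]),
]

# Hypothetical policy: servers this client is willing to present credentials to.
TRUSTED_HOSTS = {"dc2.example.test", "forestdnszones.example.test"}


def split_results(results):
    """Separate real entries from search continuation references."""
    entries, referrals = [], []
    for dn, payload in results:
        if dn is None:
            referrals.extend(
                u.decode("utf-8") if isinstance(u, bytes) else u for u in payload)
        else:
            entries.append((dn, payload))
    return entries, referrals


def parse_referral(url):
    """Parse an LDAP URL into scheme, host, port and base DN."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an LDAP URL with a host: %r" % url)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,  # urlsplit lowercases the host name
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "base_dn": unquote(parts.path.lstrip("/")),
    }


def triage_referrals(urls, trusted_hosts, require_tls=True):
    """Return (follow, refused); refused items are (url, reason) pairs."""
    follow, refused = [], []
    for url in urls:
        try:
            ref = parse_referral(url)
        except ValueError as exc:
            refused.append((url, str(exc)))
            continue
        if ref["host"] not in trusted_hosts:
            # The referral URL is data from the directory, not configuration.
            refused.append((url, "host not in allowlist"))
        elif require_tls and ref["scheme"] != "ldaps":
            # A simple bind over ldap:// would put the password on the wire.
            refused.append((url, "plaintext ldap://"))
        else:
            follow.append(ref)
    return follow, refused
```

With the sample data only the ldaps:// reference to dc2.example.test is accepted; the refused list is what to log when a directory starts returning referrals to servers nobody configured.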