[python-ldap] Adding members to a group in AD

Patrick Fitzgerald patrickf at signaller.net
Wed Aug 31 13:19:46 CEST 2011 

Thanks - just the clues I needed to get it working.

Building the modify list by hand worked as it exposed an error in my code.

Thanks again- Patrick


On 29/08/2011 12:32, Michael Ströder wrote:
> Russell Jackson wrote:
>> modifyModList() is a bit ham fisted in that it just does a replace rather than
>> figure out what to add and delete.
> More precise: modifyModList() will result in MOD_DEL all values, MOD_ADD
> complete new value list. The reason for this is that not all attributes have
> an EQUALITY matching rule assigned to it (e.g. binary attributes) which is
> required for doing something smarter. This turned out to be successful with
> most LDAP servers. But some LDAP server seem to do schema-checking not on the
> overall result of the modify operation. It seems that MOD_DEL all values leads
> to a schema violation one these servers.
>
> My web2ldap has a smarter variant of this function which looks in the
> subschema for determining whether an EQUALITY matching rule is usable.
>
> Anyway one would not want to use that for large group entries.
>
>> dn, entry = dir.search_s('dc=domain', ldap.SCOPE_SUBTREE, '''
>> (&
>>    (objectClass=group)
>>    (cn=some_group)
>> )
>> '''.strip())[0]
>>
>> member_dn_list = [
>>    'cn=foo,ou=people,dc=domain',
>>    'cn=bar,ou=people,dc=domain',
>>    'cn=baz,ou=people,dc=domain',
>> ]
>> modlist = [
>>    (ldap.MOD_ADD, 'member', [
>>      dn
>>      for dn in member_dn_list
>>      if dn not in entry.get('member', [])
>>    ])
>> ]
>>
>> ldif.LDIFWriter(sys.stderr).unparse(dn, modlist)
>> dir.modify_s(dn, modlist)
> Hmm, in principle this is ok but one should make it a bit faster by
> pre-initializing a set. Also one might to make this case-insensitive.
>
> I'd usually do:
>
> member_list = set([av.lower() for av in entry.get('member', [])])
>
> and then:
>
> if not dn.lower() in member_list:
>
> If one already knows which DN to add it's more easy anyway.
>
> Note that DNs are not case-insensitive in general. E.g. OpenLDAP looks applys
> the exact matching rules for the attributes used in a DN.
>
> Ciao, Michael.

More information about the python-ldap mailing list