From michael at stroeder.com Sun Jul 17 15:47:25 2016
From: michael at stroeder.com (Michael Ströder)
Date: Sun, 17 Jul 2016 21:47:25 +0200
Subject: [python-ldap] preparing for 2.4.26 - please test!
Message-ID: <578BE0CD.9030409@stroeder.com>

HI!

If you make serious use of python-ldap then please test CVS HEAD now. I plan to
release 2.4.26 during the next days (see below for changes so far).

Ciao, Michael.

----------------------------------------------------------------
Released 2.4.26 2016-xx-xx

Changes since 2.4.25:

Installation:
* added ldap.controls.sss to py_modules in setup.py

Lib/
* LDAPObject.unbind_ext() now removes class attribute
  LDAPObject._l to completely invalidate C wrapper object
* LDAPObject.unbind_ext() now flushes trace file
* added functions ldap.strf_secs() and ldap.strp_secs()
* Refactored ldif.LDIFParser
* ldif.LDIFParser.version is now Integer
* ignore multiple empty lines between records

Modules/
* Fixed #69 Segmentation fault on whoami_s after unbind
  (thanks to Christian Heimes and Petr Viktorin)

Tests/
* Fixed result3() being used instead of correct result4()
  (see #66, thanks to David D. Riddle)
* Tests/slapd.py honors env var $TMP instead of just using
  hard-coded /var/tmp
* Tests/slapd.py now expects schema to be in /etc/openldap/
* Tests/t_ldapurl.py now independent of module ldap
* Tests/t_ldif.py now has more test-cases also for change records

From michael at stroeder.com Sun Jul 17 15:39:59 2016
From: michael at stroeder.com (Michael Ströder)
Date: Sun, 17 Jul 2016 21:39:59 +0200
Subject: [python-ldap] feature request: be more lenient in LDIFParser
In-Reply-To: <56F2D36B.4040802@stroeder.com>
References: <56F2D36B.4040802@stroeder.com>
Message-ID: <578BDF0F.6050500@stroeder.com>

Michael Ströder wrote:
> Jephte Clain wrote:
>> FYI, I made feature request #18 on
>> http://sourceforge.net/p/python-ldap/feature-requests/18/ to make
>> LDIFParser more lenient
>
> I saw your feature request and patch.

Please test recent updates in CVS HEAD. It's pretty liberal now.
Feel free to add more tests to t_ldif.py.

Ciao, Michael.

From pcarlson at redhat.com Wed Jul 20 13:01:37 2016
From: pcarlson at redhat.com (Patrick Carlson)
Date: Wed, 20 Jul 2016 17:01:37 +0000 (UTC)
Subject: [python-ldap] ValueError: option error on trying to set OPT_X_TLS_CACERTFILE
References: <56B44BEC.90006@stroeder.com>
Message-ID:

> Peter Bengtsson wrote:
> I'm on OSX 10.11.3 and I installed python-ldap 2.4.25 with pip in a
> virtualenv. And I always get this error:
>
>>>> import ldap
>>>> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to.crt')
> Traceback (most recent call last):
>   File "", line 1, in
>   File
> "/Users/peterbe/virtualenvs/medlem/lib/python2.7/site-packages/python_ldap-2.4.25-py2.7-macosx-10.11-x86_64.egg/ldap/functions.py",
> line 133, in set_option
>     return _ldap_function_call(None,_ldap.set_option,option,invalue)
>   File
> "/Users/peterbe/virtualenvs/medlem/lib/python2.7/site-packages/python_ldap-2.4.25-py2.7-macosx-10.11-x86_64.egg/ldap/functions.py",
> line 64, in _ldap_function_call
>     result = func(*args,**kwargs)
> ValueError: option error

Was this issue ever solved? I've been working with python-ldap
recently and have come across the same issue. I know the cert file exists
and I've used the cert file when working with openldap.

From michael at stroeder.com Wed Jul 20 17:17:46 2016
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 20 Jul 2016 23:17:46 +0200
Subject: [python-ldap] ValueError: option error on trying to set OPT_X_TLS_CACERTFILE
In-Reply-To:
References: <56B44BEC.90006@stroeder.com>
Message-ID: <578FEA7A.8000400@stroeder.com>

Patrick Carlson wrote:
>> Peter Bengtsson wrote:
>> "/Users/peterbe/virtualenvs/medlem/lib/python2.7/site-packages/python_ldap-2.4.25-py2.7-macosx-10.11-x86_64.egg/ldap/functions.py",
>> line 64, in _ldap_function_call
>> result = func(*args,**kwargs)
>> ValueError: option error
>
> Was this issue ever solved?

Not on Mac OS X. It seems they've heavily patched libldap on Mac OS X for using
the OS's keyring / trust store. So as work-around for Mac OS X you have to import
the CA cert there and *not* set this option.

> I've been working with python-ldap
> recently and have come across the same issue. I know the cert file exists
> and I've used the cert file when working with openldap.

Also on Mac OS X? Or another OS?

Ciao, Michael.

From pcarlson at redhat.com Thu Jul 21 10:25:58 2016
From: pcarlson at redhat.com (Patrick Carlson)
Date: Thu, 21 Jul 2016 14:25:58 +0000 (UTC)
Subject: [python-ldap] ValueError: option error on trying to set OPT_X_TLS_CACERTFILE
References: <56B44BEC.90006@stroeder.com> <578FEA7A.8000400@stroeder.com>
Message-ID:

>
> > I've been working with python-ldap
> > recently and have come across the same issue. I know the cert file exists
> > and I've used the cert file when working with openldap.
>
> Also on Mac OS X? Or another OS?

Been using Mac OS X. Thanks for the help. I'll try the import on the keyring and
see if I can make that work. Thanks for the help.

From michael at stroeder.com Sun Jul 24 12:37:14 2016
From: michael at stroeder.com (Michael Ströder)
Date: Sun, 24 Jul 2016 18:37:14 +0200
Subject: [python-ldap] ANN: python-ldap 2.4.26
Message-ID: <5794EEBA.2080309@stroeder.com>

Find a new release of python-ldap:

  https://pypi.python.org/pypi/python-ldap/2.4.26

python-ldap provides an object-oriented API to access LDAP directory
servers from Python programs. It mainly wraps the OpenLDAP 2.x libs for
that purpose. Additionally it contains modules for other LDAP-related
stuff (e.g. processing LDIF, LDAP URLs and LDAPv3 schema).

Project's web site:

  http://www.python-ldap.org/

Checksums:

md5sum python-ldap-2.4.26.tar.gz
ef5a5eff45972232205115e3f4a71955

sha1sum python-ldap-2.4.26.tar.gz
38416b0bf9311dad61c2ca1f68c76055a107e5e4

sha256sum python-ldap-2.4.26.tar.gz
09c852e343ab97f566279be331736ebdb35723b7887db30a10990f4099e7619b

Ciao, Michael.

----------------------------------------------------------------
Released 2.4.26 2016-07-24

Changes since 2.4.25:

Installation:
* added ldap.controls.sss to py_modules in setup.py

Lib/
* LDAPObject.unbind_ext() now removes class attribute
  LDAPObject._l to completely invalidate C wrapper object
* LDAPObject.unbind_ext() now flushes trace file
* ldap.ldapobject.SimpleLDAPObject:
  added convenience methods read_rootdse_s() and get_naming_contexts()
* added functions ldap.strf_secs() and ldap.strp_secs()
* added function ldap.filter.time_span_filter()
* Refactored ldif.LDIFParser
* ldif.LDIFParser.version is now Integer
* ignore multiple empty lines between records
* Fixed ldap.dn.is_dn()

Modules/
* Fixed #69 Segmentation fault on whoami_s after unbind
  (thanks to Christian Heimes and Petr Viktorin)

Tests/
* Fixed result3() being used instead of correct result4()
  (see #66, thanks to David D. Riddle)
* Tests/slapd.py honors env var $TMP instead of just using
  hard-coded /var/tmp
* Tests/slapd.py now expects schema to be in /etc/openldap/
* Tests/t_ldapurl.py now independent of module ldap
* Tests/t_ldif.py now has more test-cases including change records
* added some more test scripts for sub-modules ldap.dn, ldap.filter and
  ldap.functions (not complete yet)

From bdauvergne at entrouvert.com Tue Jul 26 04:19:24 2016
From: bdauvergne at entrouvert.com (Benjamin Dauvergne)
Date: Tue, 26 Jul 2016 10:19:24 +0200
Subject: [python-ldap] ANN: python-ldap 2.4.26
In-Reply-To: <5794EEBA.2080309@stroeder.com>
References: <5794EEBA.2080309@stroeder.com>
Message-ID: <20160726081924.GA16551@dor-lomin.entrouvert.com>

I have a problem with the new LDIF parser, the following LDIF fixture (it's part
of tests of an LDAP connector) used to be parsed correctly:

'''dn: uid=john.doe,o=orga
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
mail: john.doe at example.com
uid: john.doe
uid: john.doe at entrouvert.com
'''

now I need to feed this, i.e. I need two new lines at the end of the file:

'''dn: uid=john.doe,o=orga
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
mail: john.doe at example.com
uid: john.doe
uid: john.doe at entrouvert.com

'''

Was my fixture already not conformant or is the modified parser in 2.4.26 broken?

On 07/24, Michael Ströder wrote:
> Find a new release of python-ldap:
>
> https://pypi.python.org/pypi/python-ldap/2.4.26
>
> python-ldap provides an object-oriented API to access LDAP directory
> servers from Python programs. It mainly wraps the OpenLDAP 2.x libs for
> that purpose. Additionally it contains modules for other LDAP-related
> stuff (e.g. processing LDIF, LDAP URLs and LDAPv3 schema).
>
> Project's web site:
>
> http://www.python-ldap.org/
>
> Checksums:
>
> md5sum python-ldap-2.4.26.tar.gz
> ef5a5eff45972232205115e3f4a71955
>
> sha1sum python-ldap-2.4.26.tar.gz
> 38416b0bf9311dad61c2ca1f68c76055a107e5e4
>
> sha256sum python-ldap-2.4.26.tar.gz
> 09c852e343ab97f566279be331736ebdb35723b7887db30a10990f4099e7619b
>
> Ciao, Michael.
>
> ----------------------------------------------------------------
> Released 2.4.26 2016-07-24
>
> Changes since 2.4.25:
>
> Installation:
> * added ldap.controls.sss to py_modules in setup.py
>
> Lib/
> * LDAPObject.unbind_ext() now removes class attribute
>   LDAPObject._l to completely invalidate C wrapper object
> * LDAPObject.unbind_ext() now flushes trace file
> * ldap.ldapobject.SimpleLDAPObject:
>   added convenience methods read_rootdse_s() and get_naming_contexts()
> * added functions ldap.strf_secs() and ldap.strp_secs()
> * added function ldap.filter.time_span_filter()
> * Refactored ldif.LDIFParser
> * ldif.LDIFParser.version is now Integer
> * ignore multiple empty lines between records
> * Fixed ldap.dn.is_dn()
>
> Modules/
> * Fixed #69 Segmentation fault on whoami_s after unbind
>   (thanks to Christian Heimes and Petr Viktorin)
>
> Tests/
> * Fixed result3() being used instead of correct result4()
>   (see #66, thanks to David D. Riddle)
> * Tests/slapd.py honors env var $TMP instead of just using
>   hard-coded /var/tmp
> * Tests/slapd.py now expects schema to be in /etc/openldap/
> * Tests/t_ldapurl.py now independent of module ldap
> * Tests/t_ldif.py now has more test-cases including change records
> * added some more test scripts for sub-modules ldap.dn, ldap.filter and
>   ldap.functions (not complete yet)
>
>
> _______________________________________________
> python-ldap mailing list
> python-ldap at python.org
> https://mail.python.org/mailman/listinfo/python-ldap

--
Benjamin Dauvergne - Tel Entrouvert: 01 43 35 01 35 - Tel perso: 01 84 16 24 53

From michael at stroeder.com Wed Jul 27 05:03:40 2016
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 27 Jul 2016 11:03:40 +0200
Subject: [python-ldap] ANN: python-ldap 2.4.26
In-Reply-To: <20160726081924.GA16551@dor-lomin.entrouvert.com>
References: <5794EEBA.2080309@stroeder.com> <20160726081924.GA16551@dor-lomin.entrouvert.com>
Message-ID: <579878EC.90806@stroeder.com>

Benjamin Dauvergne wrote:
> I have a problem with the new LDIF parser, the following LDIF fixture (it's part
> of tests of an LDAP connector) used to be parsed correctly:
>
> '''dn: uid=john.doe,o=orga
> objectClass: inetOrgPerson
> cn: John Doe
> sn: Doe
> mail: john.doe at example.com
> uid: john.doe
> uid: john.doe at entrouvert.com
> '''
>
> now I need to feed this, i.e. I need two new lines at the end of the file:
>
> '''dn: uid=john.doe,o=orga
> objectClass: inetOrgPerson
> cn: John Doe
> sn: Doe
> mail: john.doe at example.com
> uid: john.doe
> uid: john.doe at entrouvert.com
>
> '''

Which exact error do you get?

> Was my fixture already not conformant or is the modified parser in 2.4.26 broken

Hmm, not sure about that. If I produce LDIF I always add the trailing empty line
to please all the LDIF parsers out there. But I couldn't find language in RFC
2849 which makes that mandatory.

I'm currently looking into this and I'm not sure about the use of

  textwrap.dedent(ldif_string).lstrip() + '\n'

in TestLDIFParser.check_records(). For sake of readability it seems to be too
magic missing some of those corner-cases.

Ciao, Michael.
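The fixture shapes raised in this thread (record followed by an empty separator line, record ending in a single newline, record with no final newline) all parse the same way if the reader flushes the pending record at end of input as well as on empty lines. This is an added example, not python-ldap's ldif.LDIFParser and not code from these messages: `unfold` and `parse_entry_records` are hypothetical helpers covering RFC 2849 entry records only (no change records, no URL values), and the sample entries are constructed.

```python
import base64


def unfold(text):
    """Join RFC 2849 continuation lines (leading space) and drop comment lines."""
    logical, in_comment = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):
            if in_comment:
                continue  # continuation of a folded comment
            if not logical or logical[-1] == "":
                raise ValueError("continuation line without a line to continue")
            logical[-1] += raw[1:]
            continue
        in_comment = raw.startswith("#")
        if not in_comment:
            logical.append(raw)
    return logical


def parse_entry_records(text):
    """Return [(dn, {attr: [bytes, ...]}), ...] for the entry records in text."""
    records = []
    state = {"dn": None, "entry": {}}

    def flush():
        if state["dn"] is not None:
            records.append((state["dn"], state["entry"]))
        state["dn"], state["entry"] = None, {}

    for line in unfold(text):
        if line == "":
            flush()  # one or many empty lines end the pending record
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        if rest.startswith("<"):
            raise ValueError("URL values are not handled in this example")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())  # "attr:: <base64>"
        else:
            value = rest.lstrip(" ").encode("utf-8")
        if state["dn"] is None:
            if attr.lower() == "version" and not records:
                continue  # optional "version: 1" header
            if attr.lower() != "dn":
                raise ValueError("record must start with dn:, got %r" % line)
            state["dn"] = value.decode("utf-8")
        else:
            state["entry"].setdefault(attr, []).append(value)
    flush()  # end of input ends the pending record too
    return records


# Constructed sample input, modelled on the fixture quoted above.
RECORD = (
    "dn: uid=john.doe,o=orga\n"
    "objectClass: inetOrgPerson\n"
    "cn: John Doe\n"
    "uid: john.doe\n"
    "uid: john.doe@example.com"
)
WITH_SEPARATOR = RECORD + "\n\n"   # trailing empty separator line
WITH_NEWLINE = RECORD + "\n"       # single final newline
WITHOUT_NEWLINE = RECORD           # no final newline at all

TWO_RECORDS = (
    "version: 1\n"
    "# constructed sample\n"
    "dn: cn=first,o=orga\n"
    "description: one long\n"
    "  value\n"
    "\n\n\n"
    "dn:: " + base64.b64encode(b"cn=second,o=orga").decode("ascii") + "\n"
    "cn: second"
)

if __name__ == "__main__":
    for name in ("WITH_SEPARATOR", "WITH_NEWLINE", "WITHOUT_NEWLINE", "TWO_RECORDS"):
        print(name, parse_entry_records(globals()[name]))
```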

From michael at stroeder.com Wed Jul 27 05:37:18 2016
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 27 Jul 2016 11:37:18 +0200
Subject: [python-ldap] LDIF corner-cases (was: ANN: python-ldap 2.4.26)
In-Reply-To: <579878EC.90806@stroeder.com>
References: <5794EEBA.2080309@stroeder.com> <20160726081924.GA16551@dor-lomin.entrouvert.com> <579878EC.90806@stroeder.com>
Message-ID: <579880CE.4020206@stroeder.com>

Michael Ströder wrote:
> Benjamin Dauvergne wrote:
>> I have a problem with the new LDIF parser, the following LDIF fixture (it's part
>> of tests of an LDAP connector) used to be parsed correctly:
>>
>> '''dn: uid=john.doe,o=orga
>> objectClass: inetOrgPerson
>> cn: John Doe
>> sn: Doe
>> mail: john.doe at example.com
>> uid: john.doe
>> uid: john.doe at entrouvert.com
>> '''
>>
>> now I need to feed this, i.e. I need two new lines at the end of the file:
>>
>> '''dn: uid=john.doe,o=orga
>> objectClass: inetOrgPerson
>> cn: John Doe
>> sn: Doe
>> mail: john.doe at example.com
>> uid: john.doe
>> uid: john.doe at entrouvert.com
>>
>> '''
>
> Which exact error do you get?
>
>> Was my fixture already not conformant or is the modified parser in 2.4.26 broken
>
> Hmm, not sure about that. If I produce LDIF I always add the trailing empty line
> to please all the LDIF parsers out there. But I couldn't find language in RFC
> 2849 which makes that mandatory.
>
> I'm currently looking into this and I'm not sure about the use of
>
> textwrap.dedent(ldif_string).lstrip() + '\n'
>
> in TestLDIFParser.check_records(). For sake of readability it seems to be too
> magic missing some of those corner-cases.

I've added a test-case to Tests/t_ldif.py for this and removed the new-line
magic in TestLDIFParser.check_records().

Not sure about all that. Someone could also argue that the parser should be
liberal enough to accept a single record like this:

'''dn: uid=john.doe,o=orga
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
mail: john.doe at example.com
uid: john.doe
uid: john.doe at entrouvert.com'''

Ummpf! My spare time is very limited and I already spent too much time pleasing
broken LDIF generators. Also handling all these corner-cases makes the parser
slower...

Ciao, Michael.

From michael at stroeder.com Sat Jul 30 15:03:12 2016
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 30 Jul 2016 21:03:12 +0200
Subject: [python-ldap] LDIF corner-cases
In-Reply-To: <579880CE.4020206@stroeder.com>
References: <5794EEBA.2080309@stroeder.com> <20160726081924.GA16551@dor-lomin.entrouvert.com> <579878EC.90806@stroeder.com> <579880CE.4020206@stroeder.com>
Message-ID: <579CF9F0.8070801@stroeder.com>

Michael Ströder wrote:
> Michael Ströder wrote:
>> Benjamin Dauvergne wrote:
>>> I have a problem with the new LDIF parser, the following LDIF fixture (it's part
>>> of tests of an LDAP connector) used to be parsed correctly:
>>>
>>> '''dn: uid=john.doe,o=orga
>>> objectClass: inetOrgPerson
>>> cn: John Doe
>>> sn: Doe
>>> mail: john.doe at example.com
>>> uid: john.doe
>>> uid: john.doe at entrouvert.com
>>> '''
>>>
>>> now I need to feed this, i.e. I need two new lines at the end of the file:
>>>
>>> '''dn: uid=john.doe,o=orga
>>> objectClass: inetOrgPerson
>>> cn: John Doe
>>> sn: Doe
>>> mail: john.doe at example.com
>>> uid: john.doe
>>> uid: john.doe at entrouvert.com
>>>
>>> '''
>>
>> Which exact error do you get?
>>
>>> Was my fixture already not conformant or is the modified parser in 2.4.26 broken
>>
>> Hmm, not sure about that. If I produce LDIF I always add the trailing empty line
>> to please all the LDIF parsers out there. But I couldn't find language in RFC
>> 2849 which makes that mandatory.
>>
>> I'm currently looking into this and I'm not sure about the use of
>>
>> textwrap.dedent(ldif_string).lstrip() + '\n'
>>
>> in TestLDIFParser.check_records(). For sake of readability it seems to be too
>> magic missing some of those corner-cases.
>
> I've added a test-case to Tests/t_ldif.py for this and removed the new-line
> magic in TestLDIFParser.check_records().
>
> Not sure about all that. Someone could also argue that the parser should be
> liberal enough to accept a single record like this:
>
> '''dn: uid=john.doe,o=orga
> objectClass: inetOrgPerson
> cn: John Doe
> sn: Doe
> mail: john.doe at example.com
> uid: john.doe
> uid: john.doe at entrouvert.com'''
>
> Ummpf! My spare time is very limited and I already spent too much time pleasing
> broken LDIF generators. Also handling all these corner-cases makes the parser
> slower...

Fixed for entry records for upcoming 2.4.27. Please test CVS HEAD.

Ciao, Michael.

From sebastian.wiesner at tu-dresden.de Mon Aug 1 04:39:45 2016
From: sebastian.wiesner at tu-dresden.de (Sebastian Wiesner)
Date: Mon, 1 Aug 2016 10:39:45 +0200
Subject: [python-ldap] Using modify_s: TypeError: function takes exactly 3 arguments (2 given)
Message-ID: <6254fa87-d48d-3225-eff8-7ff21b693f7b@tu-dresden.de>

Hi,

whenever I use the modify_s() method of my LDAP object, I get an Exception
raised.
Here is some trace of this:

  File "/home/zihprov/zihprov/zihprov/lib/python2.6/site-packages/ldap/ldapobject.py", line 401, in modify_s
    msgid = self.modify(dn,modlist)
  File "/home/zihprov/zihprov/zihprov/lib/python2.6/site-packages/ldap/ldapobject.py", line 398, in modify
    return self.modify_ext(dn,modlist,None,None)
  File "/home/zihprov/zihprov/zihprov/lib/python2.6/site-packages/ldap/ldapobject.py", line 370, in modify_ext
    return self._ldap_call(self._l.modify_ext,dn,modlist,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/home/zihprov/zihprov/zihprov/lib/python2.6/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
TypeError: function takes exactly 3 arguments (2 given)

Tried it with python-ldap 2.3.10 and already upgraded to 2.4.26. Same error.

Kind regards
Sebastian

From michael at stroeder.com Mon Aug 1 05:51:45 2016
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 1 Aug 2016 11:51:45 +0200
Subject: [python-ldap] Using modify_s: TypeError: function takes exactly 3 arguments (2 given)
In-Reply-To: <6254fa87-d48d-3225-eff8-7ff21b693f7b@tu-dresden.de>
References: <6254fa87-d48d-3225-eff8-7ff21b693f7b@tu-dresden.de>
Message-ID: <579F1BB1.5010005@stroeder.com>

Sebastian Wiesner wrote:
> whenever I use the modify_s() method of my LDAP object, I get an Exception
> raised. Here is some trace of this:

Please post a small example script demonstrating your issue.

Ciao, Michael.

From michael at stroeder.com Mon Aug 1 06:19:37 2016
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 1 Aug 2016 12:19:37 +0200
Subject: [python-ldap] ANN: python-ldap 2.4.27
Message-ID: <579F2239.6040604@stroeder.com>

Find a new release of python-ldap:

  https://pypi.python.org/pypi/python-ldap/2.4.27

python-ldap provides an object-oriented API to access LDAP directory
servers from Python programs. It mainly wraps the OpenLDAP 2.x libs for
that purpose. Additionally it contains modules for other LDAP-related
stuff (e.g. processing LDIF, LDAP URLs and LDAPv3 schema).

Project's web site:

  http://www.python-ldap.org/

Checksums:

md5sum python-ldap-2.4.27.tar.gz
3725db082e8624d4c797e62a92ee761a

sha1sum python-ldap-2.4.27.tar.gz
5abd5e294ab68a8bdde6997b74565f9db843ee08

sha256sum python-ldap-2.4.27.tar.gz
6306a57a3c659ffda0003b386b1a23fdcee0b903a0ede0ce04c33ba78be64a2e

Ciao, Michael.

----------------------------------------------------------------
Released 2.4.27 2016-08-01

Changes since 2.4.26:

Lib/
* added 'strf_secs' and 'strp_secs' to ldap.functions.__all__
* fixed regression introduced with 2.4.26:
  ldif.LDIFParser did not fully parse LDIF records without trailing empty
  separator line

From sebastian.wiesner at tu-dresden.de Mon Aug 1 09:29:22 2016
From: sebastian.wiesner at tu-dresden.de (Sebastian Wiesner)
Date: Mon, 1 Aug 2016 15:29:22 +0200
Subject: [python-ldap] Using modify_s: TypeError: function takes exactly 3 arguments (2 given)
In-Reply-To: <579F1BB1.5010005@stroeder.com>
References: <6254fa87-d48d-3225-eff8-7ff21b693f7b@tu-dresden.de> <579F1BB1.5010005@stroeder.com>
Message-ID:

Thank you. I read the code like 1000 times, but while pasting it for you I
finally found the error myself. I used an addModlist as argument to the
modify_s() method. Seems to be solved. The Exception thrown is hard to track
down, though.

On 01.08.2016 at 11:51, Michael Ströder wrote:
> Sebastian Wiesner wrote:
>> whenever I use the modify_s() method of my LDAP object, I get an Exception
>> raised. Here is some trace of this:
> Please post a small example script demonstrating your issue.
>
> Ciao, Michael.
>

From michael at stroeder.com Mon Aug 1 10:00:59 2016
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 1 Aug 2016 16:00:59 +0200
Subject: [python-ldap] Using modify_s: TypeError: function takes exactly 3 arguments (2 given)
In-Reply-To:
References: <6254fa87-d48d-3225-eff8-7ff21b693f7b@tu-dresden.de> <579F1BB1.5010005@stroeder.com>
Message-ID: <579F561B.2030300@stroeder.com>

Sebastian Wiesner wrote:
> Thank you. I read the code like 1000 times, but while pasting it for you I
> finally found the error myself.

I hoped so. ;-)

> I used an addModlist as argument to the
> modify_s() method. Seems to be solved. The Exception thrown is hard to track
> down, though.

I'm open to concrete suggestions for improving that without sacrificing
performance too much.

Ciao, Michael.
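The mix-up described in this exchange comes down to tuple shape: ldap.modlist.addModlist() returns 2-tuples `(attr, values)` for add_s(), while modify_s() expects 3-tuples `(mod_op, attr, values)` as ldap.modlist.modifyModlist() returns. The following is an added example, not python-ldap code and not from the original messages: `check_modify_modlist` is a hypothetical pure-Python pre-flight check that names the offending element, the MOD_* values are the LDAP operation codes python-ldap exposes as ldap.MOD_ADD and friends, and the sample modlists are constructed.

```python
# LDAP modify operation codes (the values behind ldap.MOD_ADD, ldap.MOD_DELETE,
# ldap.MOD_REPLACE and ldap.MOD_INCREMENT); defined here so the example runs
# without python-ldap installed.
MOD_ADD, MOD_DELETE, MOD_REPLACE, MOD_INCREMENT = 0, 1, 2, 3
_MOD_OPS = frozenset((MOD_ADD, MOD_DELETE, MOD_REPLACE, MOD_INCREMENT))


def check_modify_modlist(modlist):
    """Return modlist unchanged, or raise TypeError naming the bad element."""
    if isinstance(modlist, (str, bytes)) or not hasattr(modlist, "__iter__"):
        raise TypeError("modlist must be a list of tuples, got %s"
                        % type(modlist).__name__)
    for index, item in enumerate(modlist):
        if not isinstance(item, tuple):
            raise TypeError("modlist[%d] must be a tuple, got %s"
                            % (index, type(item).__name__))
        if len(item) == 2:
            # The case from this thread: output of addModlist() passed to modify_s().
            raise TypeError("modlist[%d] is a 2-tuple (attr, values): that is the "
                            "add_s() shape; modify_s() needs (mod_op, attr, values)"
                            % index)
        if len(item) != 3:
            raise TypeError("modlist[%d] has %d elements, expected 3"
                            % (index, len(item)))
        mod_op, attr, _values = item
        if isinstance(mod_op, bool) or not isinstance(mod_op, int) \
                or mod_op not in _MOD_OPS:
            raise TypeError("modlist[%d]: %r is not a MOD_* operation code"
                            % (index, mod_op))
        if not isinstance(attr, str):
            raise TypeError("modlist[%d]: attribute name must be str, got %s"
                            % (index, type(attr).__name__))
    return modlist


def explain(modlist):
    """Return 'ok' or the error text, for demonstration."""
    try:
        check_modify_modlist(modlist)
    except TypeError as exc:
        return str(exc)
    return "ok"


# Constructed samples: the shape addModlist() produces and the shape modify_s() wants.
ADD_MODLIST = [("objectClass", [b"inetOrgPerson"]), ("cn", [b"John Doe"])]
MODIFY_MODLIST = [(MOD_REPLACE, "cn", [b"John Doe"]), (MOD_DELETE, "description", None)]

if __name__ == "__main__":
    print(explain(MODIFY_MODLIST))
    print(explain(ADD_MODLIST))
```

The check is a single pass over the list in Python, so its cost grows with the number of modifications rather than with the size of the values.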

From arominge at redhat.com Tue Aug 23 15:53:25 2016
From: arominge at redhat.com (Alan Rominger)
Date: Tue, 23 Aug 2016 15:53:25 -0400
Subject: [python-ldap] SyntaxError with pytest import of ldap in Django
Message-ID:

The recently-released pytest version 3.0.0 will include things in
`globals()` that can not be directly evaluated. In particular,
"@py_builtins" and "@pytest_ar" will be returned in the list from `dir()`,
causing a traceback when running tests in a project that uses pytest-django
and imports ldap.

The traceback I've been seeing ends with this:

  File "/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 19, in
    o = eval(_name)
  File "", line 1
    @py_builtins
    ^
SyntaxError: invalid syntax

My suggestion is to do nothing when a variable in the current local scope
can not be evaluated. This would require a small change in the
ldap/schema/subentry.py file. For instance, replace this code:

for _name in dir():
  o = eval(_name)
  if hasattr(o,'schema_attribute'):
    SCHEMA_CLASS_MAPPING[o.schema_attribute] = o
    SCHEMA_ATTR_MAPPING[o] = o.schema_attribute

with this:

for _name in dir():
  try:
    o = eval(_name)
  except SyntaxError:
    continue
  if hasattr(o,'schema_attribute'):
    SCHEMA_CLASS_MAPPING[o.schema_attribute] = o
    SCHEMA_ATTR_MAPPING[o] = o.schema_attribute

Alternatively, if you wanted to be sure that you picked up every variable,
the following line replacement will still work as far as I have tested. But
if all you need are variables from the imports from ldap.schema.models, the
eval() method will pick all of those up either way.

  o = globals()[_name]

It would be great if this could get into a future release of python-ldap, so
that people using this kind of test environment could continue to test with
up-to-date versions of their dependencies.

Best,
Alan Rominger
github: AlanCoding
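The failure and both proposed fixes can be reproduced without pytest or python-ldap. This is an added example, not code from python-ldap or from the message above: the namespace dict, the two stand-in classes and the `build_mapping_*` helpers are constructed for illustration, with a plain dict playing the role of the module globals.

```python
class ObjectClass(object):
    """Stand-in for a schema element class carrying schema_attribute."""
    schema_attribute = "objectClasses"


class AttributeType(object):
    schema_attribute = "attributeTypes"


def make_namespace():
    """A module-like namespace including the two names reported for pytest 3.0.0."""
    return {
        "ObjectClass": ObjectClass,
        "AttributeType": AttributeType,
        "unrelated": 42,
        "@py_builtins": object(),  # a valid dict key, but not a valid expression
        "@pytest_ar": object(),
    }


def build_mapping_eval(namespace):
    """Original approach: treat every name as source code and evaluate it."""
    mapping = {}
    for name in sorted(namespace):
        obj = eval(name, namespace)  # raises SyntaxError on "@py_builtins"
        if hasattr(obj, "schema_attribute"):
            mapping[obj.schema_attribute] = obj
    return mapping


def build_mapping_eval_skip(namespace):
    """First suggestion: keep eval() but skip names that do not parse."""
    mapping = {}
    for name in sorted(namespace):
        try:
            obj = eval(name, namespace)
        except SyntaxError:
            continue
        if hasattr(obj, "schema_attribute"):
            mapping[obj.schema_attribute] = obj
    return mapping


def build_mapping_lookup(namespace):
    """Second suggestion: plain dictionary lookup, nothing is parsed or executed."""
    mapping = {}
    for name in sorted(namespace):
        obj = namespace[name]
        if hasattr(obj, "schema_attribute"):
            mapping[obj.schema_attribute] = obj
    return mapping


def eval_fails(namespace):
    """True if the original loop dies with SyntaxError on this namespace."""
    try:
        build_mapping_eval(namespace)
    except SyntaxError:
        return True
    return False


if __name__ == "__main__":
    print("eval loop fails:", eval_fails(make_namespace()))
    print("eval + skip:", sorted(build_mapping_eval_skip(make_namespace())))
    print("dict lookup:", sorted(build_mapping_lookup(make_namespace())))
```

Both fixes produce the same mapping here; the lookup variant does so without ever handing a name to the Python parser.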

From cloverobert at gmail.com Fri Sep 9 07:20:48 2016
From: cloverobert at gmail.com (Robert Clove)
Date: Fri, 9 Sep 2016 16:50:48 +0530
Subject: [python-ldap] Can i check if the group exist in active directory using python ldap
Message-ID:

Hi,

Is it possible in python using ldap module to verify if the

Group exist in active directory
user in group exist

Can some one provide me with the sample code.

From sebastian.wiesner at tu-dresden.de Fri Sep 9 08:37:59 2016
From: sebastian.wiesner at tu-dresden.de (Sebastian Wiesner)
Date: Fri, 9 Sep 2016 14:37:59 +0200
Subject: [python-ldap] Can i check if the group exist in active directory using python ldap
In-Reply-To:
References:
Message-ID:

Hi,

the actual filter string for "user in group exist" depends on which LDAP object
is holding this information inside which attribute, so please provide further
information. Provided your group RDN part is cn=,ou=Group your
filterstring for verifying a special group exists is as follows:

(&(ou:dn:=Group)(cn=))

Kind regards

On 09.09.2016 at 13:20, Robert Clove wrote:
>
> Hi,
>
> Is it possible in python using ldap module to verify if the
>
> Group exist in active directory
> user in group exist
>
> Can some one provide me with the sample code.
>

From sebastian.wiesner at tu-dresden.de Fri Sep 9 08:48:48 2016
From: sebastian.wiesner at tu-dresden.de (Sebastian Wiesner)
Date: Fri, 9 Sep 2016 14:48:48 +0200
Subject: [python-ldap] Can i check if the group exist in active directory using python ldap
In-Reply-To:
References:
Message-ID: <28abf7b2-faef-a30f-2f05-17d463e1bad1@tu-dresden.de>

Sorry, forgot to provide some python sample code:

import ldap

my_ldap = ldap.initialize('ldap://ldap.example.org:389')
my_ldap.simple_bind_s('cn=Manager,dc=ldap,dc=example,dc=org', 'your_ldap_password')
# the search filter has to be passed as a string
my_ldap.search_s('dc=ldap,dc=example,dc=org', ldap.SCOPE_SUBTREE, filterstr='(&(ou:dn:=Group)(cn=SampleGroup))')

Kind regards

On 09.09.2016 at 13:20, Robert Clove wrote:
>
> Hi,
>
> Is it possible in python using ldap module to verify if the
>
> Group exist in active directory
> user in group exist
>
> Can some one provide me with the sample code.
>

From sebastian.wiesner at tu-dresden.de Fri Sep 9 09:38:52 2016
From: sebastian.wiesner at tu-dresden.de (Sebastian Wiesner)
Date: Fri, 9 Sep 2016 15:38:52 +0200
Subject: [python-ldap] Can i check if the group exist in active directory using python ldap
In-Reply-To: <57D2B931.8020909@stroeder.com>
References: <57D2B931.8020909@stroeder.com>
Message-ID: <6f4f4b72-7fa8-5a73-9f65-89967ffafcb8@tu-dresden.de>

Yes, I know. But thank you for pointing this out though. To use
objectClass=group would not work in my case, but using part of the DN would.
It all depends on how the actual directory is set up. That's what I already
mentioned.

Greets

On 09.09.2016 at 15:29, Michael Ströder wrote:
> Sebastian Wiesner wrote:
>> the actual filter string for "user in group exist" depends on which LDAP object
>> is holding this information inside which attribute, so please provide further
>> information. Provided your group RDN part is cn=,ou=Group your
>> filterstring for verifying a special group exists is as follows:
>>
>> (&(ou:dn:=Group)(cn=))
> With this filter you're assuming that the string "ou=Group" is a component of
> the group entry's DN. This is wrong in most cases.
>
> Should rather be:
>
> (&(objectClass=group)(cn=))
>
> Ciao, Michael.
>
>

From michael at stroeder.com Fri Sep 9 09:29:21 2016
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 9 Sep 2016 15:29:21 +0200
Subject: [python-ldap] Can i check if the group exist in active directory using python ldap
In-Reply-To:
References:
Message-ID: <57D2B931.8020909@stroeder.com>

Sebastian Wiesner wrote:
> the actual filter string for "user in group exist" depends on which LDAP object
> is holding this information inside which attribute, so please provide further
> information. Provided your group RDN part is cn=,ou=Group your
> filterstring for verifying a special group exists is as follows:
>
> (&(ou:dn:=Group)(cn=))

With this filter you're assuming that the string "ou=Group" is a component of
the group entry's DN. This is wrong in most cases.

Should rather be:

(&(objectClass=group)(cn=))

Ciao, Michael.
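When the group name comes from input, the filter above should be built with RFC 4515 escaping, which python-ldap also provides as ldap.filter.escape_filter_chars(). This is an added example, not code from the thread: `escape_filter_value`, `group_filter`, `membership_filter`, `entries_only` and `group_exists` are hypothetical helpers written in pure Python so they run without a directory, the names and results are constructed, and the `member` attribute holding the user's DN is an assumption about how the directory stores membership.

```python
# RFC 4515 escapes for characters that have a meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter(group_cn):
    """Filter matching the group entry with this exact cn."""
    return "(&(objectClass=group)(cn=%s))" % escape_filter_value(group_cn)


def membership_filter(group_cn, user_dn):
    """Filter matching the group only if user_dn is listed in its member attribute.

    Assumption: membership is stored as DNs in the group's 'member' attribute.
    """
    return "(&(objectClass=group)(cn=%s)(member=%s))" % (
        escape_filter_value(group_cn),
        escape_filter_value(user_dn),
    )


def entries_only(results):
    """Drop search continuation references, returned as (None, [urls]) tuples."""
    return [(dn, attrs) for dn, attrs in results if dn is not None]


def group_exists(results):
    """True if a search_s() style result list contains at least one real entry."""
    return len(entries_only(results)) > 0


# Constructed result lists in the shape search_s() returns.
ONLY_REFERRAL = [(None, ["ldap://dc2.example.org/DC=example,DC=org"])]
FOUND = [
    ("CN=SampleGroup,OU=Groups,DC=example,DC=org", {"cn": [b"SampleGroup"]}),
    (None, ["ldap://dc2.example.org/DC=example,DC=org"]),
]

if __name__ == "__main__":
    print(group_filter("SampleGroup"))
    print(group_filter("Ops (EU)*"))
    print(membership_filter("SampleGroup", "CN=John Doe,OU=Users,DC=example,DC=org"))
    print(group_exists(ONLY_REFERRAL), group_exists(FOUND))
```

The resulting string is what goes into the `filterstr` argument of search_s(); a result list holding only referral tuples means the group was not found.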

From cloverobert at gmail.com Fri Sep 9 10:34:06 2016
From: cloverobert at gmail.com (Robert Clove)
Date: Fri, 9 Sep 2016 20:04:06 +0530
Subject: [python-ldap] Python LDAP3 module or LDAP Module
Message-ID:

Hi All,

I am using python 2.7, in that there is no ldap module even if I do pip
install ldap I don't get any module and if I do pip install ldap3 it gets
installed.

But the problem is all the samples I see on the net are using ldap.

like I was trying a sample:

# build a client
ldap_client = ldap.initialize(LDAP_SERVER)
# perform a synchronous bind
ldap_client.set_option(ldap.OPT_REFERRALS,0)
ldap_client.simple_bind_s(LDAP_USERNAME, LDAP_PASSWORD)

it works with ldap but for ldap3, I have to do

ldap_client = ldap.connection(LDAP_SERVER)

I could not find the equivalent function for the following in ldap3

ldap_client.set_option(ldap.OPT_REFERRALS,0)
ldap_client.simple_bind_s(LDAP_USERNAME, LDAP_PASSWORD)

If you know the mapping in ldap3 to ldap or samples of ldap3 please send the link

I am trying to run the following code here
https://blogs.oracle.com/marginNotes/entry/ldap_basics_with_python

Regards

From michael at stroeder.com Fri Sep 9 10:39:40 2016
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 9 Sep 2016 16:39:40 +0200
Subject: [python-ldap] Python LDAP3 module or LDAP Module
In-Reply-To:
References:
Message-ID: <57D2C9AC.8060406@stroeder.com>

Robert Clove wrote:
> I am using python 2.7, in that there is no ldap module even if I do pip
> install ldap

Try instead:

pip install python-ldap

> I don't get any module and if I do pip install ldap3 it gets
> installed.

That's an entirely different module package with completely different API.

Ciao, Michael.

From michael at stroeder.com Fri Sep 9 10:41:30 2016
From: michael at stroeder.com (=?UTF-8?Q?Michael_Str=c3=b6der?=)
Date: Fri, 9 Sep 2016 16:41:30 +0200
Subject: [python-ldap] Can i check if the group exist in active directory using python ldap
In-Reply-To: <6f4f4b72-7fa8-5a73-9f65-89967ffafcb8@tu-dresden.de>
References: <57D2B931.8020909@stroeder.com> <6f4f4b72-7fa8-5a73-9f65-89967ffafcb8@tu-dresden.de>
Message-ID: <57D2CA1A.3090904@stroeder.com>

Sebastian Wiesner wrote:
> Yes, I know. But thank you for pointing this out though. To use
> objectClass=group would not work in my case, but using part of the DN would.

Why not? If you know the complete (unique) group name using the filter
(&(objectClass=group)(cn=))
should always return this particular group.

> It all depends on how the actual directory is set up.

Please elaborate on why the filter above does not work in your case.

Ciao, Michael.

From cloverobert at gmail.com Fri Sep 9 10:44:16 2016
From: cloverobert at gmail.com (Robert Clove)
Date: Fri, 9 Sep 2016 20:14:16 +0530
Subject: [python-ldap] Python LDAP3 module or LDAP Module
In-Reply-To: <57D2C9AC.8060406@stroeder.com>
References: <57D2C9AC.8060406@stroeder.com>
Message-ID:

What's preferable?
if i do pip install python-ldap it says something microsoft visual c++ is required.
if i do pip install **any other name** i don't get this error

On Fri, Sep 9, 2016 at 8:09 PM, Michael Ströder wrote:
> Robert Clove wrote:
> > I am using python 2.7, in that there is no ldap module even if i do pip
> > install ldap
>
> Try instead:
>
> pip install python-ldap
>
> > i don't get any module and if i do pip install ldap3 it get
> > installed.
>
> That's an entirely different module package with completely different API.
>
> Ciao, Michael.

From michael at stroeder.com Fri Sep 9 10:54:51 2016
From: michael at stroeder.com (=?UTF-8?Q?Michael_Str=c3=b6der?=)
Date: Fri, 9 Sep 2016 16:54:51 +0200
Subject: [python-ldap] Python LDAP3 module or LDAP Module
In-Reply-To:
References: <57D2C9AC.8060406@stroeder.com>
Message-ID: <57D2CD3B.1010808@stroeder.com>

Robert Clove wrote:
> if i do pip install python-ldap it says something microsoft visual c++ is
> required.

python-ldap is a C module wrapping the OpenLDAP client libs. Therefore pip
install requires a C compiler if PyPI does not have binaries for your OS platform.

https://www.python-ldap.org/doc/html/installing.html

I don't have a working build environment for Windows.
In former times Waldemar contributed installable Windows binaries.

> if i do pip install **any other name** i don't get this error

This is true for all pure Python modules. For all C or C++ wrapper modules you
need a compiler.

Ciao, Michael.

From jcasale at activenetwerx.com Fri Sep 9 14:05:37 2016
From: jcasale at activenetwerx.com (Joseph L. Casale)
Date: Fri, 9 Sep 2016 18:05:37 +0000
Subject: [python-ldap] Python LDAP3 module or LDAP Module
In-Reply-To:
References: <57D2C9AC.8060406@stroeder.com>
Message-ID: <4bc5788ab01c484594dee6d8c875a476@activenetwerx.com>

> What's preferable?
> if i do pip install python-ldap it says something microsoft visual c++ is required.
> if i do pip install **any other name** i don't get this error

Christoph Gohlke provides pre built packages for Windows:
http://www.lfd.uci.edu/~gohlke/pythonlibs/#python-ldap

hth,
jlc

From waldemar.osuch at gmail.com Sat Sep 10 01:17:26 2016
From: waldemar.osuch at gmail.com (Waldemar Osuch)
Date: Fri, 9 Sep 2016 23:17:26 -0600
Subject: [python-ldap] Python LDAP3 module or LDAP Module
In-Reply-To: <57D2CD3B.1010808@stroeder.com>
References: <57D2C9AC.8060406@stroeder.com> <57D2CD3B.1010808@stroeder.com>
Message-ID:

On Fri, Sep 9, 2016 at 8:54 AM, Michael Ströder wrote:
> I don't have a working build environment for Windows.
> In former times Waldemar contributed installable Windows binaries.
>

I have missed the announcement of the latest release :-( Sorry about that.
The binaries have been uploaded to PyPI.

Waldemar

From michael at stroeder.com Sat Sep 10 05:16:59 2016
From: michael at stroeder.com (=?UTF-8?Q?Michael_Str=c3=b6der?=)
Date: Sat, 10 Sep 2016 11:16:59 +0200
Subject: [python-ldap] Python LDAP3 module or LDAP Module
In-Reply-To:
References: <57D2C9AC.8060406@stroeder.com> <57D2CD3B.1010808@stroeder.com>
Message-ID: <57D3CF8B.7060307@stroeder.com>

Waldemar Osuch wrote:
> On Fri, Sep 9, 2016 at 8:54 AM, Michael Ströder
> wrote:
>
>> I don't have a working build environment for Windows.
>> In former times Waldemar contributed installable Windows binaries.
>
> I have missed the announcement of the latest release :-( Sorry about
> that.
> The binaries have been uploaded to PyPI.

Thanks a lot for your continuous support.

Ciao, Michael.

From cloverobert at gmail.com Sun Sep 11 04:43:05 2016
From: cloverobert at gmail.com (Robert Clove)
Date: Sun, 11 Sep 2016 14:13:05 +0530
Subject: [python-ldap] Can i check if the group exist in active directory using python ldap
In-Reply-To: <57D2CA1A.3090904@stroeder.com>
References: <57D2B931.8020909@stroeder.com> <6f4f4b72-7fa8-5a73-9f65-89967ffafcb8@tu-dresden.de> <57D2CA1A.3090904@stroeder.com>
Message-ID:

I don't know whether should i create a separate mail thread or should i question here itself, trying here only

*How can i find the nested group membership like if the group1 exist in group2, group3*

On Fri, Sep 9, 2016 at 8:11 PM, Michael Ströder wrote:
> Sebastian Wiesner wrote:
> > Yes, I know. But thank you for pointing this out though. To use
> > objectClass=group would not work in my case, but using part of the DN
> would.
>
> Why not? If you know the complete (unique) group name using the filter
> (&(objectClass=group)(cn=))
> should always return this particular group.
>
> > It all depends on how the actual directory is set up.
>
> Please elaborate on why the filter above does not work in your case.
>
> Ciao, Michael.

From Sebastian.Wiesner at tu-dresden.de Sun Sep 11 07:19:53 2016
From: Sebastian.Wiesner at tu-dresden.de (Sebastian Wiesner)
Date: Sun, 11 Sep 2016 13:19:53 +0200
Subject: [python-ldap] Can i check if the group exist in active directory using python ldap
In-Reply-To: <57D2CA1A.3090904@stroeder.com>
References: <57D2B931.8020909@stroeder.com> <6f4f4b72-7fa8-5a73-9f65-89967ffafcb8@tu-dresden.de> <57D2CA1A.3090904@stroeder.com>
Message-ID: <004701d20c1e$6bba9d70$432fd850$@tu-dresden.de>

This is not hard to elaborate on. The group objects in our directory don't have objectClass group, instead they have posixGroup. I could change the objectClass filter to that, but since they have ou=Group as part of their DN I don't see the point on changing it. Is it best practice to not use DN parts inside filter criteria?

-----Original Message-----
From: Michael Ströder [mailto:michael at stroeder.com]
Sent: Friday, 9 September 2016 16:42
To: Sebastian Wiesner ; python-ldap at python.org
Subject: Re: [python-ldap] Can i check if the group exist in active directory using python ldap

Sebastian Wiesner wrote:
> Yes, I know. But thank you for pointing this out though. To use
> objectClass=group would not work in my case, but using part of the DN would.

Why not? If you know the complete (unique) group name using the filter
(&(objectClass=group)(cn=))
should always return this particular group.

> It all depends on how the actual directory is set up.

Please elaborate on why the filter above does not work in your case.

Ciao, Michael.

From trs80 at ucc.gu.uwa.edu.au Sun Sep 11 08:14:46 2016
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Sun, 11 Sep 2016 20:14:46 +0800 (AWST)
Subject: [python-ldap] Can i check if the group exist in active directory using python ldap
In-Reply-To:
References: <57D2B931.8020909@stroeder.com> <6f4f4b72-7fa8-5a73-9f65-89967ffafcb8@tu-dresden.de> <57D2CA1A.3090904@stroeder.com>
Message-ID:

On Sun, 11 Sep 2016, Robert Clove wrote:

> I don't know whether should i create a separate mail thread or should i question here itself, trying here only
> How can i find the nested group membership like if the group1 exist in group2, group3?

You need to use the matching rule 1.2.840.113556.1.4.1941, eg
(memberOf:1.2.840.113556.1.4.1941:=cn=Test,ou=East,dc=Domain,dc=com)

http://stackoverflow.com/questions/12562275/ldap-nested-group-membership-filter

--
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /

From michael at stroeder.com Sun Sep 11 09:05:16 2016
From: michael at stroeder.com (=?UTF-8?Q?Michael_Str=c3=b6der?=)
Date: Sun, 11 Sep 2016 15:05:16 +0200
Subject: [python-ldap] Can i check if the group exist in active directory using python ldap
In-Reply-To: <004701d20c1e$6bba9d70$432fd850$@tu-dresden.de>
References: <57D2B931.8020909@stroeder.com> <6f4f4b72-7fa8-5a73-9f65-89967ffafcb8@tu-dresden.de> <57D2CA1A.3090904@stroeder.com> <004701d20c1e$6bba9d70$432fd850$@tu-dresden.de>
Message-ID: <57D5568C.8050407@stroeder.com>

Sebastian Wiesner wrote:
> This is not hard to elaborate on. The group objects in our directory don't
> have objectClass group, instead they have posixGroup.

In MS Active Directory?

> Is it best practice to not use DN
> parts inside filter criteria?

Yes, if you want to implement generic LDAP clients supporting a wide range of
different LDAP server deployments.

If one is looking for good examples there are some client implementations doing
this right with sufficiently but not overwhelming client-side configuration:
Jira/Confluence, jenkins...

Ciao, Michael.

From cloverobert at gmail.com Mon Sep 12 05:37:34 2016
From: cloverobert at gmail.com (Robert Clove)
Date: Mon, 12 Sep 2016 15:07:34 +0530
Subject: [python-ldap] LDAP- Group exist in AD
Message-ID:

Hi,

Can someone provide me the filter to be used if we need to find if the group exist in AD.

From michael at stroeder.com Mon Sep 12 14:02:18 2016
From: michael at stroeder.com (=?UTF-8?Q?Michael_Str=c3=b6der?=)
Date: Mon, 12 Sep 2016 20:02:18 +0200
Subject: [python-ldap] LDAP- Group exist in AD
In-Reply-To:
References:
Message-ID: <57D6EDAA.1040707@stroeder.com>

Robert Clove wrote:
> Can someone provide me the filter to be used if we need to find if the
> group exist in AD.

Did you actually read all the follow-ups to your posting in which you asked the
very same thing?

https://mail.python.org/pipermail/python-ldap/2016q3/thread.html#3790

Ciao, Michael.

From cloverobert at gmail.com Thu Sep 15 22:54:12 2016
From: cloverobert at gmail.com (Robert Clove)
Date: Fri, 16 Sep 2016 08:24:12 +0530
Subject: [python-ldap] Find Nested group in LDAP
Message-ID:

Hi,

I was looking for search query in LDAP for nested group membership.
It would be great if someone can provide the python code for the same.

Regards

From cloverobert at gmail.com Fri Sep 16 05:31:27 2016
From: cloverobert at gmail.com (Robert Clove)
Date: Fri, 16 Sep 2016 15:01:27 +0530
Subject: [python-ldap] Find Nested group in LDAP by this i mean group in group
Message-ID:

Hi,

I was looking for search query in LDAP for nested group membership.
It would be great if someone can provide the python code for the same.

Regards

From andreas.stenius at astekk.se Thu Sep 29 09:42:49 2016
From: andreas.stenius at astekk.se (Andreas Stenius)
Date: Thu, 29 Sep 2016 13:42:49 +0000
Subject: [python-ldap] =?utf-8?q?=C2=A7_in_passwords?=
In-Reply-To:
References:
Message-ID:

Hi,

I seem to have run into a bug in python-ldap. I have a user who consistently fail to login, but for "everyone" else it works just fine.

After some troubleshooting, I became aware of his password containing a §-sign.

I've done some testing locally, and have verified using wireshark, that when I try to bind a user with a password containing a §, there is no activity for that bind on the network at all.

I have the following python code:

```
obj = ldap.initialize (cfg['url'])
obj.bind_s (cfg['bind_dn'], cfg['bind_password'], ldap.AUTH_SIMPLE)

search_filter = cfg['search_filter'].format (username = username)
groups = cfg['groups_attr']
users = obj.search_s (
    cfg['base_dn'], ldap.SCOPE_SUBTREE,
    search_filter, [groups])

if len (users) < 1:
    break

obj.bind_s (users[0][0], password, ldap.AUTH_SIMPLE)
```

If the test cases are standalone in some way, I could look into writing a test for this, with some helpful pointers into where/how that works..

I have attached a redacted screenshot of the wireshark capture, logging two login attempts (both with wrong passwords), the first using "foobar" as password, and the second using "foo§bar".

The screenshot is from using python-ldap version 2.4.25, but I see the same behaviour on 2.4.27 as well.

----

And, just after posting this (re-posted, thanks for the moderation blocker :p), I realized I was masking the exception raised, which provided a good indication to the problem at hand..

Here's the bottom of the traceback:

    obj.bind_s (users[0][0], password, ldap.AUTH_SIMPLE)
  File "/Users/aadt/.virtualenvs/ssoauth/lib/python2.7/site-packages/ldap/ldapobject.py", line 237, in bind_s
    msgid = self.bind(who,cred,method)
  File "/Users/aadt/.virtualenvs/ssoauth/lib/python2.7/site-packages/ldap/ldapobject.py", line 231, in bind
    return self.simple_bind(who,cred)
  File "/Users/aadt/.virtualenvs/ssoauth/lib/python2.7/site-packages/ldap/ldapobject.py", line 216, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/Users/aadt/.virtualenvs/ssoauth/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xa7' in position 5: ordinal not in range(128)

[image: ldap-wireshark-capture.png]

Cheers,
Andreas

From michael at stroeder.com Thu Sep 29 15:30:32 2016
From: michael at stroeder.com (=?UTF-8?Q?Michael_Str=c3=b6der?=)
Date: Thu, 29 Sep 2016 21:30:32 +0200
Subject: [python-ldap] =?utf-8?q?=C2=A7_in_passwords?=
In-Reply-To:
References:
Message-ID: <57ED6BD8.5040108@stroeder.com>

Andreas Stenius wrote:
> I seem to have run into a bug in python-ldap. I have a user who consistently
> fail to login, but for "everyone" else it works just fine.
>
> After some troubleshooting, I became aware of his password containing a §-sign.
> [..]
> UnicodeEncodeError: 'ascii' codec can't encode character u'\xa7' in position 5:
> ordinal not in range(128)

Yupp.

Python 2.7.12 (default, Jun 28 2016, 06:57:42) [GCC] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> u'§'.encode('ascii')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
UnicodeEncodeError: 'ascii' codec can't encode character u'\xa7' in position 0: ordinal not in range(128)
>>> u'§'.encode('utf-8')
'\xc2\xa7'

python-ldap only accepts binary strings.
=> Your application has to invoke .encode('utf-8').

Ciao, Michael.

From fgonzalez at uci.cu Fri Sep 30 16:22:33 2016
From: fgonzalez at uci.cu (=?utf-8?Q?Felipe=5FG0NZ=C3=81LEZ=5FSANTIAG0?=)
Date: Fri, 30 Sep 2016 16:22:33 -0400 (CDT)
Subject: [python-ldap] ldap operation
In-Reply-To:
References:
Message-ID: <638779009.1961016.1475266953625.JavaMail.zimbra@uci.cu>

Hello:

I'm new using python-ldap. I cannot run any LDAP operation. I work with a Samba4 AD.
This is my code:

import ldap
import ldap.modlist as modlist

l.ldap(ldap://127.0.0.1)
l.protocol_version=ldap.VERSION3
l.simple_bind=("CN=Administrator,CN=Users,DC=example,DC=com", "mypassw0rd")
#trying to delete a user
dn= "CN=pepe,CN=Users,DC=example,DC=com"
l.delete(dn)
l.unbind()

And then user pepe persist, I mean wasn't deleted.

Any idea?

THANKS
___________________________________________
Felipe_ González_Santiago

From whalenster at gmail.com Fri Sep 30 14:49:51 2016
From: whalenster at gmail.com (Sean Whalen)
Date: Fri, 30 Sep 2016 14:49:51 -0400
Subject: [python-ldap] Searching for nested membership in AD groups
Message-ID:

Hi all,

I'm using pyldap, but the same problems occur in python-ldap.

I'm trying to run a search in Active Directory with this filter, which should return all of the groups that I am a member of, including nested groups:

(member:1.2.840.113556.1.4.1941:=CN=Whalen, Sean,OU=Users,OU=Users and Groups,DC=redacted,DC=net)

This filter is described in https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

This works fine in powershell, but instantly returns 0 results in python-ldap

Then I tried

(member:1.2.840.113556.1.4.1941:=CN=Whalen\5c, Sean,OU=Users,OU=Users and Groups,DC=redacted,DC=net)

That ran for about 10 seconds in python-ldap, and returned 0 results. powershell returned 0 results instantly.

The reverse query (finding all nested members of a group) works fine

(memberof:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x)

Any ideas about what's going wrong/how to fix it?

From michael at stroeder.com Fri Sep 30 20:26:31 2016
From: michael at stroeder.com (=?UTF-8?Q?Michael_Str=c3=b6der?=)
Date: Sat, 1 Oct 2016 02:26:31 +0200
Subject: [python-ldap] ldap operation
In-Reply-To: <638779009.1961016.1475266953625.JavaMail.zimbra@uci.cu>
References: <638779009.1961016.1475266953625.JavaMail.zimbra@uci.cu>
Message-ID: <57EF02B7.2030909@stroeder.com>

Felipe_G0NZÁLEZ_SANTIAG0 wrote:
> I'm new using python-ldap. I cannot run any LDAP operation. I work with a
> Samba4 AD.
> This is my code:
> import ldap
> import ldap.modlist as modlist
>
> l.ldap(ldap://127.0.0.1)
  ^^^^^^^^^^^^^^^^^^^^^^^^
This code line looks completely bogus.

Please see Demo/initialize.py in the source distribution on how to connect and bind.

> l.protocol_version=ldap.VERSION3
> l.simple_bind=("CN=Administrator,CN=Users,DC=example,DC=com", "mypassw0rd")
> #trying to delete a user
> dn= "CN=pepe,CN=Users,DC=example,DC=com"
> l.delete(dn)
> l.unbind()
>
> And then user pepe persist, I mean wasn't deleted.
>
> Any idea?

Any error message? Any logs?

Ciao, Michael.

From michael at stroeder.com Fri Sep 30 20:37:16 2016
From: michael at stroeder.com (=?UTF-8?Q?Michael_Str=c3=b6der?=)
Date: Sat, 1 Oct 2016 02:37:16 +0200
Subject: [python-ldap] Searching for nested membership in AD groups
In-Reply-To:
References:
Message-ID: <57EF053C.2000106@stroeder.com>

Sean Whalen wrote:
> Then I tried
>
> (member:1.2.840.113556.1.4.1941:=CN=Whalen\5c, Sean,OU=Users,OU=Users and
                                            ^^^^
Yes, you must escape the comma in the DN.

But the escaped hex-encoded character \5C must fully *replace* the comma. Or
simply escape the comma like \, (see RFC 4514).

Bear in mind that you have to deal with extra escaping in Python string syntax
when hard-coding a DN like this in your source code.

Also note that there can be a bunch of specific performance differences
depending on how and from where you connect and bind to Active Directory,
especially if it's not well maintained (stale directory replicas / site topology).

Ciao, Michael.

From stephen.butler at gmail.com Fri Sep 30 22:01:16 2016
From: stephen.butler at gmail.com (Stephen J. Butler)
Date: Fri, 30 Sep 2016 21:01:16 -0500
Subject: [python-ldap] Searching for nested membership in AD groups
In-Reply-To: <57EF053C.2000106@stroeder.com>
References: <57EF053C.2000106@stroeder.com>
Message-ID:

\5C is backslash itself, not comma. I think what he wants is really:

r'(member:1.2.840.113556.1.4.1941:=CN=Whalen\, Sean,OU=Users,OU=Users and Groups,DC=redacted,DC=net)'

Notice the raw string.
Otherwise, if you aren't using a raw string, then:

"(member:1.2.840.113556.1.4.1941:=CN=Whalen\\, Sean,OU=Users,OU=Users and Groups,DC=redacted,DC=net)"

IDK how you're building your DN's in general, but what you should be doing is this when you have arbitrary input:

from ldap.dn import escape_dn_chars

filter = '(member:1.2.840.113556.1.4.1941:=CN={0},OU=Users,OU=Users and Groups,DC=redacted,DC=net)'.format(escape_dn_chars('Whalen, Sean'))

That will always do the right thing.

On Fri, Sep 30, 2016 at 7:37 PM, Michael Ströder wrote:
> Sean Whalen wrote:
> > Then I tried
> >
> > (member:1.2.840.113556.1.4.1941:=CN=Whalen\5c, Sean,OU=Users,OU=Users
> and
>                                             ^^^^
> Yes, you must escape the comma in the DN.
>
> But the escaped hex-encoded character \5C must fully *replace* the comma.
> Or
> simply escape the comma like \, (see RFC 4514).
>
> Bear in mind that you have to deal with extra escaping in Python string
> syntax
> when hard-coding a DN like this in your source code.
>
> Also note that there can be a bunch of specific performance differences
> depending on how and from where you connect and bind to Active Directory,
> especially if it's not well maintained (stale directory replicas / site
> topology).
>
> Ciao, Michael.
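
Added example, not part of any message in this thread and not python-ldap's own code: a DN used as the assertion value of a filter needs two layers of escaping, RFC 4514 for the RDN value and then RFC 4515 for the filter, so the backslash that escapes the comma is written `\5c` inside the filter. The helper names below are hypothetical; python-ldap provides `ldap.dn.escape_dn_chars` and `ldap.filter.escape_filter_chars` for the same two layers.

```python
"""Build an AD nested-group filter from an untrusted common name.

Added illustration; the function names are hypothetical and the escaping is
written out in pure Python so the block runs without python-ldap installed.
"""

# Matching-rule OID quoted in the thread (nested membership lookup in AD).
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4514, section 2.4: these characters are backslash-escaped in an RDN value.
_DN_SPECIALS = '"+,;<>\\'

# RFC 4515, section 3: these characters become a backslash plus two hex digits
# when they appear inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_rdn_value(value):
    """Layer 1: escape one attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":
            out.append("\\" + ch)      # leading space or '#'
        elif i == last and ch == " ":
            out.append("\\ ")          # trailing space
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Layer 2: escape a complete string for use as a filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def nested_groups_filter(cn, parent_dn):
    """Filter for all groups that contain CN=<cn>,<parent_dn>, nested or not.

    cn is untrusted input; parent_dn is assumed to come from configuration
    and to be a well-formed DN already.
    """
    user_dn = "CN={0},{1}".format(escape_rdn_value(cn), parent_dn)
    return "(member:{0}:={1})".format(
        MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn)
    )


if __name__ == "__main__":
    base = "OU=Users,OU=Users and Groups,DC=redacted,DC=net"
    # The name from the thread: the comma is escaped for the DN, and the
    # escaping backslash is then escaped for the filter.
    print(nested_groups_filter("Whalen, Sean", base))
    # Constructed hostile input: the parentheses and '*' stay inside the
    # assertion value instead of changing the structure of the filter.
    print(nested_groups_filter("x)(objectClass=*", base))
```

With python-ldap on Python 2, as in the thread, encode the resulting filter with `.encode('utf-8')` before passing it to `search_s()`.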